Linux VPS Server Essential Simple Security configuration Getting Started Tutorial

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Although Linux is more secure than Windows, some simple security configurations are necessary. There are a lot of tools on the Internet to scan your admin password with a dictionary, we can create some trouble and increase the possibility of being deciphered. Take a look at the entry level security configuration.

First, remote management ports

Modify the SSH login port, the default port is 22. Scan Dictionary Poor-lift passwords They all start with the default. If you change the port to 4 digits, it greatly improves their difficulty and time, edit the SSH configuration file with the VI command ( VI command to use to edit and save the exit and so on a few simple commands if unfamiliar or can not Baidu or site search):

Vi/etc/ssh/sshd_config

Find #port 22, remove the front #, and Change to port 1998 (this number uses 4 digits as much as possible to avoid other ports), and then restart Sshdservice sshd Restart don't forget to reboot after the SSH client also has to change the new port to log on.

Second, set a strong password for root users it's best to have 10 letters + digits. The possibility of being deciphered by the dictionary is as difficult as winning the lottery.

This general background can be modified such as SOLUSVM platform can be directly modified

If the other management panel does not modify the password function, you can also use the passwd command in SSH to modify

Enter two times (you can, of course, disable the root user to create a new user to give root permission but the eagle doesn't think it's necessary as long as the password is powerful enough to decipher.

Third, small-scale defensive DDoS and CC

DDoS appears for many years, the domestic room 90% have a certain defense capability, (configured hardware firewall) Attack principle is very simple is to use false data packets to block your network, but most of the foreign IDC is not to provide defense, we can only use software assistance, Can mitigate the attack to some extent. But this has much to do with the configuration and bandwidth of the server hardware itself. Generally also can only defend against small scale attack, the traffic is big or will be paralyzed.

Windows platform has a soft defense and modify the registry to achieve this goal, Linux under the software today is the DDoS deflate and system iptables to achieve specific operations as follows

Make sure the service iptables staus services generally default to bring

Then start the installation

DDos deflate

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod +x install.sh

./install.sh

When the installation is complete, it appears as follows:

Installed after the display as shown above, the installation needs to be completed after the file configuration with VI Editor

Vi/usr/local/ddos/ddos.conf

Here is the main apf_ban=1 modified to 0 (using iptables), in addition to the email_to= "root" can be changed to the root of your email address, so that the system to run the IP, there will be mail prompts you.

##### Paths of the script and other files

Progdir= "/usr/local/ddos"

Prog= "/usr/local/ddos/ddos.sh"

Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list

cron= "/etc/cron.d/ddos.cron"//Timed execution procedure

apf= "/etc/apf/apf"

ipt= "/sbin/iptables"

##### frequency in minutes for running the script

##### caution:every time This setting is changed, run the script With–cron

##### option so the new frequency takes multiplying

Freq=1//Check time interval, default 1 minutes

##### How many 50x15 define a bad IP? indicate that below.

no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be

##### apf_ban=1 (Make throaty your APF version is atleast 0.96)

##### apf_ban=0 (Uses iptables for banning IPs instead of APF)

Apf_ban=0//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.

##### kill=0 (Bad IPs are ' NT banned, OK for interactive execution of script)

##### kill=1 (recommended setting)

Kill=1//Whether to shield IP, by default

##### an email was sent to the following address when a IP is banned.

##### Blank would suppress sending of mails

email_to=admin@vpsck.com///When IP is blocked, send mail to the specified mailbox, recommend use, and replace it with your own mailbox

##### number of seconds the banned IP should remain in blacklist.

ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation

System default Whitelist There are some problems, often mistakes, so we'd better set the manual set white list and can not be modified.

Vi/usr/local/ddos/ignore.ip.list #手工设置白名单IP

Chattr +i/usr/local/ddos/ignore.ip.list #强制不允许修改

Chattr-i/usr/local/ddos/ignore.ip.list #解除不允许修改

After the above configuration of the basic security configuration is OK, of course, Liunx platform There are many of the same kind of free firewall, but basically are English literature. Need to learn more practice to actually deploy

Original Launch Eagle Blog http://www.vpsck.com/355.html