No important system can ignore server security, especially in the public cloud. There are many online tips and tutorials on this subject. Here we only look at a few basic and common best practices.
Several security measures to be implemented after system configuration is completed
Take Ubuntu 16.04 as an example:
1. Update the kernel version
Of course, you can't blindly update, but for newly deployed servers, using the latest version of the kernel is generally harmless and can improve system security. Usually people would advise us to disable unused services, but I choose to trust publishers, and I believe they will make the right choice to decide which services should be installed or disabled by default.
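apt-get -y update          # refresh the package lists
apt-get -y dist-upgrade    # install pending updates, including newer kernel packages; reboot to run the new kernel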
2. Reset the root password
Accessing the virtual machine's web console requires a root password. You need that console when SSH (Secure Shell) does not work properly, for example when strange firewall settings lock you out, a serious kernel error occurs in the system, or the machine restarts mysteriously.
root_pwd="DevOpsDennyChangeMe1"
echo "root:$root_pwd" | chpasswd
3. Strengthen SSHD Service Security
Allow SSH logins only with key files, so attackers can't easily break in by cracking your password. Move the SSH listening port from the default (22) to another port to avoid annoying SSH login attempts.
# Disable ssh by password
sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' \
    /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' \
    /etc/ssh/sshd_config
grep PasswordAuthentication /etc/ssh/sshd_config

# Use another ssh port
sshd_port="2702"
sed -i "s/^Port 22/Port $sshd_port/g" /etc/ssh/sshd_config
grep "^Port " /etc/ssh/sshd_config

# Restart sshd to take effect
service ssh restart
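The sed edits above only change lines that already match, so a lower-case, duplicated or missing directive leaves sshd at its defaults. The check below is an added example, not code from the original article; the function names are hypothetical, and on a live server `sshd -T` prints the authoritative effective configuration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit an sshd_config after
# the sed edits in step 3. Assumptions: sshd uses the FIRST value it sees for
# a keyword, keywords are case-insensitive, a missing PasswordAuthentication
# defaults to "yes" and a missing Port to 22. "Include" files are not followed.

# Print global (pre-"Match") values of keyword $2 in file $1, one per line.
sshd_global_values() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }                    # skip comments
    tolower($1) == "match" { exit }        # conditional blocks start here
    tolower($1) == key { print $2 }
  ' "$1"
}

# Print "Match" block lines in file $1 that turn password login back on.
sshd_match_password_overrides() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { in_match = 1; next }
    in_match && tolower($1) == "passwordauthentication" && tolower($2) == "yes"
  ' "$1"
}

# Return 0 only if password login is off everywhere and the only port is $2.
check_sshd_hardening() {
  chk_rc=0
  chk_pw="$(sshd_global_values "$1" PasswordAuthentication | head -n 1)"
  chk_ports="$(sshd_global_values "$1" Port | tr '\n' ' ')"
  chk_ports="${chk_ports% }"
  if [ "${chk_pw:-yes}" != "no" ]; then
    echo "FAIL: effective PasswordAuthentication is ${chk_pw:-yes}"; chk_rc=1
  fi
  if [ -n "$(sshd_match_password_overrides "$1")" ]; then
    echo "FAIL: a Match block re-enables PasswordAuthentication"; chk_rc=1
  fi
  if [ "${chk_ports:-22}" != "$2" ]; then
    echo "FAIL: listening on port(s) ${chk_ports:-22}, expected $2"; chk_rc=1
  fi
  [ "$chk_rc" -eq 0 ] && echo "OK: key-only login on port $2"
  return "$chk_rc"
}

# Usage on the server: check_sshd_hardening /etc/ssh/sshd_config 2702
```

Run it before restarting sshd and keep the current session open until a second key-based login on the new port succeeds.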
4. Restricting Malicious Access through Firewall
This may be the most important security measure you should implement.
# Have a clean start with iptables
iptables -F; iptables -X
echo 'y' | ufw reset
echo 'y' | ufw enable
ufw default deny incoming
ufw default deny forward

# Allow traffic of safe ports
ufw allow 22,80,443/tcp

# Allow traffic from certain port
ufw allow 2702/tcp

# Allow traffic from trusted ip
ufw allow from 52.74.151.55
5. Add a timestamp to the command history
This allows you to see what commands were executed at what time.
echo export HISTTIMEFORMAT=\"%h %d %H:%M:%S \" >> /root/.bashrc
6. Generating SSH key pairs
Never share the same SSH key pair across servers!
exec ssh-agent bash
# Generate new key pair
ssh-keygen
# Load key pair
ssh-add
7. Pay close attention to /var/log
Use logwatch (https://www.howtoforge.com/tutorial/logwatch-installation-on-debian-and-ubuntu/) to automate checking and analysis. It is a very useful Perl script that generates daily reports of system log activity.
Pay most attention to the following log files:
/var/log/kern.log
/var/log/syslog
/var/log/ufw.log
/var/log/auth.log
/var/log/dpkg.log
/var/log/aptitude
/var/log/boot.log
/var/log/cron.log
/var/log/mailog
apt-get install -y logwatch
# Full check. Takes several minutes
logwatch --range ALL
# Only check log of Today
logwatch --range Today
# Check log for last week
logwatch --range "between -7 days and -1 days"
8. Use of third-party security inspection tools
Not everyone is or will become a security expert. Try some reliable multi-functional tools. lynis (https://cisofy.com/lynis/) is one such convenient and straightforward tool, consisting of only one bash file.
apt-get install -y lynis
# Run lynis to check security issues
lynis -c
9. Appropriate backup of data
Keep a "Plan B" at all times. As a last resort, you should be able to quickly restore the system from a backup onto another server.
Links to the original text: http://www.dennyzhang.com/linux_security#more-4078
Translation: zhangrj