VPS New Manual

Keywords: sudo ssh Nginx Docker

Actually, this is just a running log of what I did.
Note: Ubuntu 16.04 is used as the example throughout.

1 Users

  • First thing: create a new user and stop logging in as root. After logging in as root:
$ sudo adduser tom # Creates the user interactively; all you have to do is set a strong password.
$ sudo visudo # Grant the new user root privileges (visudo checks the syntax before saving; a typo in /etc/sudoers can lock you out of sudo)

Append tom ALL=(ALL) ALL as the last line, then save and exit.

  • Switch to a nicer shell setup!
$ su tom
$ cd ~ && vim .bashrc

Go here, copy all of the content into your .bashrc, save it, and run source .bashrc to see the effect!

2 SSH

  • First turn off root login and change the default port 22. Run sudo vim /etc/ssh/sshd_config, find the following two lines, and change them to read as below. Note that sshd_config only accepts comments on their own lines; a trailing # comment after a directive makes sshd refuse to start ("garbage at end of line"):
    # Disable root login
    PermitRootLogin no
    # Change the default port; any other port in 1024-65535 will do
    Port 2345
    
  • Configure public key authentication
    Look for a key pair in your local (not the VPS) ~/.ssh/ directory.
    If there is none, generate a pair with the ssh-keygen command. Afterwards you will find two files in that directory, id_rsa and id_rsa.pub.
    • Copy the id_rsa.pub file to the /home/tom/.ssh/ directory on the VPS
    • As the tom user on the VPS, run:
      $ cd ~/.ssh
      $ cat id_rsa.pub >> authorized_keys # Install the login public key
      $ chmod 600 authorized_keys # Permissions (sshd ignores the file if it is group- or world-writable)
      $ chmod 700 ~/.ssh # Permissions
      
    • Edit the /etc/ssh/sshd_config file and make sure these fields read as follows (comments on their own lines, as above):
      # RSAAuthentication is a legacy SSH protocol 1 option: harmless on 16.04 but removed in later OpenSSH releases; PubkeyAuthentication is the one that matters
      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys
      # With this set, security is higher but you can no longer ssh in with a password.
      # Do not set it during the testing stage; set it only once passwordless SSH login has been confirmed to work.
      PasswordAuthentication no
      
    • Restart sshd: sudo service ssh restart
      After configuring, select public key authentication in your local SSH client, point it at your local id_rsa, and you can log in without a password! Keep the existing root session open until the new login has been tested. Back up this private key: if you lose it you will not be able to log in!!
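As an added example (not from the original post): a small bash script that applies the sshd_config changes from this section in a re-runnable way, so each directive ends up set exactly once whether it was already present, commented out (#Port 22) or missing, and a check that reports whether all of them are in effect. It assumes the config has no Match blocks (a directive inside one would be mistaken for the global setting) and runs on a constructed sample file rather than /etc/ssh/sshd_config.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): re-runnable edits for the
# sshd_config changes in section 2. Assumes no Match blocks in the file.
set -eu

# set_directive FILE KEY VALUE
# Rewrites the first line that sets KEY (commented out or not) to "KEY VALUE",
# drops any later duplicates, and appends the line if KEY never appeared.
set_directive() {
    local file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[# \t]*" tolower(k) "[ \t]"; seen = 0 }
        tolower($0) ~ pat {
            if (!seen) print k " " v   # first match becomes the live setting
            seen++
            next                       # later matches are dropped
        }
        { print }
        END { if (!seen) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY -> prints the effective value (first uncommented line)
get_directive() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT: the settings from section 2
harden_sshd_config() {
    local file=$1 port=$2
    set_directive "$file" Port "$port"
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AuthorizedKeysFile .ssh/authorized_keys
    # Only do this once key login has been verified from a second session.
    set_directive "$file" PasswordAuthentication no
}

# check_hardened FILE PORT: succeeds only if every setting is in effect
check_hardened() {
    local file=$1 port=$2
    [ "$(get_directive "$file" Port)" = "$port" ] &&
    [ "$(get_directive "$file" PermitRootLogin)" = no ] &&
    [ "$(get_directive "$file" PubkeyAuthentication)" = yes ] &&
    [ "$(get_directive "$file" PasswordAuthentication)" = no ]
}

# Demo on a constructed copy of a few stock-looking sshd_config lines (not a
# real config). On the VPS, run the same functions on /etc/ssh/sshd_config
# as root, then `sshd -t` before `service ssh restart`.
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
UsePAM yes
EOF
    harden_sshd_config "$tmp" 2345
    harden_sshd_config "$tmp" 2345      # second run: no change
    cat "$tmp"
    if check_hardened "$tmp" 2345; then echo "hardened: OK"; fi
    rm -f "$tmp"
}
demo
```

On the VPS you would call the functions against /etc/ssh/sshd_config as root, validate with sudo sshd -t before sudo service ssh restart, and keep the current session open until a fresh key-based login on the new port succeeds; as the text says, leave the PasswordAuthentication step out until then.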

3 ufw firewall

ufw is a host-side front-end for configuring the iptables firewall, and it is easy to use. Compared with the user-hostile iptables it really is simple!

  • Installation: sudo apt-get install ufw

  • View status sudo ufw status

  • # Enable
    # Set the default policy and allow your SSH port (see the examples below) BEFORE enabling, or you will lock yourself out
    sudo ufw default deny
    sudo ufw enable
    
    # Disable
    sudo ufw disable
    
    # Examples
    sudo ufw allow 22 # Allow your SSH port first!!! (2345 if you moved it as in section 2)
    sudo ufw allow 53 # DNS; only needed if this host serves DNS, outgoing lookups are already allowed
    sudo ufw allow 80 # Allow external access to port 80
    sudo ufw delete allow 80 # Stop allowing external access to port 80
    sudo ufw allow from 192.168.1.1 # Allow this IP to reach all local ports
    sudo ufw deny smtp # Deny external access to the smtp service
    sudo ufw delete deny smtp # Delete the rule created just above
    ...
    
  • ufw rules are simple and clear; write them to suit your own needs, with everything denied by default.

  • Note that there are compatibility problems between ufw and Docker: Docker inserts its own iptables rules, which bypass the ufw policy, so ufw rules may fail or behave confusingly. If you use Docker on your VPS, be aware of this. One solution that exists at present:

    create the file /etc/docker/daemon.json and put the following in:

    {
        "iptables": false
    }
    

    then run sudo service docker stop followed by sudo service docker start. Finally Docker simply follows the rules in ufw. The trade-off: with iptables disabled, Docker no longer creates the NAT rules for container traffic, so outbound connections from containers break unless you add a masquerade rule yourself.

    Further reading: Docker overrules UFW!

4 ShadowSocksR

Not much to say; you know what this is for. Go here. Look, there is no guarantee that the links will stay valid forever, so look after yourself :-)

One more thing: if you have installed SSR successfully, it is recommended that you turn on BBR, a congestion control algorithm led by Google, which can greatly improve your throughput over the tunnel. One-click script to install the latest kernel and enable BBR

5 fail2ban

fail2ban is a well-known open source intrusion prevention framework for Linux. It monitors system log files (e.g. /var/log/auth.log or /var/log/secure) and automatically triggers defensive actions (bans) based on the suspicious behaviour it detects. In particular, fail2ban is very useful for defending an SSH server against brute-force password attacks.

  • Install: $ sudo apt-get install fail2ban

  • SSH protection. fail2ban is powerful and complex to configure, but it ships with many default jails, including one for SSH (all default jails are listed in /etc/fail2ban/jail.conf). So if we only want to protect ssh it is very simple: edit /etc/fail2ban/jail.d/defaults-debian.conf and add the following fields:

    [sshd]
    enabled = true
    # the stock sshd jail bans "port = ssh", i.e. 22; if you moved SSH to 2345 in section 2, tell the ban action about it
    port = 2345
    bantime = 36000
    
  • Restart sudo service fail2ban restart

  • Nginx example. Since I run nginx on my VPS, here is an example of protecting nginx. fail2ban's config files only recognise # comments on their own lines (and ; preceded by a space for inline comments), so keep the comments separate from the values:

    # Create the file nginx.conf under /etc/fail2ban/filter.d with the following content
    [Definition]
    # match any request answered with 404 (<HOST> is fail2ban's placeholder for the client address)
    failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
    ignoreregex =
    
    # Add the following at the end of /etc/fail2ban/jail.local
    [nginx-get-dos]
    enabled = true
    # filter name = the file created above, /etc/fail2ban/filter.d/nginx.conf
    filter = nginx
    # path of the log to watch
    logpath = /var/log/nginx/access.log
    # ban after 10 matches ...
    maxretry = 10
    # ... within this many seconds
    findtime = 600
    # ban for 10h
    bantime = 36000
    
  • Frequently used commands

    $ sudo service fail2ban restart # restart
    $ sudo fail2ban-client ping # Verify that the service is up
    Server replied: pong
    $ sudo fail2ban-client status # List the currently active jails
    $ sudo fail2ban-client status nginx-get-dos # Show the state of one jail (currently banned IPs etc.)
    
  • See also: How to use fail2ban to defend an SSH server against brute-force attacks
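As an added example, not part of the original post or of fail2ban itself: a bash stand-in for fail2ban-regex plus the jail's maxretry/findtime bookkeeping, run over a constructed nginx access log so the [nginx-get-dos] thresholds above can be checked offline. It also shows a weakness of the page's failregex (a 200 response whose body size happens to be 404 bytes matches it) beside a tighter pattern. The sample log lines, the IPv4-only expansion of <HOST> and the simplified timestamp arithmetic are my assumptions, not fail2ban's behaviour.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or fail2ban: emulates the
# filter match plus the jail's maxretry/findtime counting on a constructed
# nginx access log. Simplifications: <HOST> is expanded to an IPv4 literal
# only, and timestamps are reduced to day/hour/minute/second within one
# month, which is enough for a findtime window.
set -eu

# The page's failregex with <HOST> expanded for grep -E.
FAILREGEX='^([0-9]{1,3}\.){3}[0-9]{1,3} -.*- .*HTTP/1.* 404 .*$'

# The page's pattern also fires on a 200 whose body size is 404 bytes
# ("... HTTP/1.1" 200 404 ...). Anchoring on the quoted request line avoids
# that; the equivalent fail2ban form would be:
#   failregex = ^<HOST> -.*- .*"[A-Z]+ [^"]* HTTP/[0-9.]+" 404 
STRICT_FAILREGEX='^([0-9]{1,3}\.){3}[0-9]{1,3} -.*- .*"[A-Z]+ [^"]* HTTP/[0-9.]+" 404 '

# matching_lines LOGFILE [REGEX] -> the lines the filter counts as failures
matching_lines() {
    grep -E "${2:-$FAILREGEX}" "$1" || true
}

# offenders LOGFILE MAXRETRY FINDTIME [REGEX]
# Prints each client (once) that reaches MAXRETRY failures inside any
# FINDTIME-second window, in the order the threshold is crossed.
offenders() {
    local log=$1 maxretry=$2 findtime=$3 re=${4:-$FAILREGEX}
    matching_lines "$log" "$re" | awk -v maxretry="$maxretry" -v findtime="$findtime" '
    {
        host = $1
        # $4 is "[25/May/2019:16:32:27"; pieces 1,4,5,6 are day,hour,min,sec
        split(substr($4, 2), p, "[/:]")
        t = p[1] * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
        n[host]++
        at[host, n[host]] = t
        live = 0
        for (i = 1; i <= n[host]; i++)
            if (at[host, i] > t - findtime) live++
        if (live >= maxretry && !(host in banned)) {
            banned[host] = 1
            print host
        }
    }'
}

# write_sample_log FILE: constructed combined-format lines (not real traffic)
#  - 203.0.113.10 : ten 404s within nine seconds -> banned at maxretry=10/findtime=600
#  - 198.51.100.7 : ten 404s, one per hour       -> never ten inside 600 s
#  - 192.0.2.1    : a normal 200, and a 200 with a 404-byte body (false positive)
write_sample_log() {
    local i
    {
        for i in $(seq 0 9); do
            printf '203.0.113.10 - - [25/May/2019:16:32:%02d -0700] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.58.0"\n' "$i"
        done
        for i in $(seq 0 9); do
            printf '198.51.100.7 - - [25/May/2019:%02d:00:00 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"\n' "$i"
        done
        printf '192.0.2.1 - - [25/May/2019:16:40:00 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n'
        printf '192.0.2.1 - - [25/May/2019:16:41:00 -0700] "GET /index.html HTTP/1.1" 200 404 "-" "Mozilla/5.0"\n'
    } > "$1"
}

demo() {
    local tmp
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "matches, page regex:   $(matching_lines "$tmp" | wc -l)"
    echo "matches, strict regex: $(matching_lines "$tmp" "$STRICT_FAILREGEX" | wc -l)"
    echo "banned at maxretry=10 findtime=600:"
    offenders "$tmp" 10 600
    rm -f "$tmp"
}
demo
```

Against the real log the authoritative check is sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf, which prints how many lines each failregex matched; the script above only helps reason about what maxretry and findtime will do to those matches.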

That's all for now. Comments are welcome; if there is new content in the future I will keep adding to this.

Posted by kingsol on Sat, 25 May 2019 16:32:27 -0700