2025-03-25 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Note: the CVM in this tutorial runs CentOS 7 or later and was purchased from Aliyun; CVMs from other providers are configured in much the same way.
Suggestion: do not install graphical tools on a Linux server. They consume memory, bandwidth and other resources, and the disadvantages far outweigh the advantages.
Update the system manually:
yum -y update
Firewall configuration:
service firewalld start             # start the firewall
systemctl enable firewalld.service  # start the firewall on boot
SELinux configuration:
vim /etc/selinux/config
Modify:
SELINUX=enforcing   # enforcing mode
reboot              # takes effect after a restart
SSH configuration (anti brute-force):
useradd normal   # create an ordinary user; it will be the only account allowed to log in remotely
vim /etc/ssh/sshd_config
Modify:
Port 2000                 # the port must be greater than 1024
Protocol 2                # add it if it is missing; if it is already there, leave it
PermitEmptyPasswords no   # disable login with an empty password
X11Forwarding no          # disable X11 forwarding
PermitRootLogin no        # root may not log in over ssh
MaxAuthTries 3            # allow three authentication attempts
LoginGraceTime 20         # disconnect if login is not completed within 20 seconds
AllowUsers normal         # add this line; only this user may log in remotely
Save, exit and restart ssh:
service sshd restart
Open the ssh port in the firewall:
firewall-cmd --zone=public --add-port=2000/tcp --permanent
firewall-cmd --reload
Allow the ssh port in SELinux:
yum -y install policycoreutils-python        # installs semanage, the SELinux port management tool
semanage port -a -t ssh_port_t -p tcp 2000   # add the port
semanage port -l | grep ssh                  # view the ssh ports SELinux allows
service sshd restart
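An added example (not from the original article) that applies the sshd_config directives listed above with a shell script: it rewrites existing or commented directives in place, appends missing ones, and reads the result back so the file can be checked before sshd is restarted. The file path, port 2000 and the user "normal" are taken from the steps above; the helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: apply the sshd_config settings
# listed above idempotently (re-running never duplicates a directive) and read
# them back, so the file can be checked before the daemon is restarted.
# Assumes FILE is /etc/ssh/sshd_config (or a copy), port 2000, user "normal".

# set_sshd_option FILE KEY VALUE : rewrite the first active or commented
# "KEY ..." line; otherwise insert above the first Match block (so the
# directive stays global) or, if there is none, append at the end.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        !seen && $0 ~ ("^[#[:space:]]*" k "[[:space:]]") { print k, v; seen=1; next }
        !seen && /^Match[[:space:]]/ { print k, v; seen=1 }
        { print }
        END { if (!seen) print k, v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd FILE PORT USER : the anti-brute-force settings from the tutorial.
harden_sshd() {
    f=$1
    set_sshd_option "$f" Port "$2"
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" X11Forwarding no
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" MaxAuthTries 3
    set_sshd_option "$f" LoginGraceTime 20
    set_sshd_option "$f" AllowUsers "$3"
}

# get_sshd_option FILE KEY : print the first effective (uncommented) value.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# On a live server keep this order: with SELinux enforcing, sshd cannot bind
# port 2000 until semanage has labelled it, so open the port first and check
# the file with "sshd -t" before restarting, or new logins will be refused:
#   harden_sshd /etc/ssh/sshd_config 2000 normal
#   firewall-cmd --zone=public --add-port=2000/tcp --permanent && firewall-cmd --reload
#   semanage port -a -t ssh_port_t -p tcp 2000
#   sshd -t && service sshd restart
```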
Prevent IP spoofing:
vim /etc/host.conf
Add at the end:
nospoof on
Disable ping replies:
vim /etc/sysctl.conf
Modify the line if it exists, add it if not:
# 1 = ignore all ICMP echo requests; 0 keeps answering ping
net.ipv4.icmp_echo_ignore_all=1
Apply the configuration:
sysctl -p
Block ping in the firewall:
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
firewall-cmd --reload
Note: you can also delete the rule that allows the ICMP protocol from the security group rules in the Aliyun console.
Update the system every ten days, remove unused software, and clear the yum cache:
crontab -e
Adjust the following as needed:
0 0 */10 * * yum update -y
0 0 */11 * * yum autoremove -y
0 0 */12 * * yum clean all
Block port scanning with the firewall (does not work on CentOS 7: the ports are still scanned; I don't know whether it works on versions before CentOS 7):
iptables -F   # clear the firewall policy (on CentOS 7 this also flushes the rules loaded by firewalld)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,SYN --dport 80 -j DROP   # note: this matches every SYN to port 80, i.e. every new connection to a web server
Uninstall Aliyun Cloud Shield (Aegis / 安骑士, Server Guard). The server is already short of memory and Cloud Shield does more harm than good, so uninstall it:
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
pkill aliyun-service
rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
Note: after the uninstall completes you can delete the two script files above. If you cannot wget the files, contact the webmaster for them!
Block the Cloud Shield IPs, which regularly scan the server to simulate hacker attacks:
vim shield_ip.sh
Add the following:
#!/bin/bash
echo "Start blocking the Cloud Shield IPs that scan the CVM"
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.201.0/28" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.201.16/29" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.201.32/28" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.192/29" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.200/30" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.184/29" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.183" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.206" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.205" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.195/32" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="140.205.225.204" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.224.0/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.224.64/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.224.128/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.224.192/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.222.64/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.222.128/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.222.192/26" drop'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="106.11.223.0/26" drop'
firewall-cmd --reload
Save and exit:
chmod +x shield_ip.sh
./shield_ip.sh
Note: these IP ranges are the Cloud Shield server IPs officially published by Aliyun. Source: https://help.aliyun.com/knowledge_detail/37436.html
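Added example, not the article's shield_ip.sh: the same rich rules generated from a plain list of ranges, with each entry validated (four octets of 0 to 255, prefix length at most 32, and the address actually being the network address of its prefix) before any firewall-cmd line is printed, because a mistyped mask silently blocks the wrong hosts. The function names and the one-range-per-line list file format are my own assumptions.

```shell
#!/bin/sh
# Added example, not the article's shield_ip.sh: build the same firewall-cmd
# rich rules from a list file, rejecting malformed ranges (bad octet, prefix
# over 32, misaligned network) first. Assumes family=ipv4 and the "drop" action.

# ip_to_int A.B.C.D : print the address as a 32-bit integer, fail if malformed.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_cidr A.B.C.D[/N] : true only for an aligned prefix (a bare address is /32).
# 140.205.225.19/29 is rejected: the /29 that contains .19 starts at .16.
valid_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$1" = "$addr" ] && plen=32
    case $plen in ''|*[!0-9]*) return 1;; esac
    [ "$plen" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( ((1 << plen) - 1) << (32 - plen) ))
    [ $(( ip & mask )) -eq "$ip" ]
}

# rich_rule CIDR : the rich-rule string firewall-cmd expects for one range.
rich_rule() {
    printf 'rule family=ipv4 source address="%s" drop\n' "$1"
}

# emit_shield_cmds FILE : print the firewall-cmd commands for every valid line of
# FILE (blank lines and # comments skipped); pipe into sh to apply. Returns 1 if
# any entry was malformed, so a typo is reported instead of silently ignored.
emit_shield_cmds() {
    status=0
    while IFS= read -r cidr; do
        case $cidr in ''|\#*) continue;; esac
        if valid_cidr "$cidr"; then
            printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$(rich_rule "$cidr")"
        else
            echo "skipping malformed entry: $cidr" >&2; status=1
        fi
    done < "$1"
    echo "firewall-cmd --reload"
    return $status
}
```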
Locale settings:
vim /etc/locale.conf
Delete the original content and add the following:
LANG=zh_CN.utf8          # Chinese interface
LC_MESSAGES=en_US.utf8   # English messages
reboot                   # takes effect after a restart
Go to the Aliyun console and click ECS -> Security Group -> Configure Rules -> Add Security Group Rule.
Add the ssh port to the security group, otherwise the server cannot be reached from the public network; the same goes for the ftp and apache ports if they are not yet open in the security group.
Download the Xshell remote login software and log in to the Linux system as the ordinary user (how to use Xshell is not described here). After logging in successfully:
su - root   # escalate to root
Note: after logging in through the Aliyun console's remote connection, never stay logged in as any user. When you are done, log out and leave the console at the username prompt.
For example, when logged in through the Aliyun console (rather than Xshell), log out with:
logout   # exit also works
Note: a root user must exit twice.
Finally: go to Aliyun console -> Security (Cloud Shield) -> Situation Awareness -> enable the Situation Awareness service -> set up mailbox or SMS alerts.