Shulou(Shulou.com)06/01 Report--

This article is to share with you about how Linux servers are locked. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

No matter which Linux distribution you use, you need to use an iptables-based firewall to protect it.

Ah! You have set up your first Linux server and are ready to start! Is that so? Yeah, wait a minute.

By default, your Linux system is not secure enough for attackers. Of course, it's much safer than Windows XP, but that doesn't mean anything.

To make your Linux system really solid, you need to follow Linode's server security guidelines.

In general, first of all, you have to turn off services you don't need. To do this, of course, you need to know which web services you are using.

You can use the shell command to find out which services are:

Netstat-tulpn

Netstat will tell you which services are running and what ports they are using. If you don't need one of these services or ports, you should shut it down. For example, unless you are running a website, you do not need a running Apache or Nginx server, nor do you need to open port 80 or 8080.

In a word, if you are not sure, turn it off first.

On the simplest Linux server without any additional changes, you will see SSH, RPC, and NTPdate running on their public ports. Don't add an old and unsafe shell program like telnet, or the old driver will drive your Linux trolley away inadvertently. Maybe you liked to use telnet as a backup login on your SunOS machine in the 1980s, but that's a thing of the past.

In the case of SSH, you should use RSA keys and Fail2Ban for reinforcement. Unless you need RPC, uninstall it-- if you don't know if you need it, you don't.

Enough has been said about how to close doors; let's talk about using iptables to lock in incoming traffic.

When you start the Linux server, it has no rules. This means that all traffic is allowed. Of course this is not good. Therefore, you need to set up your firewall in time.

Iptables is a shell tool used to set network policy rules for netfilter. Netfilter is the default firewall on Linux systems, which uses a set of rules to allow or prohibit traffic. When someone tries to connect to your system-- some try to do so all the time and never get discouraged-- iptables checks to see if these requests match the list of rules. If no rules are matched, it takes the default action.

The default action should be to disable the connection "Drop", that is, to disable these intended intruders. And it won't let them know what's going on with these network probes. You can also drop the link "Reject", but this will also let them know that you have a running Linux firewall. For now, the less information that strangers have access to our system, the better. At least, that's what I think. )

Now you can use iptables to set up your firewall. I already did. Just like before, I rode my bike to work six miles away, and it was uphill on both sides. And now, I'm driving.

This is actually a metaphor for using FirewallD in the Fedora distribution and UFW (Uncomplicated Firewall) in the Debian distribution. These are easy-to-use shell front ends for iptables. You can find appropriate ways to use it in the following Linode guides: FirewallD and UFW.

Essentially, setting these rules is to put a "do not enter" sign on your server. Use it.

But don't be too excited to close all the links. For example:

Sudo ufw default deny incoming

Seems like a good idea. Don't forget, it forbids all links, including yourself!

Well, that's how it does it. This means that it also forbids the login of SSH. Which means you can no longer log on to your new server. WOW!

However, if you make a mistake, you will ban more links if you make a mistake. You see, the old driver is also blocked by you.

Or, more accurately, this is not an individual phenomenon encountered by you or your server. Of course, you are not the National Security Agency (NSA) that is attacked more than 300 million times a day. But the attack script doesn't care who you are. It just keeps checking for servers in the network that have known vulnerabilities. In a normal day, my own small server will be subjected to hundreds of attacks.

Thank you for reading! This is the end of the article on "how to lock the Linux server". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.