Shulou(Shulou.com)06/02 Report--

1. New users:

Useradd dk

Passwd dk

Add the ordinary user dk to the sudo permission table, so that when dk wants permission, it will sudo + command:

Vi / etc/sudoers

Find root ALL= (ALL) ALL

Add a line below: new username ALL= (ALL) ALL

: x! Save exit

Ssh (key login):

1. Ssh key creation:

Ssh-keygen-t rsa

Enter enter

. Rename the public key file to authorized_keys

$mv id_rsa.pub authorized_keys

Set the directory .ssh permission to 700and the public key file authorized_keys to 644

$chmod 700.. / .ssh/

$chmod 644 authorized_keys

Download the id_rsa private key to your local location.

2. Modify the default port of sshd:

# vim / etc/ssh/sshd_config

# port 22 changed to

Port 2222

# usedns yes changed to

Usedns no

# PermitRootLogin yes changed to

PermitRootLogin no (finally change this, disable root remote login with ssh, disable password login)

# permitEmpt passwords yes changed to

PermitEmpt passwords no

# PasswordAuthentication yes changed to

PasswordAuthentication no

# print last login yes changed to

Print last login yes

# printmotd yes changed to

Printmotd yes

Modify the ssh connection warning message:

# vim / etc/motd

Warning! This is DKS centosystems!

Chkconfig sshd on

Service sshd restart

3. Firewall opens the ssh port.

Iptables-F

Iptables-X

Iptables-I INPUT-p tcp-- dport 2222-j ACCEPT

/ etc/init.d/iptables save

/ etc/init.d/iptables start

Chkconfig iptables on

4 、 selinux:

# setenforce 0 temporarily shuts down selinux

# vim / etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled permanent shutdown

Ip address:

# vim

/ etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

ONBOOT=yes

BOOTPROTO=static

IPADDR=192.168.1.63

PREFIX=24

GATEWAY=192.168.1.1

DNS1=8.8.8.8

NETMASK=255.255.255.0

Modify the dns address:

# etc/resolv.conf

Nameserver 114.114.114.114

# service

Network restart

Fail2ban:

# tar zxvf fail2ban-0.8.10.tar.gz

# cd fail2ban-0.8.10

# python setup.py install

# cd files

Cp. / redhat-initd / etc/init.d/fail2ban

# chkconfig-add fail2ban

# service fail2ban start

Note: if you restart iptables, you must also restart fail2ban, otherwise it will not take effect. The filter table of fail2ban is added after iptables starts.

II. Configuration

1. Fail2ban's own configuration

There are only three parameters in the default fail2ban.conf, and all of them have comments.

Vi / etc/fail2ban/fail2ban.conf

# default log level

Loglevel = 3

# Log storage path

Logtarget = / var/log/fail2ban.log

# location of socket

Socket = / tmp/fail2ban.sock

2. Fail2ban protection configuration

Global Settin

Vi / etc/fail2ban/jail.conf deceives the IP range if there are more than two groups using blanks as intervals

Ignoreip = 127.0.0.1 Compact 24 # blacklist / list of rejected links

Set the time (in seconds) when IP is blocked. If the value is-1, it means permanently blocked.

Bantime = 86400

Set the number of times to reach maxretry within a certain period of time.

Findtime = 600,

Set the number of times to reach maxretry within a certain period of time.

Maxretry = 3

Number of attempts allowed

Classification settin

# Protection against sshd violence

[ssh-iptables]

Enabled = true

Filter = sshd

Action = iptables [name=SSH, port=2222, protocol=tcp]

Sendmail-whois [name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]

Logpath = / var/log/secure

If there is an individual frequency setting, it will be set here.

Maxretry = 3

# Protection against vsftpd violence

[vsftpd-iptables]

Enabled = true

Filter = vsftpd

Action = iptables [name=VSFTPD, port=ftp, protocol=tcp]

Sendmail-whois [name=VSFTPD, dest=you@mail.com]

Logpath = / var/log/secure

Maxretry = 3

# chkconfig-- level 345 fail2ban on

# service fail2ban start

Test:

Echo "test mail | mail-s test@xuegod.cn"

Iptables-L

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.