Security settings commonly used in VPS

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains the security settings commonly used on a VPS. The content is straightforward and easy to follow; work through it step by step.

1. Change the SSH port

vi /etc/ssh/sshd_config

Find #Port 22 (line 13), remove the #, and change it to Port 3333

Then restart the SSH service with the command below. Note: from now on, log in using the new port.

service sshd restart

2. Disable root login

First add a new account, here called 80st (the name can be anything):

useradd 80st

Set the password for the new account:

passwd 80st

Again edit /etc/ssh/sshd_config, line 39: #PermitRootLogin yes. Remove the leading #, change yes to no, and restart the SSH service. From now on, log in as the new account first and then su root to obtain root privileges:

login as: 80st

weidao@ip password: *

Last login: Tue Nov 22 15:18:18 2011 from 1.2.3.4

su root

Password: *   # enter the root password here
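The two sshd_config edits above can be applied as a script that is safe to re-run and that refuses to restart sshd on a broken configuration. This is an added example, not from the original article: it assumes the CentOS layout the article uses (/etc/ssh/sshd_config, service sshd, sshd at /usr/sbin/sshd) and that the non-root account from step 2 already exists, because disabling root login before that locks you out.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config
# changes from sections 1 and 2 idempotently and verify them before
# restarting. Assumptions: CentOS-style paths and "service sshd".
set -u

# set_sshd_option FILE KEY VALUE
# Replaces any existing "KEY ..." line (commented out or active) with
# "KEY VALUE", or appends it when the key is absent. Takes the file as a
# parameter so it can be exercised on a copy.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: prints the value of the first active KEY line
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the two changes the article makes
harden_sshd() {
    cfg=$1; port=$2
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
}

# Full procedure on a live host (not exercised by the test below).
apply_live() {
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd /etc/ssh/sshd_config 3333
    # sshd -t validates the config; restarting on an invalid one would
    # leave you with no way back in.
    if /usr/sbin/sshd -t; then
        service sshd restart
    else
        echo "sshd_config invalid, restoring backup" >&2
        cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        return 1
    fi
}
```

Keep the existing session open and open a second connection on the new port before closing it. On CentOS with SELinux enforcing, the new port must also be permitted (semanage port -a -t ssh_port_t -p tcp 3333) and allowed through the firewall, otherwise the restart succeeds but no connection on port 3333 is accepted.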

3. Use DDoS Deflate to mitigate simple CC and DDoS attacks

Use netstat to inspect the current connections to the VPS and confirm that it is under attack:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The number before each IP is its connection count. For a normal website, a few dozen to around 100 connections from one IP are normal; several hundred or thousands suggest that the connections between that IP and your VPS may be suspicious.

You can use iptables to permanently block access from that IP:

iptables -A INPUT -s 12.34.56.78 -j DROP

DDoS Deflate can detect and ban such IPs automatically. First confirm that the iptables service is running (it is installed by default on CentOS):

service iptables status

Install DDoS Deflate:

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod +x install.sh

./install.sh

After installation, edit /usr/local/ddos/ddos.conf. The main change is APF_BAN=1 to APF_BAN=0, because iptables will be used to block the suspicious connections. Also check EMAIL_TO="root", so that you receive an email whenever an IP is banned:

# Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                      # scheduled execution entry
APF="/etc/apf/apf"
IPT="/sbin/iptables"

# frequency in minutes for running the script
# Caution: Every time this setting is changed, run the script with --cron
# option so that the new frequency takes effect
FREQ=1   # check interval; the default is 1 minute

# How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # connections per IP above which the IP is blocked; the default is usually fine

# APF_BAN=1 (Make sure your APF version is atleast 0.96)
# APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1   # use APF or iptables; iptables is recommended, so change this to 0

# KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
# KILL=1 (Recommended setting)
KILL=1   # whether to actually block IPs; the default is fine

# An email is sent to the following address when an IP is banned.
# Blank would suppress sending of mails
EMAIL_TO="root"   # mailbox notified when an IP is blocked; recommended, change it to your own address

# Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600   # ban duration; the default is 600 s, adjust as needed

4. Use iftop to view network details

Install iftop:

yum -y install flex byacc libpcap ncurses ncurses-devel libpcap-devel

wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz

tar zxvf iftop-0.17.tar.gz

cd iftop-0.17

./configure

make && make install

After installation, run iftop to inspect the network. TX is sent traffic, RX received traffic and TOTAL the sum; Cumm is the cumulative traffic since iftop started, peak the peak rate, and rates the average traffic over the last 2, 10 and 40 seconds respectively.

Shortcut keys: h shows help, n toggles resolving IPs to hostnames, s toggles display of the source (local) host, d toggles display of the destination (remote) host, N toggles showing port numbers as service names, and b toggles the bar graph.

5. Upgrade Nginx in LNMP to the latest version

The latest version at the time of writing is 0.8.53. If a newer version is released later, just change the version number and run the following over SSH:

wget http://www.nginx.org/download/nginx-0.8.53.tar.gz

tar zxvf nginx-0.8.53.tar.gz

cd nginx-0.8.53

./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module

make

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old

cd objs/

cp nginx /usr/local/nginx/sbin/

/usr/local/nginx/sbin/nginx -t

kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`

/usr/local/nginx/sbin/nginx -v

cd ..

cd ..

rm -rf nginx-0.8.53

rm -rf nginx-0.8.53.tar.gz
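The binary-upgrade sequence above (copy new binary, USR2 to the old master, QUIT the old master) works because the old master starts a new master that rewrites nginx.pid; if the new binary fails to start, sending QUIT anyway leaves you with no nginx at all. The script below is an added example, not from the article or the LNMP project: it wraps the same steps with a version comparison, a config test of the new binary against the live config (assumed at /usr/local/nginx/conf/nginx.conf), a wait for the new master, and a rollback to the saved binary.

```shell
#!/bin/sh
# Added example (not from the original article): the nginx binary-upgrade
# steps from the section above, guarded so that a bad build or config never
# replaces the running server. Paths follow the LNMP layout the article uses.
NGINX_PREFIX=${NGINX_PREFIX:-/usr/local/nginx}
NGINX_BIN="$NGINX_PREFIX/sbin/nginx"
PID_FILE="$NGINX_PREFIX/logs/nginx.pid"
CONF_FILE="$NGINX_PREFIX/conf/nginx.conf"   # assumed default config path

# version_from_banner: extract "0.8.53" from `nginx -v` output such as
# "nginx version: nginx/0.8.53" (read from stdin; nginx prints it to stderr)
version_from_banner() {
    sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# version_lt A B: true when dotted version A is older than B
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -1)" = "$1" ]
}

# wait_for_pid_change PIDFILE OLDPID: after USR2 the new master rewrites
# nginx.pid; allow up to 10 seconds before giving up
wait_for_pid_change() {
    i=0
    while [ "$i" -lt 10 ]; do
        [ -f "$1" ] && [ "$(cat "$1")" != "$2" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# upgrade_nginx NEW_BINARY: NEW_BINARY is the freshly built objs/nginx
upgrade_nginx() {
    new=$1
    running=$("$NGINX_BIN" -v 2>&1 | version_from_banner)
    candidate=$("$new" -v 2>&1 | version_from_banner)
    if ! version_lt "$running" "$candidate"; then
        echo "running $running is not older than $candidate, nothing to do" >&2
        return 1
    fi
    # Test the new binary against the live config before touching anything
    "$new" -t -c "$CONF_FILE" || return 1
    oldpid=$(cat "$PID_FILE")
    cp "$NGINX_BIN" "$NGINX_BIN.old"
    cp "$new" "$NGINX_BIN"
    kill -USR2 "$oldpid"                # old master forks a new master
    if wait_for_pid_change "$PID_FILE" "$oldpid"; then
        kill -QUIT "$oldpid"            # old master shuts down gracefully
    else
        echo "new master did not start; restoring old binary" >&2
        cp "$NGINX_BIN.old" "$NGINX_BIN"
        return 1
    fi
}
```

Run it as upgrade_nginx /path/to/nginx-0.8.53/objs/nginx after make. The saved nginx.old is the same rollback the article keeps, so the manual recovery (copy it back, USR2 again) still applies if the new master accepts connections but misbehaves afterwards.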

6. Commonly used netstat commands:

1. Count all connections on port 80

netstat -nat | grep -i "80" | wc -l

2. Sort the connecting IPs by number of connections

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

3. View TCP connection states

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}'

netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'

netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'

netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

4. View the 20 IPs with the most connections on port 80

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20

5. Use tcpdump to sniff traffic to port 80 and see which source IP sends the most

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

6. Find IPs with many TIME_WAIT connections

netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

7. Find IPs with many SYN connections

netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
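The per-IP and per-state counting that section 3 and the netstat list above do with one-liners can be written as functions that read netstat-style output from stdin, so the same logic runs on a saved capture and can be checked against known input. This is an added example, not from the original article; the netstat lines it contains are constructed, not real traffic, and it handles IPv4 rows only because tcp6 peers such as ::ffff:203.0.113.7:51234 do not split cleanly on ":".

```shell
#!/bin/sh
# Added example (not from the original article): connection counting over
# `netstat -ant`-style output, as functions reading stdin. Sample data below
# is constructed for illustration.

# Constructed sample of `netstat -ant` output (IPv4 only)
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:3333           192.0.2.10:55000        ESTABLISHED
EOF
}

# connections_to_port PORT: rows whose local address ends in :PORT. This is
# stricter than `grep 80`, which also matches port 8080 or any address that
# happens to contain "80".
connections_to_port() {
    awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") && $5 !~ /\*$/'
}

# connections_per_ip: "count ip" per peer, highest first; LISTEN rows
# (peer 0.0.0.0:*) are skipped
connections_per_ip() {
    awk '$1 == "tcp" && $5 !~ /\*$/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# connections_by_state: "count STATE", highest first
connections_by_state() {
    awk '$1 == "tcp" { s[$NF]++ } END { for (k in s) print s[k], k }' | sort -rn
}

# suspicious_ips THRESHOLD: peers with at least THRESHOLD connections, the
# same idea as NO_OF_CONNECTIONS in ddos.conf; one IP per line
suspicious_ips() {
    connections_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# show_ban_commands THRESHOLD: prints, but does not run, the iptables rule
# for each candidate so the list can be reviewed against known-good sources
# (your own monitoring host, a CDN, a NAT gateway) before anything is blocked
show_ban_commands() {
    suspicious_ips "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}
```

On a live host replace sample_netstat with netstat -ant (or ss -ant on newer systems, where the peer address is the fifth column as well). Rules added with iptables by hand are lost at reboot unless saved (service iptables save on CentOS 6), which is one reason to let DDoS Deflate manage temporary bans with BAN_PERIOD instead of adding permanent DROP rules for every noisy IP.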
