In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Share
Shulou(Shulou.com)06/01 Report--
This article will explain in detail the example analysis of the basic security settings in the centos7 server. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.
Turn off ping scanning, although it is of no use to eggs
Switch to root first
Echo 1 > / proc/sys/net/ipv4/icmp_echo_ignore_all
1 means off.
0 means enable
Use iptables
Iptables-I INPUT-p icmp-j DROP
A brief introduction to the basic security settings
First, create ordinary users, disable root login, and only allow ordinary users to switch to root using the su command
The advantage of this is dual password protection. Even if a hacker knows the password of an ordinary user, if there is no root password, the attack on the server is relatively limited.
Here are the specific practices (need to be under root)
Add a normal user
Useradd xxx
Set password
Passwd xxx
In this way, an ordinary user is created.
Disable root login
Vi / etc/ssh/sshd_config
PermitRootLogin no
Systemctl restart sshd
This completes the first step, after which root cannot log in to the server and can only be switched through the ordinary user su
Second, modify the default port 22 of ssh, because the port of ssh is 22. If we modify this port, it will take them some time to scan, which makes it a little more difficult.
If you change the port to 51866, you can change it according to your needs. You'd better choose a port within 10000-65535.
Step1 modification / etc/ssh/sshd_config
Vi / etc/ssh/sshd_config
# Port 22 / / remove the # number from this line
Port 51866 / / add this line below
Why not delete 22 first, in case other ports are not configured successfully, but delete 22 and cannot enter the server again
Step2 modifies SELinux
Install semanage
$yum provides semanage
$yum-y install policycoreutils-python
Use the following command to view the ssh ports allowed by the current SElinux:
Semanage port-l | grep ssh
Add port 51866 to SELinux
Semanage port-a-t ssh_port_t-p tcp 51866
Note: the operation is not successful. Please refer to: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/
If it fails, the selinux should not be opened.
Then confirm whether to add it or not
Semanage port-l | grep ssh
If successful, it will output.
Ssh_port_t tcp 51866, 22
Step3 restart ssh
Systemctl restart sshd.service
Check to see if ssh is listening on port 51866
Netstat-tuln
Step4 firewall opens port 51866
Firewall-cmd-permanent-zone=public-add-port=51866/tcp
Firewall-cmd-reload
Then test whether you can log in through 51866. If you can log in, it means it is successful, and then delete port 22.
Vi / etc/ssh/sshd_config
Delete port 22 wq
Systemctl restart sshd.service
At the same time, the firewall also closes port 22.
Firewall-cmd-permanent-zone=public-remove-port=22/tcp
Note that if you are using Ali's server, you need to add new inbound rules to the security group in Ali (it should be because Ali's server uses a private network and port mapping is required)
Use some software similar to DenyHosts to prevent SSH brute force cracking (not described in detail)
In fact, it is a python script to check for illegal logins and automatically blacklist ip if the number of times exceeds the set number.
This is the end of the article on "sample Analysis of basic Security Settings in centos7 Server". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.