Shulou(Shulou.com)06/01 Report--

This article will explain in detail the example analysis of the basic security settings in the centos7 server. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

Turn off ping scanning, although it is of no use to eggs

Switch to root first

Echo 1 > / proc/sys/net/ipv4/icmp_echo_ignore_all

1 means off.

0 means enable

Use iptables

Iptables-I INPUT-p icmp-j DROP

A brief introduction to the basic security settings

First, create ordinary users, disable root login, and only allow ordinary users to switch to root using the su command

The advantage of this is dual password protection. Even if a hacker knows the password of an ordinary user, if there is no root password, the attack on the server is relatively limited.

Here are the specific practices (need to be under root)

Add a normal user

Useradd xxx

Set password

Passwd xxx

In this way, an ordinary user is created.

Disable root login

Vi / etc/ssh/sshd_config

PermitRootLogin no

Systemctl restart sshd

This completes the first step, after which root cannot log in to the server and can only be switched through the ordinary user su

Second, modify the default port 22 of ssh, because the port of ssh is 22. If we modify this port, it will take them some time to scan, which makes it a little more difficult.

If you change the port to 51866, you can change it according to your needs. You'd better choose a port within 10000-65535.

Step1 modification / etc/ssh/sshd_config

Vi / etc/ssh/sshd_config

# Port 22 / / remove the # number from this line

Port 51866 / / add this line below

Why not delete 22 first, in case other ports are not configured successfully, but delete 22 and cannot enter the server again

Step2 modifies SELinux

Install semanage

$yum provides semanage

$yum-y install policycoreutils-python

Use the following command to view the ssh ports allowed by the current SElinux:

Semanage port-l | grep ssh

Add port 51866 to SELinux

Semanage port-a-t ssh_port_t-p tcp 51866

Note: the operation is not successful. Please refer to: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/

If it fails, the selinux should not be opened.

Then confirm whether to add it or not

Semanage port-l | grep ssh

If successful, it will output.

Ssh_port_t tcp 51866, 22

Step3 restart ssh

Systemctl restart sshd.service

Check to see if ssh is listening on port 51866

Netstat-tuln

Step4 firewall opens port 51866

Firewall-cmd-permanent-zone=public-add-port=51866/tcp

Firewall-cmd-reload

Then test whether you can log in through 51866. If you can log in, it means it is successful, and then delete port 22.

Vi / etc/ssh/sshd_config

Delete port 22 wq

Systemctl restart sshd.service

At the same time, the firewall also closes port 22.

Firewall-cmd-permanent-zone=public-remove-port=22/tcp

Note that if you are using Ali's server, you need to add new inbound rules to the security group in Ali (it should be because Ali's server uses a private network and port mapping is required)

Use some software similar to DenyHosts to prevent SSH brute force cracking (not described in detail)

In fact, it is a python script to check for illegal logins and automatically blacklist ip if the number of times exceeds the set number.

This is the end of the article on "sample Analysis of basic Security Settings in centos7 Server". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.