What are the security skills of centos server?

2025-04-02 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Which hardening steps should a freshly installed CentOS server get? Administrators new to the platform often do not know where to start, so this article walks through the basic measures: moving and locking down SSH, restricting root and sudo, putting a firewall with automatic brute-force blocking in front of the machine, locking dormant accounts, and turning off services the server does not need.

There are some basics every system administrator should already know by heart, so they are not covered further here:

Keep the system up to date

Change passwords regularly and use a mix of numbers, upper- and lower-case letters and non-alphanumeric symbols

Give users the minimum permissions their daily work needs

Install only the packages that are really needed

Change the SSH default port

The first thing to do after setting up a brand-new server is to move SSH off its default port. This one small change keeps the server out of the bulk of automated brute-force attempts, which are aimed at port 22. Be clear about what it is, though: a port scan finds the new port in seconds, so this is noise reduction, not protection. The real security comes from key-only, non-root login and the firewall, both covered below.

To change the default SSH port, first open the sshd_config file:

sudo vim /etc/ssh/sshd_config

Find the following line:

#Port 22

The "#" marks the line as a comment, so sshd is currently using its compiled-in default of 22. Delete the "#" and replace 22 with the port you want. Valid port numbers run from 1 to 65535; make sure the one you pick is not already used by the system or by another service (Wikipedia's list of well-known port numbers is a handy reference, and ss -tlnp shows what is currently listening). This article uses:

Port 16543

Save and close the file. The new port does not become active until sshd is restarted, which is done below, after the remaining sshd_config changes. Two things must be in place before that restart or you will lock yourself out: the new port has to be allowed through the firewall, and on a CentOS system with SELinux enforcing, sshd is only permitted to bind to ports labelled ssh_port_t, so the new port must be added to that type (with semanage) first. Keep your existing session open and confirm that a fresh connection on the new port works before closing it.

Use SSH key authentication

Authenticating with SSH keys rather than passwords is the most important change for a server reachable over SSH. A key cannot be guessed by a brute-force attacker the way a password can, and once password login is turned off (next step) only the holders of an authorized private key can get in.

Run the following command on your local machine (not on the server) to generate a key pair. RSA keys should be at least 4096 bits; on a current OpenSSH, -t ed25519 is the better choice where both ends support it:

ssh-keygen -t rsa -b 4096

You will see output like the following, asking where to write the key and for a passphrase. Set one: it encrypts the private key on disk, so a copied key file is useless to whoever took it:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): my_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
SHA256:MqD/pzzTRsCjZb6mpfjyrr5v1pJLBcgprR5tjNoI20A

When this finishes you have two files:

my_key (the private key; it never leaves your machine)

my_key.pub (the public key, which goes on the server)

Next, the public key has to end up in ~/.ssh/authorized_keys for your user on the server. The article does this by first copying it to that name locally:

cp my_key.pub ~/.ssh/authorized_keys

and then uploading that file into the user's ~/.ssh directory on the server with scp (-P is the port sshd is listening on right now: 22 until the port change above has gone live, 16543 afterwards):

scp -P 16543 ~/.ssh/authorized_keys user@yourserver-ip:/home/user/.ssh/

Two cautions. Both commands overwrite any authorized_keys that already exists, locally and on the server, so append to an existing file instead of copying over it. And the remote ~/.ssh directory must exist and be mode 700 with authorized_keys mode 600, both owned by the user; otherwise sshd (with its default StrictModes yes) silently ignores the file. ssh-copy-id does the append and the permission fixes for you and is the safer way to do this step.

Either way, you can now log in from this machine with the key instead of the account password, typing the key's passphrase rather than the password. Because the key is not at the default path ~/.ssh/id_rsa, pass it to ssh with -i my_key or add an IdentityFile entry for the server to ~/.ssh/config.
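As an added example, not code from the original article or from the OpenSSH project, the following POSIX shell function does the server-side half of the cp/scp step above safely: it appends the uploaded public key only if it is not already present and sets the permissions that sshd's StrictModes check requires. The file paths, the function names and the sample key used in the test are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article or from OpenSSH: install a
# public key into authorized_keys without clobbering existing keys, and with
# the permissions sshd's StrictModes check requires. Paths are assumptions.

install_authorized_key() {
    # usage: install_authorized_key <pubkey-file> [authorized_keys-path]
    pub=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$auth")

    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # Refuse anything else, e.g. a private key file passed by mistake.
    # (Lines with a leading options field such as from="..." are not handled.)
    keyline=$(head -n 1 "$pub")
    case "$keyline" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "install_authorized_key: $pub is not an OpenSSH public key" >&2; return 1 ;;
    esac
    set -- $keyline            # split on whitespace: $1=type $2=blob
    ktype=$1
    blob=$2

    # sshd silently ignores the file unless ~/.ssh is 700 and the file is 600
    # (both owned by the user), so fix the permissions every time.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Already present? Compare type and blob only; the comment may differ.
    if awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        return 0
    fi
    printf '%s\n' "$keyline" >> "$auth"
}

count_authorized_keys() {
    # Number of key lines in an authorized_keys file (comments and blanks skipped).
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# Stand-alone use on the server:  sh install_authorized_key.sh my_key.pub [path]
if [ $# -ge 1 ]; then
    install_authorized_key "$@"
fi
```

Running it twice with the same key leaves a single entry, which is what makes it safe to put in a provisioning script; ssh-copy-id performs the same append-and-chmod sequence over an SSH connection.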

Turn off password authentication for SSH

Now that key login works (verify it in a separate session before you continue), turn password authentication off so that a guessed or leaked password is no longer enough to get in. Open sshd_config again and set:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes

The original article sets UsePAM to no here. Leave it at yes on CentOS: the stock Red Hat sshd_config warns that UsePAM no is unsupported, and turning PAM off also disables the account and session checks (account locks and expiry, access.conf, login limits) that PAM performs. With PasswordAuthentication and ChallengeResponseAuthentication both off, PAM cannot be used to log in with a password anyway. On newer OpenSSH releases the second directive is called KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias.

Turn off root login

The next key step is to stop root from logging in directly over SSH and to do administrative work through sudo (or su) from an ordinary account instead. First you need an unprivileged user who is allowed to escalate, which means editing the sudoers file:

/etc/sudoers

Always edit it with visudo rather than a plain editor: visudo checks the syntax before it saves, and a syntax error in sudoers can lock everyone out of sudo, including you.

Next, grant a user sudo rights. This article uses the user sysadmin; make sure the account you name actually exists on the system. Find the line:

root ALL=(ALL) ALL

Copy it onto the next line and change root to sysadmin:

root ALL=(ALL) ALL
sysadmin ALL=(ALL) ALL

(Recent CentOS releases ship a sudoers file with the %wheel ALL=(ALL) ALL rule already enabled, so adding the user to the wheel group is the equivalent, and more conventional, way to do this.)

The four fields of that line mean:

(1) root (2) ALL= (3) (ALL) (4) ALL

(1) the user (or, with a leading %, the group) the rule applies to

(2) the host(s) on which the rule applies; this is not a terminal, and ALL is the normal value on a single machine

(3) the target user(s) the commands may be run as (chosen with sudo -u)

(4) the commands that may be run

(LCTT translator's note: so the line above means that root may, on any host, act as any user and run any command.)

Field (4) is where least privilege lives: instead of ALL, list the specific tools a user needs as a comma-separated list of full command paths, and that user can run only those.

With the line in place, save the file.

To close direct root access over SSH, open sshd_config once more and find:

#PermitRootLogin yes

Change it to:

PermitRootLogin no

Save the file and restart sshd so that the accumulated changes (new port, key-only login, no root) take effect. Before you do, check the file for mistakes with sshd -t and keep your current session open: after the restart, open a second terminal and confirm that sysadmin can log in on the new port with the key and can sudo, because a typo here locks you out. Restart with:

sudo /etc/init.d/sshd restart

On systemd-based releases (CentOS 7 and later) restart the sshd unit with systemctl instead.
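The three sshd_config edits above (custom port, password authentication off, root login off) are one procedure, and doing them by hand on several servers is where typos creep in. The script below is an added example, not code from the original article or from the OpenSSH project: it sets each directive idempotently (whether the line is live, commented out, duplicated or missing), rejects an invalid port, and on a real server backs the file up, registers the port with SELinux, validates with sshd -t and only then restarts. The config path and port are taken from the command line; semanage, sshd and systemctl are assumed to be present only when they actually are.

```shell
#!/bin/sh
# Added example, not from the original article or from the OpenSSH project:
# apply the sshd_config changes from the sections above (custom port, no
# password login, no root login) idempotently, then validate before restart.
# Assumptions: POSIX sh and awk; the config path and port are given as
# arguments; semanage/sshd/systemctl are only used if present.

set_sshd_option() {
    # usage: set_sshd_option <config-file> <Directive> <value>
    # Replaces the first occurrence of the directive, whether it is live
    # ("Port 22") or commented out ("#Port 22"), drops any later duplicates,
    # and appends the directive if it was absent. Keywords are matched
    # case-insensitively, as sshd does. Directives inside Match blocks are
    # treated like any other line, so use this on the global section only.
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip a leading "#"
            n = split(line, f, "[ \t]+")
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next                                 # drop duplicates/comments
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

get_sshd_option() {
    # usage: get_sshd_option <config-file> <Directive>
    # Prints the value of the last live (uncommented) occurrence, or nothing.
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { v = $2 }
        END { print v }
    ' "$1"
}

harden_sshd_config() {
    # usage: harden_sshd_config <config-file> <ssh-port>
    cfg=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "harden_sshd_config: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "harden_sshd_config: port $port out of range 1-65535" >&2
        return 1
    fi
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" UsePAM yes           # keep PAM on CentOS (see above)
}

# Stand-alone use on a real server:  sh harden_sshd.sh /etc/ssh/sshd_config 16543
if [ $# -eq 2 ]; then
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || exit 1
    harden_sshd_config "$1" "$2" || exit 1
    # SELinux (enforcing on CentOS) only lets sshd bind to ports of type ssh_port_t.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$2" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$2"
    fi
    # Refuse to restart on a config sshd itself rejects; then restart, keeping
    # the current session open to test the new port from a second terminal.
    sshd -t -f "$1" || { echo "sshd_config failed validation, not restarting" >&2; exit 1; }
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd
    else
        service sshd restart
    fi
fi
```

Open the firewall for the new port before running this on a live machine; the script validates the sshd side but cannot know what your firewall allows.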

Set up a firewall

A firewall controls which ports are reachable inbound and outbound, and a good one also blocks the sources of repeated login failures. The article uses CSF (ConfigServer Security & Firewall). It drives iptables, is easy to manage, and comes with a web interface for administrators who are not comfortable on the command line. Two caveats: CSF expects to own the iptables rules, so on CentOS 7 and later the default firewalld has to be stopped and disabled before CSF is installed; and you are downloading a third-party script and running it as root, so make sure it really comes from configserver.com over HTTPS.

To install CSF, log in to the server and change to this directory:

cd /usr/local/src/

Then, as root, run:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

When the installer finishes, edit CSF's configuration file:

/etc/csf/csf.conf

By default CSF runs in testing mode, in which a cron job flushes the rules every few minutes so that a mistake cannot lock you out permanently. Once the configuration is right, switch to production mode by setting TESTING to 0:

TESTING = "0"

Next set the ports the server accepts. Find this section in csf.conf and adjust the lists to the services you actually run (comma-separated, no spaces):

# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

Go through these one by one. Open only the ports you need, avoid broad port ranges, and do not expose the plaintext variant of a service that has an encrypted one. The article's example for mail is to let clients submit only on 465 (SMTPS) and 587 (submission with STARTTLS) rather than on plain SMTP port 25; note, however, that a server which receives mail from other mail servers still needs 25 open, because server-to-server delivery uses it. (LCTT translator's note: this only applies if your mail server supports SMTPS.)

Important: TCP_IN must include your custom SSH port (16543 here). If it does not, your SSH sessions are cut off the moment CSF goes into production mode.

Make sure your own IP address can always get through. CSF uses two separate files for this. Addresses listed in

/etc/csf/csf.allow

are permitted through the firewall, and addresses listed in

/etc/csf/csf.ignore

are ignored by lfd, CSF's login failure daemon, so they are never blocked for failed logins. Put your management address in both. Addresses lfd has blocked appear, with the reason, in:

/etc/csf/csf.deny

After changing the configuration, restart CSF and lfd:

sudo /etc/init.d/csf restart

On systemd-based releases restart the csf and lfd units instead; csf -r reloads just the firewall rules.

To show what CSF buys you, here is part of the csf.deny file from a live server:

211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar: 30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015

Each entry is an address that lfd blocked automatically after five failed SSH logins within an hour (the threshold is configurable in csf.conf), together with the trigger, the country and the time. Brute-forcers are shut out with no manual work, which makes csf.deny, and the matching lfd log lines, worth a periodic review to see where the pressure is coming from.
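A deny file on a busy server runs to hundreds of lines, so a summary is more useful than reading it top to bottom. The following shell function is an added example, not from the original article or from ConfigServer: it parses entries in the csf.deny format shown above and counts them by trigger and country. The sample entries in the block are constructed in that format (the function and file names are assumptions as well).

```shell
#!/bin/sh
# Added example, not from the original article or from ConfigServer: summarise
# lfd's csf.deny entries by trigger and country so a quick review shows where
# the brute-force traffic comes from. The entry format is the one shown above:
#   <ip> # lfd: (<trigger>) ... from <ip> (<CC>/<Country>/<rdns>): <n> in the last <secs> secs - <date>
# The sample entries below are constructed from that format (not a real deny file).

summarize_csf_deny() {
    # usage: summarize_csf_deny [csf.deny ...]   (reads stdin if no file is given)
    # Output: one "<trigger> <CC> <count>" line per combination, sorted.
    awk '
        /^[ \t]*#/ || NF == 0 { next }                  # comments, blank lines
        {
            trigger = "unknown"; cc = "??"
            # "(sshd)" style trigger tag: lower-case token in parentheses
            if (match($0, /\([a-z0-9_-]+\)/))
                trigger = substr($0, RSTART + 1, RLENGTH - 2)
            # "(KR/Korea, Republic of/-)" style geo tag: two capitals then "/"
            if (match($0, /\([A-Z][A-Z]\//))
                cc = substr($0, RSTART + 1, 2)
            count[trigger " " cc]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

sample_csf_deny() {
    # Constructed sample in csf.deny format (entries modelled on the ones above).
    cat <<'EOF'
# constructed sample in csf.deny format
211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar  6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar  6 03:49:03 2015
198.51.100.7 # lfd: (ftpd) Failed FTP login from 198.51.100.7 (US/United States/-): 10 in the last 3600 secs - Fri Mar  6 04:12:00 2015
EOF
}

# Stand-alone use:  sh summarize_csf_deny.sh /etc/csf/csf.deny
if [ $# -eq 0 ]; then
    sample_csf_deny | summarize_csf_deny
else
    summarize_csf_deny "$@"
fi
```

With the sample input the output is four lines, one per trigger and country pair, which on a real server is usually enough to decide whether a whole network block belongs in csf.deny by hand or whether the SSH port needs further restriction.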

Lock the account

If an account will not be used for a long time, lock it so nobody else can use it:

passwd -l accountName

Of course, root can still switch into the locked account with su. (LCTT translator's note.) Be aware, too, that passwd -l only disables the password (it prefixes the hash in /etc/shadow with "!"): an SSH key in that user's authorized_keys keeps working, because public key authentication never consults the password. To lock an account completely, expire it as well, for example with usermod -L -e 1 or chage -E 0.

Understand the services on the server

A server exists to provide services, so run only the ones it needs and shut the rest down. That frees some resources and, more importantly, removes listening ports and code paths an attacker could use. A headless server, for instance, has no use for an X display server or a desktop environment, and if you do not need Windows-style file sharing, Samba can safely go.

To list the services that start at boot on a SysV-init release (CentOS 6 and earlier):

chkconfig --list | grep "3:on"

On a systemd release (CentOS 7 and later):

systemctl list-unit-files --type=service | grep enabled

To stop a service from starting at boot:

chkconfig service off

or

systemctl disable service

Replace "service" with the name of the service you really want to stop, for example:

chkconfig httpd off

or

systemctl disable httpd

Disabling only affects the next boot, so stop the running instance as well (with service or systemctl stop), and compare what is actually listening before and after with ss -tlnp or netstat -tlnp so that nothing unexpected is left open.

That covers the basic hardening of a CentOS server: a non-default SSH port with key-only, non-root login; sudo for administration; a firewall that blocks brute-force sources automatically; locked dormant accounts; and only the services the machine needs. Which of these do you use, and what else is on your checklist?
