
What are the security settings of the Linux server

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article focuses on the security settings of a Linux server; interested readers may wish to take a look. The methods introduced here are simple, fast and practical.

Having finally bought a server, it would be a real shame to have it hacked through your own negligence.

Here are some simple ways to improve the security of a server. This is how my cloud server is configured. Although it is troublesome, I feel more at ease.

Modify the ssh login configuration

Open the ssh configuration file:

    vim /etc/ssh/sshd_config

Modify the following:

    # Change the SSH port. It is best to change it to a value above 10000,
    # which also reduces the probability of others finding the port by scanning.
    # If you find this troublesome, you don't have to change it.
    Port 10000
    # Disable the version 1 protocol; because of its design defects,
    # passwords are easy to crack.
    Protocol 2
    # Do not allow root login under any circumstances.
    PermitRootLogin no
    # Forbid login with an empty password.
    PermitEmptyPasswords no

The firewall must open the configured port number. On an Alibaba Cloud server you also need to open the corresponding port in the Alibaba Cloud console, otherwise you will not be able to log in.

Once PermitRootLogin no takes effect, you can no longer log in directly as root. Log in with a normal account, then use su to switch to the root account. Note that there is a slight difference between su and su -. The key is the environment variables: those set up by su - are more complete.

Finally, you need to restart the sshd service:

    service sshd restart

Prohibit the system from responding to any external/internal ping requests

    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Its default value is 0.
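A check of the sshd settings described above, as an added example that is not part of the original article. The function names and the sample file are constructed for illustration; only the global section of the file is examined, and Include files are not followed.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file against the settings above.
# Assumption: only the global section is checked; Include files are not followed.

# Print the effective global value of a keyword. sshd uses the first value it
# reads, keywords are case-insensitive, and '#' lines are comments.
sshd_value() {  # usage: sshd_value <file> <keyword>
  awk -v key="$2" '
    /^[ \t]*#/             { next }   # commented-out settings do not count
    tolower($1) == "match" { exit }   # global section ends at the first Match
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Print one finding per line; return 0 when clean, 1 otherwise.
audit_sshd() {  # usage: audit_sshd <file>
  local file="$1" findings=0 port root empty
  port=$(sshd_value "$file" Port)
  root=$(sshd_value "$file" PermitRootLogin)
  empty=$(sshd_value "$file" PermitEmptyPasswords)
  if [ "${port:-22}" = 22 ]; then
    echo "Port: still the default 22"; findings=1
  fi
  if [ "$root" != no ]; then
    echo "PermitRootLogin: '${root:-unset}', expected 'no'"; findings=1
  fi
  if [ "${empty:-no}" != no ]; then
    echo "PermitEmptyPasswords: '$empty', expected 'no'"; findings=1
  fi
  return "$findings"
}

# Constructed sample (not a real server's file): root login is only commented
# out as "no", and the stricter value sits inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 10000
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
Match User backup
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "=> fix the findings before restarting sshd"
rm -f "$sample"
```

Running sshd -t checks the file's syntax before the restart. Keeping the current SSH session open until a fresh login on the new port succeeds avoids locking yourself out.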

User management

Here are the basic user management commands

View user list: cat /etc/passwd
View group list: cat /etc/group
View currently logged-in users: who
View user login history: last

It is generally necessary to delete the unnecessary users and groups that exist in the system by default, so that others cannot use them for brute-force attacks:

    userdel sync
    userdel shutdown
    # Extra users to delete in total: sync shutdown halt uucp operator games gopher
    groupdel adm
    groupdel games
    # Redundant user groups to delete in total: adm lp games dip

Accounts and passwords in Linux are based on the four files /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, so you need to change their attributes to improve security:

    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/gshadow

To restore them, change +i to -i and execute the four commands above again.

Note on the i attribute: the file cannot be modified, deleted or renamed, no link to it can be created, and no data can be written or appended to it. Only root can set this attribute. While it is set, commands that write these files, such as adduser and passwd, fail until it is removed.

Create a new user

Create a new user: adduser username

Change the user's password: passwd username

An ordinary user has full permissions only under their own home directory; permissions on other directories have to be granted by others. Root permission is often required, and sudo lets you operate as root. I remember that I once created a file with sudo and then found that I had no read or write permission on it; checking the permissions showed that the file had been created by root. Linux system commands are still very important. We recommend taking a look at "120 must-know commands commonly used in Linux systems".

The sudoers file is read-only by default. To modify it, you need to add write permission first:

    chmod -v u+w /etc/sudoers

Then you can add content. Add the new user (see the methods under "Give root permission"), save and exit with :wq, and remember to take back the write permission:

    chmod -v u-w /etc/sudoers

Give root permission

Method 1: modify the /etc/sudoers file, find the following line, and remove the comment marker (#) in front of it:

    ## Allows people in group wheel to run all commands
    # Remove the comment marker (#) in front of the following line
    %wheel    ALL=(ALL)    ALL

Then modify the user to belong to the root group (wheel), as follows:

    usermod -g root uusama

After the modification, you can log in with your uusama account and then use the command su - to get root permission.

Method 2 (recommended): modify the /etc/sudoers file, find the following line, and add a line under root, as follows:

    ## Allow root to run any commands anywhere
    root      ALL=(ALL)    ALL
    uusama    ALL=(ALL)    ALL

After the modification, you can log in with your uusama account and then use the command sudo -s to get root permission.

Method 3: modify the /etc/passwd file, find the following line, and change the user ID to 0, as shown below:

    uusama:x:500:500:tommy:/home/uusama:/bin/bash

Modified as follows:

    uusama:x:0:500:tommy:/home/uusama:/bin/bash

Save the file. After logging in with the uusama account, you will directly have the permissions of the root account.
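An account with UID 0 is root whatever its name, so it is worth knowing which accounts have it. The following added example (not part of the original article) audits a passwd-format file for extra UID 0 accounts, which is what Method 3 produces, and for the default accounts the article lists for deletion. The function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a passwd-format file
# (name:password:UID:GID:comment:home:shell) for two conditions from this page.

# Accounts the article lists as unnecessary.
UNNEEDED="sync shutdown halt uucp operator games gopher"

# Print every account other than root whose UID is 0 (what Method 3 produces).
extra_uid0() {  # usage: extra_uid0 <passwd-file>
  awk -F: '$1 != "root" && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Print the listed default accounts that are still present.
leftover_accounts() {  # usage: leftover_accounts <passwd-file>
  local name
  for name in $UNNEEDED; do
    if grep -q "^${name}:" "$1"; then echo "$name"; fi
  done
}

# Print a report; return 0 when nothing is flagged, 1 otherwise.
audit_passwd() {  # usage: audit_passwd <passwd-file>
  local rc=0 name
  for name in $(extra_uid0 "$1"); do
    echo "UID 0 besides root: $name"; rc=1
  done
  for name in $(leftover_accounts "$1"); do
    echo "default account still present: $name"; rc=1
  done
  return "$rc"
}

# Constructed sample (not a real system's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
uusama:x:0:500:tommy:/home/uusama:/bin/bash
nginx:x:498:498:nginx:/var/lib/nginx:/sbin/nologin
EOF
audit_passwd "$sample" || echo "=> review the accounts listed above"
rm -f "$sample"
```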

At this point, you should have a deeper understanding of the security settings of a Linux server; you might as well try them out in practice.
