
How to configure server security policy in CentOS

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

How do you configure a server security policy in CentOS? Many people with little experience are unsure where to start, so this article walks through the problem and its solutions. I hope it helps you solve it.

1. Change the default SSH port 22 and open the new port in the firewalld firewall

Steps:

1) Change the default SSH port 22:

vi /etc/ssh/sshd_config

Find the "Port 22" line, uncomment it if necessary, and set it to the new port (48489 in the firewall commands below).

2) Let the firewall pass the new port. Rules added with --permanent are only written to the saved configuration; they take effect after a reload.

firewall-cmd --state [check whether firewalld is running]

firewall-cmd --permanent --list-ports [view the list of open ports]

firewall-cmd --permanent --zone=public --add-port=48489/tcp [add the port]

firewall-cmd --permanent --remove-port=48489/tcp [delete the port]

firewall-cmd --reload [apply the permanent rules to the running firewall]

3) Restart the SSH service, then leave the current SSH session:

service sshd restart

4) Connect again with an SSH client such as PuTTY on the new port. The default port 22 should no longer accept an SSH connection. If both are true, the change is complete.

2. Disable direct login of the root account

The default administrator account on Linux is root, and anyone who knows the root password can log in to SSH directly. Preventing root from logging in directly over SSH improves server security. It is done with the following steps.

1) Create a new account and set its password:

useradd ityangs

passwd ityangs

2) Disallow direct root login:

vi /etc/ssh/sshd_config

Look for the line "#PermitRootLogin yes", remove the leading "#", change the trailing "yes" to "no", and save the file.

systemctl restart sshd.service [restart ssh; another way to restart it]

3) Logging in from now on:

First log in with the new account "ityangs" as an ordinary user.

To obtain root permissions, run the following command in the SSH session:

su root

After running the command and entering the root password, you have root permissions.
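The following script is an added example, not code from the article: it applies the changes from sections 1 and 2 (new Port, PermitRootLogin no) to sshd_config in a repeatable way, checks the syntax before restarting sshd, and opens the firewall port first so the session is not lost. It assumes CentOS with firewalld and uses port 48489 as the article does; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the article): set the two sshd_config directives from
# steps 1 and 2 repeatably, check the syntax, open the firewall port, then restart.
set -eu

# set_sshd_option FILE KEY VALUE: put "KEY VALUE" at the top of FILE. sshd uses
# the first occurrence of a directive, and a directive placed after a Match block
# would apply only to that block, so the top of the file is the safe spot.
set_sshd_option() {
    file=$1 key=$2 value=$3
    _tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        # drop an existing top-level (column 0) setting of the same key;
        # commented lines and indented Match-block entries are left alone
        grep -Ev "^${key}"'([[:space:]]|$)' "$file" || :
    } > "$_tmp"
    cat "$_tmp" > "$file" && rm -f "$_tmp"   # keeps FILE's owner and mode
}

# get_sshd_option FILE KEY: print the value sshd will use (first uncommented line)
get_sshd_option() {
    grep -E "^${2}[[:space:]]+" "$1" | head -n 1 | awk '{ print $2 }'
}

# apply_hardening PORT: the full procedure from steps 1 and 2 of the article
apply_hardening() {
    port=$1
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%s)"          # backup in case of lockout
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    sshd -t -f "$cfg"                            # abort on a syntax error before restarting
    # Not covered by the article: on an SELinux-enforcing host the new port must
    # also be labelled, e.g. semanage port -a -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --zone=public --add-port="$port/tcp"
    firewall-cmd --reload                        # --permanent rules apply only after a reload
    systemctl restart sshd
    echo "sshd now listens on $(get_sshd_option "$cfg" Port); test a new login before closing this session"
}

if [ "${1:-}" = apply ]; then
    apply_hardening "${2:-48489}"
fi
```

Run it as root with "apply" (and optionally a port) to make the changes; without arguments it only defines the functions.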

4) Switching to root with su under WinSCP (when remote root login over SSH is disabled)

Remote login for root is now restricted, but the important data files are mode 700, and WinSCP can no longer do its job: because root cannot log in, protocols such as FTP, SFTP and SCP offer no way to switch user after logging in.

The SCP protocol lets you specify the shell used at login. The default is /bin/bash, but it can be changed to something else, for example sudo su -

That creates a new problem: sudo asks for a password, and WinSCP has no interactive prompt at login. With root permissions, run visudo and add the following line to remove the sudo password prompt for this user:

yourusername ALL=NOPASSWD: ALL

To allow sudo outside a PuTTY (tty) session, also comment out the following line:

Defaults requiretty

Save the file, and you can log in to WinSCP with root privileges. Keep in mind that NOPASSWD: ALL makes that account equivalent to root for anyone who obtains its password or key, so grant it only to the one account that needs it.

Steps:

Log in over SSH as the ordinary user and switch to root permissions.

Run visudo, add the line yourusername ALL=NOPASSWD: ALL, and comment out Defaults requiretty:

[root@iZ252wo3Z ~]# visudo

ityangs ALL=NOPASSWD: ALL

# Defaults requiretty [if this line is not present, nothing needs to be done]

In WinSCP, set the file protocol to SCP.

Under SCP/Shell, set the shell to sudo su -

Then log in to WinSCP.

3. Install DenyHosts [blocks the IPs that attack the server and keeps a blacklist so they cannot try again]

DenyHosts (project home page: http://denyhosts.sourceforge.net/) is a tool that runs on Linux to stop SSH brute-force password attacks. It can be downloaded from http://sourceforge.net/projects/denyhosts/files/; the downloaded DenyHosts-2.6.tar.gz source package is then uploaded to the Linux system.

The installation process is as follows:

tar zxvf DenyHosts-2.6.tar.gz # unpack the source package

cd DenyHosts-2.6 # enter the unpacked directory

python setup.py install # install DenyHosts

cd /usr/share/denyhosts/ # default installation path

cp denyhosts.cfg-dist denyhosts.cfg # denyhosts.cfg is the configuration file

cp daemon-control-dist daemon-control # daemon-control is the launcher

chown root daemon-control # make root the owner

chmod 700 daemon-control # make it executable by root only

ln -s /usr/share/denyhosts/daemon-control /etc/init.d # symlink daemon-control into init.d for easier management

The installation is complete at this step.

/etc/init.d/daemon-control start # start denyhosts

chkconfig daemon-control on # start denyhosts at boot

vi /usr/share/denyhosts/denyhosts.cfg # edit the configuration file; the active settings can be listed with grep -v "^#" denyhosts.cfg

SECURE_LOG = /var/log/secure # ssh log file; the Red Hat family uses /var/log/secure, Mandrake and FreeBSD use /var/log/auth.log,
# SUSE uses /var/log/messages. This is explained in detail in the configuration file.

HOSTS_DENY = /etc/hosts.deny # the file that controls which hosts may log in

PURGE_DENY = 30m # how long a banned entry stays before it is purged; here 30 minutes
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years

BLOCK_SERVICE = sshd # name of the service to block; DenyHosts is not limited to SSH

DENY_THRESHOLD_INVALID = 1 # number of failures allowed for invalid (non-existent) users

DENY_THRESHOLD_VALID = 3 # number of failures allowed for ordinary users

DENY_THRESHOLD_ROOT = 3 # number of failures allowed for root

DAEMON_LOG = /var/log/denyhosts # the path where DenyHosts stores its log file. Default is

After changing the DenyHosts configuration, restart the DenyHosts service for the change to take effect:

/etc/init.d/daemon-control restart # restart denyhosts
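The following is an added example, not code from the article or the DenyHosts project: it applies the three DENY_THRESHOLD_* values from the configuration above to sshd log lines and prints the hosts.deny entries that would result, which is useful for checking what the chosen thresholds will block before enabling them. The log lines are constructed samples in the format sshd writes to /var/log/secure; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the article): apply DenyHosts' three thresholds to
# sshd "Failed password" lines and print the resulting /etc/hosts.deny entries.
DENY_THRESHOLD_INVALID=1
DENY_THRESHOLD_VALID=3
DENY_THRESHOLD_ROOT=3
BLOCK_SERVICE=sshd

# Constructed sample of /var/log/secure lines (not taken from a real system).
SAMPLE_LOG='Jan 18 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2
Jan 18 10:00:05 host sshd[1002]: Failed password for ityangs from 198.51.100.7 port 41001 ssh2
Jan 18 10:00:09 host sshd[1003]: Failed password for ityangs from 198.51.100.7 port 41002 ssh2
Jan 18 10:00:13 host sshd[1004]: Failed password for root from 192.0.2.9 port 41003 ssh2
Jan 18 10:00:17 host sshd[1005]: Failed password for root from 192.0.2.9 port 41004 ssh2
Jan 18 10:00:21 host sshd[1006]: Failed password for root from 192.0.2.9 port 41005 ssh2
Jan 18 10:00:25 host sshd[1007]: Accepted password for ityangs from 198.51.100.7 port 41006 ssh2'

# deny_candidates: read log lines on stdin; print "sshd: IP" for every IP whose
# failure count in any one category (invalid user, valid user, root) reaches
# that category's threshold. Accepted logins are ignored, as DenyHosts does.
deny_candidates() {
    awk -v inv="$DENY_THRESHOLD_INVALID" -v val="$DENY_THRESHOLD_VALID" \
        -v rt="$DENY_THRESHOLD_ROOT" -v svc="$BLOCK_SERVICE" '
    /sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)   # source IP follows "from"
        if ($0 ~ /for invalid user /)    cat = "invalid"
        else if ($0 ~ /for root from /)  cat = "root"
        else                             cat = "valid"
        n[cat, ip]++
        seen[ip] = 1
    }
    END {
        for (ip in seen)
            if (n["invalid", ip] >= inv || n["valid", ip] >= val || n["root", ip] >= rt)
                print svc ": " ip
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | deny_candidates
```

With the thresholds above, the single invalid-user attempt and the three root attempts are listed, while the user with two failures is not. To try it on a real host, replace the sample with "cat /var/log/secure | deny_candidates".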

After reading the above, have you learned how to configure server security policies in CentOS? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
