
How to Set Up System Security in Linux

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shares how to set up system security in Linux. Most people are probably not very familiar with the topic, so it is offered here for reference; I hope you learn a lot from it. Let's get started.

Configure sshd and disable root login

Example:

    vim /etc/ssh/sshd_config
    PermitRootLogin yes => PermitRootLogin no
    systemctl restart sshd.service
    netstat -tulnp | grep sshd

    vim /etc/ssh/sshd_config
    Port 22 => Port 20000
    systemctl restart sshd.service
    netstat -tulnp | grep sshd

    Protocol 2
    MaxAuthTries 3
    MaxSessions 2

System account security

CentOS has a PAM module, pam_tally2.so, that limits the number of failed logins. If the number of failures reaches the set threshold, the user is locked.

    vim /etc/pam.d/login

    #%PAM-1.0
    auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10
    auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session optional pam_keyinit.so force revoke
    session required pam_loginuid.so
    session include system-auth
    session optional pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open

even_deny_root: also restricts the root user.

deny: sets the maximum number of consecutive failed logins for ordinary users and the root user; once the maximum is exceeded, the user is locked.

unlock_time: sets how long after an ordinary user is locked the lock is released, in seconds.

root_unlock_time: sets how long after the root user is locked the lock is released, in seconds.

The module used here is pam_tally2; if pam_tally2 is not supported, you can use the pam_tally module instead. Different versions of PAM may also have different settings. For specific usage, refer to the documentation of the relevant module.

Note: add the line as the second line, directly under #%PAM-1.0. It must be written at the front; if it is written further down, the user is still locked, but as long as the user enters the correct password, they can still log in!
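As an added example (not part of the original article), the following Python code audits the text of an sshd_config file and a PAM service file for the settings described above: PermitRootLogin, MaxAuthTries and MaxSessions, and the placement of the pam_tally2.so rule as the first auth rule. The function names audit_sshd and audit_pam_tally2 are hypothetical, and the sample file contents are constructed from the article's own lines.

```python
# sshd_config values the article sets (keyword lowercased -> expected value).
SSHD_EXPECTED = {"permitrootlogin": "no", "maxauthtries": "3", "maxsessions": "2"}

def _rules(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields

def audit_sshd(text):
    """sshd uses the first value it reads for a keyword, so only that one is checked."""
    seen = {}
    for fields in _rules(text):
        if fields[0].lower() == "match":
            break  # conditional Match blocks are outside this check
        seen.setdefault(fields[0].lower(), " ".join(fields[1:]).lower())
    return [f"{key}: expected {want}, found {seen.get(key, 'unset')}"
            for key, want in SSHD_EXPECTED.items() if seen.get(key) != want]

def audit_pam_tally2(text):
    """The pam_tally2.so rule must be the first auth rule and set deny=."""
    auth = [f for f in _rules(text) if f[0] == "auth"]
    pos = next((i for i, f in enumerate(auth)
                if any(tok.endswith("pam_tally2.so") for tok in f)), None)
    if pos is None:
        return ["no auth rule calls pam_tally2.so"]
    findings = []
    if pos != 0:
        findings.append("pam_tally2.so is not the first auth rule")
    if not any(tok.startswith("deny=") for tok in auth[pos]):
        findings.append("pam_tally2.so rule lacks deny=")
    return findings

# Constructed samples: the article's login rule in place, then the same rule misplaced.
TALLY = "auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10"
PAM_GOOD = f"#%PAM-1.0\n{TALLY}\nauth include system-auth\naccount required pam_nologin.so\n"
PAM_BAD = f"#%PAM-1.0\nauth include system-auth\n{TALLY}\n"
SSHD_SAMPLE = "Port 20000\nPermitRootLogin yes\nMaxAuthTries 3\n#MaxSessions 10\n"

if __name__ == "__main__":
    print(audit_sshd(SSHD_SAMPLE), audit_pam_tally2(PAM_GOOD), audit_pam_tally2(PAM_BAD))
```

To audit a live host, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/login (or /etc/pam.d/sshd) to the two functions; an empty list means no findings.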
Remote user login settings

    vim /etc/pam.d/sshd

    #%PAM-1.0
    auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so

Check a user's number of failed logins:

    pam_tally2 --user mw

Unlock the specified user:

    pam_tally2 -r -u mw

Intranet security

1. Enable forwarding for all traffic on the intermediate machine

In /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run:

    sysctl -p
    iptables -t nat -A PREROUTING -p tcp --dport [port number to be forwarded] -j DNAT --to-destination [server IP to be forwarded]
    iptables -t nat -A PREROUTING -p udp --dport [port number to be forwarded] -j DNAT --to-destination [server IP to be forwarded]
    iptables -t nat -A POSTROUTING -p tcp -d [server IP to be forwarded] --dport [port number to be forwarded] -j SNAT --to-source [local machine IP]
    iptables -t nat -A POSTROUTING -p udp -d [server IP to be forwarded] --dport [port number to be forwarded] -j SNAT --to-source [local machine IP]
    service iptables save

That is all of the article "How to set system Security in Linux". Thank you for reading! I believe everyone now has a certain understanding, and I hope the content shared here helps you. If you want to learn more, you are welcome to follow the industry information channel!
