Recently our server has been hit repeatedly by brute-force login attempts. After a rough analysis of the intrusion behaviour we collected the security measures we commonly apply. The guiding principle: minimum permissions + minimum services = maximum security.
1. Change the default SSH port (22) and open the new port in firewalld
1) Change the default SSH port from 22 to an unused high port (48489 is used in the examples below):
    vi /etc/ssh/sshd_config
    Find the line "#Port 22", remove the leading "#", change 22 to 48489, and save the file.
2) Allow the new port through the firewall:
    firewall-cmd --state                                          [check whether firewalld is running]
    firewall-cmd --permanent --list-ports                         [view the port list]
    firewall-cmd --permanent --zone=public --add-port=48489/tcp   [add the port]
    firewall-cmd --permanent --remove-port=48489/tcp              [delete the port]
    firewall-cmd --reload                                         [--permanent rules only take effect after a reload]
    On a host where SELinux is enforcing, sshd may also only bind to port 22 until the new port is labelled: semanage port -a -t ssh_port_t -p tcp 48489
3) Restart the SSH service; the current SSH session can then be closed (keeping it open until step 4 succeeds avoids a lock-out if the new port turns out to be unreachable):
    service sshd restart
4) Connect again with an SSH client such as PuTTY. A login on the default port 22 must now be refused, while the new port works. If that is the case, the change is done.
2. Disable direct login by the root account
The default Linux administrator account is root, so anyone who knows the root password can log in to SSH directly. Disabling root login over SSH improves server security. The steps:
1) Create a new account and set its password:
    useradd ityangs
    passwd ityangs
2) Disallow direct root login:
    vi /etc/ssh/sshd_config
    Find the line "#PermitRootLogin yes", remove the leading "#", change "yes" to "no", and save the file.
    systemctl restart sshd.service      [restart sshd; another way to restart it]
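The two sshd_config changes above can be verified from a script. This is an added example, not part of the original post: it reads the file the way sshd does (the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and global options end at the first Match block) and checks that the port is not 22 and PermitRootLogin is "no". Only the "Keyword value" form is handled, not "Keyword=value".

```shell
# Added example, not from the original post: read sshd_config the way sshd does
# (first uncommented occurrence of a keyword wins, keywords are case-insensitive,
# global options end at the first Match block) and verify the two changes made
# above. Only the "Keyword value" form is handled, not "Keyword=value".
sshd_option() {
    # $1 = path to sshd_config, $2 = keyword; prints the active value, or nothing
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "match"   { exit }       # options below Match are conditional
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

check_ssh_hardening() {
    # returns 0 when sshd listens on a port other than 22 and root login is off
    port=$(sshd_option "$1" Port)
    root=$(sshd_option "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ -z "$port" ] && port=22              # no active Port line means the default, 22
    [ "$port" != "22" ] && [ "$root" = "no" ]
}

# On a live host: report the state of the real configuration file (skipped if unreadable).
if [ -r /etc/ssh/sshd_config ]; then
    if check_ssh_hardening /etc/ssh/sshd_config; then
        echo "sshd: non-default port and PermitRootLogin no"
    else
        echo "sshd: still on port 22 or root login not disabled"
    fi
fi
```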
3) From now on, log in with the newly created account "ityangs" as a normal user. To obtain root privileges, run the following in the SSH session and enter the root password:
    su root
4) Tip: switching to root with su under WinSCP when remote root SSH login is prohibited
Remote login of the root user is now blocked, but the important data files are all mode 700 and owned by root. Worse, WinSCP becomes useless: the root account cannot log in, and FTP, SFTP and SCP offer no way to switch users after login. The SCP protocol, however, lets you specify the shell used at login. The default and recommended one is /bin/bash, but it can be changed to something else, such as sudo su -. That raises a new problem: sudo asks for a password, and a WinSCP login has no interactive step in which to enter it. The prompt can be removed by running visudo as root and adding the line
    yourusername ALL=NOPASSWD: ALL
To use sudo from a session without a terminal (WinSCP rather than PuTTY), also comment out the line
    Defaults requiretty
Save the file, and WinSCP logins get root. Keep in mind that this makes the ityangs credentials equivalent to root for anyone who obtains them, which removes much of the benefit of PermitRootLogin no, so limit the rule to that one account and protect its password accordingly.
Steps: as the ordinary user, ssh to the server and switch to root; run visudo, add the line yourusername ALL=NOPASSWD: ALL and comment out Defaults requiretty:
    [root@iZ252wo3Z ~]# visudo
    ityangs ALL=NOPASSWD: ALL
    #Defaults requiretty            [if this line is not present, there is nothing to comment out]
Then in WinSCP change the file protocol to SCP,
under Environment > SCP/Shell set the shell to sudo su -,
and log in to WinSCP.
3. Install DenyHosts [intercepts attacking IPs, generates a blacklist and blocks further attempts]
DenyHosts (project homepage: http://denyhosts.sourceforge.net/) is a program that runs on Linux to stop SSH brute-force attacks. Download it from http://sourceforge.net/projects/denyhosts/files/, then upload the DenyHosts-2.6.tar.gz source package to the Linux system. The installation:
    tar zxvf DenyHosts-2.6.tar.gz                          #unpack the source package
    cd DenyHosts-2.6                                       #enter the unpacked directory
    python setup.py install                                #install DenyHosts
    cd /usr/share/denyhosts/                               #default installation path
    cp denyhosts.cfg-dist denyhosts.cfg                    #denyhosts.cfg is the configuration file
    cp daemon-control-dist daemon-control                  #daemon-control is the start script
    chown root daemon-control                              #make root its owner
    chmod 700 daemon-control                               #make it executable (by root only)
    ln -s /usr/share/denyhosts/daemon-control /etc/init.d  #symlink daemon-control into /etc/init.d for easy management
The installation is now complete.
    /etc/init.d/daemon-control start                       #start denyhosts
    chkconfig daemon-control on                            #start denyhosts at boot
Edit the configuration file:
    vi /usr/share/denyhosts/denyhosts.cfg
To list only the active parameters of the configuration file: grep -v "^#" denyhosts.cfg
    SECURE_LOG = /var/log/secure        #ssh log file. The Red Hat family uses /var/log/secure; Mandrake and FreeBSD use /var/log/auth.log; SUSE uses /var/log/messages. The configuration file explains this in detail.
    HOSTS_DENY = /etc/hosts.deny        #file that controls which hosts may log in
    PURGE_DENY = 30m                    #how long a blocked host stays in the deny list before the entry is purged; here 30 minutes ('m' = minutes, 'h' = hours, 'd' = days, 'w' = weeks, 'y' = years)
    BLOCK_SERVICE = sshd                #name of the service to block; DenyHosts is not limited to SSH
    DENY_THRESHOLD_INVALID = 1          #failed attempts allowed for invalid (non-existent) users
    DENY_THRESHOLD_VALID = 3            #failed attempts allowed for normal users
    DENY_THRESHOLD_ROOT = 3             #failed attempts allowed for root
    DAEMON_LOG = /var/log/denyhosts     #path of the DenyHosts log file (the default)
After changing the DenyHosts configuration, restart the service for it to take effect:
    /etc/init.d/daemon-control restart  #restart denyhosts
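To make the three DENY_THRESHOLD_* values concrete, here is an added example (not from the original post and not DenyHosts' own code) that applies them to /var/log/secure-style lines and prints the hosts.deny entries ("sshd: <ip>") that would result. The log lines are constructed; the addresses are documentation ranges.

```shell
# Added example, not from the original post or from DenyHosts itself: apply the
# three DENY_THRESHOLD_* values configured above to /var/log/secure-style lines
# and print the hosts.deny entries ("sshd: <ip>") DenyHosts would add. The log
# lines below are constructed; the IPs are documentation ranges.
DENY_THRESHOLD_INVALID=1
DENY_THRESHOLD_VALID=3
DENY_THRESHOLD_ROOT=3

SAMPLE_LOG='Jan 10 10:01:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:01:05 host sshd[1235]: Failed password for root from 198.51.100.7 port 51235 ssh2
Jan 10 10:01:06 host sshd[1236]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jan 10 10:01:07 host sshd[1237]: Failed password for ityangs from 192.0.2.9 port 51237 ssh2
Jan 10 10:01:08 host sshd[1238]: Failed password for ityangs from 192.0.2.9 port 51238 ssh2
Jan 10 10:01:09 host sshd[1239]: Failed password for ityangs from 192.0.2.9 port 51239 ssh2
Jan 10 10:02:00 host sshd[1240]: Accepted publickey for ityangs from 192.0.2.10 port 51240 ssh2'

denylist_candidates() {
    # reads log lines on stdin; prints one "sshd: <ip>" line per host that reached a threshold
    awk -v inv="$DENY_THRESHOLD_INVALID" -v val="$DENY_THRESHOLD_VALID" \
        -v rt="$DENY_THRESHOLD_ROOT" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($0 ~ /for invalid user /)   { kind = "invalid" }   # user does not exist
            else if ($0 ~ /for root from /) { kind = "root" }
            else                            { kind = "valid" }     # existing non-root user
            n[ip, kind]++
        }
        END {
            for (k in n) {
                split(k, p, SUBSEP); ip = p[1]; kind = p[2]
                lim = (kind == "invalid") ? inv : (kind == "root") ? rt : val
                if (n[k] >= lim && !(ip in seen)) { seen[ip] = 1; print "sshd: " ip }
            }
        }' | sort
}

# Demonstration: 203.0.113.5 (1 invalid-user failure) and 192.0.2.9 (3 failures for
# a real user) are listed; 198.51.100.7 (2 root failures, threshold 3) is not yet.
printf '%s\n' "$SAMPLE_LOG" | denylist_candidates
```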
Well, this is the end of this article. Friends in need can refer to it.