Basic security settings steps for centos7 server

Turn off ping scanning, although it doesn't help

Switch to root first

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

1 means off

0 means on

Using iptables

iptables -I INPUT -p icmp -j DROP

Briefly introduce the basic security settings

1. Create a common user, prohibit root login, and only allow common users to use the su command to switch to root

The advantage of this is double password protection. Even if a hacker knows the password of an ordinary user, if he does not have the root password, his attack on the server is relatively limited.

The following are the specific steps (need to be under root)

Adding a normal user

useradd xxx

Set password

passwd xxx

This creates a normal user

Disable root login

vi /etc/ssh/sshd_config

PermitRootLogin no

Systemctl restart sshd

This completes the first step. After that, root cannot log in to the server and can only switch through ordinary user su

2. Modify the default port 22 of ssh. Because the port of ssh is 22, if we modify the port, they will need to spend a little time to scan, which slightly increases the difficulty.

The following will change the port to 51866. You can change it as needed. It is best to choose a port within 10000-65535.

Step 1 Modify /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

#Port 22 //Remove the # sign from this line

Port 51866 //Add this line below

Why don't you delete port 22 first, in case other ports are not configured successfully, and port 22 is deleted, you can't enter the server again

Step 2 Modify SELinux

Install semanage

$ yum provides semanage
$ yum -y install policycoreutils-python

Use the following command to view the ssh port currently allowed by SElinux:

semanage port -l | grep ssh

Add port 51866 to SELinux

semanage port -a -t ssh_port_t -p tcp 51866

Note: If the operation is unsuccessful, please refer to: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/

If it fails, it should be because selinux is not enabled

Then confirm whether it is added

semanage port -l | grep ssh

If successful, it will output

ssh_port_t tcp 51866, 22

Step 3 Restart ssh

systemctl restart sshd.service

Check if ssh is listening on port 51866

netstat -tuln

Step 4 Open port 51866 on the firewall

firewall-cmd --permanent --zone=public --add-port=51866/tcp

firewall-cmd --reload

Then test whether you can log in through 51866. If you can log in, it means success. Then delete port 22.

vi /etc/ssh/sshd_config

Delete port 22 wq

systemctl restart sshd.service

At the same time, the firewall also closes port 22

firewall-cmd --permanent --zone=public --remove-port=22/tcp

Note that if you are using Alibaba's server, you need to add new inbound rules to the security group in Alibaba (probably because Alibaba's server uses the intranet and port mapping is required)

3. Use some software like DenyHosts to prevent SSH brute force cracking (not introduced in detail)

In fact, it is a python script that checks for illegal logins. If the number of illegal logins exceeds the set number, the IP address will be automatically added to the blacklist.

4. Use Cloud Lock (not described in detail)

Reference: http://tim-fly.iteye.com/blog/2308234

In general, completing the first two steps can reduce at least 50% of intrusions. After completing the third step, more than 80% of intrusions can be basically eliminated. Of course, the most important thing is to have security awareness and learn more about security and Linux knowledge.

The third and fourth ones are briefly mentioned. If you are interested, you can take a look.