Basic security settings steps for centos7 server

Basic security settings steps for centos7 server

Turn off ping scanning, although it doesn't help

Switch to root first

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

1 means off

0 means on

Using iptables

iptables -I INPUT -p icmp -j DROP

Briefly introduce the basic security settings

1. Create a common user, prohibit root login, and only allow common users to use the su command to switch to root

The advantage of this is double password protection. Even if a hacker knows the password of an ordinary user, if he does not have the root password, his attack on the server is relatively limited.

The following are the specific steps (need to be under root)

Adding a normal user

useradd xxx

Set password

passwd xxx

This creates a normal user

Disable root login

vi /etc/ssh/sshd_config

PermitRootLogin no

Systemctl restart sshd

This completes the first step. After that, root cannot log in to the server and can only switch through ordinary user su

2. Modify the default port 22 of ssh. Because the port of ssh is 22, if we modify the port, they will need to spend a little time to scan, which slightly increases the difficulty.

The following will change the port to 51866. You can change it as needed. It is best to choose a port within 10000-65535.

Step 1 Modify /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

#Port 22 //Remove the # sign from this line

Port 51866 //Add this line below

Why don't you delete port 22 first, in case other ports are not configured successfully, and port 22 is deleted, you can't enter the server again

Step 2 Modify SELinux

Install semanage

$ yum provides semanage
$ yum -y install policycoreutils-python

Use the following command to view the ssh port currently allowed by SElinux:

semanage port -l | grep ssh

Add port 51866 to SELinux

semanage port -a -t ssh_port_t -p tcp 51866

Note: If the operation is unsuccessful, please refer to: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/

If it fails, it should be because selinux is not enabled

Then confirm whether it is added

semanage port -l | grep ssh

If successful, it will output

ssh_port_t tcp 51866, 22

Step 3 Restart ssh

systemctl restart sshd.service

Check if ssh is listening on port 51866

netstat -tuln

Step 4 Open port 51866 on the firewall

firewall-cmd --permanent --zone=public --add-port=51866/tcp

firewall-cmd --reload

Then test whether you can log in through 51866. If you can log in, it means success. Then delete port 22.

vi /etc/ssh/sshd_config

Delete port 22 wq

systemctl restart sshd.service

At the same time, the firewall also closes port 22

firewall-cmd --permanent --zone=public --remove-port=22/tcp

Note that if you are using Alibaba's server, you need to add new inbound rules to the security group in Alibaba (probably because Alibaba's server uses the intranet and port mapping is required)

3. Use some software like DenyHosts to prevent SSH brute force cracking (not introduced in detail)

In fact, it is a python script that checks for illegal logins. If the number of illegal logins exceeds the set number, the IP address will be automatically added to the blacklist.

4. Use Cloud Lock (not described in detail)

Reference: http://tim-fly.iteye.com/blog/2308234

In general, completing the first two steps can reduce at least 50% of intrusions. After completing the third step, more than 80% of intrusions can be basically eliminated. Of course, the most important thing is to have security awareness and learn more about security and Linux knowledge.

The third and fourth ones are briefly mentioned. If you are interested, you can take a look.

You may also be interested in:
  • Implementation steps for building a local web server on Centos8
  • How to Install and Configure Postfix Mail Server on CentOS 8
  • Install zip and unzip command functions under Linux and CentOS (server)
  • CentOS server security configuration strategy
  • How to install and configure ftp server in CentOS8.0
  • CentOS 7.2 builds nginx web server to deploy uniapp project
  • Detailed explanation of online deployment of NodeJs project CentOs linux server
  • Detailed tutorial on building Gitlab server on CentOS8.1

<<:  MySQL 8.0.15 winx64 installation and configuration method graphic tutorial

>>:  A tutorial on how to install, use, and automatically compile TypeScript

Recommend

Alibaba Cloud Server Domain Name Resolution Steps (Tutorial for Beginners)

For novices who have just started to build a webs...

Mysql accidental deletion of data solution and kill statement principle

mysql accidentally deleted data Using the delete ...

Implementation of multi-environment configuration (.env) of vue project

Table of contents What is multi-environment confi...

React non-parent-child component parameter passing example code

React is a JAVASCRIPT library for building user i...

JS uses canvas technology to imitate echarts bar chart

Canvas is a new tag in HTML5. You can use js to o...

Detailed tutorial on installing MariaDB on CentOS 8

MariaDB database management system is a branch of...

How to view the type of mounted file system in Linux

Preface As you know, Linux supports many file sys...

How to build a MySQL high-availability and high-performance cluster

Table of contents What is MySQL NDB Cluster Preli...

CentOS 8.0.1905 installs ZABBIX 4.4 version (verified)

Zabbix Server Environment Platform Version: ZABBI...

Summary of bootstrap learning experience-css style design sharing

Due to the needs of the project, I plan to study ...