CentOS 7 Server Basic Security Setup Steps
- 2021-07-09 09:43:27
- OfStack
Disable ping replies, even though this is of little real use
Switch to root first
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
1 means ping replies are disabled
0 means they are enabled
Or with iptables
iptables -I INPUT -p icmp -j DROP
A brief introduction to the basic security settings
1. Create an ordinary user, prohibit root login over SSH, and only allow that ordinary user to switch to root with the su command
The advantage is double password protection: even if an attacker learns the ordinary user's password, without the root password the damage they can do to the server is relatively limited.
The specific steps follow (must be run as root)
Add ordinary users
useradd xxx
Set password
passwd xxx
This creates an ordinary user
Disable root login
vi /etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
This completes step 1; from now on root cannot log in to the server directly and can only be reached by an ordinary user running su
2. Change the default SSH port 22. Everyone knows SSH listens on 22, so if we move it, attackers first have to scan for the new port, which makes things a little harder for them
Below the port is changed to 51866; choose your own as needed, preferably within 10000-65535
step1 Modify /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
#Port 22 // remove the # from this line
Port 51866 // add this line below it
Why not delete 22 right away? In case the new port is not configured successfully you would lock yourself out of the server; delete 22 only after the new port works
step2 Modify SELinux
Install semanage
yum provides semanage
yum -y install policycoreutils-python
Use the following command to view the SSH ports currently allowed by SELinux:
semanage port -l | grep ssh
Add Port 51866 to SELinux
semanage port -a -t ssh_port_t -p tcp 51866
Note: if the operation fails, refer to: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/
If it fails, SELinux is probably not enabled
Then confirm that the port has been added
semanage port -l | grep ssh
Output if successful
ssh_port_t tcp 51866, 22
step3 Restart sshd
systemctl restart sshd.service
Check whether sshd is listening on port 51866
netstat -tuln
step4 Open port 51866 in the firewall
firewall-cmd --permanent --zone=public --add-port=51866/tcp
firewall-cmd --reload
Then test whether you can log in through port 51866. If you can, the change worked; only then remove port 22
vi /etc/ssh/sshd_config
Delete the Port 22 line and save with :wq
systemctl restart sshd.service
At the same time, close port 22 in the firewall as well
firewall-cmd --permanent --zone=public --remove-port=22/tcp
Note that if you use an Alibaba Cloud server, you also need to add an inbound rule for the new port to the security group in the Alibaba Cloud console (presumably because the server sits on an internal network and the port has to be mapped)
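Before deleting Port 22 it is worth confirming that the edits from steps 1 and 2 actually ended up in sshd_config. The following audit script is an added example, not part of the original post: it parses a copy of sshd_config (the sample configs it runs on are constructed, not real server files) and reports whether PermitRootLogin is no and whether port 22 is still enabled.

```bash
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# two settings this guide changes, without touching the live system.
# Usage: audit_sshd_config /etc/ssh/sshd_config  -> exit 0 if hardened, 1 otherwise.

# Print the effective (uncommented) values of one sshd_config keyword, one per
# line. Commented lines such as "#Port 22" start with "#Port" and are skipped.
sshd_values() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2 }' "$1"
}

audit_sshd_config() {
  cfg="$1"
  status=0
  root_login=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
  ports=$(sshd_values "$cfg" Port)

  # Step 1 of the guide: root must not be able to log in over SSH at all.
  if [ "$root_login" != "no" ]; then
    echo "FAIL: PermitRootLogin is '${root_login:-unset}', expected 'no'"
    status=1
  fi

  # Step 2: a non-default port must be configured and port 22 removed.
  if [ -z "$ports" ]; then
    echo "FAIL: no Port line, sshd will listen on the default port 22"
    status=1
  fi
  for p in $ports; do
    if [ "$p" = "22" ]; then
      echo "WARN: Port 22 is still enabled (remove it once the new port works)"
      status=1
    fi
  done
  [ "$status" -eq 0 ] && echo "OK: root login disabled, listening only on:" $ports
  return "$status"
}

# Constructed sample configs for a dry run (not real server files).
tmp=$(mktemp)
printf '#Port 22\nPort 51866\nPermitRootLogin no\n' > "$tmp"
audit_sshd_config "$tmp"            # hardened: prints OK
printf '#Port 22\nPort 51866\nPort 22\n#PermitRootLogin yes\n' > "$tmp"
audit_sshd_config "$tmp" || true    # mid-migration: prints FAIL and WARN
rm -f "$tmp"
```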
3. Use software such as DenyHosts to prevent SSH brute-force attacks (not described in detail)
It is essentially a Python script that checks for failed logins and automatically adds the source IP to the blacklist once the number of failures exceeds the configured threshold.
4. Use Cloud Lock (not described in detail)
Reference from http://tim-fly.iteye.com/blog/2308234
Generally speaking, the first two steps can reduce intrusions by at least 50%, and after the third step more than 80% of intrusions can be basically eliminated. Of course, the most important thing is to have security awareness and to keep learning about security and Linux.
Points 3 and 4 are only mentioned briefly; if you are interested, look into them further