CentOS 7 Server Basic Security Setup Steps

  • 2021-07-09 09:43:27
  • OfStack

Ignore ping (ICMP echo requests). This hides very little, since attackers locate hosts by port scanning anyway, but it cuts down on noise.

Switch to root first

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

1 means ignore all ICMP echo requests (the host stops answering ping); 0 means answer them again.

Writing to /proc takes effect immediately but is lost at reboot. To make it persistent, add the line net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf and load it with sysctl -p.

Alternatively, with iptables:

iptables -I INPUT -p icmp -j DROP

Two caveats: this rule drops every ICMP type, not only echo requests, so it also blocks the destination-unreachable messages that path MTU discovery depends on; matching only --icmp-type echo-request is safer. And on CentOS 7 firewalld owns the netfilter rule set, so a rule inserted by hand is not persistent and may disappear on the next firewalld reload.

The basic security settings, briefly:

1. Create an ordinary user, disable root login over SSH, and only allow that user to become root with the su command

The benefit is two passwords: even if an attacker learns the ordinary user's password, without the root password the damage is limited. Note that by default any user may attempt su; to restrict it to members of the wheel group, enable the pam_wheel.so line in /etc/pam.d/su and add the user to wheel (usermod -aG wheel xxx).

The specific steps follow (all of them are run as root)

Add ordinary users

useradd xxx

Set password

passwd xxx

This creates a normal user

Disable root login over SSH

vi /etc/ssh/sshd_config

PermitRootLogin no

Replace any existing PermitRootLogin line rather than adding a second one: sshd uses the first value it finds for a key, and a line placed after a Match block applies only to that block.

systemctl restart sshd

This completes step 1. From now on root cannot log in over SSH; you log in as the ordinary user and su to root. Before closing your current session, open a second terminal and confirm the new login works, so that a mistake in the config does not lock you out.

2. Change the default SSH port 22. Every scanner and brute-force bot tries 22 first. Moving sshd to another port does not stop a targeted attacker (a full port scan still finds it), but it removes most of the automated noise.

Below the port is changed to 51866; pick any port you like, preferably in the range 10000-65535 and not already in use on the host.

Step 1: edit /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

Port 22      (this line is commented out by default; remove the leading #)

Port 51866   (add this line below it)

Do not delete Port 22 yet. If the new port turns out not to be reachable (SELinux, the firewall or a cloud security group not yet updated), you would be locked out of the server.

Step 2: register the new port with SELinux

Install semanage, which is provided by the policycoreutils-python package (yum provides semanage shows this):

yum provides semanage
yum -y install policycoreutils-python

Use the following command to view the ports SELinux currently allows for ssh:

semanage port -l | grep ssh

Add Port 51866 to SELinux

semanage port -a -t ssh_port_t -p tcp 51866

Note: if the operation fails, see: https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/

The usual reason for a failure is that SELinux is not enabled on the machine; check with getenforce, and if it prints Disabled there is nothing to register and this step can be skipped. If the error says the port is already defined, use -m instead of -a to modify the existing mapping.

Then confirm that the port was added:

semanage port -l | grep ssh

If it succeeded the output is:

ssh_port_t tcp 51866, 22

Step 3: restart sshd

systemctl restart sshd.service

Check that sshd now listens on port 51866 (on a minimal install without net-tools, ss -tln shows the same information):

netstat -tuln

Step 4: open port 51866 in the firewall

firewall-cmd --permanent --zone=public --add-port=51866/tcp

firewall-cmd --reload

Then, from a second terminal, test logging in on port 51866 (ssh -p 51866 xxx@server). Only when that works, remove port 22:

vi /etc/ssh/sshd_config

Delete the Port 22 line, then save and quit (:wq)

systemctl restart sshd.service

Also close port 22 in the firewall. On CentOS 7 the public zone allows port 22 through the predefined ssh service rather than through a port rule, so removing only the port rule changes nothing; remove the service as well and reload:

firewall-cmd --permanent --zone=public --remove-port=22/tcp
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload

Note: on Alibaba Cloud ECS (and other cloud providers) the instance also sits behind a security group. Add an inbound rule for 51866/tcp there too, otherwise the port is blocked before traffic ever reaches the host.
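The sshd_config edits in steps 1 and 2 are easy to get subtly wrong: sshd honours only the first value of a key, lines after a Match block apply to that block only, and the explicit Port 22 has to stay until the new port is proven. The script below is an added example, not code from the original article. It rehearses the edits on a constructed copy of sshd_config so they can be checked before the live file is touched, and its apply_new_port function bundles the root-only SELinux, firewalld, syntax-check and restart steps in the order the article gives them. It assumes CentOS 7 tools (awk, ss, getenforce, semanage, firewall-cmd, systemctl) and the article's example port 51866; nothing in it runs as root unless you call apply_new_port yourself.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent sshd_config edits
# for steps 1 and 2, rehearsed on a copy of the file.
# Assumptions: CentOS 7 userland and the article's example port 51866.

# prepend_line FILE LINE: put LINE at the top of FILE while keeping FILE's
# inode (and so its owner, mode and SELinux label) intact.
prepend_line() {
    local tmp
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$2"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# delete_global_option FILE KEY [VALUE]: drop active "KEY ..." lines that sit
# before the first Match block (only those whose value is VALUE, if given).
# Commented-out lines and Match-scoped lines are left alone; keywords are
# compared case-insensitively, as sshd does.
delete_global_option() {
    local tmp
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="${3:-}" '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        in_match || tolower($1) != tolower(key) || (val != "" && $2 != val) { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# set_sshd_option FILE KEY VALUE: for single-valued keys such as PermitRootLogin.
# sshd takes the FIRST value it meets, and anything after a Match block belongs
# to that block, so the new line goes at the top of the file, never the bottom.
set_sshd_option() {
    delete_global_option "$1" "$2" && prepend_line "$1" "$2 $3"
}

# active_ports FILE: ports sshd would listen on (global Port lines only).
# With no Port line sshd defaults to 22, which is why the article uncomments
# "Port 22" instead of relying on the default while 51866 is added.
active_ports() {
    awk '/^[[:space:]]*Match[[:space:]]/ { exit } tolower($1) == "port" { print $2 }' "$1"
}

# add_sshd_port / remove_sshd_port FILE PORT: Port may be listed several
# times, so 22 and the new port coexist until the new one is proven to work.
add_sshd_port() {
    active_ports "$1" | grep -qx "$2" || prepend_line "$1" "Port $2"
}
remove_sshd_port() {
    delete_global_option "$1" Port "$2"
}

# valid_port PORT: numeric and inside the article's recommended 10000-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 10000 ] && [ "$1" -le 65535 ]
}

# apply_new_port PORT: the root-only part of step 2, in the article's order:
# SELinux label, firewalld, config syntax check, restart, listen check.
# Call it only after the edits above have been applied to the live file.
apply_new_port() {
    local port=$1
    valid_port "$port" || { echo "refusing port '$port'" >&2; return 1; }
    # semanage only works while SELinux is enabled (the article's failure note);
    # "-a" fails if the port is already labelled, in which case "-m" updates it.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    firewall-cmd --permanent --zone=public --add-port="$port/tcp" && firewall-cmd --reload
    sshd -t && systemctl restart sshd      # never restart on a config sshd rejects
    ss -tln | grep -q ":$port " || { echo "sshd is not listening on $port" >&2; return 1; }
}

# --- rehearsal on a constructed copy of sshd_config (sample content) ---
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
set_sshd_option "$demo" PermitRootLogin no
add_sshd_port "$demo" 22            # keep 22 reachable during the switch-over
add_sshd_port "$demo" 51866
echo "after adding 51866, ports: $(active_ports "$demo" | tr '\n' ' ')"
# Only after "ssh -p 51866 user@host" from a second terminal succeeds:
remove_sshd_port "$demo" 22
echo "after removing 22, ports:   $(active_ports "$demo" | tr '\n' ' ')"
# To go live: run the same calls against /etc/ssh/sshd_config as root,
# then apply_new_port 51866, and remove the firewall rules for 22 last.
rm -f "$demo"
```

Run as is, the script only touches a temporary file and prints the port list before and after port 22 is dropped. The one design point worth keeping even if you edit by hand is the placement: a PermitRootLogin no appended to the end of a file that already has a Match block is silently scoped to that block and does nothing for the rest of the server.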

3. Use DenyHosts or a similar tool (fail2ban is the common alternative) to stop SSH brute forcing (not described in detail)

DenyHosts is a Python script that scans the authentication log (/var/log/secure on CentOS) for failed logins and, once a source IP exceeds the configured number of failures, adds it to the blacklist in /etc/hosts.deny.
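What DenyHosts automates can be seen in a few lines of shell. The script below is an added example, not DenyHosts itself and not code from the article: it scans the CentOS 7 /var/log/secure format for "Failed password" lines, counts failures per source address, drops addresses on an allow list so you cannot lock out your own workstation, and writes the "sshd: IP" entries DenyHosts would put in /etc/hosts.deny (which the sshd shipped with CentOS 7 honours through TCP wrappers). The log lines are constructed sample data; the hostname web1, the threshold of 3 and the allow-list file are assumptions for the example.

```shell
#!/bin/sh
# Added example, not DenyHosts or the article's code: a one-shot scan of the
# sshd failure lines in /var/log/secure, with an allow list and a threshold.

# write_sample_log FILE: constructed /var/log/secure lines (CentOS 7 format).
# 203.0.113.5 fails three times, 198.51.100.7 once after a success,
# 203.0.113.9 once; "Invalid user" lines alone are not counted as failures.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  9 09:40:01 web1 sshd[2117]: Failed password for invalid user admin from 203.0.113.5 port 41322 ssh2
Jul  9 09:40:03 web1 sshd[2117]: Failed password for invalid user admin from 203.0.113.5 port 41330 ssh2
Jul  9 09:40:05 web1 sshd[2120]: Failed password for root from 203.0.113.5 port 41338 ssh2
Jul  9 09:40:07 web1 sshd[2123]: Accepted password for xxx from 198.51.100.7 port 50122 ssh2
Jul  9 09:40:09 web1 sshd[2125]: Failed password for xxx from 198.51.100.7 port 50130 ssh2
Jul  9 09:40:11 web1 sshd[2130]: Invalid user oracle from 203.0.113.9 port 33007
Jul  9 09:40:12 web1 sshd[2130]: Failed password for invalid user oracle from 203.0.113.9 port 33007 ssh2
EOF
}

# failed_login_counts LOGFILE: "IP count" per source address, most failures
# first. The address is the token after "from", which also works for IPv6.
failed_login_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# offenders LOGFILE THRESHOLD [ALLOWFILE]: addresses with at least THRESHOLD
# failures, minus any listed one per line in ALLOWFILE (DenyHosts calls this
# allowed-hosts). An empty allow file excludes nothing.
offenders() {
    local log=$1 min=$2 allow=${3:-/dev/null}
    failed_login_counts "$log" | awk -v min="$min" '$2 >= min { print $1 }' |
        grep -vxF -f "$allow" || true
}

# blacklist_ips DENYFILE IP...: append "sshd: IP" in hosts.deny form, once
# per address, so the scan can be re-run from cron without duplicating lines.
blacklist_ips() {
    local deny=$1 ip
    shift
    touch "$deny"
    for ip in "$@"; do
        grep -qxF "sshd: $ip" "$deny" || printf 'sshd: %s\n' "$ip" >> "$deny"
    done
}

# --- demonstration on the constructed log; nothing system-wide is touched ---
secure=$(mktemp)
deny=$(mktemp)
write_sample_log "$secure"
echo "failures per source address:"
failed_login_counts "$secure"
blacklist_ips "$deny" $(offenders "$secure" 3)   # unquoted on purpose: one IP per argument
echo "entries that would go into /etc/hosts.deny:"
cat "$deny"
rm -f "$secure" "$deny"
```

To use it for real, run it from cron against /var/log/secure with /etc/hosts.deny as the deny file and an allow file holding your own addresses; a full tool such as DenyHosts or fail2ban additionally handles log rotation, expiry of old entries and unbanning, which this one-shot scan does not.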

4. Use a host security product such as Cloud Lock (not described in detail)

Reference from http://tim-fly.iteye.com/blog/2308234

Roughly speaking, the first two steps alone cut intrusions by at least 50%, and adding the third step eliminates more than 80% of them. What matters most, of course, is security awareness and continuing to learn about security and Linux.

Steps 3 and 4 are only mentioned in passing; look into them if you are interested.

