1. Background
After a day of networking class I logged into the Alibaba Cloud server console, saw the following, and was shocked ......
I had only received the Alibaba Cloud server a few days earlier, I know very little about servers, I had just installed BT Panel (宝塔; the website was not configured yet) and run a few scripts, and someone is already attacking me? But according to what I read online, this is a normal phenomenon -
So I went and looked up some relevant material and found that the default SSH port is 22, and that there are always many people scanning it and then trying to brute-force it; this is routine. Welcome to the Internet!
Environment: Linux CentOS 7, Alibaba Cloud server
2. The last and lastb commands
last shows the users and terminals that logged in recently. By looking at the login log with the last command, the administrator can find out who has logged in or tried to connect to the system.
last (no parameters)
: Running last with no parameters reads the file named wtmp under /var/log and displays the full record of users and terminals that logged into the system. By default it shows the wtmp record; btmp can show more detail. Remote logins, such as ssh logins, are shown as well.
The Linux lastb command lists failed user login attempts.
lastb (no parameters)
: Running lastb alone reads the file named btmp under /var/log and displays the complete list of failed user logins recorded in it.
[The following parameters apply to both commands]
-a
: show the host name or IP address the user logged in from in the last column;
-d
: convert IP addresses to host names;
-f <log file>
: specify the log file;
-n <count> or -<count>
: set how many entries are listed;
-R
: do not show the host name or IP address the login came from;
-x
: show system shutdown, reboot and run-level change entries.
First column: user name;
second column: terminal (pts/0 means a pseudo terminal, i.e. the user connected with a remote tool such as telnet or SSH; graphical terminals also fall into this category);
third column: login IP address or kernel version (if it shows :0.0 or is empty, the user connected from a local terminal; for reboot entries the kernel version is shown in this column);
fourth column: start time;
fifth column: end time ("still logged in" means not logged out yet; "down" means until the next normal shutdown; "crash" means until a forced shutdown);
sixth column: duration.
uptime
: shows how long the system has been running since it was last powered on
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}'
: count the number of failed logins per source IP (on CentOS 7 the sshd log is /var/log/secure; in a "Failed password for ... from <ip> port <n> ssh2" line the address is the fourth field from the end)
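As an added example that is not part of the original post, here is a small POSIX shell script that does the same per-address count as the one-liner above. It reads sshd lines from standard input and picks the address that follows the word "from" rather than counting fields from the end, so lines of different length ("for root" versus "for invalid user admin") are both handled, and it only counts "Failed password" lines from sshd. The log lines it ships with are constructed samples, not real log data; on the server you would run count_failed_by_ip < /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address from sshd log lines. The sample lines below are constructed.
SAMPLE_SECURE_LOG='Mar  3 10:01:12 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:02:40 web01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 web01 sshd[2250]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Mar  3 10:03:30 web01 sshd[2251]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2'

# count_failed_by_ip: print "<ip>=<count>" lines, highest count first.
# Reads the log from stdin so it works with the sample and with /var/log/secure.
# Usage on the server: count_failed_by_ip < /var/log/secure
count_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            # the source address is always the field right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $2 "=" $1 }'
}

# failures_for_ip IP: print the failure count for one address (0 if absent).
failures_for_ip() {
    count_failed_by_ip | awk -F= -v ip="$1" '
        $1 == ip { print $2; found = 1 }
        END      { if (!found) print 0 }'
}

# Demo on the constructed sample (run the file directly to see the table)
printf '%s\n' "$SAMPLE_SECURE_LOG" | count_failed_by_ip
```

The "Accepted publickey" line is ignored on purpose: only pre-authentication failures are counted, which is what you want when deciding whether an address is scanning you.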
3. Changing the SSH port
If you use port 22 for SSH access you will be hit by these attacks all the time; changing the port number raises security to a certain degree.
Modify the port number in the configuration file sshd_config (use a port number of 1024 or above).
vim /etc/ssh/sshd_config
Find the line Port 22 (be sure not to delete it!). It is commented out; remove the comment and add a line Port 2333 below it, then save and exit.
Restart SSH
systemctl restart sshd
Check whether the port has changed
netstat -ntlp | grep 2333
Be sure to keep the original port 22 and add your own port alongside it, then save the changes. If you drop port 22 right away and log out, you may run into the following error:
If you cannot connect remotely, remember that the security group rules in the server console must be configured as well: add the newly changed port there, keep using the default port 22 for the SSH connection for now, and afterwards also modify the firewall rules.
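To make the "keep port 22, add the new one" step reproducible, here is an added example (not code from the original post) that edits a copy of sshd_config the way the text describes: it uncomments Port 22 and inserts Port 2333 directly below it, and does nothing if the new port is already there, so running it twice cannot produce duplicate lines. The sample config content is constructed; the real file is /etc/ssh/sshd_config, and after editing it you should run sshd -t to validate the file before systemctl restart sshd, so a typo cannot lock you out of the server.

```shell
#!/bin/sh
# Added example (not from the original post): add a second SSH port to an
# sshd_config while keeping "Port 22". The config below is a constructed sample.
SAMPLE_SSHD_CONFIG='# If you want to change the port on a SELinux system, you have to tell
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0'

# add_ssh_port FILE PORT: uncomment "Port 22" and add "Port PORT" right after it.
# Idempotent: does nothing if PORT is already configured in FILE.
add_ssh_port() {
    file=$1; port=$2
    if grep -Eq "^Port[[:space:]]+$port\$" "$file"; then
        return 0
    fi
    awk -v port="$port" '
        /^#?Port 22$/ { print "Port 22"; print "Port " port; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# listening_ports FILE: print the ports sshd would listen on, one per line.
listening_ports() {
    awk '/^Port[[:space:]]+[0-9]+$/ { print $2 }' "$1"
}

# demo: apply the edit twice to a temp copy and print the resulting ports.
# On the real server you would follow this with:  sshd -t && systemctl restart sshd
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    add_ssh_port "$tmp" 2333
    add_ssh_port "$tmp" 2333      # second call is a no-op
    listening_ports "$tmp" | paste -s -d ' ' -
    rm -f "$tmp"
}

demo
```

Once the new port works (check with netstat -ntlp | grep 2333 as above, or ss -ntlp), you can remove the Port 22 line in a second, separate edit.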
The default firewall on CentOS 7 is not iptables but firewalld.
The firewall is the first hurdle a packet faces before it enters the host. The firewall is managed mainly through two mechanisms, Netfilter and TCP Wrappers.
1) Netfilter: packet filtering mechanism
2) TCP Wrappers: program management mechanism
For the packet filtering mechanism there are two pieces of software: firewalld and iptables.
The iptables service controls services by controlling ports, while firewalld controls ports by controlling protocols (services).
【firewalld commands】
systemctl status firewalld
: view the firewall status; active (running) means the firewall is on;
systemctl stop firewalld
: turn the firewall off; inactive (dead) means the firewall is off (it comes back after a reboot);
systemctl disable firewalld
: after this the firewall does not come back after a reboot;
systemctl start firewalld
: turn the firewall on (the opposite of stop);
systemctl enable firewalld
: the opposite of disable.
Add a port to the firewall; success is printed when it worked.
firewall-cmd --zone=public --add-port=2333/tcp --permanent
Reload firewall rules
firewall-cmd --reload
Check whether the port was added successfully; it returns yes on success
firewall-cmd --zone=public --query-port=2333/tcp
【Extra knowledge】
Security-Enhanced Linux, SELinux for short, is a Linux kernel module and a security subsystem of Linux.
The main role of SELinux is to minimise the system resources a service process can access (principle of least privilege).
DAC:
On an operating system without SELinux, the only factor that decides whether a resource can be accessed is whether the corresponding user has permission (read, write, execute) on it. Any process that meets this condition can access the resource.
The most fatal problem is that the root user is not controlled at all and can access any resource in the system without limit. This permission mechanism, whose subject is the user, is called discretionary access control (DAC).
MAC:
On an operating system using SELinux, besides the factor above, whether a resource can be accessed also depends on whether each class of process is allowed to access that type of resource.
As a result, even for a process running as root, the type of the process and the resource types it is allowed to access are checked before access is granted. The scope a process can act in can thus be compressed to a minimum.
Even a service process running as root generally only has access to the resources it needs, and if the program has a vulnerability, its sphere of influence is limited to the resources it is allowed to access. Security is greatly increased. This permission mechanism, whose subject is the process, is called Mandatory Access Control (MAC).
Install the SELinux management tool semanage (skip if it is already installed)
yum provides semanage
If this reports an error, it is because the dependency package policycoreutils-python has to be installed
yum install policycoreutils-python
After installing, you can use the semanage command directly to query the current ssh port services
semanage port -l | grep ssh
Add the ssh port in SELinux
semanage port -a -t ssh_port_t -p tcp 2333
Verify that the ssh port was added successfully
semanage port -l | grep ssh
After it has been added successfully, restart the ssh service
systemctl restart sshd.service
Close the current terminal, make sure your new SSH port has been added to the security group, then log in with the new port number; the login should succeed!
View the ports currently open on the system
firewall-cmd --list-ports
: If there is a port you no longer need, use the following steps to close it
(delete the one you no longer need) modify the port number in the configuration file sshd_config
vim /etc/ssh/sshd_config
Remove the port from the firewall
firewall-cmd --zone=public --remove-port=2333/tcp --permanent
Remove the port from SELinux with semanage
semanage port -d -t ssh_port_t -p tcp 2333
Reload firewall rules
firewall-cmd --reload
Restart the ssh service
systemctl restart sshd.service
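The firewalld and SELinux steps above (adding the port, and the reverse steps for closing it again) are easy to get half right: the firewall-cmd --add-port succeeds but --reload is forgotten, or sshd is restarted before the SELinux label exists. As an added example that is not part of the original post, here is a shell script (hypothetical file name ssh-port.sh) that runs both procedures end to end and verifies each step by parsing the output the page already shows: firewall-cmd --list-ports prints the open ports as "80/tcp 2333/tcp", and semanage port -l | grep ssh prints a line like "ssh_port_t tcp 2333, 22". The two parsing helpers are pure functions and are exercised with constructed output; the open/close functions call the real firewall-cmd, semanage, sshd and systemctl commands and only run when the script is invoked with open or close.

```shell
#!/bin/sh
# Added example (not from the original post): open or close an alternative SSH
# port on CentOS 7 in firewalld and SELinux, verifying each step.
# Usage (hypothetical file name):  sh ssh-port.sh open 2333   |   sh ssh-port.sh close 2333

# firewalld_has_port PORT LIST: LIST is the output of `firewall-cmd --list-ports`,
# e.g. "80/tcp 2333/tcp". Succeeds if PORT/tcp is in it.
firewalld_has_port() {
    for p in $2; do
        [ "$p" = "$1/tcp" ] && return 0
    done
    return 1
}

# selinux_has_ssh_port PORT LINE: LINE is the ssh_port_t line of `semanage port -l`,
# e.g. "ssh_port_t   tcp   2333, 22". Succeeds if PORT is listed.
selinux_has_ssh_port() {
    echo "$2" | awk -v port="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == port) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# open_port PORT: firewalld rule, SELinux label, then a validated sshd restart.
open_port() {
    port=$1
    firewall-cmd --zone=public --add-port="$port/tcp" --permanent
    firewall-cmd --reload
    firewalld_has_port "$port" "$(firewall-cmd --zone=public --list-ports)" ||
        { echo "firewalld did not open $port/tcp" >&2; exit 1; }
    # label the port for sshd unless it is already labelled
    selinux_has_ssh_port "$port" "$(semanage port -l | grep '^ssh_port_t')" ||
        semanage port -a -t ssh_port_t -p tcp "$port"
    # validate the config before restarting so a typo cannot lock you out
    sshd -t || { echo "sshd_config is invalid; not restarting" >&2; exit 1; }
    systemctl restart sshd
    ss -ntlp | grep -q ":$port " && echo "sshd is listening on $port"
}

# close_port PORT: the reverse steps from the post, in the same order.
close_port() {
    port=$1
    firewall-cmd --zone=public --remove-port="$port/tcp" --permanent
    semanage port -d -t ssh_port_t -p tcp "$port"
    firewall-cmd --reload
    systemctl restart sshd
}

case "${1:-}" in
    open)  open_port "$2" ;;
    close) close_port "$2" ;;
esac
```

Keep port 22 in sshd_config and in the security group until "sshd is listening on 2333" is printed and a second SSH session over the new port actually works; only then remove the old port.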
4. End
Fellow beginners, this way!