CentOS 7: changing the SSH port

1. Background

  After a day of networking classes I logged into the console of my Alibaba Cloud server and saw the entries below. I was shocked ......

  I had only received the Alibaba Cloud server a few days earlier, knew very little about server administration, and had just installed BT Panel (宝塔; the website was not configured yet). I had run a couple of scripts, and already someone was attacking me? Searching online, I found that this is a normal phenomenon:
  the default SSH port is 22, so it is constantly scanned and many people then try to crack the password. That is just how things work. Welcome to the Internet!

Environment: CentOS 7 on an Alibaba Cloud server

2. The last and lastb commands

last shows recent logins by user or terminal. By reading the login log with last, an administrator can find out who has logged in to, or attempted to connect to, the system.

last without arguments: reads the file wtmp in the /var/log directory and displays every recorded login session of a user or terminal. By default the wtmp record is shown; the btmp record can show more detail, including remote logins such as SSH logins.

The Linux lastb command lists failed login attempts.

lastb without arguments: reads the file btmp in the /var/log directory and displays every recorded failed login.
[Options common to both commands]
-a: show the host name or IP address the login came from in the last column;
-d: convert IP addresses to host names;
-f <log file>: read the specified log file;
-n <count> or -<count>: limit the number of lines displayed;
-R: do not display the host name or IP address of the login;
-x: also display system shutdowns, reboots and run-level changes.

First column: user name;
second column: terminal (pts/0 is a pseudo terminal, meaning the user connected with a remote tool such as telnet or SSH; graphical terminals also fall into this category);
third column: login IP address or kernel version (:0.0 or an empty value means the user connected from a local terminal; for reboot entries this column shows the kernel version instead);
fourth column: start time;
fifth column: end time (still logged in: not yet logged out; down: until a normal shutdown; crash: until a forced shutdown);
sixth column: duration.
  

  • uptime: show how long the system has been running since the last boot
  • cat /var/log/secure | awk '/Failed/{print $(NF-3)}'| sort| uniq -c| awk '{print $2"="$1;}': count failed logins per source IP address ($(NF-3) is the address in a "Failed password for ... from ADDR port N ssh2" line)
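The failure-count pipeline above, wrapped in a function and run over constructed /var/log/secure lines so it can be tried without root. This is an added example, not code from the original post; the addresses and the offenders_over threshold helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address, as the one-liner in the post does, but on sample input.
set -eu

# Read sshd log lines on stdin and print "ip=count", highest count first.
# $(NF-3) is the address in "Failed password for [invalid user] NAME from ADDR port N ssh2".
count_failed() {
    awk '/Failed/ { print $(NF-3) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2 "=" $1 }'
}

# Addresses with at least $1 failures: the ones worth alerting on or blocking.
offenders_over() {
    count_failed | awk -F= -v min="$1" '$2 >= min { print $1 }'
}

# Constructed sample in the format sshd writes to /var/log/secure on CentOS 7.
# The addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Mar  5 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  5 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  5 10:01:09 host sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 40011 ssh2
Mar  5 10:02:00 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Mar  5 10:02:31 host sshd[1212]: Failed password for root from 203.0.113.7 port 51140 ssh2'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_failed          # prints 203.0.113.7=3 then 198.51.100.23=1
    printf '%s\n' "$SAMPLE_LOG" | offenders_over 3      # prints 203.0.113.7
fi
```

On a real server replace the sample with `cat /var/log/secure | count_failed`.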
      

3. Changing the SSH port

  If SSH is reachable on the default port 22, it is constantly probed and attacked; changing the port number raises the level of security somewhat.
  

【Step 1】

Change the port number in the configuration file sshd_config (use 1024 or above).

vim /etc/ssh/sshd_config

Find the line Port 22 (be sure not to delete the 22!). It is commented out by default; uncomment it, add a new line Port 2333 below it, then save and exit.

【Step 2】

Restart SSH

systemctl restart sshd

Check whether sshd is now listening on the new port

netstat -ntlp | grep 2333

Be sure to keep the original port 22 in addition to your own port, then save and apply the change. If you turn off 22 immediately and log in on the new port only, you may get the following error:

  The remote connection fails. Another thing to remember is the security-group rules in the server console: add the new port there, keep using the default port 22 for SSH until the new one works, and then also update the firewall rules on the host.
  The default firewall on CentOS 7 is not iptables but firewalld.

The firewall is the first hurdle a packet has to pass before it enters the host. Linux manages it mainly through two mechanisms, Netfilter and TCP Wrappers:
1) Netfilter: the packet-filtering mechanism
2) TCP Wrappers: the program-level access-control mechanism
For packet filtering there are two management tools: firewalld and iptables.
The iptables service controls services by controlling ports, whereas firewalld controls ports by controlling protocols (services).

firewalld commands

systemctl status firewalld: show the firewall status; active (running) means the firewall is on;
systemctl stop firewalld: turn the firewall off; inactive (dead) means it is off (after a reboot it returns to its previous state);
systemctl disable firewalld: keep it off across reboots;
systemctl start firewalld and systemctl enable firewalld: the opposite of the two commands above, turning the firewall on and enabling it at boot.

【Step 3】

Add the port to the firewall; the output success means it worked.

firewall-cmd --zone=public --add-port=2333/tcp --permanent

Reload firewall rules

firewall-cmd --reload

Check whether the port was added; on success the command returns yes

firewall-cmd --zone=public --query-port=2333/tcp

Background knowledge

Security-Enhanced Linux, SELinux for short, is a Linux kernel module and a security subsystem of Linux.

The main role of SELinux is to minimise the system resources that a service process can access (the principle of least privilege).

DAC:
  On an operating system without SELinux, the only factor that decides whether a resource can be accessed is whether the user the process runs as has the corresponding permission (read, write, execute) on that resource. Any process that meets this condition gets access.
  The fatal problem is that the root user is not controlled at all and can access any resource on the system without limit. This user-centred permission model is known as discretionary access control (DAC).

MAC:
  On an operating system with SELinux, besides the factor above, the system also has to decide whether this type of process is allowed to access this type of resource.
  As a result, even a process running as root is checked against the resource types it is allowed to access before access to a resource is granted. The reach of each process can therefore be shrunk to the minimum.
  Even a service process running as root can generally access only the resources it needs, and if the program has a vulnerability, the damage is confined to the resources it is allowed to reach. Security is greatly improved. This process-centred permission model is known as mandatory access control (MAC).

【Step 4】

Install the SELinux management tool semanage (skip this if it is already installed)

yum provides semanage

If this fails, install the package that provides the tool, policycoreutils-python

yum install policycoreutils-python

After installing it, use semanage directly to query the ports currently labelled for the ssh service

semanage port -l | grep ssh

Add the new ssh port in SELinux

semanage port -a -t ssh_port_t -p tcp 2333

Verify that the ssh port was added

semanage port -l | grep ssh

After it has been added, restart the ssh service

systemctl restart sshd.service

【Step 5】

Close the current terminal, make sure you have added the new SSH port to your security group, then log in with the new port number. The login should succeed!

View the ports currently opened in the firewall

firewall-cmd --list-ports

Note: if a port is no longer needed, close it with the following steps (delete whatever is unnecessary). First change the port number in the configuration file sshd_config

vim /etc/ssh/sshd_config

Remove the port from the firewall

firewall-cmd --zone=public --remove-port=2333/tcp --permanent

Remove the port label in SELinux with semanage

semanage port -d -t ssh_port_t -p tcp 2333

Reload firewall rules

firewall-cmd --reload

Restart the ssh service

systemctl restart sshd.service
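Steps 1 to 5 and the rollback as shell functions, so the sshd_config edit can be tried on a copy of the file before it is applied to the real one. This is an added example, not a script from the original post; it assumes port 2333 and /etc/ssh/sshd_config as in the post, and the root-only commands run only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): the port change as functions.
# Config editing works on any file path; the root-only commands (firewalld,
# semanage, sshd restart) run only when APPLY=1 is set.
set -eu

# Step 1: keep an uncommented "Port 22" in CFG and add "Port NEW" to it.
add_ssh_port() {
    cfg=$1; new=$2
    case $new in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
    [ "$new" -ge 1024 ] && [ "$new" -le 65535 ] || { echo "use 1024-65535" >&2; return 1; }
    # 22 must stay open until the new port is confirmed to work (see step 2).
    if ! grep -q '^Port 22$' "$cfg"; then
        if grep -q '^#Port 22' "$cfg"; then
            sed 's/^#Port 22.*/Port 22/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        else
            printf 'Port 22\n' >> "$cfg"
        fi
    fi
    grep -q "^Port $new\$" "$cfg" || printf 'Port %s\n' "$new" >> "$cfg"
}

# Rollback: drop "Port NEW" again, leaving "Port 22" in place.
remove_ssh_port() {
    sed "/^Port $2\$/d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the Port values sshd would listen on, one per line.
config_ports() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# Steps 2 to 4: firewalld, SELinux port label, restart, then verify the listener.
apply_system() {
    new=$1
    sshd -t        # syntax-check the config first: a broken file locks you out
    firewall-cmd --zone=public --add-port="$new"/tcp --permanent
    firewall-cmd --reload
    semanage port -l | grep ssh_port_t | grep -qw "$new" \
        || semanage port -a -t ssh_port_t -p tcp "$new"
    systemctl restart sshd
    ss -ntlp | grep ":$new " || { echo "sshd is not listening on $new" >&2; return 1; }
}

if [ "${APPLY:-0}" = "1" ]; then
    add_ssh_port /etc/ssh/sshd_config 2333
    apply_system 2333
fi
```

Keep the existing session open while you test a login on the new port, and only then remove Port 22 with remove_ssh_port.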


4. Conclusion

  Beginners, this way!


Origin blog.csdn.net/fengge2018/article/details/104702129