Linux server SSH login: viewing the login log

Any server reachable from the network will be attacked. The worst case is an attacker logging in and obtaining root privileges. A few simple defensive measures:


1. Change the default port of the ssh service.

The ssh service listens on port 22 by default, and opportunistic attackers mass-scan for and try to connect to port 22. So the first step is to change this default port. Note that this only cuts down the noise from mass scanners: a targeted attacker will find the new port with an ordinary port scan, so it is no substitute for the measures below.
Open /etc/ssh/sshd_config, find
Port 22
and change 22 to an unused port, for example 1022. Prefer a port below 1024: those are privileged ports that only root can bind, so an unprivileged user process cannot grab the port while sshd is down. Before restarting, check that any host firewall and the cloud provider's security group allow the new port, and keep your current session open until a new connection on the new port has been confirmed to work.
Check the configuration and then restart sshd:
sudo sshd -t
sudo /etc/init.d/ssh restart
(on systemd-based distributions: sudo systemctl restart ssh, or sshd on RHEL/CentOS)

2. Limit source IPs

First edit /etc/hosts.allow and add the client addresses that may reach the server's ssh service, in this format:
sshd: 192.168.1.0/255.255.255.0
sshd: 202.114.23.45
sshd: 211.67.67.89
then edit /etc/hosts.deny and add
sshd: ALL
to refuse ssh connections from every other client.

Caveat: these two files are read by TCP wrappers (libwrap). OpenSSH upstream removed libwrap support in version 6.7 (2014), and current distributions no longer carry a patch for it, so on a recent system sshd ignores hosts.allow and hosts.deny entirely. Check with ldd /usr/sbin/sshd | grep wrap: if nothing is printed, the files are not consulted. Use the equivalent in sshd_config instead (AllowUsers with user@host patterns, or a Match Address block) and/or a host firewall rule (iptables/nftables, or the provider's security group) that opens the ssh port only to those addresses. Whichever mechanism you use, test from an allowed address before closing your existing session.
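Steps 1 and 2 as a script, as an added example that is not part of the original post. It edits an sshd_config-style file idempotently and writes the step-2 address list as an AllowUsers directive, which is what a current OpenSSH honours instead of hosts.allow. The sample config is constructed here so the script runs offline; the port 1022 and the three addresses are the post's own values, and the Match block in the sample is an assumption added to show the one pitfall of appending to this file.

```shell
#!/bin/sh
# Added example, not from the original post: apply steps 1 and 2 to an
# sshd_config file idempotently, on a constructed copy so it runs offline.
# A real run would target /etc/ssh/sshd_config and finish with `sshd -t`.

# set_sshd_option FILE KEY VALUE
# Replaces the first "KEY ..." or "#KEY ..." line with "KEY VALUE". If there is
# none, the directive is inserted above the first "Match" block (anything
# appended after a Match line would apply only inside that block) or, failing
# that, at the end of the file.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        !done && $1 == "Match" { print key " " value; done = 1 }
        !done && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: the effective value, i.e. the first uncommented
# occurrence, which is the one sshd honours when a keyword is repeated.
get_sshd_option() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

CONF=$(mktemp)
# Constructed sample config (not a real server's file); the Match block is
# there to show that the new directives land above it, not inside it.
cat > "$CONF" <<'EOF'
# sshd_config sample, constructed for this example
#Port 22
#AddressFamily any
PermitRootLogin prohibit-password
Match User backup
    ForceCommand /usr/bin/rsync --server
EOF

# Step 1: move the listener to 1022 (a privileged port, so only root can bind it).
set_sshd_option "$CONF" Port 1022

# Step 2: sshd_config equivalent of the hosts.allow list. OpenSSH >= 6.7 has no
# TCP-wrappers support, so this (or a firewall rule) is what actually takes
# effect. Patterns are USER@HOST; HOST may be an address or a CIDR block.
set_sshd_option "$CONF" AllowUsers '*@192.168.1.0/24 *@202.114.23.45 *@211.67.67.89'

echo "Port is now: $(get_sshd_option "$CONF" Port)"
cat "$CONF"
# On the real host, before restarting sshd: sudo sshd -t -f /etc/ssh/sshd_config
```

Running set_sshd_option a second time with the same values changes nothing, so the script is safe to re-run from configuration management. The AllowUsers line is deliberately placed before the Match block: sshd applies every directive that follows a Match line only to connections matching that block, which is an easy way to silently lose a restriction that was meant to be global.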

3. Keep the server updated

The contest between spear and shield never ends: new vulnerabilities in sshd, the kernel and system libraries keep being found and patched, so update the server regularly:
apt-get update
apt-get dist-upgrade
and restart the affected services (or reboot after a kernel update) so the patched code is actually running.

The part above is taken from: http://zfsn.iteye.com/blog/1224212




4. Check the login log

Better safe than sorry: there is no impregnable castle. Some intruders are novices, or come and go in a hurry, and do their damage on the server without erasing the traces, so check the login logs regularly. As a security measure:

more /var/log/secure
who /var/log/wtmp

/var/log/secure exists on RHEL/CentOS; Debian and Ubuntu write the same sshd messages (accepted and failed logins, with the client address) to /var/log/auth.log. /var/log/wtmp records successful logins only; last reads the same file and also shows logout times and session lengths, and lastb reads /var/log/btmp for failed attempts. All of these are ordinary files that an intruder with root can truncate or edit, so they catch careless intruders but are no substitute for forwarding logs to another host.

In practice I have been using the who /var/log/wtmp command to get the data I want, as follows:

Because I am just doing a simple demonstration here, I will log in directly with the root account.

    root@MRtancp:~# who /var/log/wtmp
    root     tty1         2018-10-07 13:00
    root     pts/0        2018-10-29 17:12 (117.136.32.98)
    root     pts/1        2018-10-29 17:16 (117.136.32.98)
    root     pts/2        2018-10-29 17:16 (117.136.32.98)
    root     pts/3        2018-10-29 17:17 (117.136.32.98)
    root     pts/4        2018-10-29 17:17 (117.136.32.98)
    root     pts/5        2018-10-29 17:17 (117.136.32.98)
    root     pts/6        2018-10-29 17:17 (117.136.32.98)
    root     pts/7        2018-10-29 17:17 (117.136.32.98)
    root     pts/8        2018-10-29 17:21 (117.136.32.98)
    root     pts/9        2018-10-29 17:21 (117.136.32.98)
    root     pts/10       2018-10-29 17:21 (117.136.32.98)
    root     pts/11       2018-10-29 17:21 (117.136.32.98)
    root     pts/12       2018-10-29 17:22 (117.136.32.98)
    root     pts/13       2018-10-29 17:27 (117.136.32.98)
    root@MRtancp:~#

The above shows the SSH connections from my local machine to my Alibaba Cloud server. Because I disconnected and reconnected many times, every login was recorded: the user name used for the ssh login, the login time, and the IP address of the connecting terminal.

A brief note on what ttyX and pts/X mean:

tty1 to tty6 are the virtual consoles you reach with Ctrl+Alt+F1 to F6, that is, the text consoles on the machine itself. On a desktop, tty7 usually carries the graphical session (for example GNOME), and Ctrl+Alt+F7 switches back to it; a server normally has only the text consoles. A login on tty1, as in the first line of the output above, therefore means someone was at the physical console (or the cloud provider's web/VNC console), not on the network.

pts/N is a pseudo-terminal. One is allocated for every interactive session that is not a physical console, so each SSH session, and each terminal window on a desktop, gets its own pts/0, pts/1, pts/2, and so on; two terminal windows open at once show up as pts/0 and pts/1. The numbers are reused once a session closes, which is why a fresh login can appear as pts/0 again. A pts entry is not standard input, output or error; those are file descriptors 0, 1 and 2 of a process, which simply point at the process's pts when it runs in a terminal.
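The login-log check from this section turned into something that can be run regularly, as an added example that is not part of the original post. It summarises who /var/log/wtmp output per user and source address, flags addresses that are not on an allowlist, and counts "Failed password" lines per client in auth.log / secure. The wtmp sample is the post's own output plus one constructed line from a foreign address; the auth.log excerpt and the allowlist value are constructed for the example and are not the author's data.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SSH logins from
# `who /var/log/wtmp` output, flag unexpected source addresses, and count
# failed password attempts per client in auth.log / secure.

# Constructed sample: the post's own `who /var/log/wtmp` lines plus one
# extra login from an address that is NOT ours, to show what an anomaly looks like.
WTMP_SAMPLE='root     tty1         2018-10-07 13:00
root     pts/0        2018-10-29 17:12 (117.136.32.98)
root     pts/1        2018-10-29 17:16 (117.136.32.98)
root     pts/2        2018-10-29 17:16 (117.136.32.98)
root     pts/3        2018-10-30 03:41 (198.51.100.23)'

# Addresses you expect to log in from (an assumption for this example).
ALLOWED='117.136.32.98'

# logins_by_source: read `who /var/log/wtmp` output on stdin and print
# "<count> <user> <source>" per (user, source) pair. Console logins (tty*)
# carry no address in parentheses and are reported as "console".
logins_by_source() {
    awk '{
        src = "console"
        if ($NF ~ /^\(.*\)$/) { src = substr($NF, 2, length($NF) - 2) }
        n[$1 " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# unexpected_sources ALLOWED: source addresses in the log that are not in the
# space-separated ALLOWED list. Anything printed here deserves a closer look.
unexpected_sources() {
    allowed=$1
    logins_by_source | awk -v allowed="$allowed" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $3 != "console" && !($3 in ok) { print $3 }' | sort -u
}

# failed_password_bursts THRESHOLD: read auth.log / secure lines on stdin and
# print "<failures> <ip>" for every client with at least THRESHOLD failures.
failed_password_bursts() {
    threshold=$1
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Constructed auth.log excerpt in the syslog format OpenSSH writes.
AUTH_SAMPLE='Oct 29 17:10:01 MRtancp sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 29 17:10:03 MRtancp sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 29 17:10:05 MRtancp sshd[1205]: Failed password for root from 203.0.113.7 port 40138 ssh2
Oct 29 17:12:00 MRtancp sshd[1210]: Accepted password for root from 117.136.32.98 port 51822 ssh2
Oct 29 17:12:30 MRtancp sshd[1212]: Failed password for root from 117.136.32.98 port 51830 ssh2'

echo "== logins per user and source =="
printf '%s\n' "$WTMP_SAMPLE" | logins_by_source
echo "== sources not on the allowlist =="
printf '%s\n' "$WTMP_SAMPLE" | unexpected_sources "$ALLOWED"
echo "== clients with 3 or more failed passwords =="
printf '%s\n' "$AUTH_SAMPLE" | failed_password_bursts 3
# On a real host: who /var/log/wtmp | unexpected_sources "$ALLOWED"
#                 failed_password_bursts 10 < /var/log/auth.log   (or /var/log/secure)
```

The allowlist comparison is the part worth keeping: a long list of logins from your own address is normal, while a single login from an address you do not recognise is the line that matters, and it is easy to miss by eye in who output. Because wtmp holds only successful logins, the failed-password count has to come from auth.log or secure; a client that fails many times and then succeeds is the pattern to look for.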

 


In addition, we can take a quick look at what an account did after logging in.
As root, run su - username to switch to that user, then run
history
to see that user's command history (by default the last 1000 commands on Debian/Ubuntu, loaded from ~/.bash_history). Bear in mind that a shell writes its history file only when it exits, that HISTSIZE and HISTFILE are under the user's control, and that a careful intruder will run history -c, unset HISTFILE, or simply delete the file, so an empty or suspiciously short history is itself worth noting.
---------------------
Author: lailaiququyi
Source: CSDN
Original text: https://blog.csdn.net/lailaiquququ11/article/details/83510406
Copyright statement: This article is the blogger's original work; please include a link to the post if you reprint it.

 

These three commands are the most practical:

1、who /var/log/wtmp

2、su - username

3、history


Origin blog.csdn.net/qq_27158179/article/details/90323182