Essential security settings for Linux servers, worth bookmarking!


Now that you have finally bought a server, it would be a real shame to have it compromised through your own negligence.

Below are some simple ways to raise the server's security level. My own cloud server is configured this way; it is a little more work, but it gives me peace of mind.

Modify the SSH login configuration

Open the SSH daemon configuration file

vim /etc/ssh/sshd_config

# Change the following items
Port 10000
# Change the SSH port, ideally to something above 10000; the chance of it being
# picked up by a casual scan goes down. The firewall must allow the configured
# port, and on an Alibaba Cloud server you must also open the port in the
# console's security group, otherwise you will not be able to log in. If this
# seems like too much trouble you can skip it. (A full port scan still finds
# the new port; the real gain is far less brute-force noise in the logs.)

Protocol 2
# Disable protocol version 1: its design flaws make it easy to recover passwords.

PermitRootLogin no
# Do not allow root to log in under any circumstances. Once in effect you can no
# longer log in directly as root: log in with a normal account and switch to
# root with su. Note that su and su - differ slightly: the difference is the
# environment variables, and su - loads root's full environment (PATH etc.).

PermitEmptyPasswords no
# Refuse logins with an empty password.

Finally, restart the sshd service (on systemd distributions the equivalent is `systemctl restart sshd`, or `systemctl restart ssh` on Debian/Ubuntu):

service sshd restart

Before restarting, keep your current session open and run `sshd -t`, which parses the config and reports syntax errors; restarting the daemon with a broken sshd_config is the classic way to lock yourself out. Two more caveats: on CentOS/RHEL with SELinux enforcing, sshd is not allowed to bind a non-standard port until you run `semanage port -a -t ssh_port_t -p tcp 10000`; and `Protocol 2` is a no-op on OpenSSH 7.4 and later, whose sshd no longer implements protocol 1 at all, so it is harmless but not protective by itself. If you log in with SSH keys, `PasswordAuthentication no` removes the password brute-force surface entirely and matters more than the port number.
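The following script is an added example, not code from the original post. It applies the four directives above in an idempotent way (a commented-out `#Port 22` is replaced rather than duplicated, and a later duplicate directive is dropped, since sshd honours only the first match) and then runs `sshd -t` against the result when sshd is installed. The sample config at the bottom is constructed for the demo; on a real host you would point the functions at /etc/ssh/sshd_config.

```bash
#!/bin/bash
# Added example, not code from the original post: apply the sshd_config
# settings recommended above idempotently and validate before restarting.
# Assumes a POSIX awk and OpenSSH's "first matching directive wins" rule.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace the first line that mentions KEY (commented out or not) with
# "KEY VALUE", drop later duplicates, or append the directive if the file
# never mentions it. Re-running therefore never produces a second "Port" line.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[[:space:]]+/)
            if (f[1] == k) {
                if (!done) { print k " " v; done = 1 }    # first mention becomes the live setting
                next                                      # later duplicates are dropped
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# The effective value the way sshd reads it: first uncommented occurrence wins.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the four settings recommended in the post.
harden_sshd() {
    set_sshd_option "$1" Port 10000
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PermitEmptyPasswords no
}

# validate_sshd_config FILE: syntax check with the real daemon when installed.
# A broken sshd_config that gets restarted locks you out, so check first.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here, skipping syntax check" >&2
    fi
}

# Demo on a constructed config (not a real /etc/ssh/sshd_config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
#Port 22
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
EOF
harden_sshd "$demo"
validate_sshd_config "$demo" || true
for k in Port Protocol PermitRootLogin PermitEmptyPasswords; do
    printf '%-22s %s\n' "$k" "$(get_sshd_option "$demo" "$k")"
done
rm -f "$demo"
```

On a live host run `harden_sshd /etc/ssh/sshd_config && validate_sshd_config /etc/ssh/sshd_config` as root from a session you keep open, and only then restart sshd; `sshd -t` also fails when host keys are missing or unreadable, which is itself worth knowing before a restart.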

Stop the system from answering ping (ICMP echo) requests, whether they come from outside or inside:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Its default value is 0. Writing to /proc only lasts until the next reboot; to make it persistent put `net.ipv4.icmp_echo_ignore_all = 1` in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply it with `sysctl -p`. Be clear about what this buys you: a scanner that probes TCP ports directly still finds the server, while your own monitoring and uptime checks that rely on ping stop working, so many administrators leave this at 0.

User Management

The following are basic user management commands

List users:                cat /etc/passwd
List groups:               cat /etc/group
Show who is logged in:     who
Show login history:        last

It is common advice to delete the system's unnecessary default users and groups so that they cannot be used as targets for brute forcing:

userdel sync
userdel shutdown
# Surplus users to delete: sync shutdown halt uucp operator games gopher
groupdel adm
groupdel games
# Surplus groups to delete: adm lp games dip

Check before deleting. These accounts ship with a locked or unset password (`*` or `!` in the second field of /etc/shadow) and a non-interactive shell such as /sbin/nologin, so they cannot be brute-forced over SSH to begin with; `passwd -S sync` shows the state. Some of the groups are still in use: on Debian/Ubuntu the `adm` group grants read access to /var/log, `lp` and `dip` belong to installed packages, and `groupdel` refuses to remove a group that is any user's primary group. `gopher` exists only on old RHEL/CentOS releases; on anything newer `userdel` simply reports that the user does not exist.
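Rather than deleting accounts by name from a list, it is more useful to know which accounts an attacker could actually brute-force: those with an interactive shell and an unlocked password. The script below is an added example (not from the original post) that classifies accounts from passwd/shadow-format files and also lists any account other than root that has UID 0. The sample data written by `write_sample_files` is constructed, including the placeholder hashes; on a real host run the functions as root against /etc/passwd and /etc/shadow.

```bash
#!/bin/bash
# Added example, not code from the original post: find the accounts that
# accept a password login, and any second UID 0 account. The passwd/shadow
# content in write_sample_files is constructed for the demo.
set -eu

# Shells that cannot start an interactive session.
is_nologin_shell() {
    case "$1" in
        ""|/sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false|/bin/sync|/sbin/halt|/sbin/shutdown)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# account_status PASSWD SHADOW USER
# -> nologin | no-shadow-entry | empty-password | no-password | locked | active
# shadow field 2: ""  = empty password (anyone can log in)
#                 "*" = no password ever set (password login impossible)
#                 "!" prefix = locked with passwd -l / usermod -L
account_status() {
    local passwd=$1 shadow=$2 user=$3 shell hash
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
    if is_nologin_shell "$shell"; then echo nologin; return; fi
    grep -q "^$user:" "$shadow" || { echo no-shadow-entry; return; }
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
    case "$hash" in
        "")   echo empty-password ;;
        '*'*) echo no-password ;;
        '!'*) echo locked ;;
        *)    echo active ;;
    esac
}

# login_capable_accounts PASSWD SHADOW: one "user status uid=N" line per
# account that can be logged into with a password (empty passwords included).
login_capable_accounts() {
    local passwd=$1 shadow=$2 user pw uid rest status
    while IFS=: read -r user pw uid rest; do
        status=$(account_status "$passwd" "$shadow" "$user")
        case "$status" in
            active|empty-password) printf '%s %s uid=%s\n' "$user" "$status" "$uid" ;;
        esac
    done < "$passwd"
}

# uid0_accounts PASSWD: every account other than root with UID 0, i.e. a
# second root account (what "Method 3" at the end of the post creates).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# write_sample_files DIR: constructed sample data; the hashes are placeholders.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
games:x:12:100:games:/usr/games:/sbin/nologin
uusama:x:1000:1000:tommy:/home/uusama:/bin/bash
oldadmin:x:1001:1001::/home/oldadmin:/bin/bash
backdoor:x:0:1002::/home/backdoor:/bin/bash
tester:x:1003:1003::/home/tester:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
uusama:$6$placeholder$hash:19000:0:99999:7:::
oldadmin:!$6$placeholder$hash:19000:0:99999:7:::
backdoor:$6$placeholder$hash:19000:0:99999:7:::
tester::19000:0:99999:7:::
EOF
}

demo=$(mktemp -d)
write_sample_files "$demo"
echo "== accounts that accept a password login =="
login_capable_accounts "$demo/passwd" "$demo/shadow"
echo "== extra UID 0 accounts =="
uid0_accounts "$demo/passwd"
rm -rf "$demo"
```

In the sample, `sync` and `games` never show up because their shells cannot start a session, `oldadmin` is locked, while `tester` (empty password) and `backdoor` (UID 0) are the two entries that actually deserve attention. That is the list to act on with `passwd -l` or `userdel`, instead of a fixed set of names from a blog post.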

Accounts and passwords in Linux are kept in four files: /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, so their attributes can be tightened to make tampering harder:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

To undo this, run the same four commands with -i instead of +i.

Note: the i (immutable) attribute means the file cannot be modified, deleted or renamed, no hard link can be created to it, and no data can be written or appended to it; only root can set or clear it. Check it with `lsattr /etc/passwd`. While it is set, `passwd`, `useradd`, `usermod`, `groupadd` and any package upgrade that creates a service account fail with "Operation not permitted", so clear it before such changes and set it again afterwards. It is a speed bump rather than a wall: an attacker who already has root can run `chattr -i` just as you do.

Create a new user

Create a user: adduser username (on CentOS/RHEL `adduser` is a symlink to `useradd`; on Debian/Ubuntu it is an interactive wrapper that also creates the home directory and asks for the password)

Set the user's password: passwd username

A normal user has full rights only inside its own home directory; any other directory needs permissions granted by its owner or by root, which is what sudo is for. One thing to remember: a file created through `sudo` is owned by root, so afterwards your own account may not be able to read or write it. Fix that with `sudo chown username file`, or create the file without sudo in the first place.

/etc/sudoers is read-only (mode 0440). The method used here is to add write permission temporarily, edit, and then take it back: `chmod -v u+w /etc/sudoers`, add the new user on its own line, `:wq` to save and exit, then remove the write bit again with `chmod -v u-w /etc/sudoers` (the original text has `chmod -v uw`, which is a typo). The safer way is `visudo`, which opens sudoers with the right permissions and refuses to save a file containing a syntax error; a typo in a hand-edited sudoers disables sudo for everyone, including you.

Grant root permissions

  • Method 1: Edit /etc/sudoers (with visudo), find the following line, and remove the comment (#) in front of it

## Allows people in group wheel to run all commands
# remove the leading # from the next line
%wheel ALL=(ALL) ALL
# then add the user to the wheel group:
# usermod -aG wheel uusama

(The original text had `usermod -g root uusama`, which changes the user's primary group to root; that neither puts the user in wheel nor grants sudo.) On many distributions the %wheel line is already uncommented, and on Debian/Ubuntu the equivalent group is `sudo`. After the change, log out and back in as uusama (group membership is read at login) and use `sudo -i` or `sudo -s` for a root shell; `su -` still works too, but it asks for the root password rather than your own.

  • Method 2 (recommended): Modify the /etc/sudoers file, find the following line, and add a line under root, as shown below:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALL

After the change, log in as uusama and run `sudo -s` (or `sudo -i`, which also loads root's environment) to get a root shell. This is Method 1 without the group step; on a system with more than one admin, the tidier place for such a line is its own file under /etc/sudoers.d/, which the stock sudoers picks up through its `#includedir /etc/sudoers.d` line.

  • Method 3: Edit /etc/passwd, find the user's line, and change the user ID to 0, as shown below:

uusama:x:500:500:tommy:/home/uusama:/bin/bash
# after the change
uusama:x:0:500:tommy:/home/uusama:/bin/bash

Save, and after logging in as uusama you directly have the permissions of the root account. This is the one method not to use: it creates a second root account, so logs and file ownership no longer tell root and uusama apart, and because sshd applies PermitRootLogin to every account with UID 0, the `PermitRootLogin no` set earlier also locks uusama out over SSH. A second UID 0 entry in /etc/passwd is also exactly what security scanners and incident responders treat as a planted backdoor; on a healthy system only root has UID 0.
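Of the three methods, the one worth automating is Method 2 done safely: a one-line drop-in under /etc/sudoers.d, mode 0440, syntax-checked by visudo before it goes live. The script below is an added example (not from the original post); the user name `uusama` and the temporary directory standing in for /etc/sudoers.d are assumptions, and `admin_group` (the group-based form of Method 1) is included for the `usermod -aG` alternative.

```bash
#!/bin/bash
# Added example, not code from the original post: grant sudo through a
# validated drop-in file instead of chmod'ing and hand-editing /etc/sudoers.
# On a real host: write_sudoers_dropin uusama /etc/sudoers.d  (as root)
set -eu

# admin_group: the group that the stock sudoers already trusts
# ("wheel" on RHEL/CentOS/Fedora, "sudo" on Debian/Ubuntu). Method 1 in
# script form is then just: usermod -aG "$(admin_group)" uusama
admin_group() {
    local g
    for g in wheel sudo; do
        if grep -q "^$g:" /etc/group 2>/dev/null; then echo "$g"; return 0; fi
    done
    return 1
}

# sudoers_rule USER [NOPASSWD]: same shape as the post's "root ALL=(ALL) ALL".
sudoers_rule() {
    if [ "${2:-}" = "NOPASSWD" ]; then
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# write_sudoers_dropin USER DIR [NOPASSWD]: prints the path written.
# sudo ignores files in sudoers.d whose name contains "." or "~", so the user
# name is restricted to characters that keep the file active, and the temp
# file (its name starts with ".") is never honoured by sudo even if this
# script dies half way through.
write_sudoers_dropin() {
    local user=$1 dir=$2 mode=${3:-} tmp
    case "$user" in
        ""|*[!A-Za-z0-9_-]*) echo "refusing user name '$user'" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$dir/.$user.XXXXXX")
    sudoers_rule "$user" "$mode" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c -f checks only that file. Its owner/mode checks only pass when
    # the file is root-owned, so the check runs when we are root and visudo exists.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1 \
       && ! visudo -c -f "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "sudoers syntax check failed, nothing installed" >&2
        return 1
    fi
    mv "$tmp" "$dir/$user"    # rename is atomic: sudo never sees a partial file
    echo "$dir/$user"
}

# Demo against a temporary directory standing in for /etc/sudoers.d.
demo=$(mktemp -d)
f=$(write_sudoers_dropin uusama "$demo")
echo "installed $f:"; cat "$f"
write_sudoers_dropin 'bad.name' "$demo" || echo "(rejected, as intended)"
rm -rf "$demo"
```

Because the rule lives in its own file, removing the user's sudo rights later is `rm /etc/sudoers.d/uusama` rather than another edit of the main sudoers file, and `visudo -c` at any time confirms the whole configuration still parses.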

 

 


Origin blog.csdn.net/weixin_41692221/article/details/131415222