Security settings for Linux servers

Modify the SSH login configuration
Open the SSH configuration file:

vim /etc/ssh/sshd_config

#Modify the following items
Port 18211
#Change the SSH port. It is best to change it to something above 10000, which also lowers the chance of the port being found by scanners. The firewall must allow the configured port number. On an Alibaba Cloud server you also need to open the corresponding port in the Alibaba Cloud console (security group), otherwise you will not be able to log in! If this is too much trouble, you can leave the port unchanged.
 
Protocol 2
#Disable the version 1 protocol. Because of its design flaws, passwords are easily compromised.
 
PermitRootLogin no
#Do not allow root to log in under any circumstances. Once this takes effect we can no longer log in directly as root: we log in with a normal account and then use su to switch to the root account. Note that su and su - differ slightly; the key difference is the environment variables, and su - loads the more complete environment.
 
PermitEmptyPasswords no
#Disable empty password login.
Finally, you need to restart the sshd service:

service sshd restart
To stop the system from responding to any ping request, external or internal:

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Its default value is 0.

User Management
The following are basic user management commands

View the user list: cat /etc/passwd
View the group list: cat /etc/group
View the current logged-in user: who
View user login history: last
Generally, the system's unnecessary default users and groups should be deleted so that they cannot be used by others for brute-force login attempts:

userdel sync
userdel shutdown
# The full list of redundant users to delete: sync shutdown halt uucp operator games gopher
groupdel adm
groupdel games
# The full list of redundant groups to delete: adm lp games dip
Accounts and passwords in Linux are based on four files, /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, so lock them with the immutable attribute to improve security:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
To undo this, change +i to -i and run the four commands above again.

Note: the i (immutable) attribute means the file cannot be modified, deleted or renamed, no link can be created to it, and no data can be written to it. Only root can set this attribute.

Create a new user
Create a new user command: adduser username

Change a user's password: passwd username

A normal user only has full permissions in their own home directory; for other directories, permission must be granted by someone else, and root's permissions are often required. In that case sudo lets the user act as root. I remember once creating a file with sudo and then finding that I did not have read and write permissions on it, because it had been created by root.

/etc/sudoers is read-only. To modify it you first need to add write permission: chmod -v u+w /etc/sudoers. Then you can add content: add the new user on the line after root's entry, save and exit with :wq, and remember to take the write permission back afterwards: chmod -v u-w /etc/sudoers

Grant root permissions
Method 1: Modify the /etc/sudoers file, find the following line, and remove the comment (#) in front of it:
## Allows people in group wheel to run all commands
# Remove the comment in front of the following line
%wheel ALL=(ALL) ALL
# Then add the user to the wheel group so that the rule applies to it. The command is:
# usermod -aG wheel uusama
Once this is done you can log in with the uusama account and use the command su - to obtain root permissions.

Method 2 (recommended): Modify the /etc/sudoers file, find the following line, and add a line under root, as shown below:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALL
After the modification you can log in with the uusama account and use the command sudo -s to obtain root permissions.

Method 3: Modify the /etc/passwd file, find the following line, and change the user ID to 0, as shown below:
uusama:x:500:500:tommy:/home/uusama:/bin/bash
# After modification the line for uusama reads as follows; then save the file:
uusama:x:0:500:tommy:/home/uusama:/bin/bash
After logging in with the uusama account you directly get the permissions of the root account.
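As an added example (not from the original post), a POSIX shell audit helper that re-checks the settings above: the four sshd_config values, the default accounts the page says to delete, and accounts other than root with UID 0, which Method 3 creates and which "PermitRootLogin no" does not stop because sshd only matches the login name "root". Functions take file paths as arguments; the sample files at the bottom are constructed, not taken from any real server.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Pass copies of sshd_config
# and passwd (or /etc/ssh/sshd_config and /etc/passwd on a live host).

# Effective value of an sshd_config keyword: sshd uses the first uncommented
# occurrence, so that is what we report (Match blocks are not handled).
sshd_value() {  # $1=config file  $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# One line per deviation from the page's four sshd settings (prints nothing
# when the file is compliant).
audit_sshd() {  # $1=config file
    port=$(sshd_value "$1" Port)
    if [ -z "$port" ] || [ "$port" -le 10000 ]; then
        echo "Port is ${port:-22 (default)}; page recommends a port above 10000"
    fi
    [ "$(sshd_value "$1" Protocol)" = "2" ] || echo "Protocol is not 2"
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || echo "PermitRootLogin is not no"
    [ "$(sshd_value "$1" PermitEmptyPasswords)" = "no" ] || echo "PermitEmptyPasswords is not no"
}

# Accounts other than root with UID 0 (what Method 3 on this page creates).
# Such an account is root to the kernel but is not covered by
# "PermitRootLogin no", which only matches the login name "root".
uid0_accounts() {  # $1=passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Default accounts from the page's deletion list that are still present.
leftover_accounts() {  # $1=passwd-format file
    awk -F: 'BEGIN { n = split("sync shutdown halt uucp operator games gopher", l, " ")
                     for (i = 1; i <= n; i++) drop[l[i]] = 1 }
             $1 in drop { print $1 }' "$1"
}

# Constructed sample files (not copied from any real server) so the script
# runs offline; one compliant sshd_config, one non-compliant, one passwd.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 18211' 'Protocol 2' 'PermitRootLogin no' \
    'PermitEmptyPasswords no' > "$tmp/sshd_config.good"
printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$tmp/sshd_config.bad"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'sync:x:5:0:sync:/sbin:/bin/sync' \
    'uusama:x:0:500:tommy:/home/uusama:/bin/bash' > "$tmp/passwd"

audit_sshd "$tmp/sshd_config.bad"     # prints four findings
uid0_accounts "$tmp/passwd"           # prints: uusama
leftover_accounts "$tmp/passwd"       # prints: sync
```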

Source: blog.csdn.net/qq_42179736/article/details/131440844