AdvertCN - 广告中国

 找回密码
 立即注册

QQ登录

只需一步,快速开始

Binom
 谷歌+Bing+TT+MSN官方代理 
⚡️按条S5代理⚡️静态⚡️独享⚡️5G⚡️最干净<Wifi住宅+5G移动>IP代理指纹浏览器,就用AdsPower
Mediabuy⚡️玩家开户首选【鲁班跨境通-自助充值转账】FB/GG/TT❤️官方免费开户Affiliate 全媒体流量资源⚡️
Taboola/Outbrain /Bing⚡️一级代理开户投流-7*24h❤️人工在线【官方】❤️搜索套利广告开户独立站⚡️开户投放
DuoPlus专注打造跨境电商云手机E.PN 虚拟卡BINOM TRACKER 60% OFF!比Adplexity还好用的Spy工具
MediaGo+Taboola+Ob开户百度国际MediaGo⚡️让产品狂奔全球百度国际,高点击转化,快速放量百度国际MediaGo,独家原生流量
ADPLEXITY + ADVERTCN7200W全球动态不重复住宅IP代理虚拟信用卡+独立站收款全球虚拟卡, 支持U充值
Facebook 批量上广告尤里改 - FB 稳定投放免费黑五教程(持续更新、欢迎交流)FB 三不限源头 - 自助下户充值转款
各种主页、账单户、BM户(优势)⚡️个人户,bm户不限额,账单户一手BM分享户不限额9Proxy ⚡️ $0.04/IP, 无限带宽
FB二三解0.1元一个虚拟卡|PTM星际卡FB专用虚拟卡Google、Bing官方总代  联盟流量开户
FB账号资源/稳定靠谱/运行5年啦FB开户代投/三不限/白名单fb耐用号0.01一个fb账号官方合作商
广告位出租   
查看: 7798|回复: 11

关于linux服务器安全, linode给了一个简单的答案

[复制链接]

6

主题

800

广告币

779

积分

中级会员

Rank: 3Rank: 3

积分
779

社区QQ达人

发表于 2013-5-12 16:45:49 | 显示全部楼层 |阅读模式
Securing Your ServerPublished: Friday, February 17th, 2012 by Matthew Cone

In the Getting Started guide, you learned how to deploy Linux, boot your Linode, and perform some basic system administration tasks. Now it's time to secure your Linode and protect it from unauthorized access. You'll learn how to implement a firewall, SSH key pair authentication, and an automatic blocking mechanism called Fail2Ban. By the time you reach the end of this guide, your Linode will be protected from attackers.

Contents
  • Adding a New User
  • Using SSH Key Pair Authentication
  • Disabling SSH Password Authentication and Root Login
  • Creating a Firewall
  • Installing and Configuring Fail2Ban
  • Next Steps

Adding a New User
In the Getting Started guide, we asked you to log in to your Linode as the root user, the most powerful user of all. The problem with logging in as root is that you can execute anycommand - even a command that could accidentally break your server. For this reason and others, we recommend creating another user account and using that at all times. After you log in with the new account, you'll still be able to execute superuser commands with the sudo command.
Here's how to add a new user:
  • Open a terminal window and log in to your Linode via SSH.
  • Create the user by entering the following command. Replace example_user with your desired username:
    adduser example_user
  • Add the user to the administer the system (admin) group by entering the following command. Replace example_user with your username:
    usermod -a -G sudo example_user
  • Log out of your Linode as the root user by entering the following command:
    logout
  • Log in to your Linode as the new user by entering the following command. Replace example_user with your username, and the example IP address with your Linode's IP address:
    ssh [email protected]
Now you can administer your Linode with the new user account instead of root. When you need to execute superuser commands in the future, preface them with sudo. For example, later in this guide you'll execute sudo iptables -L while logged in with your new account. Nearly all superuser commands can be executed with sudo, and all commands executed with sudo will be logged to /var/log/auth.log.

Using SSH Key Pair Authentication
You've used password authentication to connect to your Linode via SSH, but there's more a secure method available: key pair authentication. In this section, you'll generate a public and private key pair using your desktop computer and then upload the public key to your Linode. SSH connections will be authenticated by matching the public key with the private key stored on your desktop computer - you won't need to type your account password. When combined with the steps outlined later in this guide that disable password authentication entirely, key pair authentication can protect against brute-force password cracking attacks.
Here's how to use SSH key pair autentication to connect to your Linode:
  • Generate the SSH keys on a desktop computer running Linux or Mac OS X by entering the following command in a terminal window on your desktop computer. PuTTY users can generate the SSH keys by following the instructions in our PuTTY guide.
    ssh-keygen
  • The SSH keygen utility appears. Follow the on-screen instructions to create the SSH keys on your desktop computer. To use key pair authentication without a passphrase, press Enter when prompted for a passphrase.

Note
Two files will be created in your ~/.ssh directory: id_rsa and id_rsa.pub. The public key is id_rsa.pub - this file will be uploaded to your Linode. The other file is your private key. Do not share this file with anyone!

  • Upload the public key to your Linode with the secure copy command (scp) by entering the following command in a terminal window on your desktop computer. Replaceexample_user with your username, and 123.456.78.90 with your Linode's IP address. If you have a Windows desktop, you can use a third-party client like WinSCP to upload the file to your home directory.
    scp ~/.ssh/id_rsa.pub [email protected]:
  • Create a directory for the public key in your home directory (/home/yourusername) by entering the following command on your Linode:
    mkdir .ssh
  • Move the public key in to the directory you just created by entering the following command on your Linode:
    mv id_rsa.pub .ssh/authorized_keys
  • Modify the permissions on the public key by entering the following commands, one by one, on your Linode. Replace example_user with your username.
    chown -R example_user:example_user .sshchmod 700 .sshchmod 600 .ssh/authorized_keys
The SSH keys have been generated, and the public key has been installed on your Linode. You're ready to use SSH key pair authentication! To try it, log out of your terminal session and then log back in. The new session will be authenticated with the SSH keys and you won't have to enter your account password. (You'll still need to enter the passphrase for the key, if you specified one.)

Disabling SSH Password Authentication and Root Login
You just strengthened the security of your Linode by adding a new user and generating SSH keys. Now it's time to make some changes to the default SSH configuration. First, you'll disable password authentication to require all users connecting via SSH to use key authentication. Next, you'll disable root login to prevent the root user from logging in via SSH. These steps are optional, but are strongly recommended.
Note
You may want to leave password authentication enabled if you connect to your Linode from many different desktop computers. That will allow you to authenticate with a password instead of copying the private key to every computer.

Here's how to disable SSH password authentication and root login:
  • Open the SSH configuration file for editing by entering the following command:
    sudo nano /etc/ssh/sshd_config
Note
If you see a message similar to -bash: sudo: command not found, you'll need to install sudo on your Linode. To do so, log in as root by entering the su command, and type theroot password when prompted. Next, install sudo by entering the following command: apt-get install sudo. After sudo has been installed, log out as the root user by entering the exit command.

  • Change the PasswordAuthentication setting to no as shown below. Verify that the line is uncommented by removing the # in front of the line, if there is one.:
    PasswordAuthentication no
  • Change the PermitRootLogin setting to no as shown below:
    PermitRootLogin no
  • Save the changes to the SSH configuration file by pressing Control-X, and then Y.
  • Restart the SSH service to load the new configuration. Enter the following command:
    sudo service ssh restart
After the SSH service restarts, the SSH configuration changes will be applied.

Creating a Firewall
Now it's time to set up a firewall to limit and block unwanted inbound traffic to your Linode. This step is optional, but we strongly recommend that you use the example below to block traffic to ports that are not commonly used. It's a good way to deter would-be intruders! You can always modify the rules or disable the firewall later.
Here's how to create a firewall on your Linode:
  • Check your Linode's default firewall rules by entering the following command:
    sudo iptables -L
  • Examine the output. If you haven't implemented any firewall rules yet, you should see an empty ruleset, as shown below:
    Chain INPUT (policy ACCEPT)target     prot opt source               destinationChain FORWARD (policy ACCEPT)target     prot opt source               destinationChain OUTPUT (policy ACCEPT)target     prot opt source               destination
  • Create a file to hold your firewall rules by entering the following command:
    sudo nano /etc/iptables.firewall.rules
  • Now it's time to create some firewall rules. We've created some basic rules to get you started. Copy and paste the rules shown below in to the iptables.firewall.rules file you just created.

File:/etc/iptables.firewall.rules
*filter#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0-A INPUT -i lo -j ACCEPT-A INPUT -d 127.0.0.0/8 -j REJECT#  Accept all established inbound connections-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT#  Allow all outbound traffic - you can modify this to only allow certain traffic-A OUTPUT -j ACCEPT#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).-A INPUT -p tcp --dport 80 -j ACCEPT-A INPUT -p tcp --dport 443 -j ACCEPT#  Allow SSH connections##  The -dport number should be the same port number you set in sshd_config#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT#  Allow ping-A INPUT -p icmp -j ACCEPT#  Log iptables denied calls-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7#  Drop all other inbound - default deny unless explicitly allowed policy-A INPUT -j DROP-A FORWARD -j DROPCOMMIT
  • Edit the rules as necessary. By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.
Note
Be sure to revise these rules if you add new services later.

  • Save the changes to the firewall rules file by pressing Control-X, and then Y.
  • Activate the firewall rules by entering the following command:
    sudo iptables-restore < /etc/iptables.firewall.rules
  • Recheck your Linode's firewall rules by entering the following command:
    sudo iptables -L
  • Examine the output. The new ruleset should look like the one shown below:
    Chain INPUT (policy ACCEPT)target     prot opt source               destinationACCEPT     all  --  anywhere             anywhereREJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachableACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHEDACCEPT     tcp  --  anywhere             anywhere             tcp dpt:httpACCEPT     tcp  --  anywhere             anywhere             tcp dpt:httpsACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:sshACCEPT     icmp --  anywhere             anywhereLOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "DROP       all  --  anywhere             anywhereChain FORWARD (policy ACCEPT)target     prot opt source               destinationDROP       all  --  anywhere             anywhereChain OUTPUT (policy ACCEPT)target     prot opt source               destinationACCEPT     all  --  anywhere             anywhere
  • Now you need to ensure that the firewall rules are activated every time you restart your Linode. Start by creating a new script with the following command:
    sudo nano /etc/network/if-pre-up.d/firewall
    CentOS users: If you are using CentOS 6.2 or higher, save your current iptables rules with the following command:
    /sbin/service iptables save
  • Copy and paste the following lines in to the file you just created:

File:/etc/network/if-pre-up.d/firewall
#!/bin/sh/sbin/iptables-restore < /etc/iptables.firewall.rules
  • Press Control-X and then press Y to save the script.
  • Set the script's permissions by entering the following command:
sudo chmod +x /etc/network/if-pre-up.d/firewall
That's it! Your firewall rules are in place and protecting your Linode. Remember, you'll need to edit the firewall rules later if you install other software or services.

Installing and Configuring Fail2Ban
Fail2Ban is an application that prevents dictionary attacks on your server. When Fail2Ban detects multiple failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from the attacker's IP address. Attempted logins can be monitored on a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only.
Here's how to install and configure Fail2Ban:
  • Install Fail2Ban by entering the following command:
    sudo apt-get install fail2ban
  • Optionally, you can override the default Fail2Ban configuration by creating a new jail.local file. Enter the following command to create the file:
    sudo nano /etc/fail2ban/jail.local
Note
To learn more about Fail2Ban configuration options, see this article on the Fail2Ban website.

  • Set the bantime variable to specify how long (in seconds) bans should last.
  • Set the maxretry variable to specify the default number of tries a connection may be attempted before an attacker's IP address is banned.
  • Press Control-x and then press y to save the changes to the Fail2Ban configuration file.
Fail2Ban is now installed and running on your Linode. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log.

当然各位可以用搜索去原网站去看.

评分

参与人数 2广告币 +3 收起 理由
河小马 + 2 赞一个!
妖妖 + 1

查看全部评分

相关帖子
给分是最好的支持
回复

使用道具 举报

70

主题

1647

广告币

2803

积分

版主

Rank: 7Rank: 7Rank: 7

积分
2803

社区QQ达人

发表于 2013-5-12 17:35:49 | 显示全部楼层
回复 支持 反对

使用道具 举报

6

主题

800

广告币

779

积分

中级会员

Rank: 3Rank: 3

积分
779

社区QQ达人

 楼主| 发表于 2013-5-12 19:33:52 | 显示全部楼层
yincthh 发表于 2013-5-12 17:35
你如果翻译下。肯定+10广告币

如果自己安装过linux, 这些已经够了.或者用google 译一下看看就行了.基本的就几个点.
给分是最好的支持
回复 支持 反对

使用道具 举报

1618

主题

2万

广告币

2万

积分

管理员

宇宙无敌河马天神

Rank: 9Rank: 9Rank: 9

积分
29619

社区QQ达人

发表于 2013-5-12 22:04:57 | 显示全部楼层
firewall 是个大问题
学会提问的艺术, 从小处入手, 忌大而空
AdvertCN电报群

我最喜欢用的工具
7200W全球动态不重复住宅IP代理
回复 支持 反对

使用道具 举报

0

主题

21

广告币

59

积分

初级会员

Rank: 2

积分
59

社区QQ达人

发表于 2013-5-12 23:18:34 | 显示全部楼层
用密钥对登录,禁止密码登录

真心觉得还是root好,sudo太烦
从今天起关心粮食和蔬菜,面朝大海春暖花开
回复 支持 反对

使用道具 举报

0

主题

20

广告币

75

积分

初级会员

Rank: 2

积分
75

社区QQ达人

QQ
发表于 2013-5-13 09:57:53 | 显示全部楼层
前几天不是爆出linode自己的服务器都被攻破了N多客户的信用卡信息都被泄露了!
回复 支持 反对

使用道具 举报

6

主题

800

广告币

779

积分

中级会员

Rank: 3Rank: 3

积分
779

社区QQ达人

 楼主| 发表于 2013-5-13 12:15:40 | 显示全部楼层
wl052613 发表于 2013-5-13 09:57
前几天不是爆出linode自己的服务器都被攻破了N多客户的信用卡信息都被泄露了! ...

是的.之后就没有结果了. 这个只是说自己的vps的基本的防护.又不是什么大牛, 这些基本的设置足以防住大部分的黑客了.
给分是最好的支持
回复 支持 反对

使用道具 举报

13

主题

191

广告币

283

积分

初级会员

Rank: 2

积分
283
发表于 2013-5-13 22:55:36 | 显示全部楼层
linode躺着中枪了,别人是想打他的客户
https://github.com/jingchunzhang
回复 支持 反对

使用道具 举报

1

主题

2

广告币

29

积分

初级会员

Rank: 2

积分
29

社区QQ达人

发表于 2013-5-14 10:51:24 | 显示全部楼层
看着感觉还是很厉害的。
回复 支持 反对

使用道具 举报

79

主题

3913

广告币

5668

积分

版主

Rank: 7Rank: 7Rank: 7

积分
5668

社区QQ达人

发表于 2013-5-14 16:13:37 | 显示全部楼层
是中文就好
回复 支持 反对

使用道具 举报

13

主题

1576

广告币

4044

积分

金牌会员

Rank: 6Rank: 6

积分
4044

社区QQ达人

发表于 2013-5-19 10:42:15 | 显示全部楼层
补充下:
更改ssh端口,限制仅特定用户可ssh登录
使用iptables renct模块限制单IP时间内连接ssh端口次数
直接使用iptables封ssh端口,使用knockd解锁,这招无敌了,什么爆破都是浮云。
回复 支持 反对

使用道具 举报

110

主题

520

广告币

1180

积分

中级会员

Rank: 3Rank: 3

积分
1180

社区QQ达人

发表于 2013-5-19 23:41:44 | 显示全部楼层
都太麻烦了 LINUX基本安全都是可以的
最多弄个自动屏蔽SSH暴力破解的脚本即可
真要是能玩LINUX 0DAY的 那都是大神级的人 一般也看不上小服务器
一般入侵都是脚本入侵 做好网站的权限设置 最重要
回复 支持 反对

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

关于我们|联系我们|DMCA|广告服务|小黑屋|手机版|Archiver|Github|网站地图|AdvertCN

GMT+8, 2024-11-21 23:56 , Processed in 0.057828 second(s), 15 queries , Gzip On, MemCache On.

Copyright © 2001-2023, AdvertCN

Proudly Operating in Hong Kong.

快速回复 返回顶部 返回列表