Note: the cloud server in this tutorial is an Alibaba Cloud ECS instance running CentOS 7 (or later).
Cloud servers from other providers are configured in much the same way.
Recommendation: do not install graphical tools on a Linux server. They consume memory, bandwidth and CPU and add packages you then have to keep patched; the disadvantages far outweigh the benefits.
Manually update the system:
yum -y update
Firewall configuration:
systemctl start firewalld //start the firewall now
systemctl enable firewalld //start it on every boot
selinux configuration:
vim /etc/selinux/config
modify:
SELINUX=enforcing //enforcing mode; the other values are permissive (log only) and disabled. If it was disabled before, also create the empty file /.autorelabel so the filesystem is relabelled during the reboot
reboot //a change to /etc/selinux/config only takes effect on reboot (getenforce shows the current mode)
ssh configuration (against brute-force attacks):
useradd normal //Create an unprivileged user; remote logins will be allowed only through it. Give it a password (passwd normal) or, better, an SSH key before going any further, otherwise nobody will be able to log in once the settings below are active
vim /etc/ssh/sshd_config
modify (sshd honours the first occurrence of each keyword and ignores later duplicates, so edit the existing line instead of appending a second copy at the end of the file):
Port 2000 //Choose an unused port above 1024. Moving the port cuts log noise from bots; it is not a substitute for the settings below
Protocol 2 //Add if absent. OpenSSH on CentOS 7 only speaks protocol 2 anyway, so this is harmless belt and braces
PermitEmptyPasswords no //Reject accounts that have an empty password
X11Forwarding no //Disable X11 forwarding (this is not general TCP port forwarding; that is controlled by AllowTcpForwarding)
PermitRootLogin no //Root may not log in directly; become root with su from the normal user
MaxAuthTries 3 //At most three authentication attempts per connection
LoginGraceTime 20 //Drop the connection if authentication has not completed within 20 seconds
AllowUsers normal //Add this line: only this user may log in over SSH; everyone else is rejected even with a correct password. If you use an SSH key for normal, also set PasswordAuthentication no, which ends password brute-forcing entirely
Save and exit, but do not restart sshd yet, and keep your current session open. With SELinux in enforcing mode sshd cannot bind port 2000 until the port has been labelled with semanage (next steps), so a restart at this point fails, and if port 22 has already been closed you are locked out. Open the port in firewalld, SELinux and the security group first; the restart comes after the SELinux step below.
Open the new ssh port in firewalld (the predefined ssh service that allows port 22 stays enabled; once you have confirmed that port 2000 works, remove it with firewall-cmd --permanent --remove-service=ssh and reload):
firewall-cmd --zone=public --permanent --add-port=2000/tcp
firewall-cmd --reload
Allow sshd to bind the new port under SELinux
yum -y install policycoreutils-python //provides the semanage tool
semanage port -a -t ssh_port_t -p tcp 2000 //label port 2000 as an SSH port (use -m instead of -a if the port is already labelled for another type)
semanage port -l | grep ssh //verify: ssh_port_t should now list 2000 next to 22
systemctl restart sshd //run sshd -t first to syntax-check the file, then restart; connect on port 2000 in a second window before closing the current session
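The sshd settings above are only effective if sshd actually reads them: sshd takes the first occurrence of each keyword, and everything after a Match header applies only to connections that match it. The checker below, an added example that is not part of the original tutorial, reproduces that reading order for the keywords in this section and reports which of them are weaker than, or missing from, the hardening above. The sample sshd_config it audits is constructed for the example and is deliberately half-hardened.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config the way
# sshd itself reads it. sshd takes the FIRST occurrence of each keyword and
# ignores later duplicates, and every line after a "Match" header applies
# only to matching connections, so a hardening line appended to the end of
# the file can silently have no effect. The sample file is constructed.

SSHD_SAMPLE=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE"' EXIT
cat >"$SSHD_SAMPLE" <<'EOF'
# constructed sample sshd_config
Port 22
#Port 2000
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
LoginGraceTime 20
PermitEmptyPasswords no
Match User backup
    PermitRootLogin no
# the two lines below sit inside the Match block, so they are NOT global
PermitRootLogin no
AllowUsers normal
EOF

sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive).
    # Prints the globally effective value: the first uncommented match in the
    # global section (before any Match). Prints nothing if unset there.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                    # end of the global section
        k == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

audit_sshd() {
    # $1 = config file. Prints one line per setting that is weaker than, or
    # missing from, the hardening in this post (the list is the post's own
    # values; adjust to your policy). Always returns 0.
    while read -r key want; do
        have=$(sshd_effective "$1" "$key")
        case "$have" in
            "$want") ;;
            "")      printf 'MISSING %-20s want %s (sshd default applies)\n' "$key" "$want" ;;
            *)       printf 'WEAK    %-20s have %s, want %s\n' "$key" "$have" "$want" ;;
        esac
    done <<'EOF'
Port 2000
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
AllowUsers normal
EOF
}

audit_count() {
    # $1 = config file. Prints the number of findings (0 means fully hardened).
    audit_sshd "$1" | awk 'END { print NR }'
}

audit_sshd "$SSHD_SAMPLE"
echo "findings: $(audit_count "$SSHD_SAMPLE")"
```

On the sample, PermitRootLogin resolves to yes (the first occurrence wins) and AllowUsers is reported missing because its only line sits inside the Match block. On a live host, sshd -T prints the fully resolved effective configuration, defaults included, and is the authoritative check; sshd -t syntax-checks the file before a restart.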
Prevent hostname spoofing (a resolver-level check)
vim /etc/host.conf
Add at the end:
nospoof on //after a forward lookup the resolver reverse-resolves the returned address and fails the query if the names do not match. This only protects name-based trust decisions (hosts.allow and the like); it does nothing against spoofed packets, for which the kernel's rp_filter sysctl is the relevant control
Ignore ping (ICMP echo requests) in the kernel
vim /etc/sysctl.conf
Modify the line if present, otherwise add it. The value must be 1: 0 is the kernel default and keeps answering pings
net.ipv4.icmp_echo_ignore_all=1
Apply the configuration without a reboot
sysctl -p
Or block ping in the firewall. The rich rule below drops every ICMP type, which also discards "destination unreachable / fragmentation needed" and "time exceeded" and so can break path-MTU discovery for the server's own connections; blocking only the echo-request type (firewall-cmd --permanent --add-icmp-block=echo-request) is the safer choice
firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop'
firewall-cmd --reload
Note: you can also delete the rule that allows the ICMP protocol in the instance's security group in the Alibaba Cloud console; the same caveat about dropping all ICMP applies there
Update the system roughly every ten days, remove unused packages and clear the yum cache
crontab -e
Adjust the schedule as needed. Cron has five time fields (minute hour day-of-month month weekday); a step value in the day-of-month field fires on the 1st, 11th, 21st and 31st, so this is "every tenth day of the month", not a true ten-day interval
0 0 */10 * * yum -y update
0 0 */11 * * yum -y autoremove
0 0 */12 * * yum clean all
Note: an unattended yum update can install a new kernel or restart services (updating openssh-server restarts sshd); review yum history afterwards and reboot when a kernel update has landed
Firewall rules against port scanning (on CentOS 7 this is ineffective: the ports are still scanned; I do not know whether it works on versions below CentOS 7). The reason it does not stop a scan: these rules only match packets with abnormal flag combinations (Xmas, SYN+RST, SYN+FIN), while an ordinary SYN scan looks like a normal connection attempt and still sees every open port. In addition, rules added with bare iptables on a firewalld host are not persistent and disappear at the next firewall-cmd --reload, and iptables -F wipes firewalld's runtime rules, including the SSH port opened above, until that reload. A rule of the form --tcp-flags SYN,SYN --dport 80 -j DROP is sometimes suggested alongside these; it matches every new connection to port 80 and blocks the web server rather than the scanner, so it is not included here
iptables -F //clears every rule in the filter table, including those firewalld installed; avoid on a firewalld host
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP //Xmas scan (target names are case-sensitive: DROP, not Drop)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP //SYN and RST together never occur in legitimate traffic
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP //SYN and FIN together never occur in legitimate traffic
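The ping and scan-flag rules of the last two sections can be expressed through firewalld so that they survive a reload, and the sysctl value can be checked rather than assumed. The script below is an added example, not part of the original tutorial: it emits the firewall-cmd plan in dry-run mode (the default) so it can be reviewed before it touches a live host, uses an echo-request-only ICMP block instead of dropping the whole protocol, installs the flag matches as firewalld direct rules, and reads a sysctl.conf-style file the way sysctl -p does (last assignment wins). The sysctl.conf sample is constructed; DRY_RUN=0 on the CentOS 7 host as root applies the plan for real.

```shell
#!/bin/sh
# Added example (not from the original post): the ping and scan-flag rules
# done through firewalld so they persist across `firewall-cmd --reload`,
# plus a check of the sysctl value. DRY_RUN=1 (the default here) prints the
# commands instead of running them; set DRY_RUN=0 as root on the host to
# apply. The sysctl.conf sample below is constructed for this example.

DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

plan_icmp() {
    # Block echo-request only. A rule that drops the whole ICMP protocol
    # also drops "fragmentation needed" and "time exceeded", which breaks
    # path-MTU discovery for the server's own connections.
    run firewall-cmd --permanent --add-icmp-block=echo-request
}

plan_scan_flags() {
    # The same illegal flag combinations as the iptables lines (Xmas,
    # SYN+RST, SYN+FIN), as firewalld direct rules in the INPUT chain of the
    # filter table at priority 0. A SYN-only match on port 80 is deliberately
    # not included: it would drop every new connection to the web server.
    for flags in "ALL FIN,URG,PSH" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        set -- $flags   # word-split into mask ($1) and compared flags ($2)
        run firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
            -p tcp --tcp-flags "$1" "$2" -j DROP
    done
}

plan_reload() {
    run firewall-cmd --reload
}

sysctl_conf_value() {
    # $1 = sysctl.conf-style file, $2 = key. Prints the value `sysctl -p`
    # ends up with: the LAST uncommented assignment wins (the opposite of
    # sshd_config, where the first does). Prints nothing if the key is unset.
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { last = v; seen = 1 }
        END { if (seen) print last }
    ' "$1"
}

check_icmp_ignore() {
    # $1 = sysctl.conf-style file. Prints OK when pings are ignored in the
    # kernel, otherwise WEAK with the reason.
    v=$(sysctl_conf_value "$1" net.ipv4.icmp_echo_ignore_all)
    case "$v" in
        1)  echo "OK   net.ipv4.icmp_echo_ignore_all=1" ;;
        "") echo "WEAK net.ipv4.icmp_echo_ignore_all is not set (kernel default 0: pings are answered)" ;;
        *)  echo "WEAK net.ipv4.icmp_echo_ignore_all=$v (must be 1 to ignore pings)" ;;
    esac
}

SYSCTL_SAMPLE=$(mktemp)
trap 'rm -f "$SYSCTL_SAMPLE"' EXIT
cat >"$SYSCTL_SAMPLE" <<'EOF'
# constructed sample: the later line silently overrides the earlier one
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
EOF

check_icmp_ignore "$SYSCTL_SAMPLE"
plan_icmp
plan_scan_flags
plan_reload
```

Direct rules are evaluated before firewalld's zone rules, so the flag matches run ahead of any allow rule; the dry-run output prints arguments without shell quoting, so it is a plan to read, not a script to paste.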
Uninstall the Alibaba Cloud Cloud Shield agent (Aegis, the Server Guard agent): memory on a small instance is tight and the agent does more harm than good, so remove it. The scripts are fetched over plain HTTP and run as root, so read them before executing them
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
pkill aliyun-service
rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
Note: after the uninstall is complete you can delete the two script files above. If you cannot wget the files, contact the webmaster to ask for them!
Block the Cloud Shield scanner addresses. Cloud Shield regularly scans the server from these ranges to simulate attacker activity
vim shield_ip.sh
Add the following content:
#!/bin/bash
# Drop traffic from the Cloud Shield scanner ranges (list from the Alibaba Cloud help page cited below)
echo "Blocking the Cloud Shield scanner IP ranges"
for net in \
    140.205.201.0/28 140.205.201.16/29 140.205.201.32/28 \
    140.205.225.192/29 140.205.225.200/30 140.205.225.184/29 \
    140.205.225.183/32 140.205.225.206/32 140.205.225.205/32 \
    140.205.225.195/32 140.205.225.204/32 \
    106.11.224.0/26 106.11.224.64/26 106.11.224.128/26 106.11.224.192/26 \
    106.11.222.64/26 106.11.222.128/26 106.11.222.192/26 106.11.223.0/26
do
    firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$net\" drop"
done
firewall-cmd --reload   # --permanent rules only become active after the reload
Save and exit
chmod +x shield_ip.sh
./shield_ip.sh
Note: these address ranges are the Cloud Shield server IPs published by Alibaba Cloud, source: (https://help.aliyun.com/knowledge_detail/37436.html). The published list changes over time, so check it before blocking
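Since the ranges are copied from a web page, a typo in one entry is easy to miss, and with one firewall-cmd call per range a malformed entry aborts the script part-way through and leaves a half-applied permanent configuration. The script below is an added example, not part of the original tutorial: it validates every CIDR (well-formed, octets in range, and host bits zero, which is what ipset and firewalld expect of a hash:net entry) before loading the valid ones into a single firewalld ipset and dropping by ipset with one rich rule. The ipset name "cloudshield" and the DRY_RUN convention are assumptions of the example; the input list is a constructed mix of entries from the published list plus two deliberately broken ones.

```shell
#!/bin/sh
# Added example (not from the original post): load the scanner ranges into a
# firewalld ipset instead of one rich rule per range, validating each entry
# first. DRY_RUN=1 (default) prints the firewall-cmd plan; run with DRY_RUN=0
# as root on the host to apply. The ipset name is an assumption of this
# example, and the sample list below is constructed.

DRY_RUN="${DRY_RUN:-1}"
IPSET="${IPSET:-cloudshield}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

cidr_ok() {
    # Returns 0 if $1 is a well-formed IPv4 CIDR whose host bits are all
    # zero (i.e. the address really is the start of the block).
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
            for (i = 1; i <= 4; i++) if ($i > 255) exit 1
            if ($5 > 32) exit 1
            addr = (($1 * 256 + $2) * 256 + $3) * 256 + $4
            size = 2 ^ (32 - $5)          # number of addresses in the block
            exit (addr % size != 0)       # 1 (failure) if host bits are set
        }'
}

shield_plan() {
    # Reads CIDRs from stdin (one per line, "#" comments allowed). Valid
    # entries are added to the ipset; malformed ones are reported on stderr
    # and skipped. The last line printed is "added N skipped M".
    added=0; skipped=0
    # On a re-run --new-ipset reports that the set already exists; that is
    # harmless, the entries are still added below.
    run firewall-cmd --permanent --new-ipset="$IPSET" --type=hash:net </dev/null
    while read -r net _; do
        case "$net" in ''|'#'*) continue ;; esac
        if cidr_ok "$net"; then
            run firewall-cmd --permanent --ipset="$IPSET" --add-entry="$net" </dev/null
            added=$((added + 1))
        else
            echo "skipping malformed entry: $net" >&2
            skipped=$((skipped + 1))
        fi
    done
    run firewall-cmd --permanent --add-rich-rule="rule source ipset=\"$IPSET\" drop" </dev/null
    run firewall-cmd --reload </dev/null
    echo "added $added skipped $skipped"
}

sample_list() {
    # Constructed input: four entries from the published list, then one with
    # host bits set (.5/28) and one with an out-of-range octet (300.).
    cat <<'EOF'
# constructed sample list
140.205.201.0/28
140.205.201.16/29
140.205.225.200/30
106.11.224.64/26
140.205.201.5/28
300.11.224.0/26
EOF
}

sample_list | shield_plan
```

The dry-run output shows arguments without shell quoting, so treat it as a plan to review rather than a script to paste. Because the match is a single ipset, updating the blocklist later means adding or removing entries in the set, not hunting through individual rich rules.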
Locale settings:
vim /etc/locale.conf
Replace the existing contents with:
LANG=zh_CN.utf8 //Chinese interface
LC_MESSAGES=en_US.utf8 //English messages, so error text can be searched for as written
reboot //or simply log out and back in: locale.conf is read at login
In the Alibaba Cloud console go to Elastic Compute Service -> Security Groups -> Configure Rules -> Add Security Group Rule
Allow inbound TCP 2000 for the new ssh port; without this the port is unreachable from the Internet no matter how the host firewall is set. The same applies to any FTP or Apache port the security group does not allow
Install an SSH client such as Xshell and log in remotely as the normal user (Xshell usage is not covered here). After a successful login, elevate:
su - root //become root with a login shell; root's password is required, since root cannot log in over SSH directly
Note: a session opened through the VNC console in the Alibaba Cloud console (not through Xshell) stays logged in after you disconnect, so anyone with access to the console afterwards gets your shell. Always log out when you are done and leave the console at the username prompt
For example, after logging in at the Alibaba Cloud console (not Xshell), end the session with
logout //exit does the same
Note: if you switched to root with su, you must log out twice, once from root and once from the normal user, before the login prompt comes back
Finally: in the Alibaba Cloud console go to Security (Cloud Shield) -> Situational Awareness -> enable the Situational Awareness service and set up email or SMS alerts