Initial setup of Ubuntu 16.04 server

Recently, I ran into some trouble with server security, so I decided to write a few articles about Linux server initialization to record what I learned from this pitfall. Setting things up as early as possible makes the server more secure, improves its availability, and lays the foundation for later deployment work.

## One, root login

After we buy a [cloud server](https://cloud.tencent.com/product/cvm?from=10680), we can get the server's IP address and account password from the console. We can then connect to the server with this command:

```
ssh root@SERVER_IP_ADDRESS
```

If there is a warning about the authenticity of the host, choose to accept it; after you enter the password, the login process is complete.

### What is root

In Unix and Unix-like systems, root is the common name of a user (that is, super user) who has all rights to all files and programs in all modes (single/multi-user).

## Two, create a new user

The root account has very broad permissions, so after we log in as root for the first time, we should prepare a new account and use that account to log in from then on. So in the next step we are going to create a new user.

For example, I want to create a new user named "leon".

```
adduser leon
```

After confirmation, we first need to set a password for the account. After that, the system asks for some information, including full name, home phone number, work phone number and so on. If possible, set a strong password for the account and remember it. The other information is optional.

## Three, give root permissions

The leon we just created is an account with regular account permissions, but we may need super administrator permissions in daily use. The way to use this permission is to add sudo before the command, for example:

```
sudo vi /etc/hosts
```

To avoid running into insufficient permissions, we need to give root permissions to some trustworthy accounts as appropriate. This is done while we are logged in with the root account.

```
usermod -aG sudo leon
```

Now our user leon can run commands with superuser privileges.

## Four, use ssh to log in to the server

Using the ssh key to log in to the server can improve the security of the server. I have already written about this operation in my previous blog, so I will post a link here.

[Use ssh-key to log in to the server without password](http://originalix.github.io/2018/04/25/%E5%9C%A8Mac%E4%B8%8A%E4%BD%BF%E7%94%A8ssh-key%E5%85%8D%E5%AF%86%E7%A0%81%E7%99%BB%E5%BD%95%E6%9C%8D%E5%8A%A1%E5%99%A8/)

After completing the SSH login server configuration, let's talk about how to disable the password authentication method to improve the security of the server.

## Five, set to disable password login

If we allow the server to log in through password authentication, then any bad guy who gets our account password may log in to the server to perform destructive operations. Therefore, for the security of the server, I recommend that you prohibit the use of password authentication to log in to the server. After all, we have configured ssh-key on the trusted computer.

Warning⚠️: You must configure the ssh-key and be able to log in to the server with it before performing this step. Otherwise you will never be able to log in to your server again, and you can only reinstall and restore it, which may cause data loss.

Use the root account or sudo command to open the ssh configuration file:

```
sudo vi /etc/ssh/sshd_config
```

Look for the PasswordAuthentication option, delete the comment character # in front of it, and then change its value to no.

```
# sshd_config disable password login settings
PasswordAuthentication no
```

Next, find the following two options. If they match mine, do not change them; otherwise change them to match. The default configuration has the following values:

```
PubkeyAuthentication yes
ChallengeResponseAuthentication no
```

When you finish these changes, use :wq to save and exit.

Reload the ssh service:

```
sudo systemctl reload sshd
```

Password authentication is now disabled; you can only authenticate with an ssh key.

Before you log out of the current session, it is best to open a new window to verify your configuration. First confirm that ssh-key login succeeds, so that you are not locked out later. Then try to log in to the server with another account; if password access is denied, our configuration is successful.
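A way to check the three options above before reloading, as an added example that is not part of the original post. It reads only the global section of the file and assumes OpenSSH's built-in default of yes for any of the three options that is unset; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for an option.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                      # strip indentation
        /^#/ || /^$/ { next }                       # comments, blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # "Key=value" form
        key == "match" { exit }                     # end of global section
        key == want    { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# Check the three options from this article; exit status 0 only if all match.
# Each entry is keyword:expected:default-when-unset (defaults are assumed).
sshd_audit() {       # usage: sshd_audit FILE
    rc=0
    for entry in passwordauthentication:no:yes pubkeyauthentication:yes:yes \
                 challengeresponseauthentication:no:yes; do
        key=${entry%%:*}; rest=${entry#*:}
        expected=${rest%%:*}; fallback=${rest#*:}
        actual=$(sshd_effective "$1" "$key")
        [ -n "$actual" ] || actual=$fallback
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is $actual, expected $expected"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real server file): "no" was appended at the
# end, but an earlier uncommented "yes" line is the one sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

if sshd_audit "$sample"; then
    echo "password login is disabled"
else
    echo "fix the FAIL lines before reloading sshd"
fi
```

On the server itself, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the full effective configuration, so both are worth running before the reload.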

## Six, set up firewall

Ubuntu 16.04 server can use UFW firewall to ensure that only connections with certain services are allowed. We can easily use this application to set up a basic firewall.

Different applications can register their profiles with UFW during installation. These profiles allow UFW to manage the applications by name. OpenSSH, the service that lets us connect to our server, has registered a profile with UFW.

You can view this by typing:

```
sudo ufw app list
```

You can see the following:

```
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
```

We need to ensure that the firewall allows ssh connections, so we allow these connections through the following command:

```
sudo ufw allow OpenSSH
```

Use the following command to enable the firewall:

```
sudo ufw enable
```

We can also check the status of the firewall by ourselves:

```
sudo ufw status
```

The output looks like this:

```
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
```

Some services, for example an API used by an iOS app or the configuration of a WeChat applet, must use the https protocol, so port 443 needs to be open. We can use the following command to open the port:

```
sudo ufw allow 443   # allow external access to port 443
```

At this point, the basic configuration of our server has been completed, and then we can create a separate configuration for secure access to the database.
