Linux cloud servers: preventing brute-force cracking (three SSH security strategies)

Preface

On a newly purchased server, the user name usually defaults to root and SSH listens on port 22 by default. The SSH service is also often configured to allow both password and public key login. Meanwhile, many malicious hosts run brute-force cracking programs that try to obtain your server password by hammering the default port 22 with the user name root.

Insecure default settings therefore put you at serious risk. Using his own CVM configuration as an example, the blogger lists three security strategies below.
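As an added example (not code from the original post), the following shell script shows what the brute-force activity described above looks like from the server side: it counts failed SSH logins per source address over auth-log lines in the format sshd writes to /var/log/secure, and flags addresses that cross a threshold. The sample log lines, the host name cvm, the addresses and the threshold are all constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the original post. Counts failed SSH logins per
# source address in auth-log lines (/var/log/secure or /var/log/auth.log format)
# and flags addresses above a threshold, which is what a brute-force run against
# root on port 22 looks like from the server side.
set -eu

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
auth_log_sample() {
    cat <<'EOF'
Jan 31 10:01:12 cvm sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 31 10:01:13 cvm sshd[1201]: Failed password for root from 203.0.113.7 port 41023 ssh2
Jan 31 10:01:15 cvm sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 31 10:02:01 cvm sshd[1210]: Accepted publickey for deploy from 198.51.100.5 port 50011 ssh2: ED25519 SHA256:c0nstructedFingerprint
Jan 31 10:02:44 cvm sshd[1212]: Failed password for root from 198.51.100.20 port 55100 ssh2
EOF
}

# failed_logins_by_ip: read log lines on stdin, print "<ip> <failures>", most first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             # the source address is the word after "from"
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# flag_bruteforce THRESHOLD: print addresses with at least THRESHOLD failures.
flag_bruteforce() {
    failed_logins_by_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run over the constructed sample.
auth_log_sample | failed_logins_by_ip
echo "Flagged (>= 3 failures): $(auth_log_sample | flag_bruteforce 3)"
# On a live CentOS host the same check is: flag_bruteforce 10 < /var/log/secure
```

Once password login is disabled (line of defense two), "Failed password" lines stop appearing; the same per-address count can then be run over sshd's "Invalid user ... from ..." lines, which are still logged for unknown user names.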

Line of defense one: Modify the default port 22

Although an attacker can still find the new port with an Nmap scan, this change makes the attacker's job harder, and the scripts that only try port 22 no longer reach you.

1. Log in to your remote server and open the sshd_config file:

vim /etc/ssh/sshd_config

2. Find the commented-out default line #Port 22:

Add a new Port line (choose a port between 10000 and 65535; ports below 10000 are more likely to be occupied by the system or other software).

Note: keep port 22 in place until the new port is confirmed working.

3. Restart the ssh service: service sshd restart

service sshd restart

4-1. Open the port on the firewall (iptables as an example):

CentOS 6 uses the iptables firewall by default:

Please read this link: iptables opens designated ports - gerrylon007 (CSDN blogger)

4-2. Open the port in the firewall (Firewalld as an example):

1. Turn off SELinux first:

Recommended reading: Why should you turn off SELinux under Linux? (Zhihu question)

vim /etc/selinux/config

2. Change SELINUX=enforcing to SELINUX=disabled (turns SELinux off permanently)

Then reboot for the change to take effect:

shutdown -r now   # reboot your instance

After the reboot, run:

getenforce

Confirm that the SELinux status is reported as disabled, which means SELinux is off.

Alternatively, execute setenforce 0 to switch SELinux to permissive mode (a temporary shutdown that lasts until the next reboot):

setenforce 0

3. Open port 11111 on the Firewalld firewall:

firewall-cmd --permanent --zone=public --add-port=11111/tcp
firewall-cmd --reload

4. Check the listening ports:

netstat -nptl | grep ssh

The screenshot (not reproduced here) shows that port 22 and port 11111 are both open.

You're done! Now remove port 22 (remember to delete port 22 from the security group rules as well):

1. First delete the /usr/lib/firewalld/services/ssh.xml file:

rm -rf /usr/lib/firewalld/services/ssh.xml

2. Remove port 22 from firewalld:

firewall-cmd --zone=public --remove-port=22/tcp --permanent

firewall-cmd --reload

3. It is best to restart the ssh service as well. Then enter the following command to verify:

iptables -L

As the figure (not reproduced here) shows, only external TCP access to port 10022 is allowed at this point.

It is worth mentioning that if you still cannot connect at this point, there are probably two reasons:

1. Port 11111 has not been opened in your cloud server console under security group settings; open it there (most likely cause).

2. Your network operator is blocking the connection; try switching to another network.

Line of defense two: Disable SSH password login and use public key login instead

vim /etc/ssh/sshd_config

1. Change PasswordAuthentication yes to PasswordAuthentication no

2. Remember to restart your ssh service: service sshd restart

service sshd restart

Line of defense three: Disable remote login for the root user

When a CVM instance is created, the cloud provider hands you the root user by default. That is convenient, but it invites unnecessary trouble later and is not safe. It is therefore better to disable remote login for the root user from the very beginning.

Due to time constraints, the blogger has not tried this solution himself, so please refer to the following articles:

Disable root users in Linux - I Eat Big Watermelon - Blog Garden (cnblogs.com)

There are 4 ways to disable Root login under Linux. Which ones do you know? - Tencent Cloud Developer Community-Tencent Cloud (tencent.com)
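All three lines of defense come down to edits of sshd_config plus a firewall rule. As an added example (not the blogger's code, nor anything from the linked articles), the following POSIX shell helpers make those edits on any file in sshd_config syntax and let you check the result before sshd is restarted; applying them to the real /etc/ssh/sshd_config happens only when the script is run with --apply. Port 11111 is the one used in this post; the function names, the backup file name and the assumption that the file contains no Match blocks are mine.

```shell
#!/bin/sh
# Added example; not code from the original post. Shell helpers that make the
# sshd_config edits behind lines of defense 1-3 repeatable and checkable before
# sshd is restarted. Assumes a file in sshd_config syntax ("Key value" per line,
# '#' comments, no Match blocks). Port 11111 and the paths are illustrative.
set -eu

# sshd_ports FILE: print the ports sshd will listen on (uncommented "Port" lines),
# or 22 when none is set, because 22 is sshd's built-in default.
sshd_ports() {
    awk 'tolower($1) == "port" { s = s (s ? " " : "") $2 }
         END { print (s ? s : "22") }' "$1"
}

# add_sshd_port FILE PORT: add PORT while keeping the existing ports, so port 22
# stays reachable until the new port is confirmed working (the post's step 2 note).
add_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "add_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    # The post recommends 10000-65535 to stay clear of ports the system or other
    # software may already occupy.
    if [ "$port" -lt 10000 ] || [ "$port" -gt 65535 ]; then
        echo "add_sshd_port: $port is outside 10000-65535" >&2; return 1
    fi
    for p in $(sshd_ports "$cfg"); do
        if [ "$p" = "$port" ]; then return 0; fi   # already present, nothing to do
    done
    explicit=$(awk 'tolower($1) == "port" { n++ } END { print n + 0 }' "$cfg")
    tmp=$(mktemp)
    # With no explicit Port line, turn the commented "#Port 22" into "Port 22" (or
    # append it) so that 22 is kept on purpose, then append the new port.
    awk -v new="$port" -v explicit="$explicit" '
        !explicit && !done && tolower($1) == "#port" { print "Port 22"; done = 1; next }
        { print }
        END { if (!explicit && !done) print "Port 22"; print "Port " new }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"; rm -f "$tmp"   # cat keeps the original file's mode and owner
}

# remove_sshd_port FILE PORT: drop "Port PORT" once the new port is verified. Refuses
# to remove the last port, since an empty list makes sshd fall back to 22 again.
remove_sshd_port() {
    cfg="$1"; port="$2"
    set -- $(sshd_ports "$cfg")
    if [ "$#" -le 1 ]; then
        echo "remove_sshd_port: refusing to remove the only configured port" >&2; return 1
    fi
    tmp=$(mktemp)
    awk -v p="$port" '!(tolower($1) == "port" && $2 == p)' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"; rm -f "$tmp"
}

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..." line as
# "KEY VALUE", drop later duplicates (sshd honours the first match), append if absent.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"; rm -f "$tmp"
}

# Real run only on explicit request (sh this_script.sh --apply, as root). Order
# matters: a working key login and a non-root sudo user must exist before password
# and root login are switched off, and sshd -t must pass before sshd is restarted.
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    add_sshd_port "$cfg" 11111                         # line of defense 1
    set_sshd_option "$cfg" PasswordAuthentication no   # line of defense 2
    set_sshd_option "$cfg" PermitRootLogin no          # line of defense 3
    sshd -t -f "$cfg"                                  # syntax check; a typo here locks you out
    firewall-cmd --permanent --zone=public --add-port=11111/tcp
    firewall-cmd --reload
    service sshd restart
    echo "sshd now listens on: $(sshd_ports "$cfg")"
fi
```

Keeping port 22 in the Port list until the new port is verified, and refusing to delete the last Port line, covers the lock-out cases the post warns about. On the firewalld side, the ssh service can also be dropped with firewall-cmd --permanent --zone=public --remove-service=ssh rather than by deleting the service XML file, which a package update may put back.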

Postscript

What if I want to open port 22 again?

firewall-cmd --zone=public --add-port=22/tcp --permanent

firewall-cmd --reload

Enter iptables -L; you can see that there are now two external SSH entry points again:



Origin blog.csdn.net/m0_63478913/article/details/128883737