The necessary security settings for Linux servers, it is recommended to collect them!

I finally bought a server. If I was hacked by hackers because of my negligence, it would be really bad!

Here are some simple ways to improve the safety factor of the server. My cloud server is configured like this. Although it is a bit troublesome, I feel more at ease.

Modify ssh login configuration

Open the ssh configuration file

vim /etc/ssh/sshd_config

#修改以下几项
Port 10000
#更改SSH端口，最好改为10000以上，别人扫描到端口的机率也会下降。防火墙要开放配置好的端口号，如果是阿里云服务器，你还需要去阿里云后台配置开发相应的端口才可以，否则登不上哦！如果你觉得麻烦，可以不用改
 
Protocol 2
#禁用版本1协议, 因为其设计缺陷, 很容易使密码被黑掉。
 
PermitRootLogin no
#尝试任何情况先都不允许 Root 登录. 生效后我们就不能直接以root的方式登录了，我们需要用一个普通的帐号来登录，然后用su来切换到root帐号，注意 su和su - 是有一点小小区别的。关键在于环境变量的不同，su -的环境变量更全面。
 
PermitEmptyPasswords no
＃禁止空密码登陆。

Finally, you need to restart the sshd service

service sshd restart

Prohibit the system from responding to any ping requests from outside/inside

echo “1”> /proc/sys/net/ipv4/icmp_echo_ignore_all

The default value is 0

User Management

The following are basic user management commands

查看用户列表：cat /etc/passwd
查看组列表：cat /etc/group
查看当前登陆用户：who
查看用户登陆历史记录：last

It is generally necessary to delete unnecessary users and groups by default in the system to avoid being used by others to blast:

userdel sync
userdel shutdown
# 需要删除的多余用户共有：sync shutdown halt uucp operator games gopher
groupdel adm
groupdel games
# 需要删除的多余用户组共有：adm lp games dip

The account and password in Linux are based on the four documents /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, so you need to change their permissions to improve security:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

If it is restored, change +i to -i and execute the above four commands again.

Note: i attribute: it is not allowed to modify, delete or rename this file, and the setting link cannot write or add data! Only root can set this attribute.

I have compiled the Linux series of interview questions and answers. I pay attention to the technical road of the official account of migrant workers. You can read them online in the corporate interview column.

Create new user

Create a new user command: adduser username

Change user password name: passwd username

The permissions of individual users can only have full permissions under this home, and other directories are subject to authorization by others. However, root user permissions are often required. At this time, sudo can be transformed into root to operate. I remember that I once created a file with sudo, and then found out that I did not have read and write permissions because the view permissions were created by root. Linux system commands are still very important, 120 "must know and must know Linux system common commands" , I recommend you to take a look.

sudoers only has read-only permission. If you want to modify it, you need to add w permission first: chmod -v u+w /etc/sudoers Then you can add content, add the new user under the following line: wq save and exit , Remember to take back the write permission at this time: chmod -v uw /etc/sudoers

Give root permissions

Method 1: Modify the /etc/sudoers file, find the following line, and remove the previous comment (#)

## Allows people in group wheel to run all commands
# 去掉下面一句的前面的注释 # 
%wheel ALL=(ALL) ALL
# 然后修改用户，使其属于root组（wheel），命令如下：
# usermod -g root uusama

After the modification is completed, you can now log in with the uusama account, and then use the command su – to obtain root privileges for operation. 14 Linux system security tips, there is always one to use! recommended to take a look.

Method two (recommended): modify the /etc/sudoers file, find the following line, and add a line under root, as shown below:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALL

After the modification is completed, you can now log in with the uusama account, and then use the command sudo -s to obtain root privileges for operation.

Method 3: Modify the /etc/passwd file, find the following line, and modify the user ID to 0, as shown below:

uusama:x:500:500:tommy:/home/uusama:/bin/bash
# 修改后如下
uusama:x:0:500:tommy:/home/uusama:/bin/bash

Save it. After logging in with the uusama account, you will get the permissions of the root account directly.

Author: Source: 160a3a54212a39 http://uusama.com/69.html