2018On April 13 update,Add a link fail2ban Advanced Configuration Tutorial,Updated command。
Gerber drop-off site-wide migration to wills,As long as 15 yuan per month minimum,Support me consider myInvitation coderegistered,Gave $10 (Together 60 Multi-block RMB) discount! 😚
Recently purchased a vps route to learn ...... Yes! You read right! I used to really serious about learning!
=。=
In short,After the purchase of a vps,You always need to spare some basic security measures to ensure your vps will not be reduced to some sucker broiler。
Ok,This is because I purchased a Linux system vps,So I will take this as chestnuts to record。
Since one vps is equivalent to a computer with an independent IP,Direct exposure to computers over the Internet,This is for your convenience and also directly from your vps and dangerous draw on the equal sign,Password exhaustive、DDOS attacks、I can not think of a variety of attack methods you think are waiting for you,Do not believe that you can come up with creative horror how powerful password,Statistics tell us - RSA still believe it!
SSH using RSA key login
First, it is about the SSH password brute-force issues - Do not tell me you're still telnet,Otherwise, we have nothing to talk,Immediately turn off the page!
This world,There is always a lot of sucker bored doing this kind of thing SSH weak password scanning,Trust me,But you're better than dictionary。so,Close SSH password authentication is a good choice。
Before we talk about teacher:Actually, the most secure computer but those computer without a password,No password there can be no cracks - because the system will refuse to remote login。
But how close the SSH password authentication to log it? vnc? Do not,Do not。We can use the RSA key pair。
By generating RSA public-private key pair,Upload the public key to the server,Own private Reserved,This will not only strengthen your password,更带来了不需要密码就能登录的便利①
①:No password is required is an option,Members recommended route or on the basis of still using a password,So that even if someone gets your private key backup,It is not easy for Free password you the vps。
In the following example to use the command:ssh-keygen
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
logcg.com:~ r0uter$ ssh-keygen -b 2048 -t rsa //ssh-keygen是命令 //-b后边接要采用的字节长度;一般为1024,最短也要768,我采用了2048;变态一点你可以选择4096,但相信我,2048已经明显感觉会延迟一会儿才能计算完毕了。 //-t即为加密的方式,我们选择RSA,还有其他的这里略过不讲。 Generating public/private rsa key pair. //提示正在生成密钥对 Enter file in which to save the key (/Users/r0uter/.ssh/id_rsa): //接下来输入两次你的密码;①留空按回车则为免密码登录啦! Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /Users/r0uter/.ssh/id_rsa. Your public key has been saved in /Users/r0uter/.ssh/id_rsa.pub. The key fingerprint is://你的key指纹 e0:e0:f0:40:8d:0f:c0:e0:00:12:c8:00:1e:fc:1d:4f r0uter@logcg.com The key's randomart image is: +--[ RSA 2048]----+ | | | | |.. . . | |.o0 .. 0 . | |.o0000000 | | . ..0000 . | | .00000 | | 000000 | | 00000 | +-----------------+ |
Of course,Command in the feedback I have given the necessary content over graffiti,You probably looked almost on the right。
Then,We then use scp command,It will generate good public server thrown up:
1 2 |
r0uter$ scp .ssh/id_rsa.pub root@你的vps域名或者ip:/root/ //这里会要求你的SSH密码 |
Or SSH to the server,This id_rsa.pub Copy the file to the appropriate directory ssh,Then renamed authorized_keys
It should be noted,You want this key registrationWhich account,Which would put the account under,For example, I want to automatically log in root,Then I will do so:
1 2 3 4 5 6 |
mkdir ~/.ssh //如果当前用户目录下没有 .ssh 目录,就先创建目录 chmod 700 ~/.ssh mv id_rsa.pub ~/.ssh cd .ssh mv id_rsa.pub authorized_keys chmod 600 authorized_keys |
These simple directory file operations I will not do too much to explain is to substantially id_rsa.pub Renamed and put ssh user configuration directory,of course,I am here because the new system,So directly renamed,If you already have the directory itself authorized_keys This document,Then you need to back up the original file or directly id_rsa.pub The additional content to go inside。
Such,We would be able to log in using ssh RSA key files。
Close Login ssh password
1 |
/etc/ssh/sshd_config |
Find the configuration file ssh service in the above directory,The following fields to be modified:
1 2 3 4 5 |
#PasswordAuthentication yes //修改为如下内容: PasswordAuthentication no //使用命令重启ssh服务: /etc/init.d/ssh restart |
correct, id_rsa This document I recommend you copy them additional backup,It is on the computer you want to save the private key,Once lost,You may need your vps vnc ssh to reset it!
Other than that,To avoid Write failed: Broken pipe错误,Incidentally, you can also add the following at the end of the document a command,And then restart the ssh service。
1 |
ClientAliveInterval 60 |
Such,Your vps largely relatively safe,but,If your site used to do a vps,Open the services like httpd,That you may also need to
Install CSF Firewall
By installing a firewall csf,Can effectively shield the IP try to invade your vps,Advanced configuration we do not need to know,But at least you should install it。
CSF use a firewall,Well, II wrote a special articleTo guide you to install and configure it,This conflict ufw,If you decide to use csf,onIgnore the relevant parts of this article ufw.。
Software installation fail2ban
The software will use iptables firewall,Blasting will try ssh password IP SUSPENSION,Default 10 minutes,This can effectively prevent attacks。
1 |
apt install fail2ban |
If you're like me to use nginx to provide services,Then you can also consider the Advanced Configuration about fail2ban to make further protect protection Nginx nginx Fail2Ban Advanced Configuration Services
Disable unnecessary Linux port
Disable all ports off,Leaving only need to use the portAlways the right choice:
Use the following command to detect the presence ufw,It is no longer recommended to directly edit the iptables,This is not something the average person Dezhuan,So Ubuntu government has also launched a more user-friendly front-end to iptables for general administrators,In fact, the function is also very powerful,But a lot of streamlining the command?,Please introduce specific venue:Under Ubuntu more simple firewall Uncomplicated Firewall
1 |
ufw status |
If the terminal displays the firewall is not active (in theory, are supposed to be like this,Because the system is built ufw。)
We use the following command to add rules:
1 2 3 4 5 6 7 8 9 10 |
ufw allow ssh ufw allow http ufw allow https //你也可以使用端口来开启 ufw allow 53 //请务必开启 ssh 端口,如果你不是标准端口,请记得开启,否则后果自负! ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y //会提示你影响ssh 连接,但只要提前加入了规则,就不会影响。 |
You see,Command more simple? What add what。It will default to open some ports for example ICMP。
Other than that,It will default to the iptables INPUT table refusal,Convenient and safe。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
iptables -F //清空配置 iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT //ssh端口打开 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p udp --sport 53 -j ACCEPT //dns端口打开 iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT //本地回环总得打开吧 iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT //http常用端口打开 iptables-save > /etc/iptables.up.rules //保存配置文件 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT //如果上边的配置你不用,至少要执行这条命令; //上面一条命令的作用是把正在活动的连接写成配置加入防火墙 iptables -P INPUT DROP //设置其他 INPUT 流量为拒绝 iptables -L //使更改后的配置生效——重新加载配置。 |
Such,What services you want to use in the future,Add to Zhaomaohuahu Wanglibian like what ports,Additional ports opened less than useless also likely to bePort sweepHacked =。=
correct! Remember to use the following command to export the configuration,Then configure the boot loader,Otherwise, the rules will disappear for a while it!
besides,Do not look for iptables restart commands - this stuff is already in ubuntu kernel level - that,Real-time loading into force da!
1 2 3 4 5 6 7 8 9 |
iptables-save > /etc/iptables.up.rules //导出配置,以后可以直接编辑; iptables-restore < /etc/iptables.up.rules //导入配置,编辑之后就可以导入立即生效! //编辑/etc/network/interfaces文件来添加启动配置 auto eth0 iface eth0 inet dhcp pre-up iptables-restore < /etc/iptables.up.rules //最后这一条就是要添加进的命令! |
Add Chinese Environment Configuration (optional)
If you are using domestic vps,You may also need to change ubuntu update source for domestic mirroring,Can moveAli cloud Ubuntu update image source
After updating,You are likely to encounter locale empty error,Then install some locales:
1 |
apt-get install language-pack-zh-hans language-pack-zh-hans-base |
summary
Thus,You closessh password authentication,Installation of anti-intrusionFirewall,Also closed all ports not commonly used,Also use script to protect your nginx server ...... vps at least theoretically out of the ranks of broiler easily caught,Subsequent security configuration,You can customize according to their needs it!
Original article written by LogStudio:R0uter's Blog » After purchasing a VPS you should spare security measures
Reproduced Please keep the source and description link:https://www.logcg.com/archives/884.html
I'll Study,Thank you
After closing the password,Connection prompt again:Permission denied (publickey,GSSAPI-keyex,gssapi-with-mic).
Also closed SELinux,I do not know Editor's Note,I tried several times,Great God seek Analysis
Try /etc/ssh/ssh_config File, add the name of your private key,For example, IdentityFile ~/.ssh/id_rsa.somecomputer
There will be a default
Then it tries to re-allocation certificate,Ends may be caused due to the mismatch,If it is determined to exclude this issue,I Mozhe,After all, I have not encountered this problem。 :)
SFTP private key can login with certificate
That should be your private key format issues now,Ssh may not be read like,Check the next coding,In my own case,sftp client and the ssh private key format used is different,They are not common。
Hello R0uter,I surveillance104.
In fact, on transfer ssh public key can get step by cat command:
cat .ssh/id_rsa.pub | ssh root@ip address “cat >> ~/.ssh/authorized_keys”
//id_rsa.pub fact may be other names I recommend the digital ID(For example id_rsa0.pub)Because if you control two or more words vps management //
Of course, if there is no .ssh folder, then it can be:
mkdir .ssh
For other safety tips I've learned very grateful R0uter teaching
Note that quotation marks are the cat command “‘ Rather than "" this slip my hand wrong sorry
You use the ssh command is equivalent to the contents of the public key in the form of text passed to the server and then execute;My command is to use scp to copy files to a remote server,In fact, scp also be the way to copy authorized_keysfile name,In this case, if the path to write clearly,That isOnewords,Also avoids the use of the pipeline。In fact, the same thing。
The difference is still there:Your word is not easy to copy easy hand to play,Once the hand sliding,It is easy wrong,But with scp is less use of some symbols,From the hit rate in terms of,My approach is more appropriate
;)