For a long time, the main use of a VPS for many owners has been to install LNMP, glance at the server probe page in spare moments, and enjoy a little self-satisfaction O(∩_∩)O~ So I never paid much attention to security. The Internet is full of people who have been burned... After running into trouble myself, it was time to reflect and take some necessary, simple, beginner-level security measures suited to a VPS. Today I will share the most basic security configuration for a VPS.
First, modify the SSH port
The default SSH port of a VPS is 22, and anyone brute-forcing passwords will start with port 22, so changing 22 to another number is very necessary.
Ok, log in to the VPS via SSH and modify the configuration file.
vi /etc/ssh/sshd_config
Find #Port 22, remove the # in front, and change it to Port 1380 (use a four-digit number if possible so it is less likely to collide with another service), then restart sshd
service sshd restart
***Note: If you are worried that a mistake will lock you out of the VPS, you can instead find #Port 22, remove the #, and add a line Port 1380 below it. Then open another PuTTY window and try logging in on the new port; once that works, delete the Port 22 line!
Second, disable root login and add a new account
First, add a new user account
useradd zrblog #choose your own username; zrblog is used as the example here
Set new user password
passwd zrblog
Enter the password twice and the account is ready.
Next, disable root login by editing the same configuration file, /etc/ssh/sshd_config.
vi /etc/ssh/sshd_config
Find #PermitRootLogin yes, remove the # in front, change yes to no, and then restart sshd.
service sshd restart
Log in as the new user, then use su root to switch to root.
login as: zrblog #New username
zrblog@*.*.*.* password: ***** #New user password
Last login: Thu Mar 5 08:14:21 2012 from *.*.*.*
su root #Switch to root
Password: ************ #root password
***Note: A strong password is another barrier protecting the account. If you use a long, random password for root, the chance of it being guessed is tiny, about as likely as winning the welfare lottery!
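The two sshd_config edits above (the new Port plus the temporary Port 22, and PermitRootLogin no) can be applied with a small script instead of by hand in vi. The following is an added example, not code from the original post; it assumes a POSIX sh with awk and grep, takes the config file path as an argument so it can be tried on a copy first, and uses the post's Port 1380 as the sample value. It relies on the fact that sshd uses the first value it finds for a keyword, so it strips every existing Port and PermitRootLogin line (commented or not) before appending the new ones; it does not handle directives inside Match blocks. Keep in mind that moving the port only cuts noise from bulk scanners, so the second step (no root login, strong password) is the one that actually stops a brute-force attempt.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Port and
# PermitRootLogin changes to an sshd_config file given as $1, idempotently,
# keeping "Port 22" alongside the new port until the cutover is confirmed.
# Assumes POSIX sh, awk, grep. Directives inside Match blocks are not handled.

# Print the first uncommented value of directive $2 in config file $1
# (sshd itself uses the first match, so this is the effective value).
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# $1 = config file, $2 = new port (1380 in the post's example).
harden_sshd_config() {
    cfg="$1"; newport="$2"; tmp="$cfg.tmp.$$"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Drop every Port / PermitRootLogin line, commented or not, so the
    # lines appended below are the only ones and win the first-match rule.
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin)([[:space:]]|$)' \
        "$cfg" > "$tmp" || :
    {
        printf 'Port %s\n' "$newport"
        printf 'Port 22\n'          # temporary; removed by finalize_port_cutover
        printf 'PermitRootLogin no\n'
    } >> "$tmp"
    mv "$tmp" "$cfg"
}

# Run this only after a second session has logged in over the new port.
finalize_port_cutover() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    grep -Ev '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$cfg" > "$tmp" || :
    mv "$tmp" "$cfg"
}

# Syntax-check the file with sshd itself when it is installed; on a machine
# without sshd the check is skipped and 0 is returned.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Usage as root, matching the post's procedure:
#   harden_sshd_config /etc/ssh/sshd_config 1380 \
#     && validate_sshd_config /etc/ssh/sshd_config && service sshd restart
#   ... log in on port 1380 from a second window, then:
#   finalize_port_cutover /etc/ssh/sshd_config && service sshd restart
```

Because the functions take the file path as an argument, you can run them against a copy of sshd_config and inspect the result with sshd_get before touching the live file.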
Third, install DDoS Deflate to defend against light CC (HTTP flood) and DDoS attacks
On the WP forum I saw someone who had opened a free account on Hostigation say something very fitting: these days even kids can DDoS a site, so keeping a low profile is the best choice. Not showing off in certain places counts as a security measure too! And if you walk along the river often enough, your shoes will get wet sooner or later, so it is best to nip problems in the bud. Okay, enough rambling; now install DDoS Deflate.
Before discussing DDoS Deflate, there is one more thing to understand: iptables
iptables is the IP packet filtering system built into the Linux kernel. Rules can be easily added, edited and removed, and these rules are what the firewall consults when deciding whether to pass or drop a packet.
First, confirm that the iptables service is running (it is usually included in VPS systems)
service iptables status
Once confirmed, install DDoS Deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
After installation, you still need to edit the configuration file so that offending IPs are blocked automatically with iptables.
vi /usr/local/ddos/ddos.conf
Next, edit it. The main change is APF_BAN=1 to APF_BAN=0 (so iptables is used). In addition, EMAIL_TO="root" can be changed to your own email address, so that the system notifies you by email which IP has been blocked.
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" # IP address whitelist
CRON="/etc/cron.d/ddos.cron" # cron job that runs the script periodically
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1 # check interval; the default is 1 minute
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 # maximum number of connections; IP addresses exceeding this number are blocked. The default is generally fine
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0 # use APF or iptables; iptables is recommended, so set APF_BAN to 0
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1 # whether to block IPs; the default is fine
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root" # send an email to this mailbox when an IP is blocked; recommended, change it to your own address
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600 # ban duration, default 600 seconds; adjust as needed
The default whitelist this script generates has some problems and misjudgements are common, so it is best to set the whitelist manually and then lock the file so it cannot be changed.
vi /usr/local/ddos/ignore.ip.list # manually set the whitelist IPs
chattr +i /usr/local/ddos/ignore.ip.list # make the file immutable so it cannot be modified
chattr -i /usr/local/ddos/ignore.ip.list # remove the immutable flag to allow edits again
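To see what the settings above actually do each time the cron job fires, here is an added example that is not code from the original post or from the DDoS Deflate project. It reproduces the counting rule the configuration describes: take the remote address of every connection in netstat-style output, count connections per IP, flag the IPs whose count exceeds NO_OF_CONNECTIONS, skip those listed in ignore.ip.list, and build the iptables DROP rule using the IPT path from ddos.conf. The netstat lines are constructed inline so it runs offline, and the ban command is printed rather than executed, so no root is needed to try it. It also shows why the whitelist matters: a NAT gateway or proxy that puts many users behind one address can exceed the threshold while being perfectly legitimate.

```shell
#!/bin/sh
# Added example; not code from the original post or the DDoS Deflate project.
# Reproduces the per-IP connection counting rule that ddos.conf configures
# (NO_OF_CONNECTIONS, ignore.ip.list, IPT) on netstat-style input, so the
# rule can be studied offline. All sample connections below are constructed.

NO_OF_CONNECTIONS=150          # threshold from ddos.conf
IPT="/sbin/iptables"           # path from ddos.conf (only printed here)

# Emit $2 constructed `netstat -ntu`-style lines for remote IP $1.
# Column 5 (remote address:port) is what the counting rule looks at.
emit_connections() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'tcp 0 0 198.51.100.2:80 %s:%d ESTABLISHED\n' "$1" $((40000 + i))
        i=$((i + 1))
    done
}

# Constructed sample: 203.0.113.9 holds 151 connections, 10.0.0.5 holds 160
# (think of a NAT gateway with many users behind it), 192.0.2.1 holds 2.
make_sample_netstat() {
    emit_connections 203.0.113.9 151
    emit_connections 10.0.0.5 160
    emit_connections 192.0.2.1 2
}

# stdin: netstat lines. stdout: "<count> <ip>" lines, busiest first.
count_connections_per_ip() {
    awk '{ print $5 }' | cut -d: -f1 \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | uniq -c | sort -rn
}

# $1 = whitelist file (one IP per line; may be absent).
# stdin: netstat lines. stdout: IPs above the threshold and not whitelisted.
find_bad_ips() {
    whitelist="$1"
    count_connections_per_ip | while read -r n ip; do
        [ "$n" -gt "$NO_OF_CONNECTIONS" ] || continue
        grep -qxF "$ip" "$whitelist" 2>/dev/null && continue
        echo "$ip"
    done
}

# Build the DROP rule that would be inserted for one IP. Printing instead of
# executing keeps the example runnable without root; pipe into sh to apply.
ban_command() {
    echo "$IPT -I INPUT -s $1 -j DROP"
}

# Usage with the sample data and the post's whitelist path:
#   make_sample_netstat | find_bad_ips /usr/local/ddos/ignore.ip.list \
#     | while read -r ip; do ban_command "$ip"; done
```

With 10.0.0.5 in the whitelist only 203.0.113.9 is flagged; with no whitelist both are, which is exactly the kind of misjudgement the chattr-protected ignore.ip.list above is meant to prevent.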
To uninstall DDoS Deflate:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 700 uninstall.ddos
./uninstall.ddos
Okay, that's all for the simple security configuration. Of course, you can also combine it with the system firewall for more advanced settings.