Summary of Linux CentOS 7 system hardening knowledge points
This article summarizes the main points of hardening a CentOS 7 system. I hope it helps.
Note: The cloud server used in this tutorial runs CentOS 7 or later and was purchased from Alibaba Cloud.
Cloud servers from other providers are configured in much the same way; only the console steps (security groups, Cloud Shield) are Alibaba-specific.
Recommendation: Do not install a graphical desktop or GUI tools on a server. They consume memory and bandwidth, and every extra package is extra attack surface that a headless server never needs.
Manually update the system:
yum -y update
Firewall configuration:
systemctl start firewalld //Start the firewall (on CentOS 7, "service firewalld start" is just redirected to this)
systemctl enable firewalld //Start automatically after booting
selinux configuration:
vim /etc/selinux/config
Modify:
SELINUX=enforcing //Enforcing mode
reboot //Takes effect after a reboot. The reboot is needed when changing from disabled, because the file system must be relabelled; when changing from permissive, setenforce 1 switches immediately and the config line makes it persistent
ssh configuration (against brute-force login attempts):
useradd normal //Create an ordinary user; only this user will be allowed to log in remotely
passwd normal //Give it a password (or put a public key in ~normal/.ssh/authorized_keys). A freshly created account is locked, and with root login disabled below you would otherwise lock yourself out
vim /etc/ssh/sshd_config
Modify (uncomment a directive if it is present, add it if not):
Port 2000 //Any free port works; ports above 1024 are simply probed less often by default scans. The firewall and SELinux must be told about the new port, see below
Protocol 2 //Add it if missing, leave it if present. OpenSSH 7.4 on CentOS 7 only speaks protocol 2, so the line is harmless but redundant and only logs a deprecation notice
PermitEmptyPasswords no //Prohibit login with an empty password
X11Forwarding no //Disable X11 forwarding (this does not disable TCP port forwarding, which is controlled by AllowTcpForwarding)
PermitRootLogin no //Prohibit direct root login; become root with su or sudo after logging in as normal
MaxAuthTries 3 //Three authentication attempts per connection
LoginGraceTime 20 //Disconnect if authentication is not completed within 20 seconds
AllowUsers normal //Add this line: only this user may log in remotely
These settings slow a password-guessing attack down but do not stop it; only key-based authentication with passwords disabled (PasswordAuthentication no) removes the target. Save and exit, then restart sshd. Keep the current session open until a second login on the new port succeeds, because a typo here locks you out; sshd -t checks the file for syntax errors before you restart
systemctl restart sshd
Firewall opens the ssh port
firewall-cmd --zone=public --add-port=2000/tcp --permanent
firewall-cmd --reload
selinux opens the ssh port
yum -y install policycoreutils-python //Install the semanage tool
semanage port -a -t ssh_port_t -p tcp 2000 //Label the new port as an ssh port (if the port already carries a label, use -m instead of -a). Without this, SELinux in enforcing mode stops sshd from binding the port
semanage port -l | grep ssh //View the ports SELinux allows sshd to use
systemctl restart sshd
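The whole ssh procedure above (user, sshd_config directives, firewalld, SELinux, restart) as one script is an added example, not part of the original article. It edits sshd_config idempotently so it can be run twice, refuses to restart on a config that fails `sshd -t`, and checks that sshd actually listens on the new port afterwards. It assumes CentOS 7 with firewalld and policycoreutils-python; port 2000 and the user name normal follow the article and can be overridden with the SSH_PORT and SSH_USER environment variables. The file-editing function can be tried on a copy of sshd_config without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config settings
# from the article idempotently, validate with `sshd -t` before restarting, and
# open the port in firewalld and SELinux. Assumes CentOS 7 with firewalld and
# policycoreutils-python. Port 2000 and user "normal" follow the article.
set -eu

SSH_PORT="${SSH_PORT:-2000}"
SSH_USER="${SSH_USER:-normal}"

# set_directive FILE KEY VALUE
# Remove every existing copy of KEY (commented out or not) and put "KEY VALUE" at
# the top of FILE. Prepending keeps the directive global: anything appended at the
# end would fall inside a trailing "Match" block and apply only there.
set_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -Ev "^[#[:space:]]*${key}([[:space:]]|$)" "$file" >> "$tmp" || true
    cat "$tmp" > "$file"      # keeps the original file's owner and mode
    rm -f "$tmp"
}

# harden_sshd_file FILE: the directives from the article, applied to FILE.
# "Protocol 2" is redundant on OpenSSH 7.x (only protocol 2 exists) and merely
# logs a deprecation notice; it is kept to match the article.
harden_sshd_file() {
    f="$1"
    for kv in "Port $SSH_PORT" \
              "Protocol 2" \
              "PermitEmptyPasswords no" \
              "X11Forwarding no" \
              "PermitRootLogin no" \
              "MaxAuthTries 3" \
              "LoginGraceTime 20" \
              "AllowUsers $SSH_USER"; do
        set_directive "$f" "${kv%% *}" "${kv#* }"
    done
}

# apply_all: the live procedure. Run it on the server as root, and keep your
# current session open until a second login on the new port has succeeded.
apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$SSH_USER" >/dev/null 2>&1 || useradd "$SSH_USER"
    # the account still needs a password (passwd) or an authorized_keys entry
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_file /etc/ssh/sshd_config
    sshd -t                                   # refuse to restart on a broken config
    firewall-cmd --permanent --add-port="${SSH_PORT}/tcp"
    firewall-cmd --reload
    # -a fails if the port already carries a label; -m then relabels it
    semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
    systemctl restart sshd
    if ss -tln | grep -q ":${SSH_PORT} "; then
        echo "sshd is listening on port ${SSH_PORT}"
    else
        echo "WARNING: nothing listens on port ${SSH_PORT}; see journalctl -u sshd" >&2
        return 1
    fi
}

# Define functions only unless explicitly told to apply, so the file can be
# sourced to test harden_sshd_file on a copy: APPLY=1 ./harden_ssh.sh applies.
if [ "${APPLY:-0}" = "1" ]; then
    apply_all
fi
```

Try the editing step first on a copy (`cp /etc/ssh/sshd_config /tmp/sshd_config.test; . ./harden_ssh.sh; harden_sshd_file /tmp/sshd_config.test`) and diff the result before running with APPLY=1. The script file name is my choice.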
Prevent IP spoofing
vim /etc/host.conf
Add
nospoof on
Caveat: this directive only concerns the resolver (it asks glibc to cross-check a hostname looked up from an address against the forward lookup), and modern glibc accepts it but does little with it. It does not stop packets with forged source addresses; that is the job of the kernel's reverse-path filter (net.ipv4.conf.all.rp_filter=1 in sysctl), which is the setting to rely on.
Prohibit responding to ping
vim /etc/sysctl.conf
Modify the line if it exists, add it if not
net.ipv4.icmp_echo_ignore_all=1 //1 ignores ICMP echo requests; 0 (the kernel default, and the value given in the original article) keeps answering pings
Apply the configuration
sysctl -p
Firewall blocks ping
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
firewall-cmd --reload
Caveat: this rule drops every ICMP type, not just echo requests. It also discards "fragmentation needed" messages, which breaks path MTU discovery, so connections through a link with a smaller MTU can stall. Blocking only echo-request (firewall-cmd --add-icmp-block=echo-request) is the usual compromise.
Note: You can also delete the rule that allows the ICMP protocol in the security group rules of the Alibaba Cloud console
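The anti-spoofing and ping settings from the two sections above, written as a sysctl drop-in file instead of edits to /etc/sysctl.conf, together with a firewalld rule that blocks only echo requests, as an added example that is not part of the original article. It goes beyond the page's host.conf line by using the kernel's reverse-path filter, which is the control that actually discards spoofed packets, and it shows the corrected ping value (1, not the 0 in the original). It assumes CentOS 7 with firewalld; the drop-in file name is my choice, and the render function exists so the settings can be read and checked before anything is written.

```shell
#!/bin/sh
# Added example (not from the original article): network hardening sysctls as a
# drop-in under /etc/sysctl.d, plus a firewalld block for ICMP echo requests.
# Assumes CentOS 7 with firewalld. The drop-in name is an assumption.
set -eu

DROPIN="${DROPIN:-/etc/sysctl.d/99-hardening.conf}"

# render_sysctl: the settings as text, so they can be inspected before use.
render_sysctl() {
    cat <<'EOF'
# Reverse-path filtering: drop packets whose source address is not routable
# back through the interface they arrived on. This is the kernel control
# against spoofed source addresses; "nospoof on" in /etc/host.conf only
# concerns the resolver's hostname checks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Refuse source-routed packets (another way to forge a return path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Log packets with impossible source addresses so spoofing attempts are visible.
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP echo requests (ping). The value must be 1; 0 is the default and
# keeps answering pings.
net.ipv4.icmp_echo_ignore_all = 1
EOF
}

# effective_value KEY: the value KEY would get from the rendered text, ignoring
# comments and whitespace; like sysctl, the last occurrence wins. Empty if unset.
effective_value() {
    render_sysctl | grep -E "^[[:space:]]*$1[[:space:]]*=" | tail -n 1 | sed 's/.*=[[:space:]]*//'
}

# apply_sysctl: write the drop-in and reload every sysctl file in the usual order
# (/usr/lib/sysctl.d, /etc/sysctl.d, /etc/sysctl.conf).
apply_sysctl() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    render_sysctl > "$DROPIN"
    sysctl --system
}

# block_ping: block only echo requests. The article's rule
# "rule protocol value=icmp drop" also drops "fragmentation needed" messages
# and breaks path MTU discovery. Note that firewalld normally answers a
# blocked ICMP type with a reject message rather than staying silent; the
# icmp_echo_ignore_all sysctl above is what makes the host silent.
block_ping() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    firewall-cmd --permanent --add-icmp-block=echo-request
    firewall-cmd --reload
    firewall-cmd --list-icmp-blocks
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_sysctl
    block_ping
fi
```

Run with APPLY=1 as root to apply; afterwards `sysctl net.ipv4.conf.all.rp_filter net.ipv4.icmp_echo_ignore_all` should print 1 for both, and a ping from outside should time out.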
Update the system periodically, remove unused packages, and clear the yum cache
crontab -e
Modify the following as needed
0 0 */10 * * yum update -y
0 0 */11 * * yum autoremove -y
0 0 */12 * * yum clean all
Caveat: */10 in the day-of-month field means days 1, 11, 21 and 31, not every tenth day; likewise */11 gives days 1, 12 and 23, and */12 gives days 1, 13 and 25, so all three jobs start at midnight on the 1st and can collide. Unattended full updates can also restart or break services. The usual alternative is yum-cron with update_cmd = security and apply_updates = yes in /etc/yum/yum-cron.conf, which installs only security fixes automatically and leaves feature updates for a planned maintenance window.
Firewall blocks port scanning (does not work on CentOS 7: the ports are still found by a scan; I don't know whether it takes effect on versions below CentOS 7)
iptables -F #Clear the firewall policy
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#The original fourth rule, "iptables -A INPUT -p tcp --tcp-flags SYN,SYN --dport 80 -j DROP", matches every ordinary connection request to port 80 and would take a web server offline, so it is left out here
The target name is DROP in capitals; iptables rejects "Drop" with "No chain/target/match by that name". Why the rules do not work on CentOS 7: firewalld owns the iptables rule set there, so iptables -F wipes firewalld's rules (leaving every port open until the next reload), and the next firewall-cmd --reload discards rules added with iptables directly. The three flag rules also only catch malformed probes (Xmas, SYN/FIN and SYN/RST scans); nmap's default SYN scan sends normal connection requests and is unaffected, which is why the open ports are still listed. If you want such rules at all, add them with firewall-cmd --permanent --direct --add-rule so they survive a reload; the real defence against scanning is to expose as few ports as possible.
Uninstall Alibaba Cloud's Cloud Shield agent (the Aegis server guard). The server is tight on memory, and the article's view is that Cloud Shield does more harm than good, so it is uninstalled. Be aware of what you give up: the agent is the host-side sensor for Alibaba Cloud's security products, so after removal they no longer see events on this host. Note also that the scripts below are fetched over plain HTTP and run as root; read them before executing them.
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
pkill aliyun-service
rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
Note: After the uninstallation completes, the two downloaded scripts can be deleted. If you cannot wget the files, contact the webmaster for them.
Block the Cloud Shield IP ranges. Cloud Shield periodically scans the server to simulate attacks
vim shield_ip.sh
Add the following content (the same rich rule for each range, written as a loop):
#!/bin/bash
echo "Blocking the IP ranges Cloud Shield uses to scan cloud servers"
for net in \
    140.205.201.0/28 140.205.201.16/29 140.205.201.32/28 \
    140.205.225.192/29 140.205.225.200/30 140.205.225.184/29 \
    140.205.225.183/32 140.205.225.206/32 140.205.225.205/32 \
    140.205.225.195/32 140.205.225.204/32 \
    106.11.224.0/26 106.11.224.64/26 106.11.224.128/26 106.11.224.192/26 \
    106.11.222.64/26 106.11.222.128/26 106.11.222.192/26 106.11.223.0/26
do
    firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=\"${net}\" drop"
done
firewall-cmd --reload
Save and exit
chmod +x shield_ip.sh
./shield_ip.sh
Note: These address ranges are the Cloud Shield server IPs published by Alibaba Cloud, source: https://help.aliyun.com/knowledge_detail/37436.html . The published list changes over time, so check that page before applying it. Blocking these ranges also blinds the vulnerability scanning Cloud Shield performs on your behalf, which is a deliberate trade-off here.
Locale settings:
vim /etc/locale.conf
Delete the existing content and add the following:
LANG=zh_CN.utf8 //Chinese interface
LC_MESSAGES=en_US.utf8 //English messages, so error output stays searchable
reboot //Takes effect after a reboot (a new login shell also picks up the new locale)
In the Alibaba Cloud console, go to Elastic Compute Service -> Security Groups -> Configure Rules -> Add Security Group Rule
Add the ssh port (2000 above) to the security group, otherwise the server cannot be reached from the Internet at all; the same applies to the ftp and apache ports if they are not opened in the security group
Download the Xshell remote login client and log in to the Linux system as the user normal (how to use Xshell is not covered here). After logging in:
su - root //Switch to root; root's password is required, since direct root login over ssh is disabled (alternatively grant normal sudo rights)
Note: After logging in through the remote connection in the Alibaba Cloud console, do not leave any user logged in. When you are finished, log out so that the screen is back at the username prompt; otherwise the next person who opens the console connection finds an open shell
For example, when logged in through the Alibaba Cloud console (not Xshell), the command to log out is
logout //exit also works
Note: if you used su to become root, you must log out twice (once from root, once from normal)
Finally: in the Alibaba Cloud console -> Security (Cloud Shield) -> Situation Awareness -> enable the Situation Awareness service -> set up email or SMS alerts
The above is the detailed content of Summary of Linux Centos7 system reinforcement knowledge points. For more information, please follow other related articles on the PHP Chinese website!