Harden Linux Servers: Improve Security with Command Line Tools

Hardening Linux Servers: Utilizing Command Line Tools to Improve Security

Overview:
With the development of the Internet, Linux servers are becoming more and more popular . However, as the number of servers continues to grow, server security issues have become increasingly prominent. In order to ensure the security of the server, administrators need to take some measures to harden the server. In this article, we will highlight some command line tools that can help administrators improve server security.

1. Password policy management

On a Linux server, password policy is very important. By setting appropriate password policies, you can reduce the risk of passwords being guessed and cracked. The following are some command line tools that can be used to manage password policies:

• passwd: used to change user passwords and can force complex passwords.
• chage: used to set password expiration time and account lock options.
• pam_pwquality: used to set password quality requirements, such as length, complexity, etc.

Sample code:

# 设置密码过期时间为30天
chage -M 30 username

# 设置密码必须包含数字和特殊字符，并且长度不少于6个字符
pam_pwquality --retry=3 --minlen=6 --minclass=2 --enforce-for-root

2. Firewall configuration

The firewall is one of the important components to protect the server from unauthorized access. The following are some commonly used command line tools that can be used to configure firewalls:

• iptables: The most commonly used firewall tool on Linux, you can control the incoming and outgoing of data packets by setting rules.
• ufw: A firewall configuration tool on Ubuntu Linux that can simplify the configuration of iptables.
• firewalld: Firewall configuration tool on CentOS and Fedora, providing more advanced configuration options.

Sample code:

# 配置iptables，只允许SSH和HTTP流量通过
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

# 使用ufw配置防火墙
ufw allow ssh
ufw allow http
ufw default deny
ufw --force enable

# 使用firewalld配置防火墙
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

3. SSH configuration

SSH is the preferred way for administrators to remotely manage Linux servers, so keep SSH secure Very important. The following are some command line tools that can be used to harden SSH:

• sshd_config: The configuration file of the SSH server. You can edit this file to restrict login methods, disable empty password login, etc.
• ssh-keygen: Used to generate key pairs to provide more secure SSH connections.
• fail2ban: Used to prevent SSH brute force cracking and can automatically disable IP addresses based on the number of failed logins.

Sample code:

# 禁用空密码登录
sed -i 's/#PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config

# 限制登录用户和用户组
sed -i 's/#AllowUsers/AllowUsers/' /etc/ssh/sshd_config
sed -i 's/#AllowGroups/AllowGroups/' /etc/ssh/sshd_config

# 生成SSH密钥对
ssh-keygen -t rsa -b 4096

# 安装fail2ban
apt-get install fail2ban -y
systemctl enable fail2ban

Conclusion:
By using these command line tools, administrators can harden Linux servers and improve server security. However, these tools are only part of hardening the server. You also need to pay attention to other security measures, such as timely updating of system patches, monitoring logs, etc. Only by taking comprehensive security measures can your server be protected against a variety of threats.

When managing a Linux server, please always remain vigilant and respond to security issues in a timely manner to ensure the security of the server.

The above is the detailed content of Harden Linux Servers: Improve Security with Command Line Tools. For more information, please follow other related articles on the PHP Chinese website!