Home >Operation and Maintenance >Linux Operation and Maintenance >How to protect your Linux server using the command line

How to protect your Linux server using the command line

王林
王林Original
2023-09-09 10:15:111118browse

How to protect your Linux server using the command line

How to use the command line to protect your Linux server

Overview:
In today’s digital age, server security is particularly important. As server administrators, we need to take a series of measures to protect our Linux servers. The command line is a very effective tool that can help us achieve this goal. This article will explain how to use the command line to protect your Linux server and provide some code examples.

1. Update the system
It is very important to keep the server operating system up to date. We can use the following command to update the system:
sudo apt update
sudo apt upgrade

2. Use the firewall
The firewall is the first line of defense to protect the server. We can use iptables commands to configure and manage firewall rules. Here are some commonly used examples:

  1. Allow specific IP addresses to access the SSH port (default is 22):
    sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 - j ACCEPT
  2. Allow specific IP address range to access HTTP port (default is 80):
    sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
  3. Deny all other inbound connections:
    sudo iptables -A INPUT -j DROP

3. Use Fail2Ban to protect SSH
Fail2Ban is an open source intrusion prevention tool that can protect The server is protected from brute force attacks. Here is an example of how to use Fail2Ban to secure SSH:

  1. Install Fail2Ban:
    sudo apt install fail2ban
  2. Edit the Fail2Ban configuration file:
    sudo nano /etc/fail2ban /jail.local
  3. Add the following content to the file:
    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log /auth.log
    maxretry = 3
    bantime = 3600
  4. Restart the Fail2Ban service:
    sudo service fail2ban restart

4. Use defensive DNS settings
Using defensive DNS settings can help block malicious traffic on your server. Here is an example:

  1. Edit the resolv.conf file:
    sudo nano /etc/resolv.conf
  2. Add the following to the file (Google Public DNS):
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  3. Save and exit the file.

5. Use secure SSH configuration
SSH is an important way to access the server remotely, but it is also vulnerable to attacks. The following are some suggested modifications in the configuration file /etc/ssh/sshd_config:

  1. Change the SSH default port (a port above 1024 is recommended):
    Port 2222
  2. Disable root User login:
    PermitRootLogin no
  3. Restrict users who can log in:
    AllowUsers user1 user2
  4. Disable password login, use key login:
    PasswordAuthentication no
  5. Change login response time:
    LoginGraceTime 60
  6. Disable empty passwords:
    PermitEmptyPasswords no
  7. Save and exit the file, restart the SSH service:
    sudo service ssh restart

6. Use password strength check
In order to protect the server account, we can use the passwdqc command to check the password strength. Here is an example:

  1. Install passwdqc:
    sudo apt install libpam-passwdqc
  2. Edit the password policy configuration file:
    sudo nano /etc/pam.d/ common-password
  3. Add the following line (after the password requisite line):
    password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
  4. Save and exit the file.

Summary:
By using the command line to protect a Linux server, we can increase the security of the server and prevent malicious attacks. This article introduces some common command line operations and code examples for server administrators' reference and use. At the same time, we should always pay attention to the latest information on server security and promptly update systems and tools to deal with new security threats. Securing servers is a process of continuous learning and continuous improvement.

The above is the detailed content of How to protect your Linux server using the command line. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn