Explore how to protect your Linux server

No matter which Linux distribution you use, you need to protect it with an iptables-based firewall.

Aha! You've set up your first Linux server and are ready to go! Is it? Well, wait.

By default, your Linux system is not secure enough from attackers. Sure, it's much more secure than Windows XP, but that doesn't mean much.

To make your Linux system truly stable, you need to follow Linode's Server Security Guide.

In general, first you must turn off those services that you do not need. Of course, to do this, you first need to know which network services you are using.

You can use the shell command to find out which services are:

netstat -tulpn

netstat will tell you what services are running and what ports those services are using. If you don't need a service or port, you should turn it off. For example, unless you are running a website, you do not need an Apache or Nginx server running, nor do you need to have port 80 or 8080 open.

In short, if you are not sure, just turn it off first.

On a simple Linux server without any additional changes, you will see SSH, RPC and NTPdate running on their public ports. Don't add an old and unsafe shell program like telnet, otherwise the old driver will drive away your Linux sports car without you noticing. Maybe you liked telnet as a backup login to your SunOS machine in the 1980s, but that's long gone.

For SSH, you should use RSA keys and Fail2Ban for hardening. Unless you need RPC, uninstall it - if you don't know you don't need it, you don't need it.

Enough about how to lock down; let’s talk about using iptables to lock down incoming traffic.

When you start a Linux server there are no rules. This means that all traffic is allowed. Of course this is bad. Therefore, you need to set up your firewall in time.

Iptables is a shell tool used to set network policy rules for netfilter. Netfilter is the default firewall under Linux systems. It uses a set of rules to allow or prohibit traffic. When someone tries to connect to your system - and some people try this all the time and never get discouraged - iptables checks to see if those requests match a list of rules. If no rule is matched, it takes the default action.

The default operation should be to "Drop" the connection, that is, to ban these intended intruders. And it doesn't let them know what's going on with these network probes. (You can also "Reject" the link, but that will also let them know that you have a running Linux firewall. For now, the less information that strangers can get into our systems, the better. At least, I I think so.)

Now, you can use iptables to set up your firewall. I've already done this. Like before, I rode my bike to work six miles away and it was uphill on both sides. And now, I drive there.

This is actually a metaphor for my use of FirewallD in the Fedora distribution and UFW (Uncomplicated Firewall) in the Debian distribution. These are easy-to-use shell front ends for iptables. You can find suitable usage in the following Linode guides: FirewallD and UFW.

Essentially setting these rules is to place a "no entry" sign on your server. Use it.

But don’t get too excited and close all the links. For example:

sudo ufw default deny incoming

Looks like a good idea. Don’t forget, it bans all links, including yours!

Great, that's what it does. This means it also disables SSH logins. This means that you can no longer log in to your new server. Wow!

However, if you make a mistake, more links will be banned by mistake. You see, the veteran driver is also blocked by you.

Or, to be more precise, this is not an isolated phenomenon experienced by you or your server. Of course, you're not the National Security Agency (NSA) who is subject to over 300 million attack attempts every day. But the attack script doesn't care who you are. It just continuously checks for servers with known vulnerabilities in the network. On a normal day my own little server would be hit by hundreds of attacks.

That’s it, what are you waiting for? Go ahead and harden your network services. Install FirewallD or UFW to harden your server. You will be willing to do it.

The above is the detailed content of Explore how to protect your Linux server. For more information, please follow other related articles on the PHP Chinese website!