Update, 13 April 2018: added a link to the fail2ban advanced configuration tutorial and updated the commands.

The whole site has migrated to a new host, which costs as little as 15 yuan a month. If you'd like to support me, consider registering with my invitation code: it gets you a $10 (over 60 RMB) discount! 😚


I recently bought a VPS, supposedly in order to study... Yes! You read that right! I'm going to be serious about studying this time!

=。=

In short, once you've bought a VPS, you always need to put some basic security measures in place so that it doesn't end up as some idiot's zombie machine (a "broiler").

OK. Since the VPS I bought runs Linux, I'll use it as the example for this write-up.

Since a VPS is effectively a computer with its own public IP, sitting directly exposed on the Internet, the very thing that makes it convenient for you also puts an equals sign between your VPS and danger: password brute-forcing, DDoS attacks, and every kind of attack you can or can't think of are waiting for you. Don't believe you can dream up some unbreakably strong password; statistics tell us to trust RSA instead!

Log in to SSH with an RSA key

First, the problem of SSH password brute-forcing. Don't tell me you're still using telnet; if so we have nothing to talk about, close this page right now!

In this world there are always plenty of bored idiots doing weak-password scanning against SSH. Trust me, however clever you are, you can't beat a dictionary. So disabling SSH password authentication is a good choice.

As my teacher used to say: the most secure computers are the ones with no password at all. Where there is no password there can be no cracking, because the system simply refuses remote logins.

But if we disable SSH password authentication, how do we log in? VNC? No, no. We can use an RSA key pair.

Generate an RSA public/private key pair, upload the public key to the server and keep the private key yourself. This not only strengthens your authentication, it also brings the convenience of logging in without a password ①.

①: Going without a password is optional. I recommend still using a password on top of this (a passphrase on the private key), so that even if someone gets hold of a backup of your private key, they can't simply log into your VPS without a password.

The command used in the example below is: ssh-keygen

Of course, I've scribbled over the necessary parts of the command's output; you can roughly see what's going on.

Next, we use the scp command to throw the generated public key up to the server:

Alternatively, SSH into the server, copy the id_rsa.pub file into the appropriate .ssh directory, and rename it to authorized_keys.

Note that the key goes under whichever account you want to register it for. For example, I want to log in automatically as root, so I do this:

I won't explain these simple directory and file operations in much detail; essentially id_rsa.pub is renamed and placed in the user's ssh configuration directory. Since this is a fresh system, I simply renamed it; if the directory already has an authorized_keys file, you need to back up the original or just append the contents of id_rsa.pub to it.

Now we can log in over ssh using the RSA key file.

Disable SSH password login

Find the SSH service's configuration file in the directory above and modify the following fields:

By the way, I recommend making an extra backup of the id_rsa file: it's the private key saved on your computer, and if you lose it you may need to reset things through your VPS's VNC console!

Also, to avoid the Write failed: Broken pipe error, you can add the following directive at the end of the file while you're at it, then restart the ssh service.
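The screenshot of the sshd_config edit is not reproduced here, so the following is an added example (my own script, not the author's) that audits an sshd_config file for the settings this section is about. It assumes the fields meant are `PasswordAuthentication` and `PubkeyAuthentication`, and that the directive the author appends against the Broken pipe error is `ClientAliveInterval`; all three are real sshd_config keywords, but the post itself does not name them. It mirrors sshd's rule that the first value seen for a keyword wins, which is exactly why appending `PasswordAuthentication no` at the bottom of a file that already says `yes` higher up changes nothing. The two sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits an sshd_config for the settings this section changes.
# Assumption: sshd keeps the FIRST value it reads for a keyword and ignores
# later duplicates; "Match" blocks are out of scope, so parsing stops there.

# sshd_effective FILE KEYWORD
# Print the value sshd would use for KEYWORD, falling back to the compiled-in
# default ("yes" for both keywords audited below) when the file never sets it.
sshd_effective() {
    file=$1
    key=$2
    val=$(awk -v key="$key" '
        NF == 0 || $1 ~ /^#/          { next }            # blank line or comment
        tolower($1) == "match"        { exit }            # conditional block: stop here
        tolower($1) == tolower(key)   { print $2; exit }  # first occurrence wins
    ' "$file")
    if [ -z "$val" ]; then
        case "$key" in
            PasswordAuthentication|PubkeyAuthentication) val=yes ;;
        esac
    fi
    printf '%s\n' "$val"
}

# audit_sshd_config FILE
# Return 0 when password logins are off and key logins are on; otherwise
# print what is wrong and return 1.
audit_sshd_config() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    status=0
    [ "$pw" = "no" ]  || { echo "$1: PasswordAuthentication is '$pw', expected 'no'"; status=1; }
    [ "$pk" = "yes" ] || { echo "$1: PubkeyAuthentication is '$pk', expected 'yes'"; status=1; }
    return "$status"
}

# --- constructed sample files (not copied from any real server) ---
SAMPLE_DIR=$(mktemp -d)

# Weak: "PasswordAuthentication no" was appended at the bottom, but the
# earlier "yes" is the one sshd honours, so password logins stay enabled.
cat > "$SAMPLE_DIR/weak_sshd_config" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ClientAliveInterval 60
PasswordAuthentication no
EOF

# Hardened: the only PasswordAuthentication line says no.
cat > "$SAMPLE_DIR/hardened_sshd_config" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ClientAliveInterval 60
EOF

for f in "$SAMPLE_DIR/weak_sshd_config" "$SAMPLE_DIR/hardened_sshd_config"; do
    if audit_sshd_config "$f"; then
        echo "$f: OK"
    fi
done
```

On a real host, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually uses, including anything pulled in through `Include` directives (recent Ubuntu releases ship drop-in files under /etc/ssh/sshd_config.d/), which this script does not follow. Run `sudo sshd -t` before restarting the service so that a typo in the config cannot lock you out, and keep your current session open until a second key-based login succeeds.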

With that, your VPS is largely safe. But if your VPS hosts a website and runs services such as httpd, you may also need to

Install the CSF firewall

Installing the CSF firewall effectively blocks IPs that try to break into your VPS. You don't need to know its advanced configuration, but at the very least you should install it.

For using the CSF firewall, I wrote a dedicated article to guide you through installing and configuring it. It conflicts with ufw, so if you decide to use CSF, ignore the ufw-related parts of this article.

Install fail2ban

This software uses the iptables firewall to temporarily ban IPs that try to brute-force the SSH password, for 10 minutes by default, which effectively stops such attacks.

If, like me, you use nginx to serve your site, you can also look at fail2ban's advanced configuration to protect nginx further: Fail2ban advanced configuration for nginx
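To show what fail2ban is actually reacting to, here is an added example (my own script, not part of the post or of fail2ban) that runs the same kind of detection over a handful of sshd log lines: it counts authentication failures per source IP and reports the sources that reached a retry threshold. The log lines are constructed samples in sshd's usual syslog format, and the threshold mirrors fail2ban's `maxretry` setting; the `findtime` window is deliberately left out, so the script counts the whole file.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Shows the detection fail2ban's sshd jail performs, reduced to an awk pass
# over auth-log lines, so you can see which lines it keys on.
# The log lines below are constructed samples in sshd's syslog format.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Apr 13 10:00:01 vps sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Apr 13 10:00:03 vps sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Apr 13 10:00:04 vps sshd[2103]: Invalid user admin from 198.51.100.23 port 50130
Apr 13 10:00:05 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 50130 ssh2
Apr 13 10:00:09 vps sshd[2107]: Accepted publickey for alice from 203.0.113.8 port 40010 ssh2: RSA SHA256:constructed
Apr 13 10:00:15 vps sshd[2110]: Failed password for alice from 203.0.113.8 port 40020 ssh2
Apr 13 10:00:16 vps sshd[2112]: Failed password for root from 198.51.100.23 port 50140 ssh2
Apr 13 10:00:20 vps sshd[2115]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2
EOF

# failed_logins LOGFILE
# Print "IP count" for every source with an authentication failure, using the
# same "Failed password" / "Invalid user" lines fail2ban's sshd filter matches,
# highest count first.
failed_logins() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip[$(i + 1)]++; break }
        }
        END { for (a in ip) print a, ip[a] }
    ' "$1" | sort -k2,2nr -k1,1
}

# ban_candidates LOGFILE MAXRETRY
# Print the IPs whose failure count reached MAXRETRY, the role of fail2ban's
# "maxretry" setting. The "findtime" window is omitted: this counts the whole file.
ban_candidates() {
    failed_logins "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

echo "failures per source:"
failed_logins "$LOG"
echo "would be banned with maxretry=5:"
ban_candidates "$LOG" 5
```

In fail2ban's shipped jail.conf the corresponding settings are `maxretry = 5`, `findtime = 10m` and `bantime = 10m` (the 10-minute ban the section mentions); put any overrides in jail.local rather than editing jail.conf, so package upgrades do not revert them. A single mistyped password from a legitimate user, like the one from 203.0.113.8 above, stays well under the threshold.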

Disable unnecessary Linux ports

Closing all ports and leaving only the ones you need open is always the right choice:

Use the following command to check whether ufw is present. Editing iptables directly is no longer recommended; it's not something the average person can manage, so Ubuntu officially launched a friendlier front-end to iptables for ordinary administrators. It's just as powerful, but with much simpler commands. For details see: Uncomplicated Firewall, the simpler firewall on Ubuntu

If the terminal shows the firewall is not active (in theory it should look like this, because ufw comes built into the system):

We add rules with the following command:

See, isn't the command simpler? Just "allow" whatever you need. It opens a few things by default, such as ICMP.

Also, by default it sets the iptables INPUT chain to deny, which is both convenient and safe.

So whatever services you want to use in future, add the ports they need following the same pattern. Ports opened for no reason are likely to be found by a port sweep and hacked =。=

Right! Remember to export the configuration with the following command and then set it up to load at boot, otherwise the rules will vanish after a while!

Also, don't go looking for an iptables restart command; in Ubuntu this works at the kernel level, meaning rules take effect in real time!
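The point about stray open ports is easy to check mechanically. Below is an added example (my own script, not from the post) that reads the text `ufw status` prints, lists every port with an ALLOW or LIMIT rule, and flags any that is not on the list of services the host is supposed to expose. The status output is a constructed sample rather than a capture from a real server; the `LIMIT` rows are what `ufw limit 22/tcp` produces (ufw rate-limits connection attempts to that port), and 3306/tcp is deliberately left open in the sample to show the script catching it.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Lists the ports a ufw policy leaves open and flags any that are not on the
# list of services you actually run. Input is the text "ufw status" prints;
# the sample below is constructed, not captured from a real host.

STATUS=$(mktemp)
cat > "$STATUS" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF

# open_ports STATUS_FILE
# Print one "port/proto" per line for every ALLOW or LIMIT rule, with the
# IPv4 and IPv6 copies of a rule collapsed into one entry.
open_ports() {
    awk '/ (ALLOW|LIMIT)/ { print $1 }' "$1" | LC_ALL=C sort -u
}

# unexpected_ports STATUS_FILE EXPECTED...
# Print every open port not listed in EXPECTED; return 1 if there were any.
unexpected_ports() {
    status_file=$1
    shift
    found=0
    for p in $(open_ports "$status_file"); do
        keep=0
        for e in "$@"; do
            [ "$p" = "$e" ] && keep=1
        done
        if [ "$keep" -eq 0 ]; then
            echo "$p"
            found=1
        fi
    done
    return "$found"
}

# The services this constructed host is meant to expose: ssh and the web.
if unexpected_ports "$STATUS" 22/tcp 80/tcp 443/tcp; then
    echo "no unexpected open ports"
else
    echo "^ open in ufw but not on the expected list: close or justify"
fi
```

On a real host, save `sudo ufw status` to a file and pass that file to `unexpected_ports` with the ports you really need. Note that ufw stores its rules under /etc/ufw and `ufw enable` registers them to be loaded at boot, so a database port you opened "temporarily" stays open across reboots until you remove the rule.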

Add Chinese locale configuration (optional)

If you're using a VPS in mainland China, you may also want to switch the Ubuntu update sources to a domestic mirror; see Aliyun Ubuntu update mirror source

After updating you'll likely hit a "locale empty" error; then install some locales:

Summary

So: you've disabled SSH password authentication, installed an anti-intrusion firewall, closed all ports not in regular use, and used a script to protect your nginx server... Your VPS has, at least in theory, left the ranks of easy-prey zombies. Further security configuration you can tailor to your own needs!

Published by R0uter

Unless declared otherwise, the articles I write are original; when reproducing them, please credit the link to this page and my name.

16 Comments

  1. After disabling password login, the connection prompts again: Permission denied (publickey,GSSAPI-keyex,gssapi-with-mic).

    I also disabled SELinux. I don't know what's going on; I tried several times. Could an expert please take a look?

          1. That's probably a private key format issue; ssh may not be able to read it. Check its encoding. In my own case, the private key format used by my sftp client and by ssh were different; they aren't interchangeable.

  2. Hello R0uter, long-time lurker here.
    Actually, transferring the ssh public key can be done in one step with the cat command:

    cat .ssh/id_rsa.pub | ssh root@<ip address> "cat >> ~/.ssh/authorized_keys"
    // id_rsa.pub may in fact have a different name; I recommend a numeric ID (for example id_rsa0.pub) in case you manage two or more VPSes //
    Of course, if there is no .ssh folder yet, first:
    mkdir .ssh

    As for the other security tips I learned here, many thanks to R0uter for the teaching.

    1. The ssh command you use is equivalent to passing the public key contents to the server as text and then executing a command there; my command uses scp to copy the file to the remote server. In fact scp can also copy it straight to the authorized_keys file name; in that case, if the path is written out clearly, it's also a one-liner, and it avoids using a pipe. It's really the same thing.

      There is still a difference: your one-liner isn't easy to copy or to type by hand, and one slip easily gets it wrong. scp uses fewer symbols, so in terms of hit rate my approach is more suitable
      ;)