Practical and Simple Security Configuration Tutorial for Servers

The most basic security configuration for DNSHE after purchasing a server:
First, change the SSH port
The default SSH port on a VPS is 22, and anyone scanning for servers and brute-forcing passwords will inevitably start with port 22. It is therefore necessary to change 22 to a different number.
Log in to the VPS over SSH and edit the configuration file.
vi /etc/ssh/sshd_config
Find # Port 22, remove the leading #, and change it to Port 1380 (prefer a 4-digit number to avoid a port that is already in use), then restart sshd
service sshd restart
***Attention: If you are worried that a mistake will lock you out of the VPS, you can instead find # Port 22, remove the #, and add a second line, Port 1380. Open another PuTTY window, try logging in on the new port, and once that works, delete the Port 22 line!
Second, disable root login and add a new account
First, add a new user account
useradd dnshe # The example username used here is dnshe
Set the new user's password
passwd dnshe
After entering the password twice, you are done.
Next, prohibit root login by editing the configuration file; this is again /etc/ssh/sshd_config.
vi /etc/ssh/sshd_config
Find # PermitRootLogin yes, remove the leading #, change 'yes' to 'no', and then restart sshd.
service sshd restart
Try logging in as the new user and then use su root to gain root access.
Login as: dnshe # New username
dnshe@*.*.*.* password:***** #New user password
Last login: Thu Mar 5 08:14:21 2024 from *.*.*.*
su root # Switch to root
Password: *********** # ROOT Password
***Attention: A strong password is also a barrier that protects the account. For example, a complex, random root password has a very low chance of being guessed by exhaustive search, just like buying a welfare lottery ticket!
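The two steps above can be checked from the file itself before sshd is restarted. The following is an added example, not part of the original tutorial; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the two changes in this tutorial.
# sshd keywords are case-insensitive and, for single-valued keywords, the FIRST
# uncommented occurrence wins; Port may repeat (sshd listens on every one).

# effective_values FILE KEYWORD -> active values from the global section.
effective_values() {
    awk -v key="$2" '
        /^[[:space:]]*#/       { next }   # commented-out default, ignored by sshd
        tolower($1) == "match" { exit }   # stop before conditional Match blocks
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if both steps are in place.
audit_sshd() {
    rc=0
    ports=$(effective_values "$1" Port | tr '\n' ' ')
    root=$(effective_values "$1" PermitRootLogin | head -n 1)
    case " ${ports:-22 }" in              # no Port line means the default, 22
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
        *)        echo "OK: listening on port(s) $ports" ;;
    esac
    case "$root" in
        [Nn][Oo]) echo "OK: PermitRootLogin no" ;;
        "")       echo "FAIL: PermitRootLogin not set, built-in default applies"; rc=1 ;;
        *)        echo "FAIL: PermitRootLogin $root"; rc=1 ;;
    esac
    return $rc
}

demo_dir=$(mktemp -d)
# Constructed sample: the transitional state from the first Attention note
# (both ports open, root login not yet disabled).
printf '%s\n' '#Port 22' 'Port 22' 'Port 1380' '#PermitRootLogin yes' > "$demo_dir/during"
# Constructed sample: the final state after both steps.
printf '%s\n' 'Port 1380' 'PermitRootLogin no' > "$demo_dir/after"
audit_sshd "$demo_dir/during" || true    # two FAIL lines
audit_sshd "$demo_dir/after"             # two OK lines
```

On the server itself, sshd -t checks the configuration file for syntax errors without restarting the service, which is worth running before service sshd restart.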
Third, install DDoS deflate to defend against lightweight CC and DDoS attacks
On the WP forum, I saw a friend who used Hostigation to open free space say something very classic: nowadays, even children can use D-site... Being low-key is the best choice. Try not to show off in certain places; not being too ostentatious can also be considered a security defense! As the saying goes, if you walk by the river, how can your shoes stay dry? It is necessary to take preventive measures. Alright, I've talked a lot of nonsense. Now let's install DDoS deflate.
Before discussing DDoS deflate, we need to understand one more thing: iptables
iptables is an IP packet filtering system integrated into the Linux kernel. It makes it easy to add, edit, and remove the rules that the firewall follows when making packet filtering decisions.
First, confirm the status of the iptables service (it is usually included in VPS systems)
service iptables status
After confirmation, install DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
After installation, modify the configuration file so that offending IPs are locked out automatically using iptables.
vi /usr/local/ddos/ddos.conf
The main modification here is to change APF_BAN=1 to 0 (use iptables). In addition, EMAIL_TO="root" can be changed to one of your own email addresses, so that the system notifies you by email when an IP address is blocked.
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # IP address whitelist
CRON="/etc/cron.d/ddos.cron"  # Scheduled job that runs the script
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1  # Check interval, default is 1 minute
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150  # Maximum number of connections; an IP exceeding it is blocked. The default is usually fine
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0  # Use APF or iptables. Using iptables is recommended, so set APF_BAN to 0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1  # Whether to block the IP; the default is sufficient
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="admin@dnshe.com"  # When an IP is blocked, an email is sent to this address. Use your own email address instead
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600  # How long an IP stays blocked; default is 600 seconds, adjust as needed
The default whitelist handling has some issues and often produces errors, so it is best to set the whitelist manually and make it non-modifiable.
vi /usr/local/ddos/ignore.ip.list # Manually set whitelist IP addresses
chattr +i /usr/local/ddos/ignore.ip.list # Make the file immutable so it cannot be modified
chattr -i /usr/local/ddos/ignore.ip.list # Remove the immutable flag so it can be edited again
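To see how the connection limit and the whitelist interact before relying on automatic bans, the decision can be reproduced offline. This is an added example, not DDoS deflate's own script; it assumes input in the column layout of netstat -ntu, and the sample connections and addresses are constructed.

```sh
#!/bin/sh
# Added example (not the project's code): which remote IPs would exceed the
# NO_OF_CONNECTIONS limit, given a whitelist like ignore.ip.list?

# find_offenders NETSTAT_FILE LIMIT WHITELIST_FILE -> "COUNT IP", highest first.
find_offenders() {
    awk -v limit="$2" -v wl="$3" '
        FILENAME == wl {                       # whitelist: one IP per line
            if ($1 != "" && $1 !~ /^#/) allow[$1] = 1
            next
        }
        $1 ~ /^(tcp|udp)/ {                    # skip netstat header lines
            ip = $5                            # Foreign Address column
            sub(/:[0-9*]+$/, "", ip)           # strip the trailing :port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit && !(ip in allow)) print count[ip], ip
        }
    ' "$3" "$1" | sort -rn
}

demo=$(mktemp -d)
# Constructed netstat-style sample: one noisy client, one busy but trusted
# address, and one ordinary SSH user on the new port.
{
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    awk 'BEGIN {
        for (i = 1; i <= 160; i++) printf "tcp 0 0 192.0.2.10:80 198.51.100.7:%d ESTABLISHED\n", 40000 + i
        for (i = 1; i <= 200; i++) printf "tcp 0 0 192.0.2.10:80 203.0.113.5:%d ESTABLISHED\n", 50000 + i
        for (i = 1; i <= 12; i++)  printf "tcp 0 0 192.0.2.10:1380 192.0.2.99:%d ESTABLISHED\n", 60000 + i
    }'
} > "$demo/netstat.txt"
# Constructed whitelist: loopback plus the trusted address.
printf '%s\n' '127.0.0.1' '203.0.113.5' > "$demo/ignore.ip.list"

find_offenders "$demo/netstat.txt" 150 "$demo/ignore.ip.list"   # 160 198.51.100.7
```

Running the same function against an empty whitelist shows what a missing or broken ignore.ip.list costs: the trusted address is listed for banning as well.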
To uninstall DDoS deflate:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 700 uninstall.ddos
./uninstall.ddos
