Linux Operating System Security Reinforcement Setting Method

The basic principles of system security are to start only the services you need, expose only the ports you need, and keep up with system patch updates.
1. Update software package
centos: yum update -y
debian/ubuntu: apt update && apt upgrade -y
#Upgrade system minor version
centos: yum upgrade -y
2. Set relatively complex passwords
Use passwords that mix upper- and lower-case letters, numbers and symbols, and that are long enough to resist guessing.
3. Modify the default remote port
/etc/ssh/sshd_config
Port 22000
systemctl restart sshd
4. Firewall settings
Only allow the ports you actually use, such as remote: 22000 (if your own public IP is fixed, it is best to allow that source IP only), web: 80, ftp: 21.
Block UDP entirely, except for outbound DNS queries to port 53.
Ubuntu/Debian requires installation of: apt-get install iptables
centos: /etc/sysconfig/iptables
ubuntu: /etc/iptables.rules
debian: /etc/iptables/rules.v4
Reference rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Chain names must directly follow the colon and the state list must not contain spaces, or iptables-restore rejects the file
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Outbound UDP: allow DNS queries only, drop everything else
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -j DROP
COMMIT
centos: service iptables reload or systemctl reload iptables (the iptables-services package must be installed)
debian: import the rules with /sbin/iptables-restore < /etc/iptables/rules.v4
5. Services that do not need to accept external connections should listen only on the loopback IP
This applies to Redis, MySQL, Elasticsearch, Memcache and similar services.
Example:
/etc/redis/redis.conf
bind 127.0.0.1
6. Shut down unnecessary services in the system
List the running services: pstree
Stop a service and disable it from starting at boot:
centos6: chkconfig postfix off
centos7+/debian/ubuntu:  systemctl stop postfix ; systemctl disable postfix
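The following audit helper is an added example for sections 3, 5 and 6 and is not part of the original article: it reads `ss -lntp` output and reports sockets that listen on a non-loopback address, then flags sshd still on port 22 and any datastore that is not bound to 127.0.0.1. The sample `ss` output and the process names it matches (Elasticsearch shows up as `java`) are constructed assumptions for the example.

```shell
#!/bin/sh
# Audit listening sockets from `ss -lntp` output. The sample below is
# constructed for this example, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=931,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
LISTEN 0      511    127.0.0.1:11211     0.0.0.0:*         users:(("memcached",pid=1100,fd=26))
LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=1200,fd=7))'

# exposed_listeners: print "process:port" for every LISTEN socket bound to a
# wildcard or public address, i.e. anything other than 127.0.0.0/8 or [::1].
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = "?"
        # Extract the process name from users:(("name",pid=...,fd=...))
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print proc ":" port
    }'
}

# flag_findings: read "process:port" lines and print one finding for each case
# the article tells you to fix: sshd still on port 22 (section 3), or a
# datastore reachable from outside instead of bound to 127.0.0.1 (section 5).
# Elasticsearch runs as "java"; the list is an assumption, extend it as needed.
flag_findings() {
    while IFS=: read -r proc port; do
        case "$proc" in
            sshd)
                if [ "$port" = 22 ]; then
                    echo "sshd listens on default port 22: set Port 22000 in /etc/ssh/sshd_config"
                fi ;;
            redis-server|mysqld|mariadbd|memcached|java)
                echo "$proc on port $port is reachable externally: bind it to 127.0.0.1" ;;
        esac
    done
}

# Stand-alone run over the sample; on a real host use: ss -lntp | exposed_listeners | flag_findings
printf '%s\n' "$SAMPLE_SS" | exposed_listeners | flag_findings
```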
