Make a brief summary of the problem here for reference. The title says that I am a novice, but in fact I am not completely a novice. I still know some common Linux commands, but I lack the overall grasp and control of the Linux system. Here is a brief summary of what I did last Sunday. some things.
1, make ssh login more secure
(1) The most unsafe method: directly ssh root@ip address, and then You are prompted to enter your password and the login is successful. That is, logging in as root with password verification. This method is probably the most unsafe. The reason why it is unsafe: The password can be cracked by brute force. Once cracked, the intruder will directly gain root privileges, which is very scary. So how can you improve security? See item (2).
(2) looks safer than (1), but still has security risks: disable the remote ssh login function of the root account, create an account user without root permissions, and use this account to log in via ssh. After ssh login, if you need root permissions, switch via su. Reasons why it is unsafe: Passwords can still be cracked by brute force. Although root privileges cannot be obtained immediately after cracking, if an intruder cracks the password of the root account, root privileges can still be obtained. The relevant configuration file in Linux is:
vi /etc/ssh/sshd_config PermitRootLogin no #禁用root账户远程ssh登录
Add user command:
# 添加新用户 user add username # 为新用户设置密码 passwd username
(3) Better login Method: SSH key login. Generate a key pair on the client that needs to log in, then upload the public key to the server, store the private key on the client, and then log in through the key. In this way, only after the intruder obtains your private key can you log in to the server. This method is safer and more convenient than the password verification method. The relevant configuration file in Linux is:
1 vi /etc/ssh/sshd_config2 PasswordAuthentication no #禁用口令登录3 PubkeyAuthentication yes #允许公钥认证4 RSAAuthentication yes #rsa认证5 AuthorizedKeysFile .ssh/authorized_keys #相关ssh授权文件
2. What to do when encountering network problems such as ping failure and website inaccessibility
Alibaba Cloud's help documentation provides methods for handling common network problems. There is a lot of content, you can refer to it here. Here is a rough summary:
(1) It is easier to determine that the ping failure is indeed a network problem. Then just follow the relevant documents to check one by one. Generally, it is because of the firewall ( iptables) or security group.
(2) The situation where the website cannot be accessed is more complicated. When the website cannot be accessed, you can ask yourself the following questions to clarify the troubleshooting ideas: 1. My server firewall Are the security groups and security groups set correctly? The main purpose here is to troubleshoot network problems and ensure that the corresponding port can be accessed by the public network. Second, if there is no problem with the network, what server is my website running on and whether the server is running normally, that is, whether the web service on the server is running normally. For example, nginx is commonly used as a web server. Check whether it is running normally. You can use ps and other commands to check. 3. How to check the web server? Let’s take nginx as an example. (1) Which port does it monitor? Is the port it monitors disabled by the firewall? Is this port also monitored by other processes? You can use the lsof -i tcp:80 and netstat commands to check whether the port is open and monitored. (2) Whether the nginx configuration file is correct, whether the root directory of the website can be normally accessed by the nginx process, etc.
The above is the detailed content of Example tutorial on using Alibaba Cloud ECS server. For more information, please follow other related articles on the PHP Chinese website!