
How to prevent the server from being invaded by others

little bottle
2019-04-30 09:57:18

Hardening a server is not difficult, but when there are many routine steps to perform it is easy to forget one. So here I would like to talk about how to keep others from breaking into your server, and to fix the steps in memory at the same time. I hope it will be helpful to you.

How to find vulnerabilities

The situation I encountered was relatively simple. I executed the following command:

grep Accepted /var/log/auth.log

This command returned the successful authentication records on my server, and among them was an IP that is not mine. So the SSH service had been compromised.

Don't forget that there is another command, last, which lists the users who most recently logged in successfully.

How to harden the server

What you need to do immediately after purchasing the server:

  • Install ufw, a simple and easy-to-use firewall front end;
  • Close all ports except SSH and HTTP(S);
  • Install and configure the fail2ban tool, which reads /var/log/auth.log to identify malicious behaviour and ban the offending IPs;
  • Modify the sshd configuration so that only key authentication is allowed.

How to do it specifically?

If a break-in has occurred, you need to know how to investigate and clean up. The best option is to recreate the VPS, which is exactly what I did. I bought my server from Hetzner, and its console offers the ability to recreate a VPS (remove the old one, create a new one) while keeping the original IP. So I recreated the VPS. I then generated an SSH key on my local machine using the ssh-keygen tool, which is part of the standard OpenSSH package (the command below works on both Linux and macOS):

ssh-keygen

This command creates a key pair in the ~/.ssh directory. Then run the following command:

ssh-copy-id your_user@your_server_ip

This command will upload the newly created public key to the server. Next, log in to the server and modify the sshd configuration:

nano /etc/ssh/sshd_config

Modify the PasswordAuthentication configuration in the configuration file:

PasswordAuthentication no

This configuration disables password login (only keys can be used to log in).
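The two manual checks above, the grep for Accepted lines in auth.log and the PasswordAuthentication edit, as an added shell example that is not part of the original article. The log lines, the addresses and the allowlist are constructed for the example; it also treats the sshd rule that the first value read for a keyword wins, so a directive that exists only as a comment still leaves password login enabled.

```shell
#!/bin/sh
# Added example (not from the original article): automate the two checks the
# article does by hand, scanning auth.log for successful logins from unknown
# addresses and verifying that sshd really has password login disabled.

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# The addresses are documentation ranges, made up for this example.
SAMPLE_AUTH_LOG='Apr 28 10:12:01 vps sshd[1021]: Accepted publickey for deploy from 203.0.113.10 port 50122 ssh2: RSA SHA256:k1
Apr 28 11:40:17 vps sshd[1199]: Failed password for root from 198.51.100.77 port 40111 ssh2
Apr 29 02:03:44 vps sshd[1305]: Accepted password for root from 198.51.100.77 port 40200 ssh2
Apr 29 02:04:10 vps sshd[1311]: Accepted password for root from 198.51.100.77 port 40233 ssh2
Apr 30 09:00:05 vps sshd[1402]: Accepted publickey for deploy from 203.0.113.10 port 50300 ssh2: RSA SHA256:k1'

# Addresses you know are yours (constructed placeholder; space or comma separated).
MY_IPS='203.0.113.10'

# unexpected_logins LOGTEXT ALLOWLIST
# Prints one line "count user ip method" per successful-login source that is
# not on the allowlist. Failed attempts are ignored here; fail2ban handles those.
unexpected_logins() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, /[ ,]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            # locate the keyword so the syslog prefix length does not matter:
            # Accepted <method> for <user> from <ip> port ...
            for (i = 1; i <= NF; i++) if ($i == "Accepted") break
            method = $(i + 1); user = $(i + 3); ip = $(i + 5)
            if (!(ip in ok)) seen[user " " ip " " method]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# password_auth_disabled SSHD_CONFIG_TEXT
# Succeeds only if the first effective PasswordAuthentication directive is "no".
# sshd takes the first value it reads for a keyword, so a directive that is only
# present as a comment, or absent (default yes), still allows password login.
password_auth_disabled() {
    printf '%s\n' "$1" | awk '
        BEGIN { v = "yes" }
        tolower($1) == "passwordauthentication" { v = tolower($2); exit }
        END { exit (v != "no") }
    '
}

# Run against the real files on a server (requires root to read auth.log):
#   unexpected_logins "$(cat /var/log/auth.log)" "$MY_IPS"
#   password_auth_disabled "$(sshd -T)" && echo "password login disabled"
```

Feeding sshd -T rather than the file checks the effective configuration, including any Include'd drop-in files.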

Installing and configuring ufw and fail2ban

The system I use on the server is Ubuntu, so these two tools can be installed through the following commands:

apt install ufw fail2ban

Open only the SSH and HTTP(S) ports:

ufw allow ssh
ufw allow 80
ufw allow 443

Enable ufw:

ufw enable

Next configure the fail2ban tool:

# Back up the default configuration as jail.local (the file fail2ban reads for local overrides)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit the local copy rather than jail.conf, which package upgrades overwrite
nano /etc/fail2ban/jail.local

Find the banaction = line in the configuration file and set it to ufw. Then reload the fail2ban configuration:

fail2ban-client reload

With this basic configuration, three incorrect login attempts from the same IP get that IP banned for 10 minutes. I personally adjusted the ban period to 7 days. The following command checks the status of fail2ban:

fail2ban-client status sshd

On my server the output looks like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    2
   `- Banned IP list:    187.109.168.150

As you can see, one IP has been blocked by the firewall. We can also confirm this through ufw's report:

ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      187.109.168.150           
80/tcp                     ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere



Statement:
This article is reproduced from segmentfault.com. If there is any infringement, please contact admin@php.cn for deletion.
