
How to prevent the server from being invaded by others

little bottle
2019-04-30 09:57:18

Hardening a server is not difficult, but when there are many routine steps to perform it is easy to forget one. So here I would like to talk about how to prevent others from breaking into your server, and at the same time reinforce the steps in my own memory. I hope it is helpful to you after reading it.

How to find vulnerabilities

The situation I encountered was relatively simple. I executed the following command:

cat /var/log/auth.log | grep Accepted

This command returned the successful authentication records on my server, and among them was an IP address that is not mine. So the SSH service had been compromised.

Don't forget there is another command, last, which returns the users who logged in most recently.
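To make the check above repeatable, here is an added example (not part of the original post) that runs the same "Accepted" logic over constructed auth.log lines: it flags accepted logins from addresses outside a known list, and any password-based login, which should no longer occur once key-only authentication is in place. The KNOWN_IPS list and the sample log lines are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real server data).
SAMPLE_LOG='Apr 29 22:10:01 vps sshd[1201]: Accepted publickey for admin from 203.0.113.10 port 51522 ssh2: ED25519 SHA256:constructedfingerprint
Apr 29 23:45:12 vps sshd[1340]: Failed password for root from 198.51.100.77 port 40012 ssh2
Apr 30 01:02:33 vps sshd[1402]: Accepted password for root from 198.51.100.77 port 40100 ssh2
Apr 30 03:20:05 vps sshd[1477]: Accepted password for admin from 203.0.113.10 port 51590 ssh2
Apr 30 08:15:44 vps sshd[1533]: Accepted publickey for admin from 203.0.113.10 port 51600 ssh2: ED25519 SHA256:constructedfingerprint'

# Space-separated addresses you expect to log in from (assumed value).
KNOWN_IPS="203.0.113.10"

# unexpected_logins LOG_TEXT KNOWN_IPS
# Prints one line per suspicious accepted login: "<reason> <user> <ip>".
# Reasons: unknown-ip (source not in KNOWN_IPS) or password-login
# (accepted with a password, which key-only sshd should never show).
unexpected_logins() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            # Fields after the daemon tag: Accepted <method> for <user> from <ip> port ...
            for (i = 1; i <= NF; i++) if ($i == "Accepted") break
            method = $(i + 1); user = $(i + 3); ip = $(i + 5)
            if (!(ip in allow))           print "unknown-ip", user, ip
            else if (method == "password") print "password-login", user, ip
        }'
}

# Run against the constructed sample; on a real host use:
#   unexpected_logins "$(cat /var/log/auth.log)" "your.known.ip.here"
unexpected_logins "$SAMPLE_LOG" "$KNOWN_IPS"
```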

How to harden the server

What you need to do immediately after purchasing the server:

  • Install ufw, a simple and easy-to-use firewall front end;
  • Close all ports except SSH and HTTP(S);
  • Install and configure the fail2ban tool. This tool reads /var/log/auth.log to identify malicious behavior and ban the offending IPs;
  • Modify the sshd configuration to allow key authentication only.

How to do it specifically?

If a break-in occurs, you need to know how to investigate and clean up. The best way is to recreate the VPS, which is exactly what I did. I bought a server from Hetzner, and its console offers the ability to recreate a VPS (remove the old one, create a new one) while keeping the original IP. So I recreated the VPS. I then generated an SSH key on my local machine using the ssh-keygen tool (part of the standard OpenSSH package); the command below works on both Linux and macOS:

ssh-keygen

This command creates a key pair in the ~/.ssh directory. Then run the following command:

ssh-copy-id your_user@your_server_ip

This command will upload the newly created public key to the server. Next, log in to the server and modify the sshd configuration:

nano /etc/ssh/sshd_config

Modify the PasswordAuthentication configuration in the configuration file:

PasswordAuthentication no

This configuration disables password login (only keys can be used to log in).

Installing and configuring ufw and fail2ban

The system I use on the server is Ubuntu, so these two tools can be installed through the following commands:

apt install ufw fail2ban

Only open the SSH and HTTP(S) ports:

ufw allow ssh
ufw allow 80
ufw allow 443

Enable ufw:

ufw enable

Next configure the fail2ban tool:

# Back up the default configuration
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Find banaction = in the configuration file and set it to ufw. Then reload the fail2ban configuration:

fail2ban-client reload

After such a simple configuration, three incorrect login attempts from the same IP will ban the IP for 10 minutes. I personally adjusted the ban period to 7 days. The following command can check the status of fail2ban:

fail2ban-client status sshd

My configuration is like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   187.109.168.150

As you can see, one IP has been blocked by the firewall. We can also confirm this through ufw's report:

ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      187.109.168.150
80/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere


Statement:
This article is reproduced from segmentfault.com. If there is any infringement, please contact admin@php.cn for deletion.