How to prevent the server from being invaded by others
It is not difficult to harden the server, but when there are many routine operations to be performed, it is easy to forget. So here I would like to talk to you about how to prevent others from invading the server and at the same time deepen your impression. I hope it will be helpful to you after reading it.
How to find vulnerabilities
The situation I encountered was relatively simple. I executed the following command:
cat /var/log/auth.log | grep Accepted
This command returned the successful authentication record on my server, where There is an IP that is not mine. So, the SSH service was compromised.
Don’t forget there is another command last, this command returns the most recently successfully logged in user.
How to harden the server
What you need to do immediately after purchasing the server:
- Installationufw, simple and easy-to-use firewall software;
- Close all ports except SSH and HTTP(s);
- Install and configure the fail2ban tool. This tool is based on
/var/log/auth.logto identify malicious behavior and ban IPs; - modify the sshd configuration to only use key authentication.
How to do it specifically?
If a break-in occurs, you need to know how to investigate and clean up. The best way is to recreate the VPS. It is exactly what I have done. I bought a server from hetzner, and its console offers the ability to recreate (remove the old VPS, create a new one) a VPS and keep the original IP. So I recreated a VPS. I then generated the SSH key on my local machine using the ssh-keygen tool (part of the standard OpenSSH package): (The command below works on both Linux and macOS)
ssh-keygen
The command A pair of keys is created in the ~/.ssh directory. Then run the following command:
ssh-copy-id you_user@your_server_id
This command will upload the newly created public key to the server. Next, log in to the server and modify the sshd configuration:
nano /etc/ssh/sshd_config
Modify the PasswordAuthentication configuration in the configuration file:
PasswordAuthentication no
This configuration disables password login (only keys can be used to log in).
Installation and configuration ufw and fail2ban
The system I use on the server is Ubuntu, so these two tools can be installed through the following commands:
apt install ufw fail2ban
Only open ssh and http( s) Port:
ufw allow ssh ufw allow 80 ufw allow 443
Enable ufw:
ufw enable
Next configure the fail2ban tool:
# 备份默认配置 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local nano /etc/fail2ban/jail.local
Find banaction = in the configuration file and change it Set to ufw. Then reload the fail2ban configuration:
fail2ban-client reload
After such a simple configuration, three incorrect login attempts from the same IP will ban the IP for 10 minutes. I personally adjusted the ban period to 7 days. The following command can check the status of fail2ban:
fail2ban-client status sshd
My configuration is like this:
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 6 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 187.109.168.150
As you can see, one IP has been blocked by the firewall. We can also confirm this through ufw's report:
ufw status Status: active To Action From -- ------ ---- Anywhere REJECT 187.109.168.150 80/tcp ALLOW Anywhere 22 ALLOW Anywhere 443 ALLOW Anywhere
If you want to know more technical tutorials, please pay attention to other content on PHP Chinese website.
The above is the detailed content of How to prevent the server from being invaded by others. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to solve the problem that eMule search cannot connect to the server
Jan 25, 2024 pm 02:45 PM
Solution: 1. Check the eMule settings to make sure you have entered the correct server address and port number; 2. Check the network connection, make sure the computer is connected to the Internet, and reset the router; 3. Check whether the server is online. If your settings are If there is no problem with the network connection, you need to check whether the server is online; 4. Update the eMule version, visit the eMule official website, and download the latest version of the eMule software; 5. Seek help.
Solution to the inability to connect to the RPC server and the inability to enter the desktop
Feb 18, 2024 am 10:34 AM
What should I do if the RPC server is unavailable and cannot be accessed on the desktop? In recent years, computers and the Internet have penetrated into every corner of our lives. As a technology for centralized computing and resource sharing, Remote Procedure Call (RPC) plays a vital role in network communication. However, sometimes we may encounter a situation where the RPC server is unavailable, resulting in the inability to enter the desktop. This article will describe some of the possible causes of this problem and provide solutions. First, we need to understand why the RPC server is unavailable. RPC server is a
Detailed explanation of CentOS installation fuse and CentOS installation server
Feb 13, 2024 pm 08:40 PM
As a LINUX user, we often need to install various software and servers on CentOS. This article will introduce in detail how to install fuse and set up a server on CentOS to help you complete the related operations smoothly. CentOS installation fuseFuse is a user space file system framework that allows unprivileged users to access and operate the file system through a customized file system. Installing fuse on CentOS is very simple, just follow the following steps: 1. Open the terminal and Log in as root user. 2. Use the following command to install the fuse package: ```yuminstallfuse3. Confirm the prompts during the installation process and enter `y` to continue. 4. Installation completed
How to configure Dnsmasq as a DHCP relay server
Mar 21, 2024 am 08:50 AM
The role of a DHCP relay is to forward received DHCP packets to another DHCP server on the network, even if the two servers are on different subnets. By using a DHCP relay, you can deploy a centralized DHCP server in the network center and use it to dynamically assign IP addresses to all network subnets/VLANs. Dnsmasq is a commonly used DNS and DHCP protocol server that can be configured as a DHCP relay server to help manage dynamic host configurations in the network. In this article, we will show you how to configure dnsmasq as a DHCP relay server. Content Topics: Network Topology Configuring Static IP Addresses on a DHCP Relay D on a Centralized DHCP Server
Best Practice Guide for Building IP Proxy Servers with PHP
Mar 11, 2024 am 08:36 AM
In network data transmission, IP proxy servers play an important role, helping users hide their real IP addresses, protect privacy, and improve access speeds. In this article, we will introduce the best practice guide on how to build an IP proxy server with PHP and provide specific code examples. What is an IP proxy server? An IP proxy server is an intermediate server located between the user and the target server. It acts as a transfer station between the user and the target server, forwarding the user's requests and responses. By using an IP proxy server
Canada plans to ban hacking tool Flipper Zero as car theft problem surges
Jul 17, 2024 am 03:06 AM
This website reported on February 12 that the Canadian government plans to ban the sale of hacking tool FlipperZero and similar devices because they are labeled as tools that thieves can use to steal cars. FlipperZero is a portable programmable test tool that helps test and debug various hardware and digital devices through multiple protocols, including RFID, radio, NFC, infrared and Bluetooth, and has won the favor of many geeks and hackers. Since the release of the product, users have demonstrated FlipperZero's capabilities on social media, including using replay attacks to unlock cars, open garage doors, activate doorbells and clone various digital keys. ▲FlipperZero copies the McLaren keychain and unlocks the car Canadian Industry Minister Franço
What should I do if I can't enter the game when the epic server is offline? Solution to why Epic cannot enter the game offline
Mar 13, 2024 pm 04:40 PM
What should I do if I can’t enter the game when the epic server is offline? This problem must have been encountered by many friends. When this prompt appears, the genuine game cannot be started. This problem is usually caused by interference from the network and security software. So how should it be solved? The editor of this issue will explain I would like to share the solution with you, I hope today’s software tutorial can help you solve the problem. What to do if the epic server cannot enter the game when it is offline: 1. It may be interfered by security software. Close the game platform and security software and then restart. 2. The second is that the network fluctuates too much. Try restarting the router to see if it works. If the conditions are OK, you can try to use the 5g mobile network to operate. 3. Then there may be more
How to install PHP FFmpeg extension on server?
Mar 28, 2024 pm 02:39 PM
How to install PHPFFmpeg extension on server? Installing the PHPFFmpeg extension on the server can help us process audio and video files in PHP projects and implement functions such as encoding, decoding, editing, and processing of audio and video files. This article will introduce how to install the PHPFFmpeg extension on the server, as well as specific code examples. First, we need to ensure that PHP and FFmpeg are installed on the server. If FFmpeg is not installed, you can follow the steps below to install FFmpe