show code js

2019年5月2日 星期四

VPS Create, base and safe config 建立第一個VPS並作基礎及安全調適

租下自已第一個VPS需要作什麼呢?答案是作基礎設定及安全方面的調整,必竟剛安裝完OS的VPS是很脆弱的,放置一段時間就會在登入後得到很多連入失敗的訊息。

Your frist VPS was creating, you can config it about base or safe setting.
You can see more log of session to connect your VPS, that is not safe.

這邊只提供基本的調整,並且以Centos為主,若是使用其他OS也可以找到相對應的資訊。

Just for OS of Centos, if you choose other os, you can search those keywords by google.

Have fun with you.

祝玩的愉快

  1. Important: Dropbox support, if you use it for git or share files, you must check out before 如l果你使用Drobpx要注意已經不支援部份Linux的磁碟格式
  2. download putty(remote control) and login your vps and winscp to upload file to vps(file transfer)
    下載putty或其他ssh連線工具連到你的vps,使用winscp或filezilla使用sftp連到vps上下傳檔案
  3. 3party: more mod need those, or you can pass this.第三方軟件、工具
    1. yum install epel-release -y
    2. replace vi: nano(to edit file easy): yum install nano -y 文字編輯器,比內建的vi還好用
      #as cat or vi
      #Save and exit the file by pressing Ctrl-x, then y, then Enter.
  4. Choose VPS 選擇VPS
  5. Choose and Rebuild OS for Centos 7 x64 or Newest with 64bit 選擇64位元或更新的版本
    1. random SSH port: can start firewalld and remove ssh and add other port number to transfer to port 22 不要使用預設的ssh埠,作以下的修改
      1. vi or nano /etc/ssh/sshd_config
      2. remark # at port 22 and change 22 to other number 將#去除後將22改為其他數字1~65535
      3. if you had installd firewall-cmd, must add this new port 如果你有啟用防火牆記得要確認
      4. reboot
      5. if you can not connect VPS, use Admin Panel to config it. 如果連不上,可使用主機商提供的控制台在後端取得登入位置、帳密後進入修改,如果在前端設定失敗遺失連線後都可以在這裡進行管理,如果親臨主機
    2. change root password: passed 修改root密碼,也有人將root封鎖並在之前建立一組新的同等於root的帳號密碼,主要防止被暴力破解及防猜
  6. Check OS version and bit 確認作業系統名稱、版本及位元
    1. os version: cat /etc/*release*
    2. os bit: uname -a
  7. (pass)close password mode: if you wanna to do, please create and install ca before this. 關閉帳密模式,在建立憑證後並作首次連線時,會確認憑證,關閉後只有有安裝憑證的裝置才可以連入,不怕帳密被洩漏
    1. vi or nano /etc/ssh/sshd_config
    2. change: passwordauthentication no
  8. change host name 改變主機名稱
    1. hostnamectl set-hostname your_domain.com
    2. hostnamectl, show just host name
  9. Yum maintain 這是centos的軟件安裝工具,作基本的維護,也可以每次開機自動執行或手動執行
    1. clean: yum clean all -y
    2. upgrade: yum upgrade -y
    3. update: yum -y update
  10. os config 系統設定:時區、ntp及語言
    1. chage timezone: timedatectl set-timezone Asia/Taipei
    2. Enable NTP: timedatectl set-ntp yes
      #if this is fail because is use new function is chrony of yum
    3. Change Language: 
      1. default: localectl
      2. list: localectl list-locales | grep zh_
      3. change: localectl set-locale LANG=zh_TW.utf8
      4. restart: reboot
  11. disable ipv6:關閉ipv6 有些時候為了某些原因需要關閉它
    1. vi or nano /etc/sysctl.conf, add below
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
    2. active: reboot or sysctl -p
  12. firewall 防火牆
    1. install: yum install firewalld -y
    2. enable: systemctl enable firewalld
    3. start: systemctl start firewalld
    4. list: --permanent is always, if not use it, your setting will lose after vps reboot 增加此參數表示永久有效,如果沒有加則重開機後就會失效
      1. temp: firewall-cmd --list-all
      2. always: firewall-cmd --list-all --permanent
    5. add new service: [--permanent forevery, if no this args will now and clean after reload or reboot]
      firewall-cmd --permanent --add-service=[service.name]
      {firewall-cmd --permanent --zone=public --add-service=[service.name]}
      firewall-cmd --reload
    6. add new port:
      firewall-cmd --permanent --add-port=[port number]/[tcp/udp]
      firewall-cmd --reload
    7. ssh port not default: need setting in firewall 如果你的ssh連線埠不是預設,需要注意在這邊測試與設定
    8. port convert transfer to port: 
      1. remove service default port
      2. firewall-cmd --permanent --add-forward-port=port=1234:proto=tcp:toport=5678
        {firewall-cmd --zone=public --add-forward-port=port=1234:proto=tcp:toport=5678 --permanent}
  13. SSH Safe only by denyhosts 防功擊模組,可以白名單與黑名單進行管理,遇到功擊將會自動列入黑名單
    1. 3party epel-release: run 5-3
    2. install: yum install denyhosts -y
    3. white ip: nano /etc/hosts.allow #sshd: 220.130.38.233
    4. black ip: nano /etc/hosts.deny #sshd: ALL **
    5. restart: systemctl restart denyhosts
    6. unlock ip:
      nano /etc/hosts.deny
      nano /var/lib/denyhosts/hosts
      nano /var/lib/denyhosts/hosts-restricted
      nano /var/lib/denyhosts/hosts-root
      nano /var/lib/denyhosts/hosts-valid
      nano /var/lib/denyhosts/users-hosts
      systemctl restart denyhosts
  14. DDOS safe 防護ddos功擊模組
    1. ip status: ip -s l(link)
      #ip -s l | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      #ip addr show
    2. install:
      wget http://www.inetbase.com/scripts/ddos/install.sh
      chmod 0700 install.sh
      sh install.sh
      #on : prompt key "q" and enter to exit
    3. default: nano /usr/local/ddos/ddos.conf
      FREQ=1 ;检测时间间隔,默认是一分钟,如果修改这个要重新设置Cron Job
      NO_OF_CONNECTIONS=150 ;最大连接数,超过这个就会禁止IP
      APF_BAN=1 ;使用APF设置为1,使用iptables设置为0
      KILL=1 ;是否禁止IP
      EMAIL_TO=”root” ;邮件通知,写上接收邮件的邮箱
      BAN_PERIOD=600 ;禁止IP时长,默认是600秒
    4. white ip: nano /usr/local/ddos/ignore.ip.list
    5. lock modify: chattr +i /usr/local/ddos/ignore.ip.list
    6. unlock modify: chattr -i /usr/local/ddos/ignore.ip.list
    7. uninstall:
      wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
    8. chmod 0700 uninstall.ddos
      ./uninstall.ddos
  15. add new root user 增加新的帳號
    1. create
      1. adduser [username]
      2. passwd [username]
      3. usermod -aG wheel [username]
    2. test
      1. su - username
當然關於安全設定與系統調校還有很多項目與面向,可以善用搜尋找到自已想要的調整,這邊只提供我較常用的項目(我都不使用預設的埠號,因此,有些已經沒有再使用了)

If you need more safe config or info, you can use google to search more info for you need.
Those are my usually use itme by myself, but some item was not now.

沒有留言:

張貼留言