回风舞雪

Love My Love

Linode 的 CentOS-7.1 初始化操作

2015.08.15

参考文献:https://www.linode.com/docs/

前面内容不再多说,直接说我开始的地方:

Getting Started

登录VPS

首先是第一次登录,这里主要谈登陆失败的情况: 我之前做过一个vps,然后听说日本的好,然后就把之前的那个服务器删了,删除后才发现日本机房的根本买不上,买上的很多也是IP被封了.当时自己还刷了很久linode网站,无果,最终选择了美国西海岸机房.据说除了日本机房最好选它.于是重新添加硬盘,Rebuild,等等,系统起来了,准备ssh登录了,然后就报错了,“That’s because SSH clients try to match the remote host with the known keys on your desktop computer. When you rebuild your Linode, the remote host key changes. “下面动手删了那一行:

vim ~/.ssh/known_hosts

找到之前的记录内容,删除掉就好了

Setting the hostname

CentOS 7 / Fedora version 18 and above

hostnamectl set-hostname hostname

Ubuntu 15.04 / Debian 8

hostnamectl set-hostname hostname

Setting the Timezone

Arch Linux and CentOS 7

timedatectl list-timezones

then

timedatectl set-timezone Asia/Shanghai

Ubuntu / Debian

dpkg-reconfigure tzdata

checking the time

Now try entering the following command to view the current date and time according to your server:

date

installing software update

yum update

Securing Your Server

Add a New User

The problem with logging in as root is that you can execute any command - even a command that could accidentally break your server. For this reason and others, we recommend creating another user account and using that at all times.

  1. Open a terminal window and log in your linode server

  2. Create the user by entering the following command.Replace exampleuser to your desired username:

adduser exampleuser
  1. Set the password for your new user by entering the following command. Replace exampleuser with your desired username:
passwd exampleuser
  1. You will now need to edit your sudoers file to grant your new user the correct permissions. Enter the following command to open your sudoers file for editing:
visudo
  1. add an entry for your user below the root user, granting all permissions. Replace exampleuser with your username:
## Allow root to run any commands anywhere
root         ALL=(ALL)       ALL
exampleuser        ALL=(ALL)       ALL
  1. Enter the command logout And then log in your linode again by the following command,Replace exampleuser with your username, and the example IP address with your Linode’s IP address:
ssh exampleuser@123.456.78.90

Using SSH Key Pair Authentication(SSH认证配对)

  1. linux Or Mac OS, Entering the following command in a terminal window
ssh-keygen
  1. copy the public key ~/.ssh/id_rsa.pub to your linode,you can entering the following command in a terminal window.Replace example_user with your username, and 123.456.78.90 with your Linode’s IP address.
scp ~/.ssh/id_rsa.pub example_user@123.456.78.90:
  1. Create a directory for public key in your home directory (/home/yourusername) by entering the following command ** on your linode: **
mkdir .ssh
  1. move the file which is on your linode’s home directory to the directory your just create:
mv id_rsa.pub .ssh/authorized_keys
  1. Modify the permissions on the public key by entering the following commands, one by one, on your linode. Replace example_user with your username.
chown -R example_user:example_user .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

Disabling SSH Password Authentication and Root Login(禁止SSH的密码登录和root登陆)

First, you’ll disable password authentication to require all users connecting via SSH to use key authentication. Next, you’ll disable root login to prevent the root user from logging in via SSH. These steps are optional, but are strongly recommended.

  1. Open the SSH configuration file for editing by entring the following command:
sudo vim /etc/ssh/sshd_config
  1. Entring /, then PasswordAuthentication and push Enter key, push n to search the key word,change the keyword’s setting to no,Verify that the line is uncommented by removing the # in front of line:
PasswordAuthentication no
  1. Change the PermitRootLogin setting to no as shown below:
PermitRootLogin no
  1. save the configuration file (:wq) and restart the SSH service to load the new configuration:

Fedora/CentOS:

sudo systemctl restart sshd

Debian/Ubuntu Users:

sudo service ssh restart

Creating a Firewall

This step is optional, but we strongly recommend that you use the example below to block traffic to ports that are not commonly used. It’s a good way to deter would-be intruders! You can always modify the rules or disable the firewall later.

  • Check your Linode’s default firewall rules by entering the following command:
sudo iptables -L
  • Examine the output. If you haven’t implemented any firewall rules yet, you should see an empty ruleset, as shown below:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  • Create a file to hold your firewall rules by entering the following command:
sudo vim /etc/iptables.firewall.rules
  • We’ve created some basic rules to get you started. Copy and paste the rules shown below in to the iptables.firewall.rules file you just created.

By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.

File:/etc/iptables.firewall.rules

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Be sure to revise these rules if you add new services later.

  • Optional: If you plan on using the Linode Longview service, add these additional lines above the # Drop all other inbound section:

File:/etc/iptables.firewall.rules

#  Allow incoming Longview connections
-A INPUT -s longview.linode.com -j ACCEPT

# Allow metrics to be provided Longview
-A OUTPUT -d longview.linode.com -j ACCEPT
  • Save the changes by pressing :wq and then activate the firewall rules by entring the following command:
sudo iptables-restore < /etc/iptables.firewall.rules
  • Recheck your Linode’s firewall rules by entering the following command:
sudo iptables -L
  • Examine the output. The new ruleset should look like the one shown below:
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere
  REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
  ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
  ACCEPT     icmp --  anywhere             anywhere
  LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
  DROP       all  --  anywhere             anywhere

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  DROP       all  --  anywhere             anywhere

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere

  • Now you need to ensure that the firewall rules are activated every time you restart your Linode.

  • CentOS 6.2 or 6.5: /sbin/service iptables save

  • CentOS 7 or Fedora 20:

yum install -y iptables-services
systemctl enable iptables
systemctl start iptables

To save your current rule set use the following command:

/usr/libexec/iptables/iptables.init save

Installing and Configuring Fail2Ban

Fail2Ban is an application that prevents dictionary attacks on your server. When Fail2Ban detects multiple failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from the attacker’s IP address. Attempted logins can be monitored on a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only.

  1. Install Fail2Ban by entering the following command:
sudo yum install epel-release
sudo yum install fail2ban
  1. Optionally, you can override the default Fail2Ban configuration by creating a new jail.local file. Enter the following command to create the file:
sudo nano /etc/fail2ban/jail.local

To learn more about Fail2Ban configuration options, see this article on the Fail2Ban website.

  1. Set the bantime variable to specify how long (in seconds) bans should last.

  2. Set the maxretry variable to specify the default number of tries a connection may be attempted before an attacker’s IP address is banned.

  3. Press Control-x and then press y to save the changes to the Fail2Ban configuration file.

  4. Restart Fail2Ban by using sudo service fail2ban restart.

linux centos linode iptables fail2ban
发表评论