Ubuntu 服务器基本防护
Ubuntu 服务器基本防护
记录一下步骤
- 加一个新用户
- 禁用 root 登录
- 禁用密码登录(只允许 rsa)
- 修改 ssh 端口
- 防火墙
# 用户
# * 加用户
sudo adduser USERNAME
# * 加到 root 组
sudo usermod -aG sudo USERNAME
# * 删除用户(可能要先 kill 该用户进程)
# ps -aux | grep USERNAME
# sudo pkill -u USERNAME
sudo deluser USERNAME
sudo groupdel GROUPNAME
# * 查看用户和组
cat /etc/passwd
cat /etc/group
# * 修改密码,ubuntu 初始 root 无密码
sudo su root
sudo passwd root
# * sudo 免密
echo -e "\n USERNAME ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
# * 加 shh key (在 host 操作 需要在关闭密码登录前操作)
ssh-copy-id -i ~/LOCALKEY.public USER@HOST
# * ssh 认证文件位置 每条 append
# /root/.ssh/authorized_keys
# /home/USERNAME/.ssh/authorized_keys
# * change user
su
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# ssh 配置
# * check
# sudo vi /etc/ssh/sshd_config
# * tweak config
sudo sed -i 's/^.*\bPort\b.*$/Port 0000/' /etc/ssh/sshd_config
sudo sed -i 's/^.*PasswordAuthentication.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
# sudo sed -i 's/^.*PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
# * default is 'prohibit-password', so its not necessery
sudo sed -i 's/^.*PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
# sudo sed -i 's/^.*PermitRootLogin.*$/PermitRootLogin yes/' /etc/ssh/sshd_config
# sudo sed -i 's/^.*PermitRootLogin.*$/#PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
# * 重启服务
sudo service sshd restart
# sudo systemctl restart sshd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# ufw 防火墙
# * 拒绝所有,打开指定
sudo ufw default deny incoming
# sudo ufw allow ssh
sudo ufw allow 0000
sudo ufw allow from 0.0.0.0 to any port 0000 proto tcp
# * 禁止 ping
sudo copy /etc/ufw/before.rules /etc/ufw/before.rules.bak
sudo sed -ir 's/\(ufw-before-input -p icmp --icmp-type.*\) .*/\1 DROP/' /etc/ufw/before.rules
# sudo sed -ir 's/\(ufw-before-input -p icmp --icmp-type.*\) .*/\1 ACCEPT/' /etc/ufw/before.rules
# * 直接改了配置文件需要重启 ufw
sudo ufw reload
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 系统
# * 设置主机名
hostnamectl set-hostname example.com
# * 查看 shell
echo $SHELL
cat /etc/shells
# * 查看系统信息
cat /etc/*-release
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# 其他命令
# * 生成秘钥
ssh-keygen -t rsa -b 4096 -f ~/folder/id_rsa
# * 端口转发
ssh -LN localhost:2000:theirlocalhost:80 root@0.0.0.0 -p 0000
# * 清除某个 known_hosts
ssh-keygen -R HOSTNAME
# * proxy
export http_proxy=http://
export https_proxy=http://
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
上次更新: Nov 18, 2022 10:11 PM