AHdark Blog

Basic Security Policy for Linux Servers

Preface

I decided to write this article on August 13, 2022. Friends in my QQ group often engage in extremely non-standard operational practices, which leaves me speechless, so I wrote this article to help webmasters avoid the same pitfalls.

Server Selection

If you do not operate a website you can skip this section. It does not consider situations where a service cannot sit behind a CDN or another reverse proxy.

In today's market, there are various cloud service providers. Large companies like Alibaba Cloud, Tencent Cloud, AWS, Azure, GCP, etc., operate cloud services, while smaller entities can operate IDC services (commonly known as One Man IDC) by connecting to data centers or other cloud service providers.

The diversity of cloud service providers has also led to a disparity in service quality in the industry. As a provider and maintainer of several services, I personally tend to seek a balance between cost-effectiveness and SLA, ensuring high reliability while avoiding excessively high costs, low cost-effectiveness, and low performance.

Large Public Clouds

In this section, we define "large public clouds" as "public cloud services operated by listed companies."

Rankings are based on market share, with market share data from the second half of 2021.

We commonly see many public cloud services, both domestic and international:

I personally recommend using large public clouds to run production environment services, as they typically offer better stability, higher technical capabilities, faster customer service efficiency, and more benefits.

Most large public clouds in China offer new user discounts, allowing higher configuration cloud servers to be purchased at lower prices. Most large public clouds abroad provide free quotas, such as AWS's 12-month trial period, Azure's $200 quota, and DigitalOcean's $100 quota.

Public clouds usually offer a variety of services, including but not limited to elastic computing, object storage, CDN, SaaS, Kubernetes, container images, container repositories, etc., which provides significant advantages for subsequent architecture upgrades and expansions.

It is important to note that due to the higher quality hardware typically chosen by public clouds and their higher SLA requirements, their prices can also be higher.

Private Clouds

Some group enterprises and government enterprises use private cloud services: cloud environments built specifically for one end user and usually located behind that user's own firewall. Large public clouds typically offer various private cloud solutions.

Small IDC Service Providers

As cloud computing resources have become increasingly abundant, the market has gradually expanded in recent years, leading to the emergence of many small businesses, studios, or individuals operating IDC services.

Such services typically have fewer maintenance personnel and cloud resources. Some IDC service providers obtain cloud computing resources by connecting to large public clouds or local data centers and then reselling them.

The cloud computing resources of small IDC service providers are usually not as extensive as those of large public clouds, with many only offering virtual private server (VPS) services and lacking high technical strength.

Compared to large public clouds, small IDCs have a higher likelihood of abandoning services (commonly known as "running away"). Typically, I use the following two methods to assess the credibility of cloud service providers in mainland China.

  1. Companies registered in mainland China must declare their registered capital. Some companies declare registered capital exceeding one million but have zero paid-in capital, meaning the company itself has no value and could be established at no cost.

  2. Mainland China requires value-added telecommunications service providers to have a value-added telecommunications business license. For selling virtual private servers, they need to have "Internet Access Service Business" and "Internet Data Center Business" types. You can check the licenses held by a company through the Telecom Business Market Comprehensive Management Information System by searching for the company name.

  3. Websites established in mainland China are required to undergo ICP filing. You can check the filing information through the ICP/IP Address/Domain Name Information Filing Management System by searching for the domain name.

If a small IDC service provider sells cloud servers in mainland China but does not hold any Chinese corporate entity or licenses, it is advisable to consider its credibility carefully.

Personally, I do not recommend using the cloud computing resources of small IDC service providers as a carrier for production environments.

Server Security

The security and permissions of servers are the foundation of site security, while shell security is the cornerstone of server security.

Typically we connect to a Linux server's shell over the SSH protocol and execute commands there, so securing SSH itself is essential.

Login Method

I recommend not using password login for SSH services on any public server; please use SSH key pairs instead of passwords whenever possible.

Generating Key Pairs

We generate keys on the Linux server using the ssh-keygen command.

Since ECDSA keys offer strong security with lower computational overhead, this tutorial uses ECDSA. Some service providers do not support importing ECDSA keys; in that case substitute RSA and follow the same steps.

ssh-keygen --help

ssh-keygen -t ecdsa

Here the -t parameter selects the key type (algorithm) and the -b parameter sets the key length in bits.

I personally prefer to use 4096 bits for RSA keys and 521 bits for ECDSA keys.

ssh-keygen -t ecdsa -b 521 # Generate an ECDSA key pair at the default path (~/.ssh/id_ecdsa)

At this point, ~/.ssh/id_ecdsa is the private key, and ~/.ssh/id_ecdsa.pub is the public key.

Configuring Keys

First copy the private key at ~/.ssh/id_ecdsa to your local machine (the server itself only needs the public key).

cp ~/.ssh/id_ecdsa.pub ~/.ssh/authorized_keys # overwrites any existing authorized_keys; use cat >> to append instead
chmod 600 ~/.ssh/authorized_keys # sshd (with the default StrictModes) ignores a key file that other users can write

Configuring SSH Service

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup # Backup
vi /etc/ssh/sshd_config

Press i to enter insert mode, then set the following directives (uncomment any that are present but commented out):

# Uncomment and set these lines
LogLevel INFO
MaxAuthTries 3
MaxSessions 5
PubkeyAuthentication yes
PasswordAuthentication no
ClientAliveInterval 600
ClientAliveCountMax 3
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Add this line (harmless on current OpenSSH, which only speaks protocol 2 and reports the directive as deprecated)
Protocol 2

Press Esc to leave insert mode and type :wq to save and quit.

Before restarting, keep an existing SSH session open so that a mistake in the configuration does not lock you out of the server completely!

Then we need to restart the SSH service:

# RHEL / CentOS
systemctl restart sshd
# Debian / Ubuntu (the service unit is named ssh there)
service ssh restart
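The whole procedure above (edit sshd_config, validate, restart) as an added shell example; this is not code from the original post. It sets the directives listed above (plus PermitRootLogin no, recommended in the Users section below) and runs sshd -t to let sshd parse the file before you restart it. The function names and the .backup suffix are my own choices; the directive names are real OpenSSH ones.

```shell
#!/bin/sh
# Assumes a POSIX shell with awk and mktemp available.

# set_directive FILE KEY VALUE: rewrite the first active or commented-out KEY
# line as "KEY VALUE", or append it if KEY is absent. sshd keeps the first
# value it reads, so the rewritten line wins over any later duplicate.
set_directive() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    { line = $0; sub(/^[#[:space:]]+/, "", line); split(line, f, /[[:space:]]+/) }
    tolower(f[1]) == tolower(k) && !done { print k, v; done = 1; next }
    { print }
    END { if (!done) print k, v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keeps FILE's mode/owner
}

# get_directive FILE KEY: print the effective value (first uncommented match).
get_directive() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: back FILE up, then apply the settings from this post.
# "Protocol 2" is left out: current OpenSSH only speaks protocol 2 and
# reports the directive as deprecated.
harden_sshd() {
  file=$1
  cp "$file" "$file.backup" || return 1
  set_directive "$file" LogLevel INFO &&
  set_directive "$file" MaxAuthTries 3 &&
  set_directive "$file" MaxSessions 5 &&
  set_directive "$file" PubkeyAuthentication yes &&
  set_directive "$file" PasswordAuthentication no &&
  set_directive "$file" ClientAliveInterval 600 &&
  set_directive "$file" ClientAliveCountMax 3 &&
  set_directive "$file" PermitRootLogin no
}

# check_sshd_config FILE: have sshd parse FILE before restarting it; a typo
# would otherwise lock you out once your current session closes.
check_sshd_config() {
  command -v sshd >/dev/null 2>&1 || { echo "sshd not on PATH, skipping check" >&2; return 0; }
  sshd -t -f "$1"
}

# Usage (as root, with a second SSH session kept open):
#   harden_sshd /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config \
#     && systemctl restart sshd
```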

Configuring Connection

Here is an example using XShell:

Import the private key that was previously copied to your local machine in Tools - User Key Manager.

(image: Import the private key)

(image: XShell session)

Then edit the session for the server so that it authenticates with the imported key.

Keep the existing connection open, then double-click the session to open a new connection. If it connects successfully, the configuration is correct.

About Ports

Changing the SSH port is unnecessary: once password login is disabled, brute-forcing an ECDSA or RSA key is practically impossible.

Usage Habits

Private Key Security

Please do not upload private keys to any public network platforms, such as GitHub, QQ group files, cloud drives, etc. This is extremely unsafe!

Private keys are unique. Losing a private key means you can no longer access the server (though you can recover access through the provider's VNC console), and leaking a private key exposes your server to significant security risk.

Users

Please avoid using root to log in via SSH as much as possible.

You can set PermitRootLogin no in /etc/ssh/sshd_config to prevent direct root login.

The method for setting private keys for non-root users is roughly the same as above.

Network Environment

For larger organisations a better design is an authentication server and an SSH jump host within the internal network: only the jump host's SSH service is exposed to the external network, and administrators reach the internal servers' SSH services through it.

The Zero Trust philosophy also applies to the system layer.

Ports

It is recommended to close all unnecessary ports.
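Closing unnecessary ports starts with knowing what is listening. The following added shell example (my own, not from the original post) filters `ss -H -tulnp` output down to sockets reachable from outside the host that are not on an allowlist; the sample output and the process names in it are constructed, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80     0.0.0.0:* users:(("nginx",pid=801,fd=6))
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=900,fd=20))
tcp   LISTEN 0 128 [::]:6379      [::]:*    users:(("redis-server",pid=950,fd=6))
udp   UNCONN 0 0   0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=400,fd=5))'

# unexpected_listeners "PORT PORT ..." < ss-output
# Prints "proto port process" for every socket bound to a non-loopback
# address whose port is not in the space-separated allowlist. Loopback-only
# services (the MySQL line above) cannot be reached from outside and are skipped.
unexpected_listeners() {
  awk -v allow=" $1 " '
    {
      n = split($5, a, ":"); port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr ~ /^(127\.|\[::1\])/) next          # loopback: skip
      if (index(allow, " " port " ") > 0) next    # expected service: skip
      proc = $7; gsub(/.*\(\("|",.*/, "", proc)   # users:(("nginx",... -> nginx
      print $1, port, proc
    }'
}

# Usage on a live host (as root, so ss can show process names):
#   ss -H -tulnp | unexpected_listeners "22 80 443"
```

Anything the filter prints is either a service that should be bound to 127.0.0.1 instead, firewalled, or stopped, or a port that belongs on the allowlist.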

You can refer to the articles:

About Panel Programs

These views apply only to production environments; in non-production environments, use whatever you like.

When choosing a panel program, please follow these principles:

  1. If you are proficient in using Linux systems and skilled in server operations, please do not use panel programs.
  2. If you understand the basic configuration file writing of Nginx and have a single server corresponding to a single site, please do not use panel programs.
  3. If you do not need to run web programs, please do not use panel programs.
  4. If your business is primarily internet-related, please do not use panel programs.
  5. If you must use a panel, please choose Baota Panel or cPanel.

Panel programs have advantages as well as disadvantages.

  • Advantages:
    • Simple and quick (can be used in development environments, but I recommend the built-in deployment process of JetBrains IDE).
    • Convenient for multi-site maintenance.
    • Graphical operation (suitable for beginners).
  • Disadvantages:
    • Has a certain resource occupation; not recommended for small machines.
    • Domestic panel programs like Baota Panel will upload your server-related information to their servers and require real-name registration.
    • There is a possibility of significant 0day vulnerabilities (refer to the Baota PMA database deletion incident).
    • Has some bugs.

The main issue is that once a panel program has a bug, almost all users will be greatly affected.

Moreover, domestic panels will inevitably upload your server-related information and site information, making it possible for the police to come knocking.

Acknowledgments

Without the following two talents, this article would not exist.

  • @Bruce A loyal follower of Baota, has read all my articles but learned nothing
  • @HenryJiu A staunch advocate of password login for SSH

Purely in jest: the two above are good friends of both the group members and the blogger~

Thanks to the group members' suggestions, which helped me improve the content of this article.
