Modification of SSH login port and simple firewall configuration

Time: 2021-5-7

These steps come after the earlier ones: logging in remotely, adding users, and so on.

Modify SSH login port

The default port is 22. We can change it to a port above 1024.

  1. Open the SSH configuration file with “sudo vi /etc/ssh/sshd_config”. Find the line “Port 22” (in the default file it is commented out as “#Port 22”; uncomment it) and change 22 to the new port number.
  2. After saving, run “sudo service ssh restart” to restart the SSH service.
  3. In the Alibaba Cloud console, add a rule to the security group: direction inbound, protocol custom TCP, port range set to the new port number.

Try logging in with the new port number: in bash type “ssh <user>@<server address> -p <new port>”. If it succeeds, the change worked. If something went wrong along the way and you cannot log in any more, you can still connect as root through the remote connection in the Alibaba Cloud console.

Update Ubuntu resource pack and upgrade Ubuntu

On the command line, enter “sudo apt-get update && sudo apt-get upgrade”.

Set up a simple firewall with iptables

  1. “sudo iptables -F” clears all current iptables rules.
  2. Edit the configuration file that holds the iptables rules: “sudo vi /etc/iptables.up.rules”.
  3. Enter the following configuration in the open file. Note that under the comment about SSH logins my port is 39999; put the new port you chose when changing the SSH login port there.
    *filter
    # allow established and related connections (replies to traffic we started)
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow all outbound traffic
    -A OUTPUT -j ACCEPT

    # rate-limit new HTTP connections: more than 150 from one source within 60 s are dropped.
    # These two rules must come before the port-80 ACCEPT below; iptables stops at the
    # first matching rule, so placed after it they would never fire. Replace eth0 with
    # the name of your interface.
    -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 150 -j DROP

    # allow http and https
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT

    # allow ssh logins on the new port (39999 here; use your own)
    -A INPUT -p tcp -m state --state NEW --dport 39999 -j ACCEPT

    # allow ping (ICMP echo request)
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    # log whatever reaches this point, at most 5 entries per minute
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

    # reject all other inbound and forwarded traffic
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT

We’ll look at what these settings mean later. For now, just copy them ^_^


After the above is done, save and exit, then run “sudo iptables-restore < /etc/iptables.up.rules” to apply the rules.
You can check whether the firewall is on with “sudo ufw status” and turn it on with “sudo ufw enable”. Note that “ufw status” only reports ufw’s own state, not the rules loaded from the file above, and “ufw enable” adds ufw’s own rule set alongside them; the result is easier to reason about if you manage the firewall one way or the other, not both.
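Changing the SSH port and opening it in the firewall are the two steps where you can lock yourself out. As an added example that is not part of the original post, the script below checks the iptables-restore file for an ACCEPT on the new port ahead of the INPUT catch-all REJECT, rewrites the Port line in sshd_config, and validates the result with sshd -t before anything is restarted; the paths /etc/ssh/sshd_config and /etc/iptables.up.rules from the steps above are assumed and passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before moving
# the SSH port, so the restart cannot lock you out. Assumed arguments:
# new port, path to sshd_config, path to the iptables-restore rules file.
set -u

# Rewrite the Port directive (active or commented "#Port 22") in an sshd_config;
# append one if the file has none. Only ports 1025-65535 are accepted.
set_sshd_port() { # $1 = sshd_config path, $2 = new port
    case $2 in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
    if [ "$2" -le 1024 ] || [ "$2" -gt 65535 ]; then
        echo "port must be in 1025-65535" >&2; return 1
    fi
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# Print the port sshd will listen on (22 when the file has no Port line).
sshd_port() { # $1 = sshd_config path
    p=$(awk '$1 == "Port" { port = $2 } END { print port }' "$1")
    echo "${p:-22}"
}

# Succeed only if the rules file ACCEPTs TCP to the port on INPUT *before* the
# INPUT catch-all REJECT/DROP: iptables stops at the first matching rule, so an
# ACCEPT placed after "-A INPUT -j REJECT" never fires.
rules_allow_port() { # $1 = rules file, $2 = port
    awk -v port="$2" '
        /^-A INPUT / && /-p tcp/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { acc = NR }
        /^-A INPUT -j (REJECT|DROP)/ && !rej { rej = NR }
        END { exit !(acc && (!rej || acc < rej)) }' "$1"
}

# Full check: the firewall file must allow the port, then sshd_config is backed
# up, rewritten and validated with "sshd -t" (run as root) before you restart.
preflight() { # $1 = new port, $2 = sshd_config, $3 = rules file
    rules_allow_port "$3" "$1" || { echo "$3 does not accept port $1 before the catch-all; fix it first" >&2; return 1; }
    cp "$2" "$2.bak" && set_sshd_port "$2" "$1" || return 1
    if ! sshd -t -f "$2"; then
        echo "sshd rejected the new config, restoring $2.bak" >&2; cp "$2.bak" "$2"; return 1
    fi
    echo "sshd_config now has Port $(sshd_port "$2"); restart ssh and test from a second session"
}

if [ $# -eq 3 ]; then preflight "$@"; fi
```

Keep the session you are logged in with open until a second session on the new port succeeds; if it fails, the backup can be restored and ssh restarted from the first one.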

Set the firewall to start automatically

Run “sudo vi /etc/network/if-up.d/iptables” and write the following script:


    #!/bin/sh
    # reload the saved rules whenever a network interface comes up
    iptables-restore /etc/iptables.up.rules

After saving and exiting with “:wq!”, run “sudo chmod +x /etc/network/if-up.d/iptables” to make the script executable.