Growth story of a joke site, part four

Continuing from the previous post, this time I mainly want to share the security side of configuring Linux.

One, ports

With iptables, block everything first, then open only the ports you must have, such as 21, 22 and 80. Apart from 80, it is better to move the FTP and SSH ports off their defaults; that alone makes scanning harder. To be clear, the person who gets into your server is not necessarily more skilled than you. Most of them are not; they are simply running scanning tools that some expert wrote. As the saying goes, flies do not bite an egg without a crack.
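As an added example (my code, not the author's), the following shell helper writes the "block everything, then open a few ports" policy above as an iptables-restore ruleset, and rewrites the Port directive in a copy of sshd_config so that the moved SSH port and the firewall agree. The conntrack match, the rate-limited ping rule and the example ports 2222 and 80 are my assumptions.

```bash
#!/bin/sh
# Added example: default-deny iptables ruleset plus the matching sshd port
# change. Not the original post's code. Assumptions: IPv4 only, an iptables
# with the conntrack match, GNU sed; only the "apply" mode needs root.

emit() { printf '%s\n' "$@"; }   # one line per argument

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset PORT [PORT...] -> prints an iptables-restore ruleset that drops
# all inbound traffic except loopback, replies to connections we opened,
# rate-limited ping, and new TCP connections to the listed ports.
build_ruleset() {
    [ $# -gt 0 ] || { emit 'build_ruleset: no ports given' >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { emit "build_ruleset: bad port '$p'" >&2; return 1; }
    done
    emit '*filter' \
         ':INPUT DROP [0:0]' \
         ':FORWARD DROP [0:0]' \
         ':OUTPUT ACCEPT [0:0]' \
         '-A INPUT -i lo -j ACCEPT' \
         '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
         '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
         '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    for p in "$@"; do
        emit "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    emit 'COMMIT'
}

# set_sshd_port FILE PORT -> make FILE (a copy of sshd_config) listen on PORT,
# replacing an existing or commented-out Port line or appending one
set_sshd_port() {
    file=$1; port=$2
    valid_port "$port" || return 1
    if grep -Eq '^[#[:space:]]*Port[[:space:]]' "$file"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]].*/Port $port/" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# Usage: sh firewall.sh print 2222 80   (review the rules)
#        sh firewall.sh apply 2222 80   (load them; keep a second session open)
case ${1:-} in
    print) shift; build_ruleset "$@" ;;
    apply) shift; build_ruleset "$@" | iptables-restore ;;
esac
```

Review with `print` before `apply`, and keep an existing session open while loading new rules in case you lock yourself out. If FTP stays on 21, passive mode also needs either the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) or an explicitly opened passive range, and since FTP sends the password in clear text, SFTP over the SSH port is usually a better fit. Moving ports only slows down casual scanners; it supplements the user and application hardening below rather than replacing it.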

Two, users

Remove every default user you do not need, forbid remote login as root, and lock the passwd and group files so nobody can modify them. Create only the users that are genuinely needed, such as those serving Internet-facing applications, and keep their permissions as tight as possible. Rotate passwords regularly, preferably with a tool that generates random ones of sufficient complexity. This deserves extra attention now that black-hat "hidden link" SEO is rampant: a compromised server earns its attackers real money, so they will come looking.
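As an added example (not the author's script), here are shell functions for the user-side steps in this section: disabling remote root login in sshd_config, locking the default accounts a web server does not need, making the account files immutable with chattr, and generating a password that meets a minimum complexity rule. The account list, the MaxAuthTries setting and the nologin path are my assumptions.

```bash
#!/bin/sh
# Added example: user-side hardening helpers for this section. Not the original
# post's code. Assumptions: GNU sed, shadow-utils (usermod), e2fsprogs (chattr),
# /dev/urandom; the account list is a guess that must be reviewed per system.

# Default accounts a web server rarely needs (assumption; check each before use)
DEFAULT_ACCOUNTS='games news uucp lp gopher'

# set_sshd_option FILE KEY VALUE -> set KEY in a copy of sshd_config, replacing
# an existing or commented-out line or appending one
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE -> no remote root login, fewer guesses per connection
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" MaxAuthTries 3      # assumption, not from the post
}

# lock_default_accounts -> lock the password and remove the login shell of
# each unneeded default account; needs root. Locking beats deleting: files
# the account owns keep a valid owner.
lock_default_accounts() {
    [ "$(id -u)" -eq 0 ] || { echo 'lock_default_accounts: need root' >&2; return 1; }
    nologin=$(command -v nologin || echo /sbin/nologin)
    for u in $DEFAULT_ACCOUNTS; do
        id "$u" >/dev/null 2>&1 || continue
        usermod -L -s "$nologin" "$u"
    done
}

# lock_account_files -> set the immutable bit on the account databases;
# needs root and an ext2/3/4 filesystem
lock_account_files() {
    [ "$(id -u)" -eq 0 ] || { echo 'lock_account_files: need root' >&2; return 1; }
    chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow
}

# is_complex PASSWORD -> true if it mixes lower, upper, digit and symbol
is_complex() {
    printf '%s' "$1" | grep -q '[[:lower:]]' &&
    printf '%s' "$1" | grep -q '[[:upper:]]' &&
    printf '%s' "$1" | grep -q '[[:digit:]]' &&
    printf '%s' "$1" | grep -q '[^[:alnum:]]'
}

# gen_password LEN -> LEN random ASCII characters from /dev/urandom, redrawn
# until is_complex accepts them (LEN must be at least 4)
gen_password() {
    len=${1:-16}
    [ "$len" -ge 4 ] || return 1
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c "$len")
        if is_complex "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}
```

The immutable bit cuts both ways: while it is set, passwd, useradd and usermod all fail, so lift it with chattr -i before any account change and set it again afterwards. Locking with usermod -L rather than userdel keeps the files an account owns from becoming orphaned, and reload sshd after editing its config so PermitRootLogin no actually takes effect.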

Three, applications


For applications, do not use ready-made templates, especially free ones. Whatever you can download, everyone else can download too, and in theory every program has flaws; once a program has enough users, finding a hole in it pays off handsomely, so attackers go looking for one. As the saying goes, nobody gets up early for nothing. Check your access logs every day. You will see a lot of scanner traffic, usually probing for a specific program or file. If you find them probing for something you actually run, and its vulnerabilities are not yet patched, be careful.

Four, a flexible access policy


Apache already provides powerful and flexible access control. Ideally you build a fine-grained access-control policy that lets legitimate visitors in while rejecting most of the malicious traffic.

There are many kinds of malicious access. Hotlinking, for example, spends our precious bandwidth and server resources serving someone else's pages; handled properly, though, it can even bring us traffic. As the saying goes, when the devil climbs a foot, the Way climbs ten. This is close to my day job and there is a lot more to say about it, so I may do a dedicated post later with a few examples of turning a liability into an asset.

Another example is the obnoxious scrapers that steal the content we worked hard to collect. We can screen on IP, access frequency and URL parameters, but the key is a reliable way of detecting them in the first place.
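As an added example that is mine rather than the author's, the following script implements the screening that sections three and four describe, over a constructed Apache combined-format log: which clients probe for programs we do not run (and get 404s), which pull pages faster than a reader would, which send injection-looking query strings, and which hotlink our images. It ends by turning the findings into Apache 2.4 Require directives. The log lines, the IPs, the host www.example.com and the probe list are all made up for the example.

```bash
#!/bin/sh
# Added example: screening an Apache access log (combined format) for the
# unwanted traffic discussed in sections three and four: scanners probing for
# known programs, scrapers pulling pages too fast, requests with hostile URL
# parameters, and hotlinked images. Not the original post's code. The log
# lines, addresses, host name and probe list are constructed for the example.

# Constructed sample log; addresses are documentation ranges, not real visitors.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2010:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:40 +0800] "GET /joke.php?id=12 HTTP/1.1" 200 1812 "http://www.example.com/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:41 +0800] "GET /images/funny.jpg HTTP/1.1" 200 40211 "http://www.example.com/joke.php?id=12" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:01 +0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 289 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2010:13:56:01 +0800] "GET /admin/setup.php HTTP/1.1" 404 289 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2010:13:56:02 +0800] "GET /wp-login.php HTTP/1.1" 404 289 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2010:13:56:03 +0800] "GET /joke.php?id=1%20union%20select%201,2,3 HTTP/1.1" 500 512 "-" "ZmEu"
192.0.2.9 - - [10/Oct/2010:13:57:00 +0800] "GET /joke.php?id=1 HTTP/1.1" 200 1800 "-" "Python-urllib/2.6"
192.0.2.9 - - [10/Oct/2010:13:57:00 +0800] "GET /joke.php?id=2 HTTP/1.1" 200 1790 "-" "Python-urllib/2.6"
192.0.2.9 - - [10/Oct/2010:13:57:01 +0800] "GET /joke.php?id=3 HTTP/1.1" 200 1805 "-" "Python-urllib/2.6"
192.0.2.9 - - [10/Oct/2010:13:57:01 +0800] "GET /joke.php?id=4 HTTP/1.1" 200 1777 "-" "Python-urllib/2.6"
192.0.2.9 - - [10/Oct/2010:13:57:02 +0800] "GET /joke.php?id=5 HTTP/1.1" 200 1801 "-" "Python-urllib/2.6"
203.0.113.77 - - [10/Oct/2010:13:58:10 +0800] "GET /images/funny.jpg HTTP/1.1" 200 40211 "http://hotlinker.example.net/page.html" "Mozilla/5.0"'

# Paths scanners try regardless of what the site runs (assumed list; the
# doubled backslashes survive awk's -v escape processing as a single one).
PROBE_RE='phpmyadmin|wp-login|setup\\.php|/admin/|\\.bak$'

# scanner_ips LOG -> "ip count" for clients whose probes for PROBE_RE got a 404
scanner_ips() {
    awk -v re="$PROBE_RE" '$9 == 404 && tolower($7) ~ re { c[$1]++ }
        END { for (ip in c) print ip, c[ip] }' "$1"
}

# busy_ips LOG THRESHOLD -> clients with more than THRESHOLD requests in LOG
# (feed it the last minute or two of the log, not the whole file)
busy_ips() {
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] > t) print ip, c[ip] }' "$1"
}

# bad_param_ips LOG -> clients sending injection-looking query strings
bad_param_ips() {
    awk 'tolower($7) ~ /union.*select|\.\.\/|<script|\/etc\/passwd/ { print $1, $7 }' "$1"
}

# hotlink_ips LOG HOST -> image requests whose Referer is neither blank nor
# from HOST. Blank referers stay allowed: many clients and proxies strip them.
hotlink_ips() {
    awk -v host="$2" 'tolower($7) ~ /\.(jpe?g|gif|png)$/ && $11 != "\"-\"" &&
        index($11, "//" host) == 0 { print $1, $11 }' "$1"
}

# blocklist LOG THRESHOLD -> Apache 2.4 "Require not ip" lines for every
# scanner, scraper and injector seen (Apache 2.2 would use "Deny from")
blocklist() {
    { scanner_ips "$1"; busy_ips "$1" "$2"; bad_param_ips "$1"; } |
        awk '{ print $1 }' | sort -u | sed 's/^/Require not ip /'
}

# Usage: tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"; blocklist "$tmp" 3
```

Run the frequency check over a sliding window (the last minute or two of the log) or every regular reader eventually trips it, and keep blank referers allowed in the hotlink check, because many clients and proxies strip them. The 404 condition in scanner_ips is what separates a scanner from a visitor who mistyped a URL: a real reader does not ask for phpMyAdmin, wp-login.php and setup.php in the same second, and a scanner hitting a program you do run will show up as 200s instead, which is exactly the case section three warns about.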

Five, server monitoring

Server monitoring is essential, but I do not recommend heavyweight monitoring software such as Nagios, mainly for performance reasons: the server is already carrying a heavy load and does not need another burden.
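As an added example (not the author's), the following check script is the kind of lightweight monitoring this section favours: a few threshold checks on load, disk, memory and key processes, run from cron, printing only when something is wrong so that cron's mail is the alert. The thresholds, mount points, service names and schedule are my assumptions.

```bash
#!/bin/sh
# Added example: a cron-driven check script as the lightweight alternative this
# section prefers over a full monitoring suite. Not the original post's code.
# Thresholds, mount points, service names and the schedule are assumptions.

# load_too_high LOADAVG_LINE MAX -> true if the 1-minute load average exceeds MAX
load_too_high() {
    printf '%s\n' "$1" | awk -v max="$2" '{ if ($1 > max) exit 0; exit 1 }'
}

# disk_too_full DF_LINE MAX_PCT -> true if a "df -P" data line is above MAX_PCT used
disk_too_full() {
    printf '%s\n' "$1" | awk -v max="$2" '{ sub(/%/, "", $5); if ($5 + 0 > max) exit 0; exit 1 }'
}

# mem_low MEMINFO_FILE MIN_MB -> true if MemFree+Buffers+Cached is under MIN_MB
mem_low() {
    awk -v min="$2" '/^(MemFree|Buffers|Cached):/ { kb += $2 }
        END { if (kb / 1024 < min) exit 0; exit 1 }' "$1"
}

# process_missing NAME -> true if no process with exactly that name is running
process_missing() { ! pgrep -x "$1" >/dev/null 2>&1; }

# run_checks -> one line per problem on stdout; exit status is the problem count
run_checks() {
    problems=0
    if load_too_high "$(cat /proc/loadavg)" "${MAX_LOAD:-4}"; then
        echo "load: $(cut -d' ' -f1-3 /proc/loadavg)"
        problems=$((problems + 1))
    fi
    for m in ${MOUNTS:-/ /var}; do
        line=$(df -P "$m" 2>/dev/null | tail -n 1)
        [ -n "$line" ] || continue
        if disk_too_full "$line" "${MAX_DISK_PCT:-90}"; then
            echo "disk: $line"
            problems=$((problems + 1))
        fi
    done
    if mem_low /proc/meminfo "${MIN_FREE_MB:-128}"; then
        echo "memory: under ${MIN_FREE_MB:-128} MB free"
        problems=$((problems + 1))
    fi
    for svc in ${SERVICES:-sshd httpd}; do
        if process_missing "$svc"; then
            echo "process: $svc is not running"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage from cron (assumed): */5 * * * * /usr/local/bin/checks.sh run
# Silent when all is well, so cron's mail is the alert.
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Because it prints only on trouble, one crontab line gives you a mail per problem window and no measurable load on the box. What it lacks is history and trending, which is the trade-off against a full suite like Nagios; a process check also only tells you httpd is alive, not that it is answering, so add a local HTTP fetch if that matters to you.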