Tencent Cloud Security Groups Explained: How to Open Ports Correctly and Shut Out Malicious Scanning
Many people new to Tencent Cloud set up their environment in high spirits, only to find that the website will not open. After half a day of troubleshooting, it turns out the "security group" was blocking everything because the port was never opened. Or the opposite happens: to save effort, they put 0.0.0.0/0 (allow everything) into the security group, and within three days the server has been turned into a crypto-mining zombie or even hit by ransomware.

A security group is, to put it bluntly, a virtual firewall that Tencent Cloud gives you for free. It sets up a checkpoint in front of the server and decides which traffic may come in and which may go out.

This article is not about complicated network theory. We start from practice: how to open your business ports correctly while keeping out the malicious scripts that scan your server every single day.
Phase 1: The Core Logic of a Security Group
Before you configure anything, you must understand two core principles; get these wrong and you will certainly make mistakes:
1. "Inbound" versus "Outbound"
Inbound rule: traffic from outside reaching you. For example, users visiting your website (ports 80/443), or you connecting to the server over SSH (port 22). Almost all security group work is inbound rules.
Outbound rule: the server reaching out. For example, your server downloading system updates or calling the WeChat Pay API. The Tencent Cloud security group templates allow all outbound traffic by default; keep that default and do not touch it, otherwise the server itself will be cut off (no updates, no API calls). Restricting egress is a further hardening step, but only after you have listed every destination the server legitimately needs.
2. Rules are matched from top to bottom
Security group rules have priority: the higher a rule sits in the list, the higher its priority. When traffic arrives, evaluation starts at the first rule, and as soon as one matches, its policy (allow or deny) is applied immediately and the remaining rules are not examined.
Key point: if your first rule is "deny all traffic" and your second is "allow port 80", port 80 will never get through. Always remember: precise allow rules go at the top, broad deny rules go at the bottom.
Phase 2: Configuring an "Ironclad" Security Group, Step by Step
Now log in to the Tencent Cloud Console and search for "Security Group". Click "New", choose the "Custom" template, and name it "Web Server High Security Specification".
Click "Inbound Rules" -> "Add Rule" and let's build the line of defense one rule at a time:
1. Public service ports that must be open (visible to the whole world)
If the server runs a website, these two ports must be open to the world unconditionally:
HTTP (port 80): Source: 0.0.0.0/0 (any IP worldwide) Protocol/Port: TCP:80 Policy: Allow
HTTPS (port 443): Source: 0.0.0.0/0 Protocol/Port: TCP:443 Policy: Allow
2. The critical ports: remote management (never leave them exposed)
Linux port 22 (SSH) and Windows port 3389 (Remote Desktop) are the ports hackers scan most heavily.
Never, ever open these two ports to 0.0.0.0/0.
High-security configuration (fixed IP): if your home broadband or office has a fixed public IP, put that IP (e.g. 220.181.111.85) directly in the "Source" field. Then nobody in the world except you can even reach the port.
Tradeoff (IP range): if your IP is dynamic and changes whenever the router restarts, you can enter your ISP's address range for your city (e.g. 220.181.0.0/16). This cuts the probability of being scanned a lot, but a /16 still holds 65,536 addresses, so key-based SSH login with password authentication disabled remains mandatory.
Lazy but safer configuration (change the default port): if you really must open it to the whole internet, do not use the default 22. Change the SSH port on the server to a high, random port such as 59222, and open TCP:59222 in the security group instead (add the security group rule, and any OS firewall rule, before you restart sshd, or you lock yourself out). Blind scanning scripts mostly probe port 22 only, so changing the port blocks the vast majority of mindless scans. Be clear that this is obscurity, not access control: a scanner that sweeps all 65,535 ports will still find it, so pair it with key-only login.
3. Database and middleware ports (must stay on the private network)
MySQL (3306), Redis (6379), MongoDB (27017): these are your core assets.
Iron law: never open a database port to the whole internet (0.0.0.0/0) in the security group!
So how do you access it? If your web server and database server are in the same VPC of the same Tencent Cloud account, enter the web server's private IP (e.g. 10.0.0.5) as the source; private addresses are only reachable inside the VPC, which is exactly the point. (Tencent Cloud also accepts a security group ID as the source, which keeps working if that private IP changes.) If you only need to look at the data occasionally, forward the port through an SSH tunnel, or remove the security group rule immediately after you are done.
Phase 3: Take the Initiative: Refuse Scans and Keep the Enemy Outside the Gates
How do hackers find you? They run internet-wide automated scanners (such as ZMap and Masscan). If your server answers any probe, you go on their "to crack" list.
1. Ultimate defense: the deny rule
Once every port you need (80, 443, the modified SSH port) is allowed at the top, add one more rule at the very end of the list:
Source: 0.0.0.0/0
Protocol/Port: ALL
Policy: Deny
This is the well-known "default deny" policy: anyone not on my whitelist gets beaten off with a stick. Even where the platform already drops unmatched traffic, the explicit rule makes the policy visible at a glance and, because matching is top-down, it neutralises any sloppy allow rule someone later appends below it.
2. Disable ICMP (no ping replies)
The first thing many attackers do to find a target is ping your IP to see whether the machine is up.
Add a rule: Protocol: ICMP, Source: 0.0.0.0/0, Policy: Deny.
After that, pinging your server times out, the server "pretends not to exist", and some beginner-level scanners move on. Bear in mind this only deters the casual ones: Masscan and ZMap probe TCP ports directly without pinging first, and you lose ping as a troubleshooting tool, so treat it as noise reduction rather than protection.
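The logic of Phases 1 through 3 (top-down first match, the public/admin/database allow rules, the closing deny-all and the ICMP deny) as one added worked example that is not part of the original article: a small Python simulator of how a security group decides on a packet. The rule vocabulary (CIDR source, protocol, port, ACCEPT/DROP) mirrors the names used in Tencent Cloud's console and API, but the evaluator is a model written for this page, not Tencent Cloud's code. The addresses are the article's own examples (220.181.111.85 for the admin, 10.0.0.5 for the web tier) plus a constructed TEST-NET address, 203.0.113.7, standing in for an internet scanner.

```python
"""First-match simulator for Tencent Cloud security group inbound rules.

Model (as the article describes it): walk the list top to bottom, the first
matching rule decides, and a packet that matches nothing is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    source: str    # CIDR such as "0.0.0.0/0"; a bare IP means a single host
    protocol: str  # "TCP", "UDP", "ICMP" or "ALL"
    port: str      # "80", "1024-65535" or "ALL" (ignored for ICMP)
    action: str    # "ACCEPT" or "DROP" (the API's action names)
    note: str = ""

    def matches(self, src_ip, protocol, port=None):
        if ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        if self.protocol not in ("ALL", protocol):
            return False
        if self.protocol == "ICMP" or protocol == "ICMP" or self.port == "ALL":
            return True
        lo, _, hi = self.port.partition("-")
        return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, protocol, port=None):
    """Return (action, note) from the first matching rule, else the implicit drop."""
    for rule in rules:
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.note
    return "DROP", "no rule matched: implicit default deny"


# The article's "Web Server High Security Specification", in the article's order.
WEB_SERVER_HIGH_SECURITY = [
    Rule("0.0.0.0/0",         "TCP",  "80",   "ACCEPT", "HTTP, world-visible"),
    Rule("0.0.0.0/0",         "TCP",  "443",  "ACCEPT", "HTTPS, world-visible"),
    Rule("220.181.111.85/32", "TCP",  "22",   "ACCEPT", "SSH from the admin's fixed IP only"),
    Rule("10.0.0.5/32",       "TCP",  "3306", "ACCEPT", "MySQL from the web server's private IP only"),
    Rule("0.0.0.0/0",         "ICMP", "ALL",  "DROP",   "no ping replies"),
    Rule("0.0.0.0/0",         "ALL",  "ALL",  "DROP",   "explicit default deny backstop"),
]

# The Phase 1 ordering mistake: a deny-all on top shadows every rule below it.
MISORDERED = [
    Rule("0.0.0.0/0", "ALL", "ALL", "DROP",   "deny-all placed FIRST"),
    Rule("0.0.0.0/0", "TCP", "80",  "ACCEPT", "never reached"),
]

# Constructed probes; 203.0.113.7 is a TEST-NET address playing the scanner.
PROBES = [
    ("203.0.113.7",    "TCP",  80),
    ("203.0.113.7",    "TCP",  443),
    ("203.0.113.7",    "TCP",  22),
    ("220.181.111.85", "TCP",  22),
    ("203.0.113.7",    "TCP",  3306),
    ("10.0.0.5",       "TCP",  3306),
    ("203.0.113.7",    "ICMP", None),
    ("203.0.113.7",    "TCP",  59222),
]


def audit(rules, probes=PROBES):
    """Map each probe to the action it receives; useful when reviewing a rule set."""
    return {probe: evaluate(rules, *probe)[0] for probe in probes}


if __name__ == "__main__":
    for name, rules in (("hardened", WEB_SERVER_HIGH_SECURITY), ("misordered", MISORDERED)):
        print(f"== {name} ==")
        for (ip, proto, port), action in audit(rules).items():
            print(f"{ip:>16} {proto:<4} {str(port):<5} -> {action}")
```

Run it and compare the two tables: the hardened set lets the scanner reach only 80 and 443, while the misordered set drops even port 80 because the deny-all is consulted first. Extending `PROBES` with your own addresses and ports is a cheap way to review a rule list before you click "Save" in the console.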
Phase 4: Verification and Association after Configuration
Once the rules are ready, do not forget the most important step: binding the instance.
On the security group details page, switch to the "Associated Instances" tab, click "Associate", and select your CVM instance. Until it is associated, the rules you just configured are a dead letter.
How do you verify that the configuration actually works?
Test the service: use a phone on 4G/5G (simulating an external network) to visit your website. If it opens, 80/443 are fine.
Test the blocking: since you did not open the database port, try connecting a local database tool (such as Navicat) directly to port 3306 on the server's public IP. If you get a connection timeout (rather than "connection refused"), the security group dropped the request silently, which is exactly the anti-scanning behaviour you want. A "connection refused" would mean the packet reached the server and the OS answered, i.e. the port is reachable and only the service is absent, so the rule is not in effect.
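The verification step above, as an added example that is not part of the original article: a Python probe that tells "open" from "connection refused" from "timed out" (filtered, i.e. dropped by the security group), with an offline self-check on loopback so you trust the classifier before pointing it at a real host. The expected-state table is an assumption based on the article's hardened group (80/443 open, 22 and 3306 dropped); the host is whatever public IP you are testing, run from an outside network such as a phone hotspot.

```python
"""Classify how a host's TCP port answers: open, refused, filtered or unreachable.

Phase 4 check: a security group that drops a packet produces a timeout
("filtered"); "refused" means the packet reached the OS and an RST came back,
so the security group let it through and only the service is missing.
"""
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return "open", "refused", "filtered" (silence until timeout) or "unreachable"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"      # e.g. no route to host
    finally:
        s.close()


def audit(host, expected, timeout=3.0):
    """Compare each port's observed state with what the security group should yield.

    Returns a list of (port, expected, observed) mismatches; empty means the
    configuration behaves as designed.
    """
    mismatches = []
    for port, want in sorted(expected.items()):
        got = probe_tcp(host, port, timeout)
        if got != want:
            mismatches.append((port, want, got))
    return mismatches


# Assumed view of the article's hardened group from an outside network:
# web ports open, SSH and MySQL silently dropped (filtered, never refused).
EXPECTED_FROM_INTERNET = {80: "open", 443: "open", 22: "filtered", 3306: "filtered"}


def selfcheck():
    """Offline sanity check on loopback: a live listener must read "open" and a
    port nothing listens on must read "refused". Returns the audit mismatches."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                 # released, so connecting now gets an RST

    try:
        return audit("127.0.0.1", {open_port: "open", closed_port: "refused"}, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    print("self-check mismatches:", selfcheck())
    if len(sys.argv) > 1:
        # usage: python probe.py <public-ip-of-your-cvm>
        for port, want, got in audit(sys.argv[1], EXPECTED_FROM_INTERNET):
            print(f"port {port}: expected {want}, observed {got}")
```

If port 3306 comes back "refused" instead of "filtered", the security group is not doing its job: either the rule is missing, the group is not associated with the instance, or an allow rule above the deny is matching first. If port 80 reads "filtered" from outside, the rule was never added or the instance is not associated.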
Summary
The essence of a security group is subtraction.
Do not open ports you do not need; where a port must be open, restrict it to specific source IPs wherever you can; and finally put a deny-all rule at the bottom as the backstop.
Stick to this principle and the malicious scanning scripts and automated trojans roaming the public internet will have no way in.

