Aliyun account purchase: 5 Aliyun ECS security protection settings that must be opened immediately!!
In the circle of cloud computing, we can often hear such tragedies:
"The server I just bought was implanted with a mining trojan before I ran my business. The CPU is 100 every day!"
"The database was blackmailed by hackers and asked to pay bitcoin to unlock the file. What should I do?"
A lot just finished.
Purchase with an Alibaba Cloud account
Novices often put all their energy on deploying websites and configuring codes, but throw the server directly on the public network like a "naked baby.
You should know that there are countless hackers on the Internet 24 hours a day in the crazy scanning of public IP. Once you find that your server password is too simple, or the vulnerability is not filled, the port is open, within half an hour, your server will become someone else's broiler.
There are no small matters when it comes to safety. Today's in-depth practical exercise tutorial will teach you hand in hand without counting words and in pure vernacular.
5 Alibaba Cloud ECS security protection settings that must be enabled immediately
. As long as it takes 10 minutes to cover these five "iron cloth shirts", you can help you block 99% of brainless hacker attacks.
Core Defense Guide: What are the dead corners of your server?
A hacker attacks a server, like a burglary. They usually pass.
Blasting Code (Gate)
Exploitation of system vulnerabilities (window prying)
Or
Monitor the transmission data (halfway robbery) to achieve the purpose.
The five major protections we set up today are to help your Aliyun ECS weld the gates to death and install anti-theft nets on the windows.
Setting 1: Refine "Security Group" Rules-Close High-Risk Ports (Take Good Control of Security Doors)
In a word:
Don't open all the doors and windows in your home, only open a crack for those who are allowed in and out.
In order to save trouble, many novices directly added a "release" when setting up security groups.
1/65535
Port "rule, this is equivalent to directly to the security door to remove.
How do I do it?
Log in to the Alibaba Cloud console, go to [Cloud Server ECS]-> [Instance], and click the server name.
Switch to the [Security Group] tab and click the security group ID to go to the configuration page.
Check the [Inbound Direction] rule and delete all "Release All (0.0.0.0/0 and Port ALL)" rules without any movement.
Correct posture: adopt the principle of "open what with what. If it is a Linux server, only allow port 22 (remote connection). If you are creating a website, only port 80(HTTP) and port 443(HTTPS) are allowed. Advanced move: change the "authorized object" of port 22 from 0.0.0.0/0 (owner) to the fixed public network IP of your company or home. In this way, in addition to you, the whole Internet no one can connect to this door.
Setting 2: Disable Root user login and enable SSH key pair (replace old door lock)
In a word:
Hackers use password dictionary to guess you every day
root
The password of the account. Then we’ll go straight to it.
to put
root
Hide it and are not allowed to log in with a password. You must brush your "badge" (key) to enter.
The default highest administrator for a Linux server is called
root
. When the hacker blasted the server, 100% of the account name was written dead
root
, just go crazy to guess the password.
How do I do it?
Create a key pair: In the left-side menu of the ECS console, find [Network and Security]-> [Key Pair] and click Create. The system will automatically generate a private key file in. pem format and download it to your computer. (This document is your electronic badge, don't lose it!)
Bind key pair: Return to the instance list, check the server, and select [Key Pair]-> [Bind Key Pair] to bind the newly created key. Note: After binding, the server needs to be restarted to take effect.
Completely disable password login: after logging in to the server with the key, modify the SSH configuration file: Bashvi /etc/ssh/sshd_config find the PasswordAuthentication yes and change yes to no. At the same time, find the PermitRootLogin yes and change it to no (or keep allowing only key login). After saving, restart the SSH service (systemctl restart sshd).
Since then, the hacker's password blasting script has been completely obsolete. Because your server now "only recognizes the key but not the password", without that license file, even if the password is right, you can't take a step forward.
Setting 3: Modify the default remote connection port (disguise the gate)
A sensible sentence:
The default remote port for Linux is
22
, the Windows is
3389
. This is just like everyone knows that thieves will pick the cat's eye at the main entrance, so let's move the doorbell to the ceiling.
Scanners of the whole network are facing all public network IP's every day.
22
and
3389
Port crazy strafing. We changed the port to an unpopular number (e. g.
56789
), can directly let 95% of brainless scanners go home empty-handed.
How do I do it?
Change from Linux
56789
Port for example:
First go to the Aliyun security group, add an inbound rule, and release the 56789 port. (Remember: You must release it first, or you will lose your connection after changing the port!)
Log in to the server and modify the configuration file: Bashvi /etc/ssh/sshd_config find# Port 22, delete the comment# and add a line of Port 56789 below.
Save the exit and restart the SSH service. Attempt to reconnect with the new port 56789.
After the connection is successful, return to the configuration file and delete Port 22, and go to the Aliyun security group to delete the release rule of port 22.
Setting 4: Turn on the free "full automatic snapshot policy" immediately"
(Buy a lifetime worry-free insurance)
A sensible sentence:
As long as there is a backup, even if the server is set on fire by hackers, you can turn back the clock with one click and revive with full blood.
A lot of people are doing
Purchase with an Alibaba Cloud account
ignores the importance of data backup. When encountering blackmail virus or deleting the database by mistake (the legendary rm -rf /*), no backup means complete bankruptcy.
How do I do it?
In the left-side menu of the ECS console, find [Storage and Snapshot]-> [Automatic Snapshot Policy]].
Click Create Policy and give it a name (e. g. "Daily Core Backup").
Policy settings: It is recommended to set the automatic execution at 2:00 or 3:00 a.m. every day (during the business downturn), and set the retention time to 7 days or 14 days.
Click [Application Instance] and check the system disk and data disk you are running.
Now, Ariyun silently takes a "full-body photo" of your hard disk every night ". In case the server really overturns one day, you just need to go to the console and click [Roll Back Cloud Disk], and all the data will come back intact within 5 minutes.
Setting 5: Activate the cloud security center (install a 24-hour online bodyguard)
A sensible sentence:
Aliyun officials have given away a "cloud 360" free of charge, which can help you monitor whether anyone is violently cracking passwords and whether Trojan horses are running.
Alibaba Cloud embeds a lightweight security component in all ECS instances by default. The corresponding console product is called
Cloud Security Center
(The basic version is completely free.).
How do I do it?
In the search bar at the top of the Alibaba Cloud official website, enter Cloud Security Center to enter the console.
In the Asset Center, make sure that your ECS instance is in the Protected state.
Enter [Security Alarm Processing], where you can clearly see which overseas IP is trying to blow up your password and how many interceptions have been triggered in the past few days.
Turn on notification: It is strongly recommended to enter the settings and bind your mobile phone number or WeChat/DingTalk. Once the server logs on from another place or detects a malicious script running, Aliyun will send you a text message to alert you within seconds, so that you can go online and cut off the network and stop loss at the first time.
Summary: Novice Anti-rollover Formula
Security is not a once-and-for-all technology, but a good operation and maintenance habits. Completed
Purchase with an Alibaba Cloud account
After that, please remember these five safe actions like the multiplication formula:
Security groups should be streamlined and high-risk ports should never be opened;
Root account to hide, login all rely on password lock (key);
The default port must be changed. Hacker scanning cannot find it;
Automatic snapshot every day open, overturned can also take regret medicine;
The security center often looks at it, and the remote login is cut off immediately.
Take ten minutes to configure these five protections, and your cloud server will be like a solid fortress, sitting firmly on the Diaoyutai. Go and check your Aliyun console!

