As digital business continues to scale, more and more business systems are migrated to the cloud, and core businesses increasingly depend on the stable operation of IT systems. As a result, common security risks are gradually being exposed. This article summarizes some defensive measures that address this pain point.
1. Anti-scanning: shield commonly used ports
1. The Pagoda server panel, which is widely used, listens on port 8888 by default after installation. If its password is cracked, the entire website is exposed, so after installing Pagoda or any other server panel or software, change the port to an uncommon one.
2. Change the SSH port number. Port 22 is so well known that it is the first place hackers will try to break in.
3. Change the FTP port. It is generally recommended not to open the default port 21 on a cloud server; uploading over SFTP and SSH connections should be enough. If you do use FTP, change it to another port number.
4. Block or close MySQL port 3306. Avoid remote MySQL connections as far as possible and use local connections instead.
In short, avoid keeping default ports wherever possible, and change them to port numbers that are not commonly used and not easy to guess.
2. Timely backup of the website
1. Cloud service providers generally offer server snapshots. A snapshot backup is relatively comprehensive: it directly backs up the server's hard disk data and system configuration. Note that snapshots are usually a paid service.
2. You can also use management software such as a third-party panel to perform backups. For example, the Pagoda panel has a scheduled-task feature: in the drop-down list where shell script appears, choose to back up the server and the database. Remember that both must be backed up. An execution cycle of once every 3 days is generally fine, depending on how often the website is updated; if it is updated frequently, back up daily. Schedule the backup for midnight, when there are few visits, because running the scripts consumes CPU and memory.
3. Add a guest user and prohibit remote login using the root account
Edit your sshd_config file and change PermitRootLogin yes to PermitRootLogin no so that root is not allowed to log in remotely. Because the root account has the highest privileges, this prevents hackers from brute-forcing the account and exposing the entire server.
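The check below is an added example, not part of the original article: it reads sshd_config text and reports whether the two SSH settings recommended in this article (a non-default Port and PermitRootLogin no) are actually in effect. It assumes OpenSSH's built-in defaults (port 22, prohibit-password) and first-value-wins parsing; the function names, port 50022 and the sample files are constructed for illustration.

```python
# Added example: audit sshd_config text for the two SSH settings discussed above.
# OpenSSH built-in defaults apply when a directive is absent or commented out.
DEFAULT_PORT, DEFAULT_ROOT = "22", "prohibit-password"

def effective_settings(config_text):
    """Return (ports, global PermitRootLogin, PermitRootLogin values in Match blocks)."""
    ports, root, match_root, in_match = [], None, [], False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue                      # blank line or comment: no effect
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            in_match = True               # later lines are conditional overrides
        elif key == "permitrootlogin" and in_match:
            match_root.append(value.lower())
        elif key == "permitrootlogin" and root is None:
            root = value.lower()          # first value wins; repeats are ignored
        elif key == "port" and not in_match:
            ports.append(value)           # Port may be given more than once
    return ports or [DEFAULT_PORT], root or DEFAULT_ROOT, match_root

def audit(config_text):
    """Return findings as strings; an empty list means both checks pass."""
    ports, root, match_root = effective_settings(config_text)
    findings = []
    if "22" in ports:
        findings.append("sshd listens on default port 22")
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}', not 'no'")
    findings += [f"a Match block sets PermitRootLogin to '{v}'"
                 for v in match_root if v != "no"]
    return findings

# Constructed sample inputs (not taken from a real server).
WEAK = """Port 22
PermitRootLogin yes
# appended later by an admin; ignored because the first value wins
PermitRootLogin no
"""
COMMENTED = "#Port 50022\n#PermitRootLogin no\n"
HARDENED = "Port 50022\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("COMMENTED", COMMENTED), ("HARDENED", HARDENED)):
        print(name, audit(text) or "OK")
```

On a live server, `sshd -T` prints the effective configuration as the daemon itself computes it, including any Include files, which this sketch does not follow.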
4. Install a firewall
Install a website firewall. A server firewall can effectively block some common scanning and brute-force attacks. Advanced versions can also scan the server regularly and detect and clean up Trojans and viruses; Security Dog is one example of such defense software.
5. Regularly update patches
Regularly updating applications and patches is critical to keeping your operating system secure. Operating system patches fix new security vulnerabilities, integrate new functions, resolve specific errors and defects, improve the stability of the operating system and software, and install new drivers. An unpatched server operating system is one of the easiest points of entry for hackers to gain network access.