
Private Server: Maximum Anonymity Configuration

Getting an offshore VPS is only the first step. Turning the machine into a truly private and secure server takes a series of technical configurations. This guide walks through each concrete step to build a fully anonymous server on AnubizHost's offshore VPS platform in Iceland.


SSH Hardening: Securing the Administrative Connection

SSH is the only entry point for administering the VPS. Protecting it is priority number one:

Change the default SSH port: Port 22 is the target of hundreds of thousands of automated scanning bots every day.

nano /etc/ssh/sshd_config

# Change to another port (1024-65535)
Port 2222
# Do not allow direct login as root
PermitRootLogin no
# Require SSH keys
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowTcpForwarding no

systemctl restart ssh

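Create and install the SSH key. The copy step below connects to port 22, so it has to be run before the sshd_config changes above are applied and SSH is restarted; once PermitRootLogin no is in effect, the key login must use a non-root account instead of root:

# On your personal computer (NOT on the VPS)
ssh-keygen -t ed25519 -C "my-anon-server" -f ~/.ssh/anon_key

# Copy the public key to the VPS
ssh-copy-id -i ~/.ssh/anon_key.pub -p 22 root@your-vps-ip

# Then connect with the key
ssh -i ~/.ssh/anon_key -p 2222 root@your-vps-ip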

UFW Firewall: Controlling Every Connection

The firewall decides which ports may be reached from outside. The principle: block everything, open only what is needed.

apt install -y ufw

# Deny all incoming connections by default
ufw default deny incoming
ufw default allow outgoing

# Open only the changed SSH port
ufw allow 2222/tcp comment 'SSH custom port'

# Open the web ports if needed
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'

# Enable the firewall
ufw enable
ufw status verbose

If the VPS is used only to run a private VPN, only the SSH port and the WireGuard port need to be open:

ufw allow 51820/udp comment 'WireGuard VPN'

Check which ports are open on the VPS:

ss -tlnp    # All listening TCP ports
ss -ulnp    # All listening UDP ports

Fail2ban: Automatically Blocking Attacking IPs

Fail2ban monitors the system logs and automatically blocks IPs that show attack behaviour (SSH brute force, repeated password attempts...):

apt install -y fail2ban

nano /etc/fail2ban/jail.local

[DEFAULT]
# Ban an IP for 1 hour
bantime = 3600
# Time window in which failed attempts are counted
findtime = 600
# Maximum number of attempts
maxretry = 3
ignoreip = 127.0.0.1/8

[sshd]
enabled = true
# Must match the changed SSH port
port = 2222
logpath = /var/log/auth.log
maxretry = 3
# Ban SSH offenders for 24 hours
bantime = 86400

systemctl enable fail2ban
systemctl start fail2ban

# Check the status
fail2ban-client status
fail2ban-client status sshd

To see the IPs that are currently banned:

fail2ban-client status sshd | grep "Banned IP"
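
An added example, not part of the original guide: it audits a copy of sshd_config against the directives set in the SSH hardening section and checks that the [sshd] jail in jail.local watches the same port. The function names and the demo data are assumptions made for illustration.

```shell
# Added example, not from the original guide; file paths are passed as arguments.
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Global value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and everything from the first Match on is skipped.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v want="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Port set in the [sshd] section of a fail2ban jail file.
jail_port() {  # $1 = jail.local path
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sshd = ($0 ~ /^\[sshd\]/) }
        in_sshd && $1 == "port" { sub(/[ \t]+$/, "", $2); print $2; exit }
    ' "$1"
}

# Prints one line per deviation; the exit status is the number of deviations.
audit_ssh() {  # $1 = sshd_config path, $2 = jail.local path
    fails=0
    while read -r key expected; do
        actual=$(sshd_value "$1" "$key")
        [ "$actual" = "$expected" ] || fail "$key is '${actual:-unset}', want '$expected'"
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowTcpForwarding no
EOF
    port=$(sshd_value "$1" Port); port=${port:-22}
    [ "$port" != 22 ] || fail "Port is still the default 22"
    [ "$(jail_port "$2")" = "$port" ] || fail "jail.local [sshd] port differs from sshd Port $port"
    return "$fails"
}

# Constructed sample: password login left on, jail still watching port 22.
demo() {
    d=$(mktemp -d); rc=0
    printf '%s\n' 'port 2222' 'PermitRootLogin no' 'PasswordAuthentication yes' \
        'PubkeyAuthentication yes' 'MaxAuthTries 3' 'LoginGraceTime 20' \
        'X11Forwarding no' 'AllowTcpForwarding no' > "$d/sshd_config"
    printf '%s\n' '[sshd]' 'enabled = true' 'port = 22' > "$d/jail.local"
    audit_ssh "$d/sshd_config" "$d/jail.local" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

On the server itself this would be run as audit_ssh /etc/ssh/sshd_config /etc/fail2ban/jail.local. Files pulled in through Include are not followed, so pass each such file separately.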

Minimizing Information Exposed to the Outside

A secure server not only resists attacks from outside but also minimizes the information it leaks:

Hide software versions in HTTP headers:

# Nginx
server_tokens off;

# Apache
ServerTokens Prod
ServerSignature Off

Turn off unnecessary services:

# List all running services
systemctl list-units --type=service --state=running

# Stop and disable unused services
systemctl stop bluetooth
systemctl disable bluetooth
systemctl stop avahi-daemon
systemctl disable avahi-daemon

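Private DNS configuration: instead of using the hosting ISP's default DNS set on the server, configure encrypted DNS. The commands below switch the resolver to 1.1.1.1 and 9.9.9.9; nameserver entries on their own still send queries unencrypted over port 53, so encryption requires a DNS-over-TLS or DNS-over-HTTPS stub resolver on top: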

apt install -y resolvconf
echo "nameserver 1.1.1.1" > /etc/resolvconf/resolv.conf.d/head
echo "nameserver 9.9.9.9" >> /etc/resolvconf/resolv.conf.d/head
resolvconf -u

AnubizHost VPS in Iceland is the best platform for building a private server, combining privacy-protective law, hardened technical configuration and stable infrastructure.
