The reason why I put these two together is because I was sanctioned by the firewall of centOS. I first changed the SSH default port and then changed the domain name. As a result, all domain names cannot be accessed.
Example Change the default SSH port
Reference: www.liberiangeek.net/2014/11/cha…
Buy a cloud play, every SSH login will see a prompt to say how many failed login, respectively from different IP. Port 22 is the type that is often scanned, and weak passwords are easy to brute force.
The easiest way to prevent this is to find an unpopular port and change SSH to that port.
The most secure approach would be to use certificates and asymmetric encryption for password-less logins, allowing only the computer with the secret key to log in remotely. For example, the SSH Key that is essential every time you set up GitHub for a new computer
Another approach is to use the server’s firewall to whitelist allowed computer IP addresses. Tencent cloud security group can be used in this way, before the port was not modified, I simply banned port 22, to use the login to open the background. But this approach assumes that the IP stays the same. IPv4 addresses are exhausted, and most networks in China use NAT. Our public address is completely determined by the operator, so it is difficult to maintain a fixed IP address.
The following is how to modify the port:
- Back up the SSH configuration file. If a critical error occurs, perform the following operations
sshd_config.bak
Restoring the Configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Copy the code
- Modifying a Configuration File
sshd_config
sudo vi /etc/ssh/sshd_config
Copy the code
- The modifications are as follows:
Since Port 22 is the default SSH Port, some configuration files will display a line # Port 22, so don’t worry about it.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2244
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Copy the code
:wq Save the file, remember not to disconnect the login at this time, and open another terminal window after the complete modification.
- SELinux only allows port 22 to SSH, we need to change SELinux
#Check the SELinux running status
sestatus
#Check out the ports SELinux opens for SSH
#The output should be ssh_port_t TCP 22
semanage port -l | grep ssh
#SELinux adds port 2244 for SSH
sudo semanage port -a -t ssh_port_t -p tcp 2244
#To delete a port, run the SELinux SSH command to delete port 2244
sudo semanage port -d -t ssh_port_t -p tcp 2244
Copy the code
- Checking the Firewall
#Allow 2244 to pass the firewall
sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp
#If the firewall is not enabled, you can enable it
systemctl enable firewalld
systemctl start firewalld
#Checking the Firewall Status
systemctl status firewalld
#Reload the firewall
sudo firewall-cmd --reload
Copy the code
Note: If you have not configured the firewall before, the firewall is not started, but the Web service is running. After the firewall is started, the page may be inaccessible. Therefore, you need to configure the firewall again.
- Restarting the SSH Service
sudo systemctl restart sshd.service
Copy the code
- Check the new SSH port
# # to check the SSHD state systemctl status SSHD. Service check to see if the SSH port on the new running ss - TNLP | grep SSHCopy the code
- Try a new port
You can exit the connection, but I recommend creating another account, opening a new terminal window to test, and immediately changing it if you can’t connect remotely.
- Disable the default port 22
Tencent cloud and Ali cloud have security group Settings, you can directly disable port 22 through the security group. The Settings are as follows
::/0 TCP:22 Rejected 0.0.0.0/0 TCP:22 RejectedCopy the code
Apache configures subdomain names
Once we have a second level domain name, we can configure it with many third level domains for different functions.
mod_rewrite.so
# edit the httpd.conf file in /etc/httpd/conf and check whether it is commented. Is to see the next step LoadModule rewrite_module modules/mod_rewrite. So # if HTTPD conf no configuration # is in the/etc/HTTPD/conf. Modules. D to create a new *. The conf file Conf LoadModule rewrite_module modules/mod_rewrite.soCopy the code
- Modify httpd.conf and add the following information
<VirtualHost *:80> ServerAdmin [email protected] DocumentRoot "var/ WWW/HTML "ServerName abc.com ServerAlias www.abc.com DirectoryIndex index.php index.html index.htm </VirtualHost> # Subdomain <VirtualHost *:80> ServerAdmin [email protected] DocumentRoot "var/www/a" ServerName a.abc.com DirectoryIndex index.php index.html index.htm </VirtualHost>Copy the code