Server security (2) Internal and external network defense

This article is part of the Server Security Series column on this site.

0. Preface

In March last year, Tencent Cloud's Lightweight Application Server ran a free upgrade campaign in which a 1-core 2 GB instance could be upgraded to 2-core 4 GB. The Tencent Cloud campus event happened to offer a 1-core 2 GB package, so I ordered it directly for 4 years.
Tencent Cloud Campus Activities:
https://curl.qcloud.com/suZnC2jW

As everyone knows, the promotional servers of the major cloud providers are all located in mainland China. To meet the need for international connectivity, I rented another server in Hong Kong, China.
Tencent Cloud New Customer Benefits:
https://curl.qcloud.com/zmbe5X1i

However, the minimum configuration of a server in Hong Kong, China costs 24 yuan per month, and it would be extravagant to use it only for international connectivity. Besides running a mirror site, I have also used this server as a reverse proxy so that sites do not need ICP filing. That worked well, so I went a step further and used the two servers together as an internal/external network pair.

1. Intranet server configuration

Because of tenant network isolation and the related VPC configuration, servers in different regions cannot reach each other over the intranet even under the same account; the two servers can only communicate over the public network.
Therefore, the following configuration is needed on the intranet server:

  1. Bt panel security defense
  2. Port open and close configuration
  3. Local DNS server configuration

1.1, Bt panel security defense

The previous article has already explained it in detail, so I won't repeat it here.
"Server Security (1) Bt Panel Defense" article link:
https://blog.tsinbei.com/archives/125/

1.2, port configuration

Note: Some Docker configurations conflict with firewalld, so it is recommended to open all TCP and all UDP in firewalld and to configure the firewall rules in the server console instead!
Server firewalld configuration: open all ports.
Server console configuration:

Explanation:

  1. Open the login ports: the Bt login port, the phpMyAdmin port and the SSH port (note: do not use the default port for SSH!)
  2. Open all TCP: open all ports, but only to one specified source IP (the external network server), which simplifies the later configuration
  3. Open the data transmission ports: an Frp server runs here and needs this port range to transmit data
  4. Open the mail ports: for the mail service

Port scan results after configuration:

Ports 2000 and 5060 cannot be closed and can be ignored.

1.3, local DNS server configuration

1.3.1, install Dnsmasq

Install and start Dnsmasq:

Bash
yum install -y dnsmasq
systemctl start dnsmasq

1.3.2, configure Dnsmasq

In /etc/dnsmasq.conf, edit the Dnsmasq configuration:


In /etc/dnsmasq.d/address.conf, edit the wildcard resolution configuration:


This resolves *.tsinbei.com to the local machine.

Then run

Bash
systemctl restart dnsmasq

to restart Dnsmasq so the configuration takes effect.

1.3.3, modify the local DNS server

In /etc/resolv.conf, add 127.0.0.1 as the first nameserver:

conf
; generated by /usr/sbin/dhclient-script
nameserver 127.0.0.1
nameserver 183.60.83.19
nameserver 183.60.82.98

2. External network server configuration

To prevent intrusion, the external network server also needs a security configuration:

  1. Reverse proxy
  2. Port Configuration
  3. Local DNS server configuration

2.1, reverse proxy

Take the Bt panel as an example.
Tutorial for installing Bt 7.7.0 Enterprise Edition:
https://blog.tsinbei.com/archives/7/
In the Bt panel of the external network server, bind the same domain name as on the intranet server,

and configure a reverse proxy for that same domain name:

2.2, port configuration

If no other services such as mail are needed, only ports 80 and 443 need to be open.
As before, open all ports in firewalld and open 80 and 443 in the console.
Port scan result:

2.3, local DNS server configuration

The installation is the same as in section 1; the difference is that /etc/dnsmasq.d/address.conf resolves the domain names to the public IP of the intranet server:

conf
address=/tsinbei.com/x.x.x.x
address=/xxx.xxx/x.x.x.x

Note: Many tutorials configure this directly in /etc/dnsmasq.conf, but only one domain name can be added that way. To configure multiple domain names, use address.conf.
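As an added example (not code from the original post), the following Python models the address.conf format used in sections 1.3.2 and 2.3: a parser for the address= lines, a lookup that mimics dnsmasq's matching rule (a domain covers itself and every subdomain, longest configured domain wins), and a check that resolv.conf lists 127.0.0.1 first as section 1.3.3 requires. The sample files and the IPs 10.0.0.1 and 10.0.0.2 are constructed stand-ins for the page's x.x.x.x values.

```python
import ipaddress
import re

# Constructed sample of the /etc/dnsmasq.d/address.conf layout the post uses;
# 10.0.0.1 and 10.0.0.2 are stand-ins for the x.x.x.x intranet-server IPs.
SAMPLE_ADDRESS_CONF = """\
# address=/<domain>/<ip>: answer <domain> and every name under it with <ip>
address=/tsinbei.com/10.0.0.1
address=/mirror.tsinbei.com/10.0.0.2
address=/example.net/10.0.0.1
"""
# Constructed resolv.conf in the order section 1.3.3 asks for.
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 183.60.83.19\n"

_ADDRESS_LINE = re.compile(r"^address=/([^/\s]+)/(\S+)$")

def parse_address_conf(text):
    """Return {domain: ip}; blanks/comments skipped, bad lines or IPs raise ValueError."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ADDRESS_LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not an address= entry: {raw!r}")
        domain, ip = match.group(1).lower().strip("."), match.group(2)
        ipaddress.ip_address(ip)  # rejects typos such as 10.0.0
        table[domain] = ip
    return table

def resolve(name, table):
    """Mimic dnsmasq address= matching: a domain covers itself and all subdomains,
    only on label boundaries (nottsinbei.com never matches tsinbei.com), and the
    longest configured domain wins, so mirror.tsinbei.com beats tsinbei.com."""
    labels = name.lower().strip(".").split(".")
    for start in range(len(labels)):
        suffix = ".".join(labels[start:])
        if suffix in table:
            return table[suffix]
    return None  # no local override: the query goes to the upstream servers

def local_resolver_first(resolv_conf):
    """True when 127.0.0.1 is the first nameserver: glibc queries them in listed
    order and moves on only after a timeout or error, so a later entry rarely runs."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            return parts[1] == "127.0.0.1"
    return False
```

Run it against your own address.conf to confirm that every hostname the reverse proxy uses lands on the intranet server's IP and that no unrelated domain is accidentally covered by a suffix entry.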

3. Domain name resolution configuration

Finally, resolve all the domain names to the IP of the external network server to complete the configuration.

4. Summary

In fact, the local DNS part could also be implemented with Tencent Cloud's PrivateDNS private domain resolution. With the method above, local verification fails when validating SSL certificates, but this does not affect certificate issuance.
Purchase address:
https://cloud.tencent.com/product/privatedns

Using separate internal and external network servers has a high configuration cost and causes some inconvenience in daily use, but the improvement in server security is significant. Configure this part according to your budget and personal habits.

https://blog.tsinbei.com/en/archives/140/

Author: Hsukqi Lee
Posted on 2022-02-04
Edited on 2022-07-28
Licensed under CC BY-NC-ND 4.0
