2025-03-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article summarizes how to strengthen SSH security under Linux. The content is detailed, the steps are clear, and it has some reference value; I hope you get something out of it.
1. Strengthen password login
Password login is convenient because you can log in from any machine anywhere, but it is also vulnerable to brute-force attacks. Try the following strategies to strengthen your password login:
(1) Use a password generation tool, such as pwgen. pwgen has several options, the most useful of which is the password length option (for example, to generate a 12-character password: pwgen 12).
(2) Do not reuse passwords. Ignore all the advice not to write down your passwords, and write down all your login information in a notebook. If you don't believe my advice, you can always trust the security authority Bruce Schneier. If you are careful enough that no one can find your notebook, then it is safe from attacks over the network.
(3) You can add some extra protection to your login notebook, for example by substituting characters or adding new characters to obscure the passwords written in it. Use a simple and easy-to-remember rule, such as adding two extra random characters to your password, or making a single simple substitution, such as replacing # with *.
(4) Open a non-default listening port for your SSH service. Although it is an old-fashioned suggestion, it is really effective. Check your login logs: port 22 is very likely the port that is commonly attacked, while other ports are rarely attacked.
(5) Use Fail2ban to dynamically protect your server from brute-force attacks.
(6) Use an uncommon user name. Never allow root to log in remotely, and avoid the user name "admin".
2. Resolve the "Too many authentication failures" error
When an ssh login fails with the error message "Too many authentication failures for carla", don't be discouraged; getting upset will not solve the problem. The solution is to force password login in your (client's) ~/.ssh/config file. If this file does not exist, first create the ~/.ssh/ directory.
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
Then create the ~/.ssh/config file in a text editor, enter the following, and replace the HostName value with your own remote domain name.
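# A Host line scopes the settings to this server; without it they apply to every connection
Host remote.site.com
HostName remote.site.com
PubkeyAuthentication=no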
(LCTT translation note: this error occurs when you use a Linux machine to log in to another server using ssh and too many private key files are stored in your .ssh directory. When you do not specify the -i option, the ssh client will by default try to log in to the remote server using these private keys one by one. If these private keys do not match the remote host, it will obviously trigger such an error, or even refuse to connect. So this article is to force password login by disabling the local private key. Obviously this is not desirable, and if you do want to avoid logging in with the private key, you should log in with the -o PubkeyAuthentication=no option. Obviously this and the next two contradict each other, so please ignore this article.)
3. Use public key authentication
Public key authentication is much more secure than password login because it is not affected by brute-force password attacks, but it is less convenient because it relies on RSA key pairs. First, you need to create a public/private key pair; next, keep the private key on your client computer and copy the public key to the remote server you want to log in to. You can only log in to the remote server from a computer that has the private key. Your private key is as sensitive as your house key; anyone who gets the private key can get into your account. You can add extra protection by putting a password (passphrase) on your private key. Using RSA keys is a good way to manage multiple users: when a user leaves, simply delete their public key from the server to revoke their login.
The following example creates a new 3072-bit key pair that is more secure than the default 2048-bit key pair and gives it a unique name so you can know which server it belongs to.
$ ssh-keygen -t rsa -b 3072 -f id_mailserver
This creates two new keys, id_mailserver and id_mailserver.pub. id_mailserver is your private key; do not share it! Now use the ssh-copy-id command to safely copy your public key to your remote server. You must make sure that a working SSH login method is already available on the remote server.
$ ssh-copy-id -i id_rsa.pub user@remoteserver
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
user@remoteserver's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@remoteserver'"
and check to make sure that only the key(s) you wanted were added.
ssh-copy-id ensures that you do not inadvertently copy your private key. Copy the login command from the output above, including the single quotes, and use it to test your new key login.
$ ssh 'user@remoteserver'
It will log in with your new key, and if you set a password for your private key, it will prompt you for it.
4. Disable password login
Once you have tested and verified that your public key can log in, you can disable password login so that your remote server can no longer be attacked by brute-forcing passwords. Set the following in the /etc/sshd_config file on your remote server.
PasswordAuthentication no
Then restart the SSH daemon on the server.
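The server-side settings from sections 1 and 4 can be checked mechanically after editing the file. The script below is an added example, not part of the original article: the function names are made up here, the PASS/FAIL policy is this example's reading of the advice above, and it reads a single file (commonly /etc/ssh/sshd_config) without following Include directives.

```shell
#!/bin/sh
# Added example, not from the original article: audit one sshd_config file
# for the server-side settings recommended in sections 1 and 4.

# Print every global value of keyword $2 in file $1, lower-cased, in order.
# Keywords are case-insensitive; "Keyword=value" is accepted as well.
# Scanning stops at the first Match block, whose settings are conditional.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*$/ { next }                      # blank line
        {
            match($0, /^[ \t]*[A-Za-z0-9]+/)     # leading keyword
            key = tolower(substr($0, RSTART, RLENGTH))
            gsub(/[ \t]/, "", key)
            val = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # separator: blanks or "="
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == want) print tolower(val)
        }' "$1"
}

# sshd uses the first value it obtains for a keyword; if the keyword is
# absent, fall back to the OpenSSH default passed as $3.
sshd_effective() {
    v=$(sshd_values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

# One PASS/FAIL/WARN line per check, so the output can be grepped or diffed.
audit_sshd_config() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    [ "$pw" = no ] && echo "PASS PasswordAuthentication=$pw" ||
        echo "FAIL PasswordAuthentication=$pw"
    [ "$root" = no ] && echo "PASS PermitRootLogin=$root" ||
        echo "FAIL PermitRootLogin=$root"
    # Port may be given several times; no Port line means sshd listens on 22.
    ports=$(sshd_values "$1" Port | xargs)
    case " ${ports:-22} " in
        *" 22 "*) echo "WARN Port=${ports:-22} (default port 22 in use)" ;;
        *)        echo "PASS Port=$ports" ;;
    esac
}

# Run against a file given on the command line, e.g. sh audit.sh ./sshd_config
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

On a live server, `sshd -T` prints the effective configuration, including included files, and is the authoritative check before you close your existing session.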
5. Set aliases: they're quick and cool
You can set up an alias for a remote login that you use often, instead of typing the full command every time you log in, such as:
$ ssh -l username -p 2222 remote.site.with.long-name
With an alias you can type ssh remote1 instead. The ~/.ssh/config file on your client machine can use the following settings:
Host remote1
HostName remote.site.with.long-name
Port 2222
User username
PubkeyAuthentication no
If you are logging in with a public key, you can refer to this:
Host remote1
HostName remote.site.with.long-name
Port 2222
User username
IdentityFile ~/.ssh/id_remoteserver
That is the content of this article on "how to strengthen SSH security under Linux". I hope it is helpful to you.