2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article describes how to remotely open the ssh port and how to change an ssh user's root directory in a Linux environment. The editor consulted various materials and put together a simple, practical procedure, which follows.
Temporarily opening the ssh port remotely with a secret knock
We usually manage a Linux server remotely over ssh, which requires opening the ssh port, such as 22. But an open port carries the risk of brute-force cracking. You might say you can set a complex password or use a certificate to avoid that; but even if the password cannot be cracked, there may be vulnerabilities in openssh. You might say you can change the ssh port, but it can still be found by scanning. Another option is to allow only specified IPs to access ssh and to log in to the management server through a vpn, but the limitation is obvious: in an emergency the vpn login may not be available. Here is a solution that I am satisfied with: use the recent module of iptables to temporarily open the ssh port with a secret knock. Of course, the secret knock needs to be kept safe to prevent leakage.
1. Iptables rule setting
# Add the source of any 78-byte icmp packet (including the 20-byte IP header and the 8-byte ICMP header) to the sshopen list.
The code is as follows:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
# Check whether the source IP is in the sshopen list. If so, ssh port 22 is open for 15 seconds from the first use of the secret knock and is closed automatically after more than 15 seconds. New connections are then no longer allowed, but connections that are already established are not disconnected.
The code is as follows:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
2. The secret knock that temporarily opens the ssh port
Under linux:
The code is as follows:
ping -s 50 host
3. The iptables rules I currently use
The code is as follows:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 50 -m recent --set --name sshopen --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
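The knock only works when the ping payload, the --length value, the list name and the rule order all agree. The following is an added example, not part of the original article, that checks a rule listing for those points; the function names are hypothetical and SAMPLE_RULES is constructed from the rules shown above.

```sh
#!/bin/sh
# Added example (not from the original article): consistency check for the
# ICMP-length knock rules. SAMPLE_RULES is constructed for this example.

IP_HDR=20    # IPv4 header without options
ICMP_HDR=8   # ICMP echo header

# Print the value following an option (e.g. --name) in one rule line.
rule_opt() {
    printf '%s\n' "$1" | sed -n "s/.*$2 \([^ ][^ ]*\).*/\1/p"
}

# Print the `ping -s` payload size that produces the rule's --length value.
knock_payload_size() {
    kp_len=$(rule_opt "$1" --length)
    case "$kp_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$kp_len" -ge $((IP_HDR + ICMP_HDR)) ] || return 1
    echo $((kp_len - IP_HDR - ICMP_HDR))
}

# Check a rule listing: the --set and --rcheck rules must share a list name,
# and no plain echo-request ACCEPT may come before the --set rule, because
# the first matching rule wins and the knock would never be recorded.
check_knock() {
    ck_set=$(printf '%s\n' "$1" | grep -n -e '--set' | head -n1)
    ck_chk=$(printf '%s\n' "$1" | grep -e '--rcheck' | head -n1)
    [ -n "$ck_set" ] && [ -n "$ck_chk" ] ||
        { echo "fail: knock or open rule missing"; return 1; }
    [ "$(rule_opt "$ck_set" --name)" = "$(rule_opt "$ck_chk" --name)" ] ||
        { echo "fail: list names differ"; return 1; }
    ck_any=$(printf '%s\n' "$1" | grep -n -e '--icmp-type 8' |
        grep -v -e '--length' | head -n1)
    if [ -n "$ck_any" ] && [ "${ck_any%%:*}" -lt "${ck_set%%:*}" ]; then
        echo "fail: echo-request accepted before the knock rule"; return 1
    fi
    echo "ok payload=$(knock_payload_size "$ck_set") seconds=$(rule_opt "$ck_chk" --seconds)"
}

SAMPLE_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

check_knock "$SAMPLE_RULES"
```

Applied to the rule in section 3, which uses --length 50, knock_payload_size gives 22, so the matching knock for that rule set is a ping with a 22-byte payload.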
Changing the ssh user's root directory with jailkit chroot
Install jailkit
The code is as follows:
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar xzf jailkit-2.16.tar.gz
cd jailkit-2.16
./configure
make
make install
cp extra/jailkit /etc/init.d/jailkit
chmod u+x /etc/init.d/jailkit
chkconfig jailkit on
Initialize the chroot environment
The code is as follows:
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
service jailkit start
Create a new www.yisu.com user
The code is as follows:
useradd www.yisu.com -m
echo www.yisu.com:password | chpasswd
Chroot the user
The code is as follows:
jk_jailuser -m -n -j /home/chroot --shell=/bin/bash www.yisu.com
This concludes the walkthrough of how to remotely open the ssh port and change the ssh user root directory in the Linux environment. Theory combined with practice helps you learn better, so go and try it.