Shulou(Shulou.com)06/01 Report--

Reason:

There is a friend who plays games, he told me that their company has five layers of verification about ssh security! Well, maybe for some operation and maintenance partners who don't pay much attention to safety, why is it so complicated? Some companies even log in directly to root, and even some ssh default ports are not changed. I personally think that it may not be safe to do so much (of course, it should be determined according to the specific environment of the company's business), but at least some basic security aspects should be done in place!

Here are some of my personal summaries to share with you!

Common security measures:

1. Hard firewall.

The acl policy also determines whether a host can be accessed through the hardware firewall.

2. Soft firewall

For example, iptables,tcpwrappers, protection software, etc. further restrictions on the host are imposed internally.

3. Modify the default ssh port

The default is 22, and it is recommended to change it to five.

4. The password should meet the complexity requirements to prevent violent cracking.

To avoid ssh brute force cracking, it is recommended that the password is slightly more complex, in line with the 3/4 principle!

5. Disable root login

Disable root remote ssh login

In / etc/ssh/sshd_config setting: PermitRootLogin no:

Disable root local login (depending on the environment, this is not necessary)

Change auth required pam_succeed_if.so user! = root quiet

Add to the first line of the / etc/pam.d/login file

6. Forbid password login

Delete unnecessary accounts and prohibit users from logging in with passwords

7. Public key and private key authentication

Through the public key and private key rsa2048, and set the complexity password

8. Unified authentication and login by LDAP, etc.

Through centralized management of ssh accounts, security is further improved.

9. Cut the secure log, filter the unsafe access to ip and give an alarm through script.

The secure log records the information of users logging in remotely, and you can check this log for unsafe factors.

10. Set up a log server to monitor secure logs. Check for unsafe factors

A good log server can greatly reduce the work of administrators and facilitate management.

.

Summary:

The above is only some personal problems encountered in the production environment and personal summary, of course, there are many ways to improve its security, according to their own structural environment, choose their own security measures is the king!

If you have any questions, please contact the author!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.