
What are the tips for configuring SSH secure access to Linux servers

2025-01-17 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

This article introduces some tips for configuring secure SSH access to a Linux server. Many people have questions about this in day-to-day operations, so the editor has consulted various sources and put together some simple, practical steps. I hope they answer the question "what are the tips for configuring SSH secure access to Linux servers?" Read on to find out!

Linux ssh security policy 1: shut down unnecessary ports

Most compromised hosts on the network are found by attackers who scan broadly with scanning tools. So, to avoid being picked up by such scans, every port that is not required should be closed; only the necessary ones, such as web, ftp and ssh, stay open. It is worth mentioning that I strongly recommend blocking icmp as well and adding a rule that discards icmp packets. That way nobody can ping your server, and the threat is naturally reduced by more than half. You can add the following entry to iptables to discard icmp packets:

The rule is as follows:

-A INPUT -p icmp -j DROP
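As an added example (not from the article), here is a small shell script that writes out the whole inbound firewall policy this section argues for, in iptables-restore format, rather than the single icmp line: default-deny INPUT, loopback and already-established traffic allowed, icmp dropped, and only the listed tcp ports (the non-default ssh port from policy 2 plus whatever services the box runs) accepted. The port numbers 18439, 80 and 443 are placeholders chosen for illustration; nothing is applied to the running kernel, the ruleset is only printed so it can be reviewed or fed to iptables-restore.

```shell
#!/bin/sh
# Added example (not from the article): emit an iptables-restore ruleset that
# keeps only the ports the server needs open and drops icmp, as policy 1 describes.
# Port numbers used when calling it (18439, 80, 443) are illustrative placeholders.

# gen_ruleset SSH_PORT [EXTRA_TCP_PORT ...]
# Prints a complete filter-table ruleset on stdout; nothing is loaded.
gen_ruleset() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    # Default-deny inbound: anything not explicitly accepted below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and established flows must stay open or the box isolates itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Policy 1: silently discard icmp so the host does not answer ping.
    printf '%s\n' '-A INPUT -p icmp -j DROP'
    # ssh on its non-default port (policy 2) plus any other required services.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# ruleset_has RULESET_TEXT RULE: succeed if RULE appears as an exact line.
ruleset_has() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Usage: gen_ruleset 18439 80 443 > /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4
```

Dropping all icmp also discards "fragmentation needed" messages, which breaks path MTU discovery for clients behind smaller-MTU links; if that matters, narrow the drop rule to `-p icmp --icmp-type echo-request` so only ping is silenced. Check a generated file with `iptables-restore --test` before loading it, and load it from a console or a session you are sure will survive, since the default-deny policy locks out anything not listed.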

Linux ssh security policy 2: change the ssh port

The default ssh port is 22. It is strongly recommended to change it to something above 10000; this greatly reduces the chance of someone scanning their way onto the port. To change it:

The settings are as follows:

# Edit /etc/ssh/ssh_config
vi /etc/ssh/ssh_config
# Under "Host *", add a new Port value. 18439 is used as the example (the same below):
Port 22
Port 18439

# Edit /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
# Add a new Port value
Port 22
Port 18439

# After saving, restart the ssh service:
service sshd restart

I have configured two ports here, mainly so that a mistake in the edit cannot lock me out of ssh. Change the port in your ssh client (e.g. putty) and test the connection; if the new port connects successfully, edit the two files above and delete the Port 22 lines. If the connection fails, connect on port 22 and reconfigure.

Once the port has been set successfully, remember to also remove port 22 from the iptables rules, add the newly configured 18439, and restart iptables.

If the ssh login password is weak, set a complex one. There is an article on the Google blog that stresses password security: does your password pass the test?

Linux ssh security policy 3: restrict ip login

If you always connect to your server from a fixed ip, you can configure the server to allow only that specific ip to log in. For example, I log in to the server through my own vpn. The settings are as follows:
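Added example, not part of the article: a shell function that writes the hosts.allow entry this section configures together with its hosts.deny counterpart. File paths and the address list are parameters (123.45.67.89 is the article's placeholder address), so it can be tried on scratch files before touching /etc.

```shell
#!/bin/sh
# Added example, not from the article: the tcp_wrappers pair that restricts
# sshd to fixed client addresses. Paths are parameters so it can be tried on
# scratch files; 123.45.67.89 is the article's placeholder address.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# restrict_sshd ALLOW_FILE DENY_FILE ADDR...: allow the listed clients, refuse the rest.
restrict_sshd() {
    allow="$1"; deny="$2"; shift 2
    [ $# -gt 0 ] || { echo "restrict_sshd: no addresses given" >&2; return 1; }
    list=""
    for a in "$@"; do
        is_ipv4 "$a" || { echo "restrict_sshd: invalid address $a" >&2; return 1; }
        list="${list:+$list, }$a"
    done
    # hosts.allow is consulted first, so these clients win ...
    printf 'sshd: %s\n' "$list" > "$allow"
    # ... and hosts.deny catches everyone else. Without this line the allow
    # entry restricts nothing, because tcp_wrappers permits when neither file matches.
    printf 'sshd: ALL\n' > "$deny"
}

# Usage: restrict_sshd /etc/hosts.allow /etc/hosts.deny 123.45.67.89
```

The deny file is the part that is easy to forget: tcp_wrappers grants access when neither file matches, so a hosts.allow entry on its own keeps nobody out. Also, hosts.allow only governs sshd if it was built against libwrap; upstream OpenSSH removed tcp_wrappers support in 6.7 and distributions differ, so check with `ldd "$(command -v sshd)" | grep libwrap` and, if it is absent, rely on the firewall rule from policy 1 or a `Match Address` block in sshd_config instead.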

# Edit /etc/hosts.allow
vi /etc/hosts.allow
# For example, allow only 123.45.67.89 to log in to sshd:
sshd:123.45.67.89

Linux ssh security policy 4: log in to ssh using certificate

Using a certificate is more secure than logging in with a password. Tap Water Coffee has written a detailed tutorial, with its consent, reproduced as follows:

Configure ssh certificate login authentication for centos

Source:

In the afternoon I helped the company's network administrator remotely check the mail server, a centos 5.1 box managed remotely with openssh.

When I checked the security log, I found that a bunch of ips had been coming to guess the password almost every day recently. It seemed better to change the login authentication method to certificate verification.

Just in case, I temporarily started a vnc session, so that if the configuration was unfinished and I cheerfully restarted sshd it would not be a problem. (It turned out to be superfluous, as long as you open a putty session in advance and don't close it.)

Here are the simple steps:

1) First add a maintenance account: msa

2) Then su - msa

3) ssh-keygen -t rsa. After specifying the key path and entering the password, the public key and private key are generated in /home/msa/.ssh/: id_rsa id_rsa.pub

4) cat id_rsa.pub >> authorized_keys. As for why that file name: it is what is written in sshd_config. Then chmod 400 authorized_keys, for a little protection.

5) Use psftp to pull id_rsa back to the local machine, and then delete id_rsa and id_rsa.pub on the server.

6) Configure /etc/ssh/sshd_config:

Protocol 2
ServerKeyBits 1024
PermitRootLogin no # forbids root login; unrelated to this article, but more secure
# There is nothing to change in the following three lines, just remove the default # comment:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no

7) Restart sshd: /sbin/service sshd restart

8) Convert the certificate format to suit putty: run puttygen and convert id_rsa to a putty ppk certificate file.

9) Configure putty to log in: under connection--ssh--auth, click browse and select the certificate you just converted. Then fill in the auto-login username under connection--data (mine is msa), fill in the ip address of the server in session, and save it if you like.

10) Having worked through this little bit of trouble you are likely to be happy and log in excitedly, but maybe not: "no supported authentication methods available". In that case you can modify sshd_config, temporarily changing passwordauthentication no to passwordauthentication yes, and restart sshd so that you can log in successfully. After logging out, change passwordauthentication back to no and restart sshd. Normally, when you log in you will be asked for the password of your key file, and if you answer correctly you will be able to log in happily. As for the psftp command, add the -i parameter to specify the path to the certificate file.
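The sshd_config edits from policy 2 (adding a second Port while keeping 22 for rollback) and from step 6 of the tutorial above, plus the authorized_keys installation from step 4, as one added shell example that is not part of the article or of Tap Water Coffee's tutorial. It edits the file with awk instead of vi so the change is repeatable, and it handles two details hand-editing easily gets wrong: when the only Port line is the commented default, sshd listens on 22 implicitly, so adding Port 18439 alone would stop it listening on 22; and a directive appended after a Match line is conditional, not global. Paths are parameters so it can be tested on a scratch copy; the public key line passed to install_pubkey is whatever ssh-keygen wrote to id_rsa.pub.

```shell
#!/bin/sh
# Added example, not the article's or the tutorial's own code: repeatable
# sshd_config edits for policy 2 (second Port) and step 6 (key-only login),
# plus the authorized_keys installation from step 4. All paths are parameters,
# so everything can be exercised on a scratch copy of the file first.

# replace_file CFG: move CFG.tmp over CFG in place, keeping CFG's owner and mode.
replace_file() { cat "$1.tmp" > "$1" && rm -f "$1.tmp"; }

# sshd_insert_global CFG LINE: append LINE, but in front of the first active
# Match line; anything after Match is conditional, not global.
sshd_insert_global() {
    awk -v line="$2" '
        !ins && /^[ \t]*Match([ \t]|$)/ { print line; ins = 1 }
        { print }
        END { if (!ins) print line }
    ' "$1" > "$1.tmp" && replace_file "$1"
}

# sshd_add_port CFG PORT: add a listening port while keeping the current one,
# the rollback-friendly order the article follows before retiring port 22.
sshd_add_port() {
    cfg="$1"; port="$2"
    # With no active Port line sshd listens on 22 by default; make that explicit
    # first, otherwise adding 18439 alone would silently stop it listening on 22.
    grep -Eq '^[[:space:]]*Port[[:space:]]' "$cfg" || sshd_insert_global "$cfg" 'Port 22'
    grep -Eq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*\$" "$cfg" && return 0
    sshd_insert_global "$cfg" "Port $port"
}

# sshd_set CFG KEY VALUE: make "KEY VALUE" the effective global setting. The
# first active line or "#KEY ..." default (how stock sshd_config shows defaults)
# is rewritten, later duplicates are dropped, and a missing directive is added
# before any Match block. Directive names are case-insensitive, as in sshd.
sshd_set() {
    awk -v key="$2" -v val="$3" '
        BEGIN { k = tolower(key) }
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (!inmatch && !commented && name == "match") {
                if (!done) { print key " " val; done = 1 }
                inmatch = 1
            }
            if (!inmatch && name == k) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$1" > "$1.tmp" && replace_file "$1"
}

# sshd_get CFG KEY: print the effective global value (first active line, as sshd reads it).
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        !/^[ \t]*#/ && tolower($1) == k { print $2; exit }
    ' "$1"
}

# key_only_login CFG: the step 6 settings that still matter on current OpenSSH.
key_only_login() {
    sshd_set "$1" PermitRootLogin no
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" AuthorizedKeysFile .ssh/authorized_keys
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" PermitEmptyPasswords no
}

# install_pubkey HOME PUBKEY_LINE: append the key once, with the modes sshd's
# StrictModes requires (it refuses group- or world-writable key files or dirs).
install_pubkey() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    grep -Fxq -- "$2" "$1/.ssh/authorized_keys" 2>/dev/null ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Usage on a real host (work on a copy first, then check it before restarting):
#   cp -p /etc/ssh/sshd_config /tmp/sshd_config && sshd_add_port /tmp/sshd_config 18439
#   key_only_login /tmp/sshd_config && sshd -t -f /tmp/sshd_config
#   install_pubkey /home/msa "$(cat /home/msa/.ssh/id_rsa.pub)"
```

Run `sshd -t` against the edited file before `service sshd restart`; it reports syntax errors without touching the running daemon, which is the check that makes the tutorial's "keep a putty session open" advice rarely necessary. Protocol, ServerKeyBits and RSAAuthentication from the original step 6 are left out of key_only_login because OpenSSH 7.4 and later dropped protocol 1 and only log a deprecation warning for them; chmod 600 on authorized_keys is equivalent to the tutorial's 400 for sshd's purposes while still letting the user append keys.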
This concludes the study of "what are the tips for configuring SSH secure access to Linux servers". I hope it has cleared up your doubts. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning, please keep following the site; the editor will keep working to bring you more practical articles!
