2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
We often have to expose the ssh port (22) on the public network. Taking CentOS 6 as an example, here are a few ways to harden the ssh service.
1. Limit password attempts (denyhosts)
yum install denyhosts --enablerepo=epel
chkconfig denyhosts on
/etc/init.d/denyhosts start
2. Get rid of password authentication and log in with ssh key
Modify /etc/ssh/sshd_config:
PasswordAuthentication no
3. Prohibition of root login
Modify /etc/ssh/sshd_config:
PermitRootLogin no
4. Limit the connection frequency
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
You can also use the iptables recent module for an alternative strategy: keep the ssh port closed by default and open it with a ping.
# log matching pings, prefixed with SSHOPEN:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -j LOG --log-prefix "SSHOPEN:"
# The default Linux ping carries 56 bytes of data; with the 20-byte IP header and the 8-byte ICMP header that is 84 bytes in total.
# Here we require a 78-byte packet and later unlock with a ping of exactly that size.
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
# a source IP recorded in the sshopen list is allowed to reach port 22 for 15 seconds
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
ping -s 50 host    # Linux unlock (50 data + 8 ICMP + 20 IP = 78 bytes)
ping -l 50 host    # Windows unlock
5. Limit the source of IP
This is a little more complicated: use the GeoIP database to identify where an IP comes from, for example to allow only Chinese IPs.
Write a script (installed below as /usr/bin/sshfilter.sh):
#!/bin/bash
# UPPERCASE space-separated country codes to ACCEPT
ALLOW_COUNTRIES="CN"

if [ $# -ne 1 ]; then
  echo "Usage: `basename $0`" 1>&2
  exit 0 # return true in case of config issue
fi

# geoiplookup prints e.g. "GeoIP Country Edition: CN, China"; keep only the country code
COUNTRY=`/usr/bin/geoiplookup $1 | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1`

# private/unknown addresses ("IP Address not found") are allowed, so LAN access keeps working
[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE="ALLOW" || RESPONSE="DENY"

if [ $RESPONSE = "ALLOW" ]; then
  exit 0
else
  logger "$RESPONSE sshd connection from $1 ($COUNTRY)"
  exit 1
fi
Use tcp_wrappers to call that script:
chmod 775 /usr/bin/sshfilter.sh
echo "sshd: ALL" >> /etc/hosts.deny
echo "sshd: 10.0.0.0/8" > /etc/hosts.allow
echo "sshd: ALL: aclexec /usr/bin/sshfilter.sh %a" >> /etc/hosts.allow
6. Set timeout
An ssh session timeout also belongs in the security category: it prevents a terminal from being used by someone else after its owner walks away.
Set it here to 1800 seconds (30 minutes).
Method 1. Use the environment variable TMOUT
echo "export TMOUT=1800" > /etc/profile.d/timeout.sh
source /etc/profile.d/timeout.sh
Method 2. Modify sshd_config
ClientAliveInterval 60     # send a keepalive to the client every 60 seconds
ClientAliveCountMax 30     # 30 unanswered keepalives (60 s x 30 = 1800 s) and sshd drops the session
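Sections 2, 3 and 6 all rely on lines in sshd_config, and sshd only honours the first uncommented occurrence of a keyword, so a quick grep can report a setting that is not actually in effect. The following audit script is an added example, not part of the original article; it assumes only POSIX sh and awk, and the sample config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# settings this page recommends. sshd takes the FIRST occurrence of a keyword,
# matches keywords case-insensitively, and ignores commented lines (they only
# document the compiled-in default), so a naive grep gives misleading answers.

# effective_value FILE KEYWORD: print the value sshd would use, or nothing if
# the keyword is not set (i.e. the default applies).
effective_value() {
  awk -v key="$2" '
    { sub(/#.*/, "") }                                        # drop comments
    NF >= 2 && tolower($1) == tolower(key) { print $2; exit } # first match wins
  ' "$1"
}

# check_sshd_config FILE: print one FAIL line per setting that differs from the
# value recommended in sections 2, 3 and 6; exit status = number of failures.
check_sshd_config() {
  f=$1; failures=0
  for pair in PasswordAuthentication=no PermitRootLogin=no \
              ClientAliveInterval=60 ClientAliveCountMax=30; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$f" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: want '$want', effective '${got:-<default>}'"
      failures=$((failures + 1))
    fi
  done
  return $failures
}

# Constructed sample config (not any real host's file). The commented
# PermitRootLogin line and the second PasswordAuthentication line are both
# ignored by sshd, so this file fails three of the four checks.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
ClientAliveInterval 60
EOF
check_sshd_config "$SAMPLE" || echo "$? check(s) failed"
rm -f "$SAMPLE"
```

Run it against a real file with `check_sshd_config /etc/ssh/sshd_config` after editing; an exit status of 0 means all four settings are in effect.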
Reference articles
http://www.axllent.org/docs/view/ssh-geoip/
http://www.haiyun.me/archives/iptables-recent.html
http://www.cnblogs.com/fhefh/archive/2011/10/19/2217954.html