
How to reinforce SSH Security in SUSE LINUX

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows you how to harden SSH on SUSE Linux. The content is concise and easy to follow, and I hope the detailed walkthrough below is useful to you.

When logging in to a remote host (a SUSE Linux system) with ssh, the following error occurs:

ssh_exchange_identification: Connection closed by remote host

This problem is caused by the host's SSH access restrictions in /etc/hosts.allow. The fix itself is simple, but it requires going to the machine room in person, because the security rules do not allow VNC to be opened. The specific fix: edit the /etc/hosts.allow file, add the line sshd: ALL: ALLOW, save with :wq, and restart the sshd service.

Taking this small issue as a starting point, here is a summary of SSH security hardening on SUSE Linux:

Note: The following configuration items are modified in the /etc/ssh/sshd_config file.

1. Change the default port of SSH

Look for the following line in the /etc/ssh/sshd_config file:

Port 22

Change port 22 to another port, such as 10326.

After saving, restart SSHD service: service sshd restart

It is recommended to use a port above 10000; this greatly reduces the chance that a casual port scan finds the service.

2. Restrict remote root login

Look for the following line in the /etc/ssh/sshd_config file:

PermitRootLogin yes

Change yes to no.

After saving, restart SSHD service: service sshd restart

With this setting in place, you can only log in as a normal user and then su to root.

3. Modify default login time

Look for the following line in the /etc/ssh/sshd_config file:

LoginGraceTime 2m

By default, sshd gives you 2 minutes after connecting to enter your account and password. You can shorten this to 1 minute or 30 seconds.

4. Upgrade the old version

Upgrade older OpenSSH versions, because earlier OpenSSH releases had security vulnerabilities. For a newly configured OpenSSH server, it is wise to use the latest stable version. The source code can be downloaded from http://www.openssh.com for compilation.

5. Disconnect when the user is inactive

Look for the following lines in the /etc/ssh/sshd_config file:

ClientAliveCountMax 3

ClientAliveInterval 0

Make the following modifications:

ClientAliveInterval 600

ClientAliveCountMax 0

ClientAliveInterval 600 together with ClientAliveCountMax 0: disconnects automatically when the user has been inactive for 10 minutes.

ClientAliveCountMax: the default is 3, meaning the SSH server sends three client-alive checks when the session has no activity.

ClientAliveInterval: the default is 0, meaning the server waits this many seconds of inactivity before sending a message asking the client to respond (0 means never send); if there is no response, the connection is dropped.

6. Modify the encryption protocol version

Look for the following line in the /etc/ssh/sshd_config file:

#Protocol 2,1

The default allows both protocol version 1 and version 2; change it to Protocol 2.

After saving, restart SSHD service: service sshd restart

Unlike version 1, version 2 no longer generates a separate server key. When the client connects to the server, the two sides derive a shared key with the Diffie-Hellman key exchange algorithm and then encrypt the session symmetrically with a Blowfish-like cipher.

7. Limit IP login

If you always connect to your server from a fixed IP address, you can allow only certain addresses to log in. For example, I log in to the server through a specific bastion host. The settings are as follows:

Edit /etc/hosts.allow:

vi /etc/hosts.allow

For example, to allow only 124.45.67.52 to log in:

sshd:124.45.67.52:ALLOW

After saving, restart SSHD service: service sshd restart
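The hosts.allow mechanics behind both the incident at the start of this article and step 7 can be checked without touching a real server. The script below is an added example, not code from the original article: a simplified emulation of the TCP wrappers decision that sshd applies through /etc/hosts.allow and /etc/hosts.deny, run over constructed copies of those files. It assumes hosts.deny carries the common ALL: ALL lock-down, which is what makes a missing sshd line in hosts.allow close the connection; the vsftpd line and the address 10.0.0.5 are invented sample data. Hostnames, netmasks, EXCEPT and spawn/twist options are not modelled; to test real files, use tcpdmatch(8) where it is available.

```shell
#!/bin/sh
# Added example: toy emulation of libwrap's hosts.allow / hosts.deny decision.
# Order of evaluation:
#   1. hosts.allow is scanned; the first matching line decides (ALLOW unless
#      the line carries an explicit DENY option);
#   2. otherwise hosts.deny is scanned; the first match decides (DENY unless
#      the line says ALLOW);
#   3. otherwise the connection is allowed.
# Only ALL, exact names/IPv4 addresses and dotted prefixes ("192.168.10.")
# are understood in daemon and client lists.

# client_matches PATTERN IP: does one client-list entry match the address?
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] && return 0; return 1 ;;
    esac
}

# daemon_matches PATTERN NAME: does one daemon-list entry match the service?
daemon_matches() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# list_matches LIST ITEM MATCHER: LIST is comma separated, MATCHER a function.
list_matches() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        "$3" "$entry" "$2" && return 0
    done
    return 1
}

# scan_file FILE DAEMON IP DEFAULT: print the verdict of the first matching
# line and return 0; return 1 when nothing matches or the file is absent.
scan_file() {
    [ -f "$1" ] || return 1
    while IFS=: read -r dlist clist opt; do
        dlist=$(printf '%s' "$dlist" | tr -d ' \t')
        clist=$(printf '%s' "$clist" | tr -d ' \t')
        opt=$(printf '%s' "$opt" | tr -d ' \t')
        case "$dlist" in ''|'#'*) continue ;; esac    # blank or comment line
        if list_matches "$dlist" "$2" daemon_matches &&
           list_matches "$clist" "$3" client_matches; then
            case "$opt" in ALLOW|DENY) echo "$opt" ;; *) echo "$4" ;; esac
            return 0
        fi
    done < "$1"
    return 1
}

# tcpwrap_decide DAEMON IP ALLOWFILE DENYFILE: prints ALLOW or DENY.
tcpwrap_decide() {
    v=$(scan_file "$3" "$1" "$2" ALLOW) && { echo "$v"; return 0; }
    v=$(scan_file "$4" "$1" "$2" DENY)  && { echo "$v"; return 0; }
    echo ALLOW
}

# Constructed sample files reproducing the article's situation: a locked-down
# hosts.deny and a hosts.allow that lists another service but not sshd.
write_demo_files() {
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf '# services reachable on this host\nvsftpd: 192.168.10.\n' > "$1/hosts.allow.before"
    # the quick fix from the incident: open sshd to everyone
    printf 'vsftpd: 192.168.10.\nsshd: ALL: ALLOW\n' > "$1/hosts.allow.quickfix"
    # after step 7 of the article: only the bastion host may reach sshd
    printf 'vsftpd: 192.168.10.\nsshd: 124.45.67.52 : ALLOW\n' > "$1/hosts.allow.after"
}

DEMO=$(mktemp -d)
write_demo_files "$DEMO"
for f in before quickfix after; do
    for ip in 124.45.67.52 10.0.0.5; do
        printf '%-9s %-14s -> %s\n' "$f" "$ip" \
            "$(tcpwrap_decide sshd "$ip" "$DEMO/hosts.allow.$f" "$DEMO/hosts.deny")"
    done
done
rm -rf "$DEMO"
```

With the "before" files every sshd client is refused, which is exactly the ssh_exchange_identification error from the start of the article; the quick fix opens sshd to all addresses, and the step 7 line narrows it back to the bastion host while leaving the ALL: ALL deny in place for everything else.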

8. Allow or prohibit specified users and groups from logging in

To allow logins only for specified users and groups:

AllowUsers john jason

AllowGroups sysadmin dba

To deny logins for specified users or groups:

DenyUsers corn apath

DenyGroups devers qa

After saving, restart SSHD service: service sshd restart

Note: Allow and Deny directives can be combined; sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
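The evaluation order in the note above is easier to reason about once you can run it. The script below is an added example, not code from the article: it replays sshd's documented DenyUsers, AllowUsers, DenyGroups, AllowGroups order over the directive values from step 8. The account alice, the users group and the group memberships are invented; the directive values are held in shell variables rather than read from sshd_config, and sshd's pattern features (wildcards and user@host forms) are not modelled.

```shell
#!/bin/sh
# Added example: emulate the order in which sshd evaluates its four user/group
# access directives. Values are the ones from the article; group membership is
# passed in as a space separated list instead of being looked up with id(1).
ALLOW_USERS="john jason"
ALLOW_GROUPS="sysadmin dba"
DENY_USERS="corn apath"
DENY_GROUPS="devers qa"

# in_list WORD LIST: is WORD one of the space separated words in LIST?
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# lists_intersect LIST1 LIST2: does any word of LIST1 occur in LIST2?
lists_intersect() {
    for g in $1; do in_list "$g" "$2" && return 0; done
    return 1
}

# sshd_user_allowed USER "GROUP ...": prints the verdict and the directive
# that produced it. Checks run in sshd's documented order; the first denial
# wins, and an empty Allow list means "no restriction" just as in sshd.
sshd_user_allowed() {
    if [ -n "$DENY_USERS" ] && in_list "$1" "$DENY_USERS"; then
        echo "DENY (DenyUsers)"
    elif [ -n "$ALLOW_USERS" ] && ! in_list "$1" "$ALLOW_USERS"; then
        echo "DENY (not in AllowUsers)"
    elif [ -n "$DENY_GROUPS" ] && lists_intersect "$2" "$DENY_GROUPS"; then
        echo "DENY (DenyGroups)"
    elif [ -n "$ALLOW_GROUPS" ] && ! lists_intersect "$2" "$ALLOW_GROUPS"; then
        echo "DENY (not in AllowGroups)"
    else
        echo "ALLOW"
    fi
}

# Constructed accounts as "user:groups" pairs.
for acct in "john:users sysadmin" "jason:users qa" "corn:users sysadmin" \
            "alice:users dba" "john:users"; do
    u=${acct%%:*}; g=${acct#*:}
    printf '%-6s in [%s] -> %s\n' "$u" "$g" "$(sshd_user_allowed "$u" "$g")"
done
```

Two consequences worth noticing: jason is listed in AllowUsers but is still refused because one of his groups is in DenyGroups, and john is refused when he belongs to none of the AllowGroups. When both AllowUsers and AllowGroups are set, as in step 8, a user has to pass both checks.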

9. Restrict the listening addresses

If your server has several network cards and IP addresses, you can make sshd listen only on some of them, so that logins are possible only through those addresses.

For example, you have four network cards.

eth0 - 192.168.10.200

eth2 - 192.168.10.201

eth3 - 192.168.10.202

eth4 - 192.168.10.203

If you only want users to log in via .200 and .202, do the following.

Look for the following line in the /etc/ssh/sshd_config file:

#ListenAddress 0.0.0.0

and change it as follows:

ListenAddress 192.168.10.200

ListenAddress 192.168.10.202

10. Finally, set the permissions of the configuration file so that unauthorized users cannot modify it

#chmod 644 /etc/ssh/sshd_config

Also note that the files under /etc/ssh must never be given 777 permissions: ssh is meant to be a secure way to log in, and if everyone can read and modify its files at will, what security is left?
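To apply steps 1 through 10 repeatably rather than by hand in vi, here is an added example (not the article's code) of a small POSIX shell helper. It replaces or inserts sshd_config directives in the global section only, reads back their effective values, and checks the permission points from step 10 against a constructed stand-in for /etc/ssh: the sshd_config contents, the Match User backup block and the placeholder host key file are invented. One deliberate difference from step 5: the demo sets ClientAliveCountMax 3 rather than 0, because current sshd_config(5) documents that a value of 0 disables connection termination.

```shell
#!/bin/sh
# Added example: idempotent sshd_config editing plus the permission checks of
# step 10. Limitations: only the global section is edited (everything after the
# first Match line is left alone), and a comment that merely begins with a
# keyword, such as "# Port 22 is the default", is treated as a commented-out
# directive and replaced.

# set_sshd_option FILE KEY VALUE [VALUE...]: replace every global-section
# occurrence of KEY (commented out or not) with one "KEY VALUE" line per VALUE
# at the position of the first occurrence; if KEY never occurred, insert the
# lines before the first Match block or at the end of the file.
set_sshd_option() {
    file=$1; key=$2; shift 2
    joined=; for v in "$@"; do joined="$joined;$v"; done; joined=${joined#;}
    tmp="$file.tmp.$$"
    awk -v key="$key" -v joined="$joined" '
        function emit(    n, i, vals) {
            n = split(joined, vals, ";")
            for (i = 1; i <= n; i++) print key " " vals[i]
            done = 1
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation and "#"
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])
            if (word == "match" && !in_match) { if (!done) emit(); in_match = 1 }
            if (word == tolower(key) && !in_match) { if (!done) emit(); next }
            print
        }
        END { if (!done) emit() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps inode and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective global-section value(s) of KEY
# (repeated directives such as ListenAddress are joined with spaces).
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
            out = out (out == "" ? "" : " ") v
        }
        END { print out }
    ' "$1"
}

# check_sshd_perms DIR: flag files that are group- or world-writable, and
# private host keys (*_key) readable by anyone but the owner. Parses "ls -l"
# so it works with both GNU and BSD userland. Returns 1 if anything is flagged.
check_sshd_perms() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c2-10)             # e.g. rw-r--r--
        if [ "$(printf '%s' "$mode" | cut -c5)" = w ] ||
           [ "$(printf '%s' "$mode" | cut -c8)" = w ]; then
            echo "WARNING: $f is group/world-writable ($mode)"; bad=1
        fi
        case "$f" in *_key)
            if [ "$(printf '%s' "$mode" | cut -c4-9)" != "------" ]; then
                echo "WARNING: private key $f is readable by others ($mode)"; bad=1
            fi ;;
        esac
    done
    return $bad
}

# make_demo_config DIR: constructed files standing in for /etc/ssh (not a real
# SUSE default); the host key file holds a placeholder string, not key material.
make_demo_config() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sshd_config for the demo
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin yes
LoginGraceTime 2m
ClientAliveInterval 0
ClientAliveCountMax 3
Subsystem sftp /usr/lib/ssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
    printf 'PLACEHOLDER, NOT A REAL KEY\n' > "$1/ssh_host_rsa_key"
    chmod 644 "$1/sshd_config"; chmod 600 "$1/ssh_host_rsa_key"
}

DEMO=$(mktemp -d); make_demo_config "$DEMO"; CFG="$DEMO/sshd_config"
set_sshd_option "$CFG" Port 10326
set_sshd_option "$CFG" PermitRootLogin no
set_sshd_option "$CFG" LoginGraceTime 30
set_sshd_option "$CFG" Protocol 2
set_sshd_option "$CFG" ListenAddress 192.168.10.200 192.168.10.202
set_sshd_option "$CFG" ClientAliveInterval 600
set_sshd_option "$CFG" ClientAliveCountMax 3   # 0 disables termination on current OpenSSH
set_sshd_option "$CFG" AllowGroups "sysadmin dba"
for k in Port PermitRootLogin LoginGraceTime Protocol ListenAddress AllowGroups; do
    printf '%-20s %s\n' "$k" "$(get_sshd_option "$CFG" "$k")"
done
chmod 666 "$CFG"                               # simulate the mistake from step 10
check_sshd_perms "$DEMO" || echo "fix with: chmod 644 $CFG"
rm -rf "$DEMO"
```

Run the helper against a copy of the real file, check the result with sshd -t -f on that copy, and only then move it into place and restart sshd; because a bad sshd_config can lock you out of the very service you are hardening, keep the existing session open until a second login succeeds.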

Summary: every small problem, once carefully considered and summarized, turns up many useful details.

The above is how to do SSH security hardening in SUSE LINUX. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserves, please pay attention to the industry information channel.
