Restricting SSH logins on Linux: denying specific users or IPs, and allowing only specific IPs to log in via SSH

1. Restrict user SSH login

Only allow specified users to log in (whitelist):

Set the AllowUsers option in the /etc/ssh/sshd_config configuration file. (The sshd service needs to be restarted after the configuration is completed.) The format is as follows:

AllowUsers aliyun test@192.168.1.1   # Allow the aliyun account, and the test account only when it connects from 192.168.1.1, to log in to the system through SSH
Only deny login to specified users (blacklist):

Set the DenyUsers option in the /etc/ssh/sshd_config configuration file. (The sshd service needs to be restarted after the configuration is completed.) The format is as follows:

DenyUsers zhangsan aliyun   # Linux system accounts
# Deny the zhangsan and aliyun accounts from logging in to the system through SSH

Restart sshd:

service sshd restart
2. Restrict IP SSH login

Note: The IP here refers to the client IP, not the server IP. The following example uses the hosts.allow configuration method. Its advantage is that it is quick to set up, but it is also inflexible; switching to an iptables-based solution is recommended.

In addition to prohibiting a user from logging in, we can also prohibit logins from a fixed IP. The Linux server provides the two files /etc/hosts.allow and /etc/hosts.deny, and hosts.allow takes precedence over hosts.deny. Restricting or allowing a certain IP address, or a certain range of IP addresses, to log in to the server remotely via SSH is a simple method, and it takes effect immediately after the setting is made; there is no need to restart the sshd service. The details are as follows:

Add to /etc/hosts.allow:

sshd:192.168.0.1:allow   # Allow SSH login from the IP address 192.168.0.1
sshd:192.168.0.:allow    # Allow SSH login from the whole 192.168.0. segment (192.168.0.1/24); multiple segments can be separated by commas, for example: sshd:192.168.0.,192.168.1.:allow

To allow all SSH logins instead, add to /etc/hosts.allow:

sshd:ALL   # Allow all SSH logins

Add to /etc/hosts.deny:

sshd:ALL   # Reject all IP addresses

When both hosts.allow and hosts.deny are set, the rules in hosts.allow have the higher priority. With the settings above, the server only allows SSH login from the IP address 192.168.0.1, and all other IPs are rejected.
Reference for hosts.deny: http://www.cnblogs.com/EasonJim/p/8338931.html
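Before relying on the two files, it helps to check what decision a given client address would actually get. The following evaluator is an added example (not from the original post or from libwrap itself) that applies the lookup order described above, hosts.allow first, then hosts.deny, default allow, to the rule forms used on this page: exact IP, trailing-dot network prefix, ALL, comma-separated lists and the optional :allow/:deny field; the sample rule lines are constructed to match the configuration above.

```python
def _client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.0." matches 192.168.0.x
        return client_ip.startswith(pattern)
    return client_ip == pattern        # exact address


def _rule_matches(line, daemon, client_ip):
    """Parse 'daemon_list : client_list [: option]'; return (matched, option)."""
    line = line.split("#", 1)[0].strip()   # drop trailing comments
    if not line:
        return False, None
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        return False, None
    daemons = [d.strip() for d in fields[0].split(",")]
    clients = fields[1].split(",")
    option = fields[2].lower() if len(fields) > 2 else None
    daemon_ok = daemon in daemons or "ALL" in daemons
    client_ok = any(_client_matches(c, client_ip) for c in clients)
    return daemon_ok and client_ok, option


def tcpwrap_decision(allow_lines, deny_lines, client_ip, daemon="sshd"):
    """Return 'allow' or 'deny' in TCP-wrappers order: hosts.allow is searched
    first and a match there decides; otherwise hosts.deny is searched; if
    nothing matches anywhere, access is granted."""
    for line in allow_lines:
        matched, option = _rule_matches(line, daemon, client_ip)
        if matched:
            return "deny" if option == "deny" else "allow"
    for line in deny_lines:
        matched, option = _rule_matches(line, daemon, client_ip)
        if matched:
            return "allow" if option == "allow" else "deny"
    return "allow"


# Constructed sample mirroring the configuration shown on this page.
HOSTS_ALLOW = ["sshd:192.168.0.1:allow  # one management host",
               "sshd:192.168.0.,192.168.1.:allow  # two segments"]
HOSTS_DENY = ["sshd:ALL  # reject everyone else"]

if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.1.77", "10.0.0.5"):
        print(ip, "->", tcpwrap_decision(HOSTS_ALLOW, HOSTS_DENY, ip))
```

Upstream OpenSSH dropped libwrap (TCP wrappers) support in version 6.7, so confirm that the sshd binary on your system still honours these files (for example with `ldd $(command -v sshd) | grep libwrap`) rather than assuming the rules are enforced.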

Solving "Host key verification failed" (tested, works)

First, find the problem
The problem looks like this:

$ ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:HDjXJvu0VYXWF+SKMZjSGn4FQmg/+w6eV9ljJvIXpx0.
Please contact your system administrator.
Add correct host key in /Users/wangdong/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/wangdong/.ssh/known_hosts:46
ECDSA host key for 108.61.163.242 has changed and you have requested strict checking.
Host key verification failed.

The important lines here are:

ECDSA host key for 108.61.163.242 has changed and you have requested strict checking.
Host key verification failed.

This usually happens after you have reset your server: the error appears the next time you try to connect.

Second, solve the problem
Solving it is also very simple:

ssh-keygen -R <the IP address you want to access>
For example:

ssh-keygen -R 108.61.163.242

Origin http://43.154.161.224:23101/article/api/json?id=324344834&siteId=291194637