1. Prohibit root login
# /etc/ssh/sshd_config
PermitRootLogin no2. It is forbidden to log in with a password
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey3. Modify the default port
# /etc/ssh/sshd_config
Port 324564. Restrict access to sources
Use TCP Wrapper and firewall to control the source network and IP that can access the OpenSSH server to avoid illegal access. For example, add trusted IP list in /etc/hosts.allow
# /etc/hosts.allow
sshd: 192.168.0.0/255.255.255.0
sshd: 10.0.0.0/255.255.255.05. Enable session timeout
Enabling SSH session timeout is a very good protection method. In the sshd_config file, set the ClientAliveInterval property to 300 and the ClientAliveCountMax property to 0
# /etc/ssh/sshd_config
ClientAliveInterval 300
ClientAliveCountMax 06. Configure the SSH security protocol
The version number of the SSH security protocol will affect the actual security, so it is necessary to configure it according to the actual situation. In sshd_config, add the following properties:
# /etc/ssh/sshd_config
Protocol 2
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected],[email protected]
其中,Protocol 属性设置为 2,表示只使用 SSH 协议版本 2。KexAlgorithms 属性设置加密算法,Ciphers 属性设置数据加密算法,MACs 属性设置完整性算法,以上设置可以根据实际的需求和算法的安全性进行选择。other instructions
安装最新的补丁:及时安装最新的安全补丁,修复已知的漏洞和安全问题。同时,使用最新的操作系统和软件版本,可以提升 OpenSSH 服务的安全性。
其他措施:在 OpenSSH 服务器上定期监测系统日志,及时处理异常情况。同时,提高用户或管理员的安全意识,避免密码泄露或疏忽造成的安全漏洞。