SSH security: configuration options and a detailed case study

Disclaimer: This article is the blogger's original work, licensed under CC 4.0 BY-SA; when reproducing it, please attach the original source link and this statement.
This link: https://blog.csdn.net/ck784101777/article/details/102554834

Improving the security of the SSH service

1. SSH configuration file

File path: /etc/ssh/sshd_config

Options to consider:

1_ Common listening options for the SSH server:

  Port 22                 # listen on port 22
  Protocol 2              # use SSH protocol version 2
  ListenAddress 0.0.0.0   # listen on all addresses
  UseDNS no               # disable reverse DNS lookups of clients

2_ Common user login control options:

  PermitRootLogin no        # forbid root from logging in
  PermitEmptyPasswords no   # forbid login with an empty password
  LoginGraceTime 2m         # 2 minutes to complete authentication
  MaxAuthTries 6            # at most 6 authentication attempts per connection
  AllowUsers steven         # only allow user steven to log in
  DenyUsers steven          # do not allow user steven to log in

3_ Common authentication options:

  PasswordAuthentication yes               # enable password authentication
  PubkeyAuthentication yes                 # enable public key authentication
  AuthorizedKeysFile .ssh/authorized_keys  # file holding the accepted public keys
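
An added example (not code from the original post) that audits an sshd_config file for the options listed above. It assumes plain "Keyword value" lines and reproduces two sshd parsing rules that manual review often misses: for each keyword the first value in the file wins, and lines after the first "Match" apply only conditionally. The sample config and the audit function are constructed for this illustration.

```shell
# Added example (not part of the original post): audit an sshd_config for the
# options listed above, mirroring two sshd parsing rules: for each keyword the
# FIRST value in the file wins (a "PermitRootLogin no" appended below an earlier
# "yes" is ignored), and lines after the first "Match" apply conditionally.
# Assumes "Keyword value" lines; keywords are case-insensitive, as in sshd.
# effective_value FILE KEYWORD -> the global value sshd would use, or nothing
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }         # comment or blank line
        tolower($1) == "match" { exit }        # conditional section: stop
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line; exit status 1 if any
audit_sshd_config() {
    file=$1; n=0
    for rule in PermitRootLogin:no PermitEmptyPasswords:no UseDNS:no \
                PasswordAuthentication:no PubkeyAuthentication:yes; do
        key=${rule%%:*}; want=${rule#*:}
        got=$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "$key: not set, sshd default applies"; n=$((n + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key: effective value '$got', expected '$want'"; n=$((n + 1))
        fi
    done
    # a commented-out whitelist means every account may log in
    if [ -z "$(effective_value "$file" AllowUsers)$(effective_value "$file" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups: no whitelist configured"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: looks hardened, but the first PermitRootLogin line wins
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
UseDNS no
AllowUsers jjh ljz
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE" || echo "fix these before restarting sshd"
rm -f "$SAMPLE"
```

Running it on a real server (audit_sshd_config /etc/ssh/sshd_config) reports the single finding "PermitRootLogin: effective value 'yes', expected 'no'" for the sample, while the PasswordAuthentication override inside the Match block is correctly left out of the global result.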

 

2. Change the SSH port

Change the port to 999 instead of the default 22; after that, use the -p option of ssh to specify the port when logging in. The SSH host's IP address is 192.168.4.5.

  [root@proxy ~]# vim /etc/ssh/sshd_config
  Port 999
  [root@proxy ~]# systemctl restart sshd
  [root@room9pc01 ~]# ssh [email protected]
  ssh: connect to host 192.168.1.41 port 22: Connection refused
  [root@room9pc01 ~]# ssh -p 999 [email protected]

 

3. Forbid root login / forbid login with an empty password

1) Adjust the sshd service configuration and restart the service

  [root@proxy ~]# vim /etc/ssh/sshd_config
  .. ..
  PermitRootLogin no        # forbid root from logging in
  PermitEmptyPasswords no   # forbid login with an empty password
  .. ..
  [root@proxy ~]# systemctl restart sshd

2) Test the basic security policy

Trying to log in as root over SSH now fails:

  [root@proxy ~]# ssh [email protected]
  [email protected]'s password:
  Permission denied, please try again.

Give the server user kate (create the account first if it does not exist) an empty password; SSH login attempts will then fail:

  [root@proxy ~]# passwd -d kate   // clear the user's password
  Clear user password kate.
  passwd: Successful operation

  [root@proxy ~]# ssh [email protected]
  [email protected]'s password:
  Permission denied, please try again.

 

4. Set up a whitelist and blacklist; the whitelist allows only the listed users

To allow SSH access only for specified users and refuse login to everyone not explicitly listed:

1) Adjust the sshd service configuration: add an AllowUsers policy that permits only the users jjh and ljz, where ljz may log in only from the 192.168.4.0/24 network segment.

Note: if these users do not exist, create them and set passwords in advance.

Once a whitelist is added, only the users on it can log in (commenting out the whitelist means all users are allowed again). If you only want to block certain users, a blacklist is the better choice.

You can also whitelist a group and manage access by adding users to that group.

  [root@proxy ~]# vim /etc/ssh/sshd_config
  .. ..
  AllowUsers jjh [email protected]/24   # define the account whitelist
  ## DenyUsers USER1 USER2            # define the account blacklist
  ## DenyGroups GROUP1 GROUP2         # define the group blacklist
  ## AllowGroups GROUP1 GROUP2        # define the group whitelist
  [root@proxy ~]# systemctl restart sshd

2) Verify the SSH access control: unauthorized users are denied login.

If root is not added to the whitelist, even root can no longer log in via SSH.

  [root@proxy ~]# ssh [email protected]   // authorized user: login allowed
  [email protected]'s password:
  [useradm@proxy ~]$ exit
  [root@proxy ~]# ssh [email protected]   // unauthorized user: login rejected
  [email protected]'s password:
  Permission denied, please try again.
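
An added example (not code from the original post) that models how sshd combines the four access-list directives shown above, so the whitelist/blacklist behaviour described in this section can be checked before touching a live server. The ssh_access function and its scenario are constructed for this illustration; only plain user names are modelled, not user@host patterns.

```shell
# Added example (not part of the original post): how sshd combines the four
# access-list directives. They are evaluated in a fixed order, DenyUsers,
# AllowUsers, DenyGroups, AllowGroups, and the first list that rejects wins.
# An unset (commented-out) list imposes no restriction, which is why removing
# AllowUsers lets every account log in again. Only plain user names are
# modelled here; user@host patterns like ljz@192.168.4.0/24 are not.

# in_list NAME "a b c" -> true if NAME is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# ssh_access USER "GROUPS" -> prints allow/deny and the deciding directive.
# Lists come from DENY_USERS, ALLOW_USERS, DENY_GROUPS, ALLOW_GROUPS
# (space-separated; empty means the directive is not set).
ssh_access() {
    user=$1; grps=$2
    if [ -n "$DENY_USERS" ] && in_list "$user" "$DENY_USERS"; then
        echo "deny (DenyUsers)"; return 1
    fi
    if [ -n "$ALLOW_USERS" ] && ! in_list "$user" "$ALLOW_USERS"; then
        echo "deny (not in AllowUsers)"; return 1
    fi
    for g in $grps; do
        if [ -n "$DENY_GROUPS" ] && in_list "$g" "$DENY_GROUPS"; then
            echo "deny (DenyGroups: $g)"; return 1
        fi
    done
    if [ -n "$ALLOW_GROUPS" ]; then
        for g in $grps; do
            in_list "$g" "$ALLOW_GROUPS" && { echo "allow (AllowGroups: $g)"; return 0; }
        done
        echo "deny (no group in AllowGroups)"; return 1
    fi
    echo "allow"
}

# Constructed scenario from the post: whitelist jjh and ljz, nothing else set
ALLOW_USERS="jjh ljz"; DENY_USERS=""; DENY_GROUPS=""; ALLOW_GROUPS=""
ssh_access jjh "jjh"            # allow
ssh_access root "root" || true  # deny: root is not on the whitelist
ALLOW_USERS=""                  # whitelist commented out
ssh_access root "root"          # allow: no directive restricts root now
```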

 

5. Use key pair authentication (private key passphrase) to log in without a password

1) Prepare the client test environment

Create an SSH key pair as the root user on the client.

Create the key pair with ssh-keygen; leave the private key passphrase empty (just press Enter):

  [root@client ~]$ ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (/root/.ssh/id_rsa):
  Created directory '/root/.ssh'.
  Enter passphrase (empty for no passphrase):   // press Enter to leave the passphrase empty
  Enter same passphrase again:                   // press Enter again
  Your identification has been saved in /root/.ssh/id_rsa.
  Your public key has been saved in /root/.ssh/id_rsa.pub.
  The key fingerprint is:
  63:6e:cf:45:f0:56:e2:89:6f:62:64:5a:5e:fd:68:d2
  The key's randomart image is:
  +--[ RSA 2048]----+
  | |
  | |
  | . . . |
  | = = |
  | S = B . |
  | o B = . o |
  | + + = E .|
  | . + + O |
  | the |
  +-----------------+
  [root@client ~]$ ls -lh ~/.ssh/id_rsa*   // confirm the key files
  -rw-------. 1 root root 1.8K 8月 15 10:35 /root/.ssh/id_rsa
  -rw-r--r--. 1 root root 403 8月 15 10:35 /root/.ssh/id_rsa.pub

2) Deploy the client root user's public key to the SSH server

Logged in as root on the client, use the ssh-copy-id command to deploy the public key to the server:

  [root@client ~]$ ssh-copy-id [email protected]
  [email protected]'s password:
  Now try logging into the machine, with "ssh '[email protected]'", and check in:
  .ssh/authorized_keys
  to make sure we haven't added extra keys that you weren't expecting.

3) Confirm that the client root user's public key has been uploaded to the server

By default it is appended to the ~/.ssh/authorized_keys file in the target user's home directory:

  [root@proxy ~]# ls ~/.ssh/authorized_keys
  .ssh/authorized_keys

4) Verify the SSH key pair from the client

From the client's root environment, logging in to host 192.168.4.5 as the remote user root no longer asks for a password (because the private key passphrase is empty):

  [root@client ~]$ ssh [email protected]   // logs in directly, without interaction
  Last login: Thu Aug 15 10:48:09 2013 from 192.168.4.100

5) After confirming that key authentication works, disable password authentication

This option is the switch that turns password authentication on or off.

Adjust the sshd service configuration and set PasswordAuthentication to no:

  [root@proxy ~]# vim /etc/ssh/sshd_config
  .. ..
  PasswordAuthentication no   # change this line from yes to no

  [root@proxy ~]# systemctl restart sshd
