Guide to ssh security settings in Linux

Source: Internet
Author: User

If you still use telnet instead of ssh, stop reading this manual and change that first. ssh should replace telnet for all remote logins. Plaintext passwords can easily be captured at any time by sniffing Internet traffic, so you should use a protocol that encrypts it. Now, run apt-get install ssh on your system.

Encourage all users on your system to use ssh instead of telnet or, better still, uninstall telnet/telnetd. In addition, you should avoid using ssh to log on as root. The alternative is to log on as a normal user and become root with su or sudo. Finally, the sshd_config file in the /etc/ssh directory should be modified as follows to enhance security:

ListenAddress 192.168.0.1

Makes ssh listen on only one specified interface. This matters if you have several interfaces (and do not want the ssh service available on some of them), or if a new NIC is added in the future (and you do not want ssh connections through it).

PermitRootLogin no

Root login is not allowed in any case. Anyone who wants to become root through ssh now needs two logins, and the root password cannot be cracked by brute force over SSH.

Port 666

Change the listening port so that an intruder cannot be completely sure whether the sshd daemon is running (be warned: this is security through obscurity).

PermitEmptyPasswords no

Empty passwords make a mockery of system security.

AllowUsers alex ref me@somewhere

Only the listed users are allowed to access the host through ssh. The user@host form can also be used to restrict a given user to logging in only from a given host.

AllowGroups wheel admin

Only members of the listed groups are allowed to access the host through ssh. AllowGroups and AllowUsers have equivalent directives for denying access to the host. Not surprisingly, they are called "DenyUsers" and "DenyGroups".

PasswordAuthentication yes

This is entirely your choice. It is safer to allow logins only from users whose ssh keys are in the ~/.ssh/authorized_keys file. To achieve this, set it to "no".

Disable every authentication method you do not need. If you do not use methods such as RhostsRSAAuthentication, HostbasedAuthentication or RhostsAuthentication, disable them, even if that is already the default setting (see the sshd_config(5) manual page).

Protocol 2

Protocol version 1 is disabled because of design flaws that make passwords easier to crack. For more information, see the report on ssh protocol problems or the Xforce announcement.

Banner /etc/some_file

Add a banner (read from a file) that is shown to users connecting to the ssh server. In some countries, a warning about unauthorized access or user monitoring must be displayed before login to a given system in order to have legal protection.
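
The following check is an added example, not part of the original guide or of OpenSSH: it audits the global section of an sshd_config against the settings listed above, applying the sshd_config(5) rule that the first value obtained for a keyword is the one used. REQUIRED, MULTI, parse_global, audit and the SAMPLE text are names and data constructed for this illustration.

```python
import re

# Values recommended by the guide above.
REQUIRED = {"permitrootlogin": "no", "permitemptypasswords": "no", "protocol": "2"}
# Keywords for which sshd accumulates every occurrence instead of the first.
MULTI = {"port", "listenaddress", "allowusers", "allowgroups"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
permitrootlogin yes
PermitRootLogin no
PermitEmptyPasswords=no
Protocol 2,1
Match Address 192.168.0.0/24
    AllowUsers alex
"""

def parse_global(text):
    """Return {keyword: [values]} for the lines before the first Match block."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()                      # keywords are case-insensitive
        if key == "match":
            break                              # conditional blocks are out of scope
        if key in MULTI:
            conf.setdefault(key, []).extend(value.split())
        elif key not in conf:                  # single-valued: first occurrence wins
            conf[key] = [value.strip()]
    return conf

def audit(text):
    """List where the global section deviates from the guide's settings."""
    conf, findings = parse_global(text), []
    for key, want in REQUIRED.items():
        got = conf.get(key, ["<not set>"])[0]
        if got.lower() != want:
            findings.append(f"{key}: {got} (guide recommends {want})")
    if not conf.get("listenaddress"):
        findings.append("listenaddress: not set, sshd listens on every interface")
    if not (conf.get("allowusers") or conf.get("allowgroups")):
        findings.append("allowusers/allowgroups: not set, any account may log in")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

In the sample, the later "PermitRootLogin no" does not override the earlier "permitrootlogin yes", and the AllowUsers line inside the Match block does not restrict logins globally.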
