SSH access control all tips

Source: Internet
Author: User
Tags: ssh access, ssh port, ssh server

First, set hosts.allow and hosts.deny permissions

1. Add the host IPs that need SSH access to the server to hosts.allow.

Modify the /etc/hosts.allow file. A rule can name a single address, a wildcard pattern, or a comma-separated list of addresses:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.34:allow

sshd:192.178.23.12,21.32.31.43,172.20.20.45:allow


2. Then modify /etc/hosts.deny so that sshd refuses every host that hosts.allow does not list:

# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:all

Of course, hosts.allow and hosts.deny are not just for the sshd service; they can be used to control access to other tcp_wrappers-aware services as well. Readers who want to go further can look up the details themselves.



Second, use a script to block brute-force attacks by IP

1. System: CentOS 7

2. Description: the /var/log/ directory holds many system log files. Among them, secure records access to login services such as POP3, SSH, Telnet and FTP, so we can use this file to find the IPs behind failed logins.

# grep Failed /var/log/secure
Nov 10 15:07:35 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:07:42 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:07:46 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:07:51 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:08:15 localhost sshd[29447]: Failed password for root from 172.20.22.23 port 58811 ssh2
Nov 10 15:08:19 localhost sshd[29447]: Failed password for root from 172.20.22.23 port 58811 ssh2

The IPs with failed logins can be counted and then added to the access blacklist.


3. First, add the IPs that must always be allowed to /etc/hosts.allow; this is very important! For example:
sshd:19.16.18.1:allow
sshd:19.16.18.2:allow

This ensures that these IPs can always SSH to the server: hosts.allow is consulted before hosts.deny, so an address listed here stays allowed even if the script later writes it to hosts.deny.


4. Write the script /root/secure_ssh.sh:

#!/bin/bash
# count "Failed password" lines per source IP ($(NF-3) is the IP field) into IP=count pairs
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}' > /home/scripts/secure_ssh.txt
# block an IP once it has more than this many failures
DEFINE="5"
for i in $(cat /home/scripts/secure_ssh.txt)
do
  IP=$(echo $i | awk -F= '{print $1}')
  NUM=$(echo $i | awk -F= '{print $2}')
  if [ $NUM -gt $DEFINE ];then
    # add the entry only if this exact line is not already in hosts.deny
    grep -qxF "sshd:$IP:deny" /etc/hosts.deny
    if [ $? -gt 0 ];then
      echo "sshd:$IP:deny" >> /etc/hosts.deny
    fi
  fi
done

5. Put the secure_ssh.sh script into cron so that it runs every minute:
# crontab -e
*/1 * * * * sh /root/secure_ssh.sh
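The blocking logic of steps 3 to 5, reworked as an added example (this is not the page's script): it counts failed logins per source IP from constructed sample lines in the /var/log/secure format, skips any IP that hosts.allow already permits (the step 3 whitelist), and appends exact sshd:IP:deny entries only for IPs not yet present, using a whole-line match so that an existing 1.2.3.45 entry cannot hide a new 1.2.3.4. The function names count_failures, is_whitelisted and block_offenders, the threshold argument and the sample addresses are my own; file paths are parameters so the code runs on temp copies rather than the live /etc files.

```shell
#!/bin/bash
# Added example, not the page's own script: count failed SSH logins per source
# IP, skip IPs whitelisted in hosts.allow, and append exact "sshd:IP:deny"
# entries only for IPs that are not already denied. Log and tcp_wrappers file
# paths are parameters so the functions can run against temp copies.

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_SECURE='Nov 10 15:07:35 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:07:42 localhost sshd[29424]: Failed password for root from 172.20.22.23 port 58810 ssh2
Nov 10 15:07:46 localhost sshd[29424]: Failed password for invalid user admin from 172.20.22.23 port 58811 ssh2
Nov 10 15:07:51 localhost sshd[29447]: Failed password for root from 172.20.22.23 port 58812 ssh2
Nov 10 15:09:01 localhost sshd[29450]: Failed password for root from 10.0.0.9 port 40000 ssh2
Nov 10 15:09:05 localhost sshd[29450]: Failed password for root from 10.0.0.9 port 40000 ssh2
Nov 10 15:10:00 localhost sshd[29460]: Accepted password for root from 192.168.1.5 port 50010 ssh2
Nov 10 15:10:11 localhost sshd[29461]: Failed password for root from 192.168.1.5 port 50011 ssh2
Nov 10 15:10:12 localhost sshd[29461]: Failed password for root from 192.168.1.5 port 50011 ssh2
Nov 10 15:10:13 localhost sshd[29461]: Failed password for root from 192.168.1.5 port 50011 ssh2
Nov 10 15:10:14 localhost sshd[29461]: Failed password for root from 192.168.1.5 port 50011 ssh2
Nov 10 15:11:01 localhost sshd[29470]: Failed password for root from 203.0.113.7 port 41000 ssh2
Nov 10 15:11:02 localhost sshd[29470]: Failed password for root from 203.0.113.7 port 41000 ssh2
Nov 10 15:11:03 localhost sshd[29470]: Failed password for root from 203.0.113.7 port 41000 ssh2
Nov 10 15:11:04 localhost sshd[29470]: Failed password for root from 203.0.113.7 port 41000 ssh2'

# Print "IP count" for every source IP with more than $2 "Failed password"
# lines in log file $1. The IP is the 4th field from the end, as in the page's
# awk '{print $(NF-3)}'; matching the whole message avoids counting other lines.
count_failures() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+/ { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
    ' "$1" | sort
}

# Return 0 if IP $1 is allowed for sshd by hosts.allow file $2. Handles the
# forms used on the page: exact address, comma-separated list, trailing "."
# prefix and "*" wildcard. Lines carrying a "deny" option are ignored.
is_whitelisted() {
    awk -F: -v ip="$1" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($3) ~ /deny/ { next }
        tolower($1) ~ /(^|[[:space:],])(sshd|all)[[:space:]]*$/ {
            n = split($2, pats, ",")
            for (i = 1; i <= n; i++) {
                p = pats[i]; gsub(/[[:space:]]/, "", p)
                if (p == ip || (p ~ /\.$/ && index(ip, p) == 1)) { found = 1; exit }
                if (index(p, "*") > 0) {
                    re = p; gsub(/\./, "[.]", re); gsub(/\*/, ".*", re)
                    if (ip ~ ("^" re "$")) { found = 1; exit }
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Append "sshd:IP:deny" to hosts.deny file $3 for each offender in log $1 that
# is neither whitelisted in $2 nor already present; print the newly denied IPs.
block_offenders() {
    log="$1"; allow="$2"; deny="$3"; max="$4"
    touch "$deny"
    count_failures "$log" "$max" | while read -r ip n; do
        is_whitelisted "$ip" "$allow" && continue
        # whole-line match (-x): a plain grep for 1.2.3.4 would also be satisfied
        # by an existing 1.2.3.45 entry and silently skip the new IP
        grep -qxF "sshd:$ip:deny" "$deny" && continue
        echo "sshd:$ip:deny" >> "$deny"
        echo "$ip"
    done
}

# Stand-alone demo on temp copies (constructed allow/deny files).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SECURE" > "$tmp/secure"
    printf 'sshd:192.168.1.*:allow\nsshd:10.20.30.40:allow\n' > "$tmp/hosts.allow"
    printf 'sshd:203.0.113.7:deny\n' > "$tmp/hosts.deny"
    echo "newly denied: $(block_offenders "$tmp/secure" "$tmp/hosts.allow" "$tmp/hosts.deny" 3)"
    cat "$tmp/hosts.deny"
    rm -rf "$tmp"
}
demo
```

To use it from the same cron entry as the page's script, point block_offenders (as root) at /var/log/secure, /etc/hosts.allow and /etc/hosts.deny. Because tcp_wrappers consults hosts.allow before hosts.deny, a whitelisted address would not be locked out even if it did land in hosts.deny; skipping it just keeps the deny list honest. The whole approach depends on sshd being built with libwrap, which is true on CentOS 7 but not on later releases; `ldd /usr/sbin/sshd | grep libwrap` shows whether the rules are consulted at all.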


6. Testing

Open two terminal windows: in one, SSH to the server; in the other, try to connect to the server several times with a wrong password.

Soon there are already records in the blacklist file on the server:
# cat /root/black.txt
13.26.21.27=3

And look at hosts.deny on the server:
# cat /etc/hosts.deny
sshd:13.7.3.6:deny
sshd:92.4.0.4:deny
sshd:94.10.4.2:deny
sshd:94.4.1.6:deny
sshd:11.64.11.5:deny

7. Continue the "brute force" connection attempts against the server from the other terminal window.

Look at the blacklist file on the server:
# cat /root/black.txt
13.26.21.27=6

And look at hosts.deny on the server:
# cat /etc/hosts.deny
sshd:13.7.3.6:deny
sshd:92.4.0.4:deny
sshd:94.10.4.2:deny
sshd:94.4.1.6:deny
sshd:11.64.11.5:deny
sshd:13.26.21.27:deny

The IP has been added to the server's hosts.deny, and a subsequent connection with the correct password is refused:
$ ssh <user>@<server> -p 2333
ssh_exchange_identification: Connection closed by remote host


Third, change the SSH default port

Most attackers only try the default port 22 when they go after an SSH server, so we can change the SSH port.

First, modify the configuration file: vi /etc/ssh/sshd_config

Find #Port 22 and uncomment it (the commented-out line shows that sshd uses port 22 by default). Modify it as follows:

Port 22
Port 50000

then save and exit.

Execute /etc/init.d/sshd restart; SSH now listens on both 22 and 50000 at the same time.

Now edit the firewall configuration (vi /etc/sysconfig/iptables) to open port 50000, then execute /etc/init.d/iptables restart.

Now use an SSH client to connect to port 50000 and test whether it works. If the connection succeeds, edit sshd_config again and delete the Port 22 line.

The reason for configuring two ports and closing one only after a successful test is that, while editing the configuration, the connection may drop, the network may fail, or a mistake may be made; with a second port you can still connect and debug through it, instead of having to send someone to the machine room, which makes the problem far more complicated.
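The port change above as idempotent shell functions, added here as an example rather than taken from the page: they run against a constructed sshd_config fragment, show which ports the file makes sshd listen on, and refuse to delete the old port while it is the only one configured, which is exactly the lock-out the page's two-port procedure guards against. The function names listen_ports, ensure_port, drop_port and port_is_listening are my own, and the config path is a parameter so nothing touches the live /etc/ssh/sshd_config.

```shell
#!/bin/bash
# Added example, not from the original page: stage the new sshd port alongside
# the old one, check what the config will listen on, and drop the old port only
# when another one remains. The config path is a parameter so the functions
# can be exercised on a temp copy instead of the live /etc/ssh/sshd_config.

# Constructed fragment of a stock sshd_config (port still commented out).
SAMPLE_SSHD_CONFIG='# This is the sshd server system-wide configuration file.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PermitRootLogin no'

# Ports the config $1 makes sshd listen on ("22" when no Port line is active).
listen_ports() {
    ports=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2 }' "$1" | sort -n | uniq | tr '\n' ' ')
    ports=${ports% }
    echo "${ports:-22}"
}

# Make sure "Port $2" is active in config $1: uncomment an existing "#Port $2"
# line (the page's "find #Port 22, uncomment" step) or append one. Returns 0
# when the file changed, 1 when the port was already active.
ensure_port() {
    cfg="$1"; port="$2"
    grep -Eq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$cfg" && return 1
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$cfg"; then
        sed -E "s/^[[:space:]]*#[[:space:]]*(Port[[:space:]]+$port)[[:space:]]*$/\1/" "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        echo "Port $port" >> "$tmp"
    fi
    # copy back instead of mv so the original file's ownership and mode survive
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Remove "Port $2" from config $1, but refuse if no other Port line would
# remain: that is the situation the page avoids by keeping 22 open until the
# new port has been tested.
drop_port() {
    cfg="$1"; old="$2"
    others=$(awk -v old="$old" '/^[[:space:]]*Port[[:space:]]+[0-9]+/ && $2 != old { c++ } END { print c + 0 }' "$cfg")
    if [ "$others" -lt 1 ]; then
        echo "refusing to drop Port $old: it is the only active port in $cfg" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed -E "/^[[:space:]]*Port[[:space:]]+$old[[:space:]]*$/d" "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# On the live host, run this before drop_port to confirm sshd really answers
# on the new port (assumes iproute2's ss; not exercised in the demo below).
port_is_listening() {
    ss -lnt "( sport = :$1 )" | grep -q ":$1[[:space:]]"
}

# Stand-alone demo on a temp copy of the constructed config.
demo() {
    cfg=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
    ensure_port "$cfg" 22 && echo "uncommented Port 22"
    ensure_port "$cfg" 50000 && echo "added Port 50000"
    echo "would listen on: $(listen_ports "$cfg")"
    drop_port "$cfg" 22 && echo "dropped Port 22, now: $(listen_ports "$cfg")"
    drop_port "$cfg" 50000 || echo "last port kept"
    rm -f "$cfg"
}
demo
```

On the live host, run ensure_port against /etc/ssh/sshd_config, validate the file with sshd -t before restarting, and only call drop_port 22 once port_is_listening 50000 succeeds and a real login over that port has worked. On CentOS 7 the equivalents of the page's init-script commands are systemctl restart sshd and, for the firewall, firewall-cmd --permanent --add-port=50000/tcp followed by firewall-cmd --reload; SELinux on that release also has to be told about the new port with semanage port -a -t ssh_port_t -p tcp 50000, otherwise sshd fails to bind to it.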


