Four tips for configuring Linux server SSH security access _linux

I take CentOS as an example and simply summarize how to configure SSH security access.
Linux SSH Security Policy One: close unrelated ports
Most of the hosts captured on the network were targeted by hackers scanning the tools in large areas. So, to avoid being scanned, all but the necessary ports, such as Web, FTP, SSH, and so on, should all be turned off. It is worth mentioning that I strongly recommend shutting down the ICMP port and setting the rules to discard the ICMP packets. So that others can not Ping your server, the threat will naturally reduce the majority of the. Discard ICMP packets in iptables, add one of the following:

Copy Code code as follows:

-A input-p icmp-j DROP

Linux SSH Security Policy Two: Change the SSH port
The default SSH port is 22. It is strongly recommended to change to more than 10000. So the probability of others scanning to the port is also greatly reduced. To modify the method:

Copy Code code as follows:

# Edit/etc/ssh/ssh_config
Vi/etc/ssh/ssh_config
# under Host *, add a new Port value. Take 18439 as an example (hereinafter):
Port 22
Port 18439

# Edit/etc/ssh/sshd_config
Vi/etc/ssh/sshd_config
#加入新的 Port Value
Port 22
Port 18439

# After saving, restart the SSH service:
Service sshd Restart

I've set up two ports here, mainly to prevent errors from being modified so that SSH is no longer logged on. Change your SSH client (for example: PuttyConnection port, test the connection, If the new port can be successfully connected, edit the top two files and remove the port 22 configuration。 If the connection fails, the Port 22 is connected and then reconfigured.

After the port setting is successful, note that you should also remove Port 22 from Iptables, add a new configuration of 18439, and restart Iptables.

If the SSH login password is a weak password, you should set up a complex password. Google Blog has an article emphasizing password security: Does your password pass the test?

Linux SSH Security Policy three: Restrict IP logon

If you can connect your server in a fixed IP way, you can set up a specific IP login server. For example, I log on to the server through my own VPN. The settings are as follows:

# edit/etc/hosts.allow
vi/etc/hosts.allow
# For example, only allow 123.45.67.89 login
sshd:123.45.67.89

Linux SSH security Policy four: Login SSH with certificate

Using a certificate is more secure than using a password to log on. tap water for coffee has written a detailed tutorial, with its consent, reproduced as follows:

Configuring SSH Certificate logon authentication for CentOS

Source: Tap water for coffee

Afternoon to help the company network management remote detection mail server, a CentOS 5.1, using OpenSSH remote management.

Check the security log, found that these days almost every day a bunch of IP to guess the password. It seems that we have to modify the login authentication mode, and change to certificate verification.

In case, temporarily kai a vnc, lest not configured, a happy to restart the sshd on the trouble. (later found to be redundant, as long as the first open a putty do not close the line)

Here's a simple procedure:

1) First add a maintenance account: MSA 2 and then SU-MSA 3) ssh-keygen-t RSA to specify the key path and enter the password, that is, to generate the public and private key in/home/msa/.ssh/: Id_rsa id_rsa.pub 4) Cat Id_rsa
. pub >> Authorized_keys As to why this file was generated, because that's what Sshd_config wrote.

Then chmod Authorized_keys, a little protection.
5) with Psftp to pull Id_rsa back to the local, and then the server Id_rsa and Id_rsa.pub kill 6) configuration/etc/ssh/sshd_config Protocol 2 serverkeybits 1024
Permitrootlogin no #禁止root登录而已, with nothing to do with this article, plus a bit of security #以下三行没什么要改的, remove the default # comment Rsaauthentication Yes pubkeyauthentication Yes Authorizedkeysfile. Ssh/authorized_keys passwordauthentication no permitemptypasswords No 7) Restart Sshd/sbin/service sshd R Estart 8 Convert certificate format, indulge Putty run Puttygen, convert id_rsa Putty certificate file 9) Configure PPK Login in putty, click Browse,
Select the certificate that you just converted. Then fill in the Connection-data Auto login username, for example, my MSA in the session to fill out the server's IP address, happy words can save 10 to solve a little trouble to do this step, it is likely to be empty happy one,
At this time on the excitedly login, may not login: No supported authentication methods available at this time can modify the Sshd_config, passwordauthentication no temporary change to: Passwordauthentication Yes and restart sshd so you can log on successfully, log out, and then reset the value of PasswordauthenticationFor no, restart sshd.

Log in later will normally ask you the key file password, the right answer can be happy to log in. As for the psftp command, add a-i parameter, specify the certificate file path.

If you are a remote operation server to modify the above configuration, remember that each step should be prudent, not error. If the configuration error causes the SSH connection to be not on, then a cup.

Basically, after the above four points configured, Linux under the SSH access, is more secure. Of course, security and insecurity are all relative, you should regularly check the server log, timely detection of hidden dangers and eliminate.