Harden Linux SSH to ensure server security

SSH is one of the most widely used remote secure login services on unix-like systems. The default port is tcp 22. Due to the need for remote management, many firewalls have opened port 22 to the outside, which makes the SSH service vulnerable to hacker attacks. You can view the security logs of unix-like systems, A large number of illegal connections targeting tcp port 22 can be found. To avoid hacker attacks on the SSH service of the system, we need to perform some reinforcement operations on the SSH service to ensure the security of the server.

The following uses centos6.2 as an example:

The operating system to be installed is centos6.2 minimal version, that is, the minimum installation version. This version is the easiest to install based on the requirements of the server. After installing the operating system, perform the following operations.

1. Modify the ssh port

Modify ssh port 22 in Linux

Vi/etc/ssh/ssh_config

Vi/etc/ssh/sshd_config

Then, change the value to port 8888.

Service sshd restart, ssh_config, and sshd_config must be modified to 8888 at the same time as the root user to take effect.

2. Disable remote root

# Vi/etc/ssh/sshd_config

Set PermitRootLogin yes

Change to PermitRootLogin no

Restart sshd service

# Servicesshd restart

3. Create a common user

# Useradduser199

# Passwduser199

4. Enable user199 to execute all root executable commands through sudo.

First # yun install sudo

Open the configuration file with mongodo as root and you can see the following lines:

# Runas alias specification

# User privilege specificationroot ALL = (ALL) ALL

User199 ALL = (ALL) ALL

To ensure better security, make the following settings:

Modify the vi/etc/ssh/sshd_config file

1) PermitEmptyPasswords no # Do not allow empty passwords. login is only a plaintext password, not a certificate ).

2) RSAAuthentication yes # enable RSA Authentication.

3) PubkeyAuthentication yes # enable public key authentication.

4) PasswordAuthentication no # password authentication is prohibited.

Supplement: Modify the global configuration file of the vi/etc/ssh/ssh_config file)

RSAAuthentication yes

# Allow RSA private key authentication.

PasswordAuthentication no #. Do not log on with the plaintext password. Here is the key)

Generate the configuration public key and Private Key

Mail:/$ ssh-keygen-t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/. ssh/id_rsa):/home/user/. ssh/id_rsa

(The location where the private key and public key are stored. The account under which the operation is used)

Enter passphrase (empty for no passphrase): Enter the password

Enter same passphrase again: Enter the password again

Your identification has been saved in/home/user/. ssh/id_rsa. (generated private key)

Your public key has been saved in/home/user/. ssh/id_rsa.pub. (generated public key)

The key fingerprint is:

76: 04: 4d: 44: 25: 37: 0f: b1: a5: b7: 6e: 63: d4: 97: 22: 6b

Copy the generated public key I d _ r s a. p u B and rename it authorized_keys TO THE. ssh directory in the master folder of the server user.

Copy the generated private key id_rsa to the client that needs to initiate a remote connection.

Start the client connection software using Private Shell as an example), click the Advanced option, select User Keys, and click Import Key. In the pop-up "open", find the id_rsa file copied to the local device and open it. Enter the password set when the private key is created, enter the key name after confirmation, and then set whether to enter the password when the certificate starts a connection locally. If necessary, set the password, leave it blank if you do not need it. Click OK to complete the local certificate creation and addition.

Restart the ssh service:/etc/init. d/ssh restart.