Remote access security: SSH
How can I make SSH more secure?
SSH security and configuration best practices:
* Restrict the root account to console access only and do not allow it to log in over SSH
# vim /etc/ssh/sshd_config
PermitRootLogin no
# systemctl restart sshd.service
* Configure TCP Wrappers access control for remote hosts: edit /etc/hosts.deny to deny all remote hosts access to the sshd service, then edit /etc/hosts.allow to allow only specific hosts or network segments to use it (note that upstream OpenSSH dropped TCP Wrappers support in 6.7, so on a distribution whose sshd is not linked against libwrap these files have no effect and the same restriction belongs in the host firewall)
# vim /etc/hosts.deny
Deny the sshd service for all addresses
sshd: ALL
# vim /etc/hosts.allow
Allow only the 192.168.1.x network segment to connect
sshd: 192.168.1.
* On a workstation or laptop, stop the SSH service and uninstall the SSH server package: a workstation or notebook is not a server, so remove the server side of SSH and keep only the client
# systemctl stop sshd.service
# yum -y remove openssh-server
* Restrict access to SSH by controlling which user accounts may log in
# vim /etc/ssh/sshd_config
Add the following two lines at the end of the file
AllowUsers admin xiaodong                  //allowed users
DenyUsers xiaohong xiaofang@192.168.5.10   //deny xiaohong entirely, and deny xiaofang when connecting from the IP address 192.168.5.10
# systemctl restart sshd.service           //restart the SSH service
* Force the use of SSH protocol 2 (version 1 is insecure):
# vim /etc/ssh/sshd_config
Protocol 2
# systemctl restart sshd.service
* Do not allow idle sessions: configure the idle logout timeout interval:
Edit the following two lines
# vim /etc/ssh/sshd_config
ClientAliveInterval 600     //600 is in seconds: a session that shows no activity for 600 seconds is disconnected automatically
ClientAliveCountMax 3       //number of unanswered client-alive probes allowed before the connection is dropped
# systemctl restart sshd.service   //restart the SSH service
* Disable login with a blank password and set the maximum number of login attempts
Edit the following three lines
# vim /etc/ssh/sshd_config
PermitEmptyPasswords no
PasswordAuthentication yes
MaxAuthTries 6              //maximum of 6 authentication attempts per connection
# systemctl restart sshd.service
* Disable host-based authentication
# vim /etc/ssh/sshd_config
HostbasedAuthentication no
# systemctl restart sshd.service
* Ignore the users' .rhosts files
# vim /etc/ssh/sshd_config
IgnoreRhosts yes
# systemctl restart sshd.service
* Restrict SSH to listening on a specified network interface and port
# vim /etc/ssh/sshd_config
ListenAddress 172.168.8.5
Port 56175                  //the SSH port can be changed here
* Always keep the SSH packages patched and up to date (this can be set up as a scheduled task)
# yum update openssh-server openssh openssh-clients -y
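The sshd_config settings recommended above are easy to get wrong silently (a typo in a keyword, a duplicate line lower in the file, a value left at its default). The POSIX shell script below is an added example, not part of the original page, that audits a config file against those recommendations and reports every deviation; the sample config it checks is constructed here for the demo.

```shell
# Added example, not part of the original page: audit an sshd_config file for
# the settings recommended above. Matching is case-insensitive, as in sshd,
# and only the first occurrence counts: sshd ignores later duplicate keywords.

# keyword=value pairs taken from the recommendations on this page
EXPECTED="PermitRootLogin=no Protocol=2 PermitEmptyPasswords=no \
HostbasedAuthentication=no IgnoreRhosts=yes MaxAuthTries=6 \
ClientAliveInterval=600 ClientAliveCountMax=3"

# effective_value FILE KEYWORD: print the value sshd would actually use.
# Settings after a "Match" block are conditional, so the scan stops there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per deviation; exit status = count
audit_sshd_config() {
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want; sshd's built-in default applies)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample config: root login left enabled, a later duplicate that
# sshd will ignore, and Protocol and ClientAliveCountMax missing (3 findings).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
PermitEmptyPasswords no
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
MaxAuthTries 6
ClientAliveInterval 600
EOF
audit_sshd_config "$SAMPLE" || echo "deviations found: $?"
rm -f "$SAMPLE"
```

On a live host run `audit_sshd_config /etc/ssh/sshd_config` after editing, and validate the file with `sshd -t` before `systemctl restart sshd.service` so a syntax error cannot leave the server unreachable.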