SSH Security note

SSH security mainly corresponds to personal VPS. There is no front-end hardware firewall for small-scale operating servers, or small-scale enterprise servers. Summative articles can be searched on the Internet.

1) prohibit root Login
Vi/etc/ssh/sshd_config

PermitRootLogin yes
Change
PermitRootLogin no

Restart the ssh service

Log on as a common user, and then use sudo to access the root user.

PS: by default, root login is disabled on FreeBSD.

2) After root login is prohibited, password login is also prohibited. Only ssh key authentication is allowed for login.
Vim/etc/ssh/sshd_config

PasswordAuthentication yes
Change
PasswordAuthentication no

By default, the key is used for login, And the password is not allowed.

3) the ssh key authentication method is widely used!

A. generate an RSA public KEY in the token
# Ssh-keygen-t rsa

B. Copy the generated id_rsa.pub to a remote machine and name it authorized_keys.
Scp/root/. ssh/id_rsa.pub root@x.x.x.x:/root/. ssh/authorized_keys

C. Modify permissions on remote services
Chmod 600 ~ /. Ssh/authorized_keys

4) use pkill to kill ssh users
If it is discovered that the server has been intruded, but it is not recommended to restart ssh or restart the server at this time, use the following methods to kill other users

[Root @ localhost tmp] # w
03:40:28 up 71 days, 51 min, 1 user, load average: 0.00, 0.00, 0.00
User tty from login @ IDLE JCPU PCPU WHAT
Root pts/1 192.168.0.1 0.00 s 0.09 s 0.01 s w

[Root @ localhost tmp] # pkill-kill-t pts/1

5) use TCP-wrapped (host. allow & host. deny) to control logon Permissions

[Root @ localhost ~] # Ldd/usr/sbin/sshd | grep wrap
Libwrap. so.0 =>/lib64/libwrap. so.0 (0x0000002a9566c000)
[Root @ localhost ~] #

Use ldd to check whether tcp-wrap can be used. That is, the service can use/etc/hosts. allow and/etc/hosts. deny. If the output does not contain libwrap, it cannot be used.

Edit/etc/host. allow, host. deny
.
Allow access to sys.com domain

Cat host. allow
Sshd: .sys.com

Cat host. deny
ALL: ALL

Allow access from sysv.com and 192.168.1.x, but not from stu1 or stu2 hosts.

Cat host. allow
Sshd: .sys.com, 192.168.1., destination t stu1, stu2

There are many other ways to use man.

Some Supplements:

A) It is often said that modifying the default ssh port 22 can ensure certain security.
Almost useless. You can use the port scanning tool nmap to find the modified Shenma port! If the port is changed to another port, it may conflict with the port of other applications.

B) passwords are more secure than keys. You can avoid brute-force cracking by setting complex and rule-free passwords.
Head shoot ideas
The ssh key authentication mechanism is safer than the password. The password will be visible to others and may be transmitted over the network.
The key is equivalent to the key of your house. Who will give your key to others? If you are not at ease, you can also set a passphrase. In this way, it is useless for others to obtain the ssh key.

In windows, keys can also be used for putty connections. Use puttygen.exe for conversion. for google, refer to the following article.

C) who is better at iptables and key authentication.
Use iptable to specify that only a fixed IP address is allowed for access control. The disadvantage is that if iptables crashes or you forget to start it, there will be no preventive effect.
For iptables, the fewer rules, the better the efficiency.
However, you can use the script method and iptables to restrict the IP addresses that attempt to log on multiple times. This can prevent brute-force attacks, or disable logon for a period of time after the password is configured in the ssh config.

Netstat-an | grep-v LISTEN | awk '{print $5}' | grep-v 127.0.0.1 | grep-v local ip | sed "s/: ffff: // g "| awk 'in in {FS =": "} {Num [$1] ++} END {for (I in Num) if (Num [I]> 8) {print I} '| grep' [0-9] \ {1, 3 \}\. [0-9] \ {1, 3 \}\. [0-9] \ {1, 3 \}\. [0-9] \ {1, 3 \} '| xargs-I [] iptables-I INPUT-s []-j DROP