Ssh security protection under FreeBSD

Source: Internet
Author: User

When viewing FreeBSD logs you inevitably end up in auth.log, and there you find a large number of failed ssh login attempts with all sorts of user names. To be honest, these people are tiresome: even if I told them my user name and password they still could not log in, so why bother? This article talks about what can be done for ssh security under FreeBSD. Following it, I dare not say your ssh will be 100% secure, but at least it will be more secure than before. Below is a piece of the log:

Dec 13 10:16:30 ddd sshd[46500]: Invalid user raimundo from 59.124.60.69
Dec 13 10:17:49 ddd sshd[46512]: Invalid user Alexander re from 59.124.60.69
Dec 13 10:20:18 ddd sshd[46523]: Did not receive identification string from 59.124.60.69
Dec 13 10:21:10 ddd sshd[46524]: Invalid user a from 59.124.60.69
Dec 13 10:22:06 ddd sshd[46541]: Invalid user mercedes from 59.124.60.69
Dec 13 10:23:26 ddd sshd[46545]: Invalid user raimundo from 59.124.60.69
Dec 13 10:23:36 ddd sshd[46547]: Invalid user raimundo from 59.124.60.69
Dec 13 10:23:40 ddd sshd[46549]: Did not receive identification string from 59.124.60.69
Dec 13 10:23:49 ddd sshd[46550]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:25 ddd sshd[46552]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:33 ddd sshd[46554]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:37 ddd sshd[46556]: Did not receive identification string from 59.124.60.69
First, if you use the default authentication method (PAM, that is, password login) and allow the root user to log in, and have no other protection in place, your server is very likely to be broken into. There is a lot of brute-force cracking software; think about how long a password of fewer than 10 characters would hold out given the attacker's computing power. Besides, few users keep dozens of different passwords.

1. In any case, I suggest you enable a firewall (ipfw or iptables) on the FreeBSD server. Taking ipfw as an example, my principle is: close all unneeded ports and restrict all incoming connections. For example, ssh allows only one connection from the same source IP address, which slows down brute-force cracking and saves server resources:

01500 allow tcp from any to me dst-port 22 in via em0 setup limit src-addr 1

2. Prohibit root login

# ee /etc/ssh/sshd_config

# Note: sshd only treats '#' as a comment at the start of a line, so keep comments on their own lines.
# The port can be changed as needed, but then the firewall must also open that port
Port 22
Protocol 2
# Disable direct root login
PermitRootLogin no
# Authentication: the following options allow key-based verification
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication

3. Use a key to log on

This must be done carefully so that you do not lock yourself out. In principle, disable the PAM login mode (the default OpenSSH authentication method) only after a key login has succeeded. The key creation process is as follows:

Switch to the user name you will use to log on to the server and run the following command:

# ssh-keygen -t rsa -b 1024
After executing the preceding command you will be asked for the key storage location and a passphrase. Finally a public key (id_rsa.pub) and a private key (id_rsa) are generated under .ssh/ in the user's home directory:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ezool/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ezool/.ssh/id_rsa.
Your public key has been saved in /home/ezool/.ssh/id_rsa.pub.

In the above process, if you leave the passphrase empty you can log on just by loading the key, without entering a password, but this is not recommended. After generation, switch to the .ssh directory and rename the public key file:
# cd /home/test/.ssh   # change "test" to the user that generated the key
# cat id_rsa.pub > authorized_keys   # or use mv id_rsa.pub authorized_keys to rename the file directly
# chmod 600 authorized_keys   # readable and writable only by the owner
# rm id_rsa.pub   # remove the generated public key file

Then you need to download the private key:
# cat id_rsa > /www/myweb/mykey.ppk   # pay attention to the path; the user is still in the .ssh directory because of the cd above
# rm id_rsa
Download the key via ftp. Note that the key downloaded here cannot be used directly by PuTTY; it must first be converted with puttygen.

Open the PuTTY Key Generator (puttygen) and click Load to load the private key you just downloaded. It will prompt you about the conversion; save the private key, and the resulting file can be used by PuTTY.

When logging on with PuTTY, look under SSH > Auth in the left-hand tree, load the private key there, and then log on. If the login succeeds, you can disable the default PAM authentication method:

# ee /etc/ssh/sshd_config   # modify the following two lines
ChallengeResponseAuthentication no
UsePAM no
# /etc/rc.d/sshd restart   # restart sshd to make the configuration take effect
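The sshd_config settings from sections 2 and 3 can be checked mechanically before restarting sshd. The following Python script is an added example, not code from the article or from OpenSSH: it parses sshd_config text the way sshd reads it (blank lines and lines starting with '#' are skipped, the first occurrence of a keyword wins, and a '#' after a value is not a comment) and reports every recommended keyword that is missing or has the wrong value. The two sample configurations are constructed; the keyword list comes from the article; Match blocks are not handled.

```python
import re

# Keyword -> value recommended in sections 2 and 3 (sshd keywords are case-insensitive).
HARDENED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Parse sshd_config text into ({keyword: value}, [error strings]).

    Mirrors how sshd reads the file: blank lines and lines starting with '#'
    are skipped, keyword and value may be separated by whitespace or '=',
    and the FIRST occurrence of a keyword wins.  A '#' after a value is not a
    comment for sshd (it refuses the file as "garbage at end of line"), so
    such lines are reported as errors instead of being recorded.  Everything
    after a 'Match' line is ignored (assumption: no Match blocks are used).
    """
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if "#" in value:
            errors.append(f"line {lineno}: '#' after a value is not a comment for sshd: {line}")
            continue
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, errors


def audit(text):
    """Return a list of findings; an empty list means the text matches the recommendations."""
    settings, findings = parse_sshd_config(text)
    for key, wanted in HARDENED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set, so the sshd default applies; set it to '{wanted}'")
        elif actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', should be '{wanted}'")
    return findings


# Constructed sample: an inline comment sshd would reject, root and password login still allowed.
WEAK_CONFIG = """\
Port 22 # the firewall must open this port too
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
"""

# Constructed sample: the same file after applying sections 2 and 3.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or ['ok']}")
```

Run it against your own file with `audit(open("/etc/ssh/sshd_config").read())`; an empty list means every recommended keyword is present with the recommended value, and the '#' check catches the inline-comment mistake before `sshd -t` or a restart does.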
4. Prevent ssh brute-force cracking

After switching to key authentication you no longer need to worry, unless your private key, user name and password are leaked. The only unpleasant thing is that someone scans every day, which wastes server resources, so we can use software that stops others from scanning for no reason. The basic working principle is:
read auth.log and match the user login failures; if login fails several times in a row, add the IP address to a deny list (hosts.deny) or to the firewall, or disconnect it, so that the scan cannot continue. Related software such as fail2ban, sshguard and DenyHosts will be introduced in detail later.
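The mechanism just described, as an added example in Python (this is not the article's code and not fail2ban, sshguard or DenyHosts): it matches the failure messages sshd writes to auth.log, counts them per source address inside a sliding time window, and reports an address once a threshold is crossed, together with the ipfw command that would add it to a deny table. The log lines are constructed from the excerpt at the top of the article plus a successful login and a second source; the year (syslog timestamps carry none), the threshold, the window length and the ipfw table number are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure messages sshd logs, as seen in the article's excerpt.  The source
# address is captured; anything after it (port, ssh2) is ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user .*? from"
    r"|Failed password for .*? from"
    r"|Did not receive identification string from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def detect(lines, threshold=5, window_seconds=600, year=2023):
    """Return [(ip, time_of_block), ...], ordered by time, for every address
    that produced `threshold` failures within `window_seconds`.  Each address
    is reported once.  `year` is assumed because syslog timestamps have none."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        ip = m.group("ip")
        if ip in blocked:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return sorted(blocked.items(), key=lambda item: item[1])


def ipfw_block_command(ip, table=1):
    """ipfw command that adds `ip` to lookup table `table`; assumes an existing
    ipfw deny rule for port 22 references that table (assumption, not on the page)."""
    return f"ipfw table {table} add {ip}"


# Constructed sample log: the article's excerpt, a successful key login from an
# internal host, and one failure from a second source address.
SAMPLE_LOG = """\
Dec 13 10:16:30 ddd sshd[46500]: Invalid user raimundo from 59.124.60.69
Dec 13 10:17:49 ddd sshd[46512]: Invalid user alexandre from 59.124.60.69
Dec 13 10:18:02 ddd sshd[46515]: Accepted publickey for ezool from 10.0.0.5 port 50112 ssh2
Dec 13 10:20:18 ddd sshd[46523]: Did not receive identification string from 59.124.60.69
Dec 13 10:21:10 ddd sshd[46524]: Invalid user a from 59.124.60.69
Dec 13 10:22:06 ddd sshd[46541]: Invalid user mercedes from 59.124.60.69
Dec 13 10:22:40 ddd sshd[46543]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Dec 13 10:23:26 ddd sshd[46545]: Invalid user raimundo from 59.124.60.69
Dec 13 10:23:36 ddd sshd[46547]: Invalid user raimundo from 59.124.60.69
Dec 13 10:23:40 ddd sshd[46549]: Did not receive identification string from 59.124.60.69
Dec 13 10:23:49 ddd sshd[46550]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:25 ddd sshd[46552]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:33 ddd sshd[46554]: Invalid user raimundo from 59.124.60.69
Dec 13 10:24:37 ddd sshd[46556]: Did not receive identification string from 59.124.60.69
"""

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG.splitlines()):
        print(f"{when:%b %d %H:%M:%S} block {ip}: {ipfw_block_command(ip)}")
```

With the defaults, 59.124.60.69 is reported at 10:22:06, its fifth failure inside ten minutes, while 203.0.113.7 with a single failure is not. Shrinking the window to 60 seconds delays the decision to 10:24:25, which is the trade-off every such tool exposes: a short window reacts only to fast scans, a long one also catches slow ones but holds more state per address.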
