SSH security thinking and configuration, SSH security thinking Configuration
I have previously written an article on Oracle RAC equivalence configuration at http://blog.csdn.net/jacson_#/article/details/42673;
This is just the tip of the iceberg used by ssh, password-free login;
1. How do I decide whether to log on with a password or a key?
Oracle DBA often uses a password to log on to the same LAN as Oracle;
When managing thousands of Linux Hosts in a cluster, I usually select a key to log on to and use one key to log on to any host.
2. Who is more secure to log on with the key and password?
For external attacks, the key security is undoubtedly much higher than the password;
For actual operations, the loss caused by operator errors is much greater than that caused by attacks.
3. How to Make password login more secure?
(1). Change the default SSH port;
(2). Disable direct root login. {Add a common user and use the root permission before switching}
(3). Only users and IP addresses are allowed to log on to the host.
Method 1:
<Pre name = "code" class = "SQL"> in/etc/hosts. allow adds sshd: 10.10.10.88: allow (here 10.10.10.88 is the ip address you want to allow access to ssh, or a network segment 10.10.10.88/24) in/etc/hosts. added sshd: ALL to deny (it indicates that ALL ip addresses except the ones allowed above refuse to log on to ssh)
Method 2: Modify the sshd_config Parameter
The format is as follows:
Allowusers root@10.10.10.88 root@10.10.10.89 oracle@10.10.10.89
Note: 1. Multiple hosts or users are separated by spaces.
2. In this case, non-10.10.10.88 connections can also be established, and you cannot log on with the correct password.
(4) use the system-layer protection software fail2ban and iptables
Not complete ......