SSH service hardening points
1. Do not use the default port (22).
2. Disable protocol version 1; allow SSH-2 only.
3. Restrict which users may log in: AllowUsers acts as a whitelist.
4. Set an idle-session timeout (ClientAliveInterval together with ClientAliveCountMax).
5. Use the firewall to control which sources may reach the SSH port.
6. Listen only on specific addresses (e.g. the intranet IP), not on every interface.
7. If password authentication must stay enabled, enforce a strong password policy.
8. Prefer key-based authentication.
9. Forbid direct root login (PermitRootLogin no).
10. Limit the rate of login attempts and the number of concurrent sessions.
11. Keep logs, and analyse them regularly.
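To turn the checklist above into something repeatable, the script below audits an sshd_config text against those points. It is an added example, not part of the original notes: the two configs are constructed samples, the OpenSSH defaults written into each check (Port 22, PermitRootLogin prohibit-password, MaxAuthTries 6, LogLevel INFO, and so on) and the threshold of at most 3 authentication attempts are assumptions, and Match blocks are not handled. It also shows a trap the list does not mention: sshd takes the first value of a keyword, so a later "PermitRootLogin no" does nothing if an earlier "yes" exists.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config against the hardening
# checklist. Assumed OpenSSH defaults (7.x or later) are written into each check; Match
# blocks are not handled.
set -eu

# Constructed sample 1: a stock-looking config with the weaknesses the checklist targets.
# Note the second PermitRootLogin line: sshd uses the FIRST value of a keyword, so "no" is dead.
WEAK_CONFIG='
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#ClientAliveInterval 0
PermitRootLogin no
'

# Constructed sample 2: the same file after applying points 1-4, 6 and 8-11 of the list.
HARDENED_CONFIG='
Port 2222
Protocol 2
ListenAddress 10.0.0.5
AllowUsers ops deploy
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxSessions 4
LogLevel VERBOSE
'

# Effective value of a keyword: first non-comment occurrence wins, keywords are
# case-insensitive, and the default ($3) is returned when the keyword is absent.
sshd_value() {   # $1 = config text, $2 = keyword, $3 = sshd default
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v d="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; found = 1; exit }
        END { if (!found) print d }'
}

# One finding per line; prints nothing when the config passes every check.
audit_sshd() {   # $1 = config text
    cfg=$1
    v=$(sshd_value "$cfg" Port 22)
    [ "$v" != 22 ] || echo "Port: default 22 (point 1)"
    v=$(sshd_value "$cfg" Protocol 2)
    case "$v" in *1*) echo "Protocol: $v enables SSH-1 (point 2)";; esac
    v=$(sshd_value "$cfg" AllowUsers "")
    [ -n "$v" ] || echo "AllowUsers: no login whitelist (point 3)"
    v=$(sshd_value "$cfg" ClientAliveInterval 0)
    [ "$v" != 0 ] || echo "ClientAliveInterval: 0, idle sessions never time out (point 4)"
    v=$(sshd_value "$cfg" ListenAddress 0.0.0.0)
    [ "$v" != 0.0.0.0 ] || echo "ListenAddress: listening on all interfaces (point 6)"
    v=$(sshd_value "$cfg" PasswordAuthentication yes)
    [ "$v" = no ] || echo "PasswordAuthentication: $v, keys are not required (points 7-8)"
    v=$(sshd_value "$cfg" PermitRootLogin prohibit-password)
    [ "$v" = no ] || echo "PermitRootLogin: $v, root can still log in directly (point 9)"
    v=$(sshd_value "$cfg" MaxAuthTries 6)
    [ "$v" -le 3 ] || echo "MaxAuthTries: $v attempts per connection (point 10)"
    v=$(sshd_value "$cfg" LogLevel INFO)
    [ "$v" = VERBOSE ] || echo "LogLevel: $v, VERBOSE would record the key fingerprint used (point 11)"
}

echo "== weak config =="
audit_sshd "$WEAK_CONFIG"
echo "== hardened config (no output means clean) =="
audit_sshd "$HARDENED_CONFIG"
```

Point 5 (the firewall policy) is deliberately absent: it lives outside sshd_config. To audit the live file, replace the sample with `audit_sshd "$(cat /etc/ssh/sshd_config)"`, and remember that `sshd -T` prints the effective values after Match processing, which this parser does not do.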
The three components of OpenSSL
openssl: the multi-purpose command-line tool
libcrypto: the cryptographic library (encryption, decryption, hashing, key handling)
libssl: the SSL/TLS protocol implementation

PKI (Public Key Infrastructure)
CA: issues certificates
RA: registers and verifies applicants
CRL: certificate revocation list
Certificate repository (access library): where issued certificates are published for retrieval
Certificate application and signing procedure
1. Generate a certificate request (compare filling in a bank application form).
2. The RA verifies the applicant.
3. The CA signs the certificate.
4. Obtain the certificate (fetched from the CA's certificate repository).
Ways to create a private CA: OpenCA, or openssl directly
Creating a private CA with OpenSSL
Configuration file: /etc/pki/tls/openssl.cnf (its [ CA_default ] section sets dir = /etc/pki/CA and the file paths used below)
1. Create the files the CA needs (in /etc/pki/CA):
   touch index.txt
   echo 01 > serial
2. Generate the CA's self-signed certificate:
   (umask 077; openssl genrsa -out private/cakey.pem 2048)
   openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
   -new: generate a new certificate signing request
   -x509: output a self-signed certificate instead of a request (used for the CA's own certificate)
   -key: the private key to use; the public key placed in the certificate is derived from it
   -out: where to save the result; the paths follow those defined in /etc/pki/tls/openssl.cnf
   (umask 077 makes the private key readable by its owner only)
3. Issue a certificate
   1) On the host that needs the certificate, generate a key and a certificate request:
      (umask 077; openssl genrsa -out /path/to/file.key 2048)
      openssl req -new -key /path/to/file.key -out /etc/file.csr
   2) Transfer the request file to the CA:
      scp file.csr <user>@<CA host>:/tmp
   3) On the CA, sign the request and send the certificate back to the requester:
      openssl ca -in /tmp/file.csr -out /etc/pki/CA/certs/file.crt -days 300
   4) Revoke the certificate ...
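The application/signing procedure and the private-CA steps above, run end to end, as an added example that is not the notes' own commands. It assumes openssl is on PATH, builds the /etc/pki/CA layout under a throwaway directory ($CADIR) with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, passes -subj to avoid the interactive prompts, keeps the requester's files in the same directory instead of using scp, and goes one step beyond the notes by carrying out the revocation step (a CRL is generated and checked). The names "Example Private CA" and www.example.com are made up.

```shell
#!/bin/sh
# Added example (not the notes' own commands): the private-CA procedure end to end.
# Assumes openssl on PATH; everything lives under $CADIR (a temp dir) laid out like
# /etc/pki/CA, with a minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf.
set -eu
CADIR="${CADIR:-$(mktemp -d)}"

# "openssl ca" reads [ ca ] -> [ CA_default ] for the dir/serial/index/key paths;
# this is the part of openssl.cnf the notes refer to.
write_ca_config() {
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CADIR
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 300
default_crl_days = 30
policy           = policy_cn
x509_extensions  = usr_cert
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

create_ca() {
    mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts" "$CADIR/crl"
    : > "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"   # step 1
    write_ca_config
    # step 2: CA key (umask 077 -> mode 0600) and self-signed CA certificate (-x509)
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CADIR/openssl.cnf" -new -x509 -key "$CADIR/private/cakey.pem" \
        -days 7300 -subj "/CN=Example Private CA" -out "$CADIR/cacert.pem"
}
# step 3.1: the requesting host makes its own key and CSR; the private key never leaves it
make_request() {   # $1 = name, used as CN
    (umask 077; openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null)
    openssl req -config "$CADIR/openssl.cnf" -new -key "$CADIR/$1.key" -subj "/CN=$1" -out "$CADIR/$1.csr"
}
# step 3.3: the CA signs (3.2, scp to the CA, is skipped: same directory here).
# -batch answers the y/n prompts; the cert is recorded in index.txt and newcerts/.
sign_request() {   # $1 = name
    openssl ca -config "$CADIR/openssl.cnf" -batch -days 300 -in "$CADIR/$1.csr" \
        -out "$CADIR/certs/$1.crt" 2>/dev/null
}
# step 4: revoke (the index.txt entry becomes R) and publish a CRL for relying parties
revoke_cert() {    # $1 = name
    openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/certs/$1.crt" 2>/dev/null
    openssl ca -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/crl/crl.pem" 2>/dev/null
}
# chain check only, as a client without CRL access does: OK or FAIL
verify_cert() {    # $1 = name
    if openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/$1.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}
# chain check plus CRL: OK or REVOKED
verify_with_crl() {   # $1 = name
    if openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl/crl.pem" \
           "$CADIR/certs/$1.crt" >/dev/null 2>&1
    then echo OK; else echo REVOKED; fi
}

run_demo() {
    create_ca
    make_request www.example.com
    sign_request www.example.com
    echo "after signing:    $(verify_cert www.example.com)"
    revoke_cert www.example.com
    echo "plain verify:     $(verify_cert www.example.com) (a revoked cert still chains)"
    echo "verify with CRL:  $(verify_with_crl www.example.com)"
    echo "CA files are in $CADIR"
}
if command -v openssl >/dev/null 2>&1; then run_demo; fi
```

The last two lines of output are the practical lesson of step 4: revocation changes nothing for a client that only checks the chain against cacert.pem; the CRL (or OCSP) has to be published and actually consulted, otherwise the "revoked" certificate keeps working.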
02. sshd and OpenSSL knowledge points under Linux