5 ways to improve SSH server security

Yesterday from OneNote turned out after the installation of VirtualBox ... Also by the way of marking this article, today, edited to share with you:

1, prohibit sshd listening port

2, prohibit root login, limit only certain accounts can log in

3. Use denyhosts or Fail2ban to protect sshd services

4. Use secret key to sign in

5, not every server is open sshd port

Operating Environment: Redhat/centos/fedora

1. Change the sshd listening port

I. Modifying the configuration file implementation

The code is as follows	Copy Code
[root@itchenyi-01~] #cat/etc/ssh/sshd_config|grep "#Port" #Port22222 [root@itchenyi-01~] #servicesshdrestart Stoppingsshd:[ok] Startingsshd:[ok]

Second, modify the firewall portforwarding settings

1. Log in to the Firewall Web admin interface, or go through the Telnet protocol

2. Modify the nat/portforwarding settings, change the Publicport to 22222,privateport is still 22

3. Save Rules

Note: This law is based on NAT, its port number can be freely selected, not conflict, which is to avoid harassment of a very effective way.

2, prohibit root login, limit only some account can log in

The code is as follows	Copy Code
[root@itchenyi-01~] #vi/etc/ssh/sshd_config Permitrootloginno Allowuserschenyiitchenyichenyia

#完事重启服务即可

Note: To avoid the root account is cracked, the general need to form a "general account login" habit; only allow SSH operation of the account to join more secure, but note that multiple account needs to be separated between the space, the wrong can only console to the physical machine up to play.

3. Use denyhosts or Fail2ban protection sshd service

Install the denyhosts on the CentOS6

The code is as follows	Copy Code
#略过具体演示 Step1. Install epelrepos# Step2. [root@itchenyi-01~] #yum-yinstalldenyhosts Step3. [root@itchenyi-01~] #chkconfigdenyhostson &&servicedenyhostsstart

Configuration file path:/etc/denyhosts.conf,/etc/sysconfig/denyhosts

Install the Fail2ban on the CentOS6

The code is as follows	Copy Code
Step1. Install Epelrepos Step2. [root@itchenyi-01~] #yum-yinstallfail2ban Step3. [root@itchenyi-01~] #chkconfigfail2banon &&servicefail2banstart Configuration file path:/etc/fail2ban/*

Note: If you have changed the sshd port, you need to change the PORT=SSH to a custom port in the/$fail 2ban (Path)/jail.conf, and the denyhosts and Fail2ban of the default settings are for sshd.

4. Use secret key to sign in

Configuration file:

The code is as follows	Copy Code
#vi/etc/ssh/sshd_config #禁止密码登入 Passwordauthenticationno or www.111cn.net #限制某些账户必须使用秘钥登录 Passwordauthenticationyes Matchuserusera,userb Passwordauthenticationno

Using secret key to avoid password leakage and safe, but need to take good care of the private key

Reference article: Configuring Linux server SSH remote key login

5, do not give every server to open the sshd port

Even if you change the sshd listening port, there is a risk of intrusion as long as it is exposed to the Internet, so unless necessary, it is not recommended that each server open the Internet login sshd, open only one server as a springboard, restrict the link logon IP source, or VPN service, are more of a safe approach.