2018-10-11
1. Disable SSH root login
Edit the SSH configuration file /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
PermitRootLogin yes    # remove the leading # from this line and change yes to no
Restart SSH
systemctl restart sshd
2. Add an ordinary user and grant it privileges
Create a user group
groupadd groupname
Add the user and specify its group
useradd -g groupname username
Or use the default group
useradd username
Set the user's password
passwd username
Restrict the user's permissions
visudo
Add at the last line:
username ALL=(root) /usr/bin/*,!/usr/bin/passwd [A-Za-z]*
Note: ALL=(root) means that (as with su) the user can only switch to the root user; after it comes the comma-separated list of the user's permissions. /usr/bin/* allows the basic commands to be executed, /usr/local/elasticsearch-2.4.4/* is my own Elasticsearch path with full permissions, and !/usr/bin/passwd [A-Za-z]* means the user cannot change the password of any user other than themselves.
3. Lock a user after N failed logins and deny login for a period of time
Add the line directly under #%PAM-1.0, that is, as the second line. It must be placed at the front: if it is placed at the end, the user is still locked, but as long as the user enters the correct password they can still log in!
vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time= even_deny_root root_unlock_time=
Explanation of each parameter:
even_deny_root: also restricts the root user;
deny: sets the maximum number of consecutive failed logins for ordinary users and root; once it is reached, the user is locked;
unlock_time: how long an ordinary user stays locked before being unlocked, in seconds;
root_unlock_time: how long the root user stays locked before being unlocked, in seconds;
The pam_tally2 module is used here; if pam_tally2 is not supported, the pam_tally module can be used instead. In addition, the settings may differ between PAM versions, so refer to the usage rules of the relevant module for your version.
Once this is done, you can log in to the server as an ordinary user, and the server's security level is relatively improved.
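The two ordering pitfalls above (sshd uses the first PermitRootLogin it finds; pam_tally2 must be the first auth line) are easy to get wrong by hand. The script below is an added example, not part of the original post: two audit functions that check a given sshd_config and /etc/pam.d/sshd for those conditions, run here against constructed sample files.

```shell
#!/bin/sh
# Audit helpers for the settings this page changes (added example).
# Each function takes a file path, so it can be pointed at the constructed
# samples below or at the real /etc/ssh/sshd_config and /etc/pam.d/sshd.

# sshd honours only the FIRST uncommented occurrence of a keyword (Match
# blocks are ignored here), so a later "PermitRootLogin no" does nothing
# if an earlier line says "yes", and the shipped "#PermitRootLogin yes"
# is a comment, not a setting. Returns 0 only for an explicit "no".
root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# PAM walks the auth stack in order; password-auth ends in a "sufficient"
# pam_unix.so, so a pam_tally2 line placed after "auth include
# password-auth" is skipped whenever the password is correct. This is the
# ordering problem the page warns about. Returns 0 when the first auth
# line loads pam_tally2.so.
tally2_is_first_auth() {
    first=$(awk '$1 == "auth" { print; exit }' "$1")
    case "$first" in
        *pam_tally2.so*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed sample files mirroring correct and incorrect edits.
tmp=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/sshd_good"
printf 'PermitRootLogin yes\nPermitRootLogin no\n'  > "$tmp/sshd_bad"   # first wins
printf '#%%PAM-1.0\nauth required pam_tally2.so deny=3\nauth include password-auth\n' > "$tmp/pam_good"
printf '#%%PAM-1.0\nauth include password-auth\nauth required pam_tally2.so deny=3\n' > "$tmp/pam_bad"

for f in sshd_good sshd_bad; do
    root_login_disabled "$tmp/$f" && r=PASS || r=FAIL
    echo "$f: PermitRootLogin effectively disabled: $r"
done
for f in pam_good pam_bad; do
    tally2_is_first_auth "$tmp/$f" && r=PASS || r=FAIL
    echo "$f: pam_tally2 is the first auth line: $r"
done
rm -rf "$tmp"
```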
CentOS 7 SSH Login security issue