CentOS SSH Configuration method under the detailed

Source: Internet
Author: User
Tags sessions ssh centos port number ssh port dns spoofing


SSH is an abbreviation for secure Shell, developed by the IETF Network Working Group (Network Working Group), SSH for security protocols based on the application and transport layers.

Traditional network service programs, such as FTP, pop, and telnet, are inherently unsafe because they transmit data, user accounts, and user passwords in clear text on the network, and are vulnerable to man-in-the-middle (man-in-the-middle) attacks. Is that there is another person or a machine posing as a real server to receive data from a user to the server, and then passing the data to the real server as a user.

SSH is now a more reliable protocol for providing security for Telnet sessions and other network services. The SSH protocol can effectively prevent the information leakage problem in the process of remote management. Through SSH, all transmitted data can be encrypted, as well as to prevent DNS spoofing and IP spoofing.

System and Version: CentOS release 5.3 (Final)

Installing SSH

Yum Install SSH

Start SSH

Service sshd Start
To set up the startup operation


Chkconfig sshd on

Modification of SSH related configuration file

First modify the SSH configuration file. As follows:


[Root@sample ~]# vi/etc/ssh/sshd_config← to open SSH configuration file with VI

#Protocol 2,1← Find this line to remove the wardrobe "#" and then delete the end of ", 1", only allow the SSH2 way of the connection
 
Protocol 2← changed to this state, using only SSH2

#ServerKeyBits 768← Find this line, remove the "#" from the beginning and change 768 to 1024.
 
Serverkeybits 1024← changed to this state, the Serverkey strength changed to 1024 bits

#PermitRootLogin yes← Find this line, remove the "#" from the beginning and change Yes to No
 
Permitrootlogin no← changed to this state, not allowed to log on with root

#PasswordAuthentication yes← Find this line, change Yes to No
 
Passwordauthentication no← changed to this state, password not allowed to login

#PermitEmptyPasswords no← found this line to remove the "#" of the wardrobe, do not allow null password login
 
Permitemptypasswords no← changed to this state, no null password to log on

Then save and exit. (vi Save the Exit command for ZZ)

Because we just want SSH services to be convenient for the management system, in the case of remote management system without the extranet, only intranet clients are allowed to log on to the server via SSH to minimize unsafe factors. Set the method as follows:


[Root@sample ~]# vi/etc/hosts.deny← Modify the Mask rule to add the corresponding line at the end of the text

#
# Hosts.deny This file describes the names of the hosts which are
# *not* allowed to with the local INET services, as decided
# by the '/USR/SBIN/TCPD ' server.
#
# The Portmap line is redundant, but it are left to remind
# The new secure Portmap uses Hosts.deny and Hosts.allow. In particular
# You should know that NFS uses portmap!

sshd:all← Add this line to mask all SSH connection requests

[Root@sample ~]# vi/etc/hosts.allow← Modify the Allow rule to add the corresponding line at the end of the text

#
# Hosts.allow This file describes the names of the hosts which are
# allowed to with the local INET services, as decided
# by the '/USR/SBIN/TCPD ' server.
#

sshd:192.168.0. ← Add this line, only allow SSH connection requests from intranet

NETSTAT-TUNLP View the running port number!vim/etc/ssh/sshd_config This file, here is the #port 22 this field in front of the # Remove, and then change 22 to their own port on the line, and then restart the SSH service. /etc/init.d/sshd Restart if you want to restrict SSH login IP, you can do the following: Modify the/etc/hosts.deny, in which add Sshd:all Modify:/etc/hosts.allow, in which the following settings : sshd:192.168.0.24 This will limit the 192.168.0.241 IP access to the Linux machine via SSH

SSH Remote Connection Configuration


1. Configure IP

#setup

Select Network Configuration

Select Device Configuration

Select Eth0

Use DHCP [*] to [] with the space bar will * remove

Static IP Input 192.168.1.112

Netmask input 255.255.255.0

Default Gateway IP Input 192.168.1.1

Primary DNS Server Input 192.168.1.1


2. Change SSH port

Vim/etc/ssh/sshd_config

#Port 22

Go to # Note Change 22 to 2200 (2000 above)

3. Reboot SSH

/etc/init.d/sshd restart

4. Restart Network

Service Network restart

Or

/etc/init.d/network restart

5. View Port

Netstat-lnp|more

6. Off the firewall

/etc/init.d/iptables stop

Start SSH

/etc/init.d/sshd start

SSH is now ready to connect.

Enter Connection IP

Configure related parameters

Select Utf-8 Support Chinese display

Automatically enter login user root

You can connect to the server after you enter a user name

But at present our SSH connection also needs to enter the password, below will introduce uses the key to connect, eliminates the input password the annoyance:

1, in the management of the machine to produce the key

[Root@localhost ~]# Mkdir/root/.ssh
[Root@localhost ~]# ssh-keygen-t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # #直接回车默认路径
Enter passphrase (empty for No passphrase): # #输入密码短语
Enter same passphrase again: # #重复密码短语
Your identification has been saved In/root/.ssh/id_rsa. # #如果在这里报错是因为SeLinux引起的按照Policy: Yum install Selinux-policy
Your public key has been saved in/root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:76:71:1e:51:fe:3b:4c:51:30:b2:90:55:e9:58:7c Root@localhost.localdomain
The key ' s Randomart image is:
+--[RSA 2048]----+
| . ooo+o |
| ... o+. E |
| o.+ O |
| . o O |
| S. ... |
| .. o O |
| .+ .   O. |
|   ... . +    |
|   ...       . |
+-----------------+

2, Putty production key

Open Puttygen, if not the program can be downloaded to the official website of Putty.

Click the Generate button after the following figure, in the red box constantly moving the mouse know key generation complete

Click the Generate button after the following figure, in the red box constantly moving the mouse know key generation complete

The red box above is our generated public key, which is used on the managed server, and the private key on its own machine.

Key comment is a memo information, if it is an enterprise environment then there will be a lot of public key on a machine, in order to identify the words will generally according to each person to define a note.

You can use the mailbox or work number, input key comment First copy the public key, and click on the Saved and Saved Private key to save two keys

Then open the key Agent tool Pageant.exe (also available on Putty's website), using Pageant.exe has a great advantage, if you also need to use the other putty tools so they can share key authentication, without the need to repeatedly set the key.

The taskbar's Pageant.exe icon right-click the view keys to open the following window.

Click Add key to add the private key you just saved.

3. Managed secret key deployment

Copy the id_rsa.pub just produced on the management machine into Authrized.keys

[Root@localhost. ssh]# CP id_rsa.pub Authrized.keys
[Root@localhost. ssh]# chmod Authrized.keys # #这一步是必须的, otherwise the connection is not modified Vi/root/.ssh/authrized.keys delete the original key, add Puttygen.exe The production key (that is, the previously replicated public key)


Sh-rsa aaaab3nzac1yc2eaaaabjqaaaieah+gdpvsniwbhzvmhs240aouenhigdhhczq/fhin/ idaqvdh7ovw2pnj4sd6so0kqcizsu7fou2rvak7vhc3qrrymeqn94v595pyglnmcbted7onew47tu8wjtdldbc7liemktvidkcbbrzqa372/ U2lsjkldu2buixkevlngnuc= Hellwen.wu
~
~
~
~ Save exit.

4, open Putty Login

Pay attention to the red part of the picture, if you are often connected to the machine. It is recommended to enter IP and configure to saved sessions and then enter the identification name and click the Save button, so in the list box will retain the server's connection configuration for a long time.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.