CentOS Learning Note--ssh

Configuring SSH

With the network SSH service is open by default, you can test with the client, if not open using the following command:

[[Email protected] ~] # /etc/init.d/sshd Restart stopping sshd:                         [  OK  ] activating sshd:                         [  OK  ]# can also use service sshd restart

(The following is taken from the bird Brother's Linux private dishes-Server Erection Chapter 11th, remote online server SSH/XDMCP/VNC/RDP)

sshd Server Detail Settings

Basically, all the sshd server details are placed in the/etc/ssh/sshd_config! However, the default settings for each Linux distribution are not the same, so it is necessary to understand the meaning of the whole set value! Also note that in a preset file, as long as it is a preset to appear and the annotated Set value (set value preceded by #), that is "default value!" "You can modify the mile according to it."

[[Email protected] ~]#Vim/etc/ssh/sshd_config#1. About the overall settings of SSH Server, including the use of the port, and the use of the password calculation method#Port#SSH Presets Use 22 This port, you can also use multiple ports, that is, re-use port this setting item! #For example, if you want to open sshd at 22 and 443, add a line with the following: "Port 443"#then restart sshd so that's good! However, it is not recommended to modify port number! Protocol2#Choose the SSH protocol version, either 1 or 2, and the CentOS 5.x presets are only supported for V2. #If you want to support older versions of V1, you'll need to use "Protocol 2,1". #listenaddress 0.0.0.0#Monitor the host adapter! For example, if you have two IPs, 192.168.1.100 and#192.168.100.254, let's say you just want 192.168.1.100 to be able to listen to sshd, so write:#the "listenaddress 192.168.1.100" default is the SSH requirement to listen on all interfaces#Pidfile/var/run/sshd.pid#can place SSHD this PID file! The above is the default value#Logingracetime 2m#when the user connects to SSH Server, a screen for entering the password will appear, in which#How long does it take to connect to SSH server without success? If no unit then the default time is seconds! #Compression Delayed#specifies when to start the transfer using compressed data mode. Yes, no and data compression only after login (delayed)#2. Description of the host's Private Key placed files, preset to use the following files can! #Hostkey/etc/ssh/ssh_host_key # SSH version 1 using the private key#Hostkey/etc/ssh/ssh_host_rsa_key # RSA private key used by SSH version 2#Hostkey/etc/ssh/ssh_host_dsa_key # The DSA private key used by SSH version 2#remember what we talked about in the SSH online process of the host, this is host Key ~#3. The name of the message data placed with daemon on the login file! syslogfacility Authpriv#when someone uses SSH to log into the system, SSH logs the information, which is to be recorded in what daemon name#underneath? Presets are set by AUTH, that is,/var/log/secure inside! What the? Forget it! #go back to the Linux basics and flip it over. The other available daemon name is: Daemon,user,auth,#LOCAL0,LOCAL1,LOCAL2,LOCAL3,LOCAL4,LOCAL5,#LogLevel INFO#log in to record level! Hey! Any message! The same, forget to go back to the reference! #4. Security Settings Items! Extremely important! #4.1 Log in to the Settings section#Permitrootlogin Yes#allow root to log in! Presets are allowed, but are recommended to be set to no! #Strictmodes Yes#whether to let sshd to check the user home directory or the relevant file permissions data,#This is to worry that the user will be wrong about the permissions of certain important files, which may cause some problems. #For example, the user's ~.ssh/permission is set wrong, in some special cases will not allow users to login#pubkeyauthentication Yes#authorizedkeysfile. Ssh/authorized_keys#allows users to log on themselves using a paired key system for version 2 only. #As for the home-made public key data is placed in the user's home directory. Ssh/authorized_keys insidepasswordauthentication Yes#password verification is of course needed! So write Yes here! #Permitemptypasswords No#If the above item is set to Yes, this one is best set to No,#This item is allowed to log in with an empty password! Of course not! #4.2 Certification Section#rhostsauthentication No#the native system does not use the. rhosts because only the. Rhosts is not safe, so be sure to set it to no#ignorerhosts Yes#do you want to cancel using ~/.ssh/.rhosts for certification? Of course it is! #rhostsrsaauthentication No ##This option is intended for version 1, using the rhosts file in/etc/hosts.equiv#with RSA calculus method to authenticate! Do not use Ah! #hostbasedauthentication No#this project is similar to the above project, but it is used for version 2! #ignoreuserknownhosts No#do you want to ignore the contents of the host in the home directory ~/.ssh/known_hosts this file? #of course don't ignore, so here is no! challengeresponseauthentication No#Allow any password authentication! Therefore, any login.conf stipulated authentication method, all can apply! #But at the moment we prefer to use the PAM module to help manage certification, so this option can be set to No Oh! Usepam Yes#using PAM to manage user authentication has many benefits that can be documented and managed. #So here we suggest you use Usepam and challengeresponseauthentication set to No 　 #4.3 parameter settings related to Kerberos! Because we don't have a Kerberos host, there's no setting underneath! #kerberosauthentication No#kerberosorlocalpasswd Yes#Kerberosticketcleanup Yes#kerberostgtpassing No 　 #4.4 Below is the relevant settings for use under X-window! x11forwarding Yes#X11displayoffset Ten#X11uselocalhost Yes#The more important is the X11forwarding project, he can let the window data through the SSH channel to transmit Oh! #This is discussed later in this chapter to compare advanced SSH usage methods. #4.5 Post-entry items:#PRINTMOTD Yes#does it show some information after logging in? For example, the last time you logged in, the location, etc., the preset is Yes#That is to print out the contents of the/etc/motd file. However, if you want to be safe, consider changing to No! #Printlastlog Yes#show the last login information! Yes, you can! Presets are YES! #tcpkeepalive Yes#when the connection is reached, the server will always send a TCP packet to the client to determine whether the other type has been online. #However, if the middle router temporarily stops the service for a few seconds when it is online, it will also let the online interrupt Oh! #in this case, any end of the dead, SSH can immediately know! And there's no zombie program happening! #But if your network or router is often unstable, you can set it to No! useprivilegeseparation Yes#whether a lower-privileged program provides user action. We know that sshd is booting in Port#so the program that starts is the identity of root. So when the student is logged in, this setting value#will let sshd produce an sshd program belonging to Sutdent to use, the system is more securemaxstartups10#also allow several online images that are not yet logged in? When we connect to SSH but have not yet entered the password,#This time is what we call the online screen! In this online screen, in order to protect the host,#so you need to set the maximum value, preset up to 10 online screen, and has been established online not counting in these 10#4.6 setting items for user resistance:Denyusers *#set the name of the user who is being resisted, and if it is all the users, that is all the stops! #If you are a part of the user, you can fill in this account! For example, the following! denyusers testdenygroups Test#Same as Denyusers! Resist just a few groups! #5. About the SFTP service and other setting items! Subsystem sftp/usr/lib/ssh/sftp-Server#Usedns Yes#in general, in order to determine the client source is normal and legitimate, it will use DNS to reverse the client's host name#However, if it is interconnected in the intranet, this project is set to No will make online faster. 

Basically, the CentOS preset sshd service is pretty safe, but it's not enough! It is recommended that you (1) cancel the login permission of root and (2) set the SSH version to 2. Other sets of values please follow your own preferences to set. It is usually not recommended to make any changes! In addition, if you modify the above file (/etc/ssh/sshd_config), then you will need to restart the sshd this daemon!

Easy and safe setting

To be honest, everyone is deceived by "SSH is a safe service"! In fact, sshd is not how safe! Open OpenSSH's past history, it is true that many people are using the SSH program vulnerability to get the remote host root permissions, further black off the other side of the host! So it's not safe to tell the truth about this stuff!

The so-called "security" of sshd actually means "sshd data is encrypted, so his data is more secure when it is passed over the Internet." As for sshd, the service itself is not so safe! So said: "Not necessary, do not put sshd access to the Internet can be logged in, as far as possible limited to a few small range of IP or host name!" It's very important, oh!

Well, is there anything worth noting about the safety setting? Of course there is! We can suggest a few projects first! The following three aspects can be carried out separately:

• Server Software self-setting hardening:/etc/ssh/sshd_config
• Use of TCP wrapper:/etc/hosts.allow,/etc/hosts.deny
• Use of iptables: Iptables.rule, Iptables.allow

Server Software self-setting hardening:/etc/ssh/sshd_config

In general, the default project for this file is already complete! So, in fact, it is not necessary to change his! However, if you have some user concerns, then you can fix some of these problems!

• Disable Root This account use sshd service;
• Prohibit NOSSH users of this group from using SSHD services;
• Prohibit testssh This user to use SSHD service;

In addition to the above account, other users can use the system normally. Now brother Bird assumes that your system has sshnot1, Sshnot2, sshnot3 join NOSSH Group, while the system also has testssh, student and other accounts. Related account processing please refer to the basic article to set, the bottom is only to list the focus of observation:

# 1. Would you like to see if the required accounts exist? [[email protected] ~]# for user in sshnot1 sshnot2 sshnot3 testssh student; Do > ID $user | Cut-d '-f1-3; doneuid=507 (SSHNOT1) gid=509 (sshnot1) groups=509 (SSHNOT1), 508 (NOSSH) uid=508 (sshnot2) gid=510 (sshnot2) groups=510 ( SSHNOT2), 508 (NOSSH) uid=509 (SSHNOT3) gid=511 (SSHNOT3) groups=511 (SSHNOT3), 508 (NOSSH) uid=511 (testssh) gid=513 ( TESTSSH) groups=513 (TESTSSH) uid=505 (student) gid=506 (student) groups=506 (student) # If the above account does not exist on your system, please build it yourself! Uid/gid and bird Brother's different also does not matter! # 2. Modify sshd_config and restart sshd! [[email protected] ~]# vim/etc/ssh/sshd_configpermitrootlogin no <== about on line 39th, please take out the annotations and modify them so denygroups Nossh < = = Underneath these two lines can be added to the last side of the file denyusers testssh[[email protected] ~]#/etc/init.d/sshd restart# 3. Test and observe the relevant account log in the situation! [[email protected] ~]# ssh [email protected] <== and please enter the correct password [[email protected] ~]# tail/var/log/ Securejul 13:14:05 www sshd[2039]: Pam_unix (Sshd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root# you will find this error message, not password input error. [[email protected] ~]# ssh [email protected] <== and please enter the correct password [[email protected] ~]# tail/var/log/ Securejul 13:15:53 www sshd[2061]: User sshnot1 from localhost not allowed Becausea group are listed in Denygroups[[emai L protected] ~]# ssh [email protected] <== and please enter the correct password [[email protected] ~]# Tail/var/log/securejul 25 13:17:16 www sshd[2074]: User testssh from localhost to allowed because listed in Denyusers

From the above results, you will find that different login accounts will produce the same results. Therefore, when you are always unable to use SSH login to a certain host, remember to go to the server to check the login file, it might be a smooth way to let you solve the problem! On top of our test machine, please release root login!

/etc/hosts.allow and/etc/hosts.deny

For example, if your sshd only wants to log on to the host source in the local and local network, then do this:

Iptables Packet filtering Firewall

Several layers of protection is also very good! So you can also use Iptables Oh! Reference: The Nineth chapter, the firewall and the NAT server in the actual script, you should in the Iptables.rule Port 22 release function to cancel, and then to iptables.allow inside add this line:

[Email protected] ~]# vim/usr/local/virus/iptables/iptables.allowiptables-a input-i $EXTIF-S 192.168.1.0/24-p TCP-- Dport 22-j acceptiptables-a input-i $EXTIF-S 192.168.100.0/24-p TCP--dport 22-j accept[[email protected] ~]#/usr/l Ocal/virus/iptables/iptables.rule

When the above method is finished, if you are still a test machine, then remember to restore the set value back yo! Finally, "Brother Bird appealed to everyone, do not open SSH login permissions to all the Internet host ~" This is very important oh ~ because if the other side can SSH into your host, then ... It's too dangerous ~

Source: >

CentOS Learning Note--ssh