Linux server: CentOS 6.2
Desktop environment: Windows 7
Connection tool: PuTTY
1. Modify the SSH configuration file
vi /etc/ssh/sshd_config: change the port, disable root login, and add an allowed-user list.
The code is as follows:
Port 2345
PermitRootLogin no
AllowUsers gino
(sshd_config keywords are case-insensitive, but their arguments are not: the OpenSSH 5.3 shipped with CentOS 6 rejects "PermitRootLogin No" and refuses to start, and Linux user names are case-sensitive, so "Gino" would not match the account "gino". Run sshd -t to syntax-check the file before restarting.)
2. Modify iptables
vi /etc/sysconfig/iptables: copy the port 22 ACCEPT rule and change the port, keeping the new rule above the final REJECT rule of the INPUT chain:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2345 -j ACCEPT
3. Modify the SELinux port context (critical)
With SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so the new port has to be labelled as well or sshd will fail to bind:
semanage port -a -t ssh_port_t -p tcp 2345
4. Restart the SSH service
/etc/init.d/sshd restart
At this point the SSH service has moved to port 2345 and only the user gino can log in, which improves security. Keep the existing PuTTY session open and confirm that a fresh connection on port 2345 works before closing it.
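The three sshd_config settings above are easy to get wrong in ways that only show up after the restart (a capitalised argument, a forgotten second Port line, a setting placed below a Match block). The following shell script, an added example that is not part of the original post, audits an sshd_config file for them the way sshd reads it: keywords case-insensitively, Port cumulatively, other keywords first-value-wins, and nothing below a Match line. The sample configs it writes are constructed for the demo, not real files; the user name gino is the one used above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# three settings of this procedure (non-default Port, PermitRootLogin no,
# AllowUsers). Only POSIX sh and awk are needed, so it runs on CentOS 6 or
# any modern box. The "Key=value" spelling and Match blocks are not evaluated.

# Print every active value of a keyword, in file order, stopping at the first
# Match block (settings below it are conditional). Keywords are matched
# case-insensitively, as sshd does; comment and blank lines are skipped.
sshd_opt_all() {
    awk -v key="$2" '
        tolower($1) == "match"         { exit }
        /^[ \t]*#/ || /^[ \t]*$/       { next }
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", v)   # drop the keyword
            sub(/[ \t]+$/, "", v)
            print v
        }' "$1"
}

# For keywords where sshd keeps the first value it sees (PermitRootLogin etc.).
sshd_opt() {
    sshd_opt_all "$1" "$2" | head -n 1
}

# Audit one file; prints one line per check and returns 1 if any check fails.
sshd_audit() {
    f=$1; rc=0
    # Port is cumulative: every active Port line is listened on, and with no
    # Port line at all sshd listens on 22.
    ports=$(sshd_opt_all "$f" Port | tr '\n' ' ')
    [ -z "$ports" ] && ports="22 "
    case " $ports" in
        *" 22 "*) echo "FAIL: sshd still listens on port 22 (Port: $ports)"; rc=1 ;;
        *)        echo "ok:   Port $ports" ;;
    esac
    prl=$(sshd_opt "$f" PermitRootLogin)
    case "$prl" in
        no) echo "ok:   PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin not set; the compiled-in default applies (yes on OpenSSH 5.3, prohibit-password on 7.0+)"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $prl (the argument must be lowercase 'no'; OpenSSH 5.3 compares it case-sensitively)"; rc=1 ;;
    esac
    users=$(sshd_opt_all "$f" AllowUsers | tr '\n' ' ')
    if [ -n "$users" ]; then echo "ok:   AllowUsers $users"
    else echo "FAIL: no AllowUsers line; every account with a shell may log in"; rc=1; fi
    return $rc
}

# Constructed samples (not real files): a stock-looking config and the
# hardened one from the procedure, with a Match block to show it is skipped.
write_sample_default() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}
write_sample_hardened() {
    cat > "$1" <<'EOF'
Port 2345
Protocol 2
PermitRootLogin no
AllowUsers gino
ClientAliveInterval 600
ClientAliveCountMax 0
Match Address 192.168.1.0/24
    PermitRootLogin yes
EOF
}

# Demo: audit the two constructed samples (the default one is expected to fail).
demo_sshd_audit() {
    d=$(mktemp -d) || return 1
    write_sample_default "$d/default"; write_sample_hardened "$d/hardened"
    for f in default hardened; do
        echo "== $f"; sshd_audit "$d/$f" || echo "   ($f is not hardened)"
    done
    rm -rf "$d"
}
demo_sshd_audit
```

Run it as a script, or source it and point sshd_audit at /etc/ssh/sshd_config directly; it only reads. It complements sshd -t, which checks syntax but says nothing about policy.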
Appendix: semanage
1. Install semanage. CentOS does not ship this command by default, so first find out which package provides it:
yum provides /usr/sbin/semanage
and then install that package:
yum -y install policycoreutils-python
2. Use semanage for port contexts, for example to view the SSH ports:
semanage port -l | grep ssh
which should give the following result:
ssh_port_t                     tcp      2345, 22
This can also be verified with netstat:
netstat -tulpn | grep 2345
At this point the SSH adjustment is complete. The SELinux port-context mechanism is not yet well understood here and needs further study.
Method for modifying the default remote port
Objective: change the default SSH remote connection port to 2222
The method is as follows:
1. Edit the firewall configuration: vi /etc/sysconfig/iptables
Add the new port 2222 to the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
======================================================================
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The 2222 rule sits above the REJECT line; a rule placed below it would never be reached. Chain names (INPUT, FORWARD) are case-sensitive, so lowercase spellings make iptables-restore fail.
Restart the firewall for the configuration to take effect:
/etc/init.d/iptables restart
or equivalently: service iptables restart
=======================================================================
2. Back up the SSH configuration files
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Change the SSH port to 2222:
vi /etc/ssh/sshd_config
Add "Port 2222" below the "#Port 22" line. While testing you can keep "Port 22" as a second active line, since sshd listens on every Port line it finds.
vi /etc/ssh/ssh_config
Add "Port 2222" below the "#Port 22" line. (ssh_config is the client-side file: this only makes the ssh command on this server default to port 2222 for outgoing connections. It is not needed for accepting connections, and it makes ssh to other hosts that still use port 22 fail unless you pass -p 22.)
Restart: /etc/init.d/sshd restart
or equivalently: service sshd restart
After confirming that a new connection on port 2222 works, go back through the steps above and remove the port 22 entries from iptables and sshd_config. SSH then accepts connections only on port 2222, which improves the security of the system.
=======================================================================
3. Prohibit root from logging in remotely via SSH
vi /etc/ssh/sshd_config
Find PermitRootLogin, remove the leading comment # and change yes to no, so that root can no longer log in remotely.
Log in with a regular account and use su - to switch to root when root privileges are needed.
=======================================================================
4. Restrict which users may log in via SSH
Suppose only root, user1 and user2 should be able to use the system via SSH; add the following to the sshd_config file:
vi /etc/ssh/sshd_config
AllowUsers root user1 user2
(Any account not listed is refused even with the correct password. With PermitRootLogin no in effect, listing root here changes nothing: root still cannot log in directly.)
=======================================================================
5. Configure an idle-timeout interval
A user logged in via SSH can be given an idle timeout. Open the sshd_config file and set the following:
vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0
This sets an idle timeout of 600 seconds (10 minutes): on the OpenSSH 5.3 shipped with CentOS 6, a session from which the server has received nothing for that long is disconnected (the user is logged off).
Note that since OpenSSH 8.2 a ClientAliveCountMax of 0 disables disconnection entirely instead, and with any positive count the mechanism only detects dead peers, because a live client answers the keepalive probes. On current versions use the shell's TMOUT variable for a true idle logout.
=======================================================================
6. Allow only one IP address to log in via SSH
vi /etc/hosts.deny and add: sshd: ALL
vi /etc/hosts.allow and add: sshd: 192.168.1.1 # (allow only the IP 192.168.1.1 to log in via SSH)
Finally restart the SSH service: /etc/init.d/sshd restart
(TCP wrappers consult hosts.allow before hosts.deny, so the allow entry wins for 192.168.1.1 and everyone else is refused. The files are re-read on every connection, so the restart is not strictly required. This works only because the CentOS 6 sshd is built with libwrap; OpenSSH 6.7 and later dropped TCP wrappers support, so on newer systems use iptables or the AllowUsers user@host form instead.)
Giving a normal user root permissions
1) Enter superuser mode: type "su -", enter the root password when prompted, and you are now root. (Or log in as root directly.)
2) Add write permission to the file: "chmod u+w /etc/sudoers".
3) Edit /etc/sudoers: run "vim /etc/sudoers", press "i" for insert mode, find the line "root ALL=(ALL) ALL" and add "xxx ALL=(ALL) ALL" below it (xxx is your user name), then save and exit (press ESC and type ":wq").
4) Remove the write permission again: "chmod u-w /etc/sudoers".
The safer way to do steps 2 to 4 is the single command "visudo": it opens the file with the right permissions and refuses to save a syntactically broken sudoers, which with plain vim would lock everyone out of sudo. Note also that "xxx ALL=(ALL) ALL" lets the user become root outright with sudo -i, so this hands over full root rather than a reduced privilege.