CentOS Study Notes: SSH
Configure SSH
On CentOS the sshd service is normally enabled by default, so you can test it from a client straight away. If it is not running, start it with the following command:

```
[root@www ~]# /etc/init.d/sshd restart
Stopping sshd:    [  OK  ]
Starting sshd:    [  OK  ]
# You can also use: service sshd restart
```
(The following is taken from VBird's Linux Private Kitchen (鳥哥的 Linux 私房菜), server setup edition, Chapter 11: remote connection servers SSH/XDMCP/VNC/RDP.)
sshd server detailed settings
Almost all of the detailed settings of the sshd server live in /etc/ssh/sshd_config. However, the preset values differ from one Linux distribution to another, so it is worth understanding the meaning of every setting. Note that in the default file, a setting that appears commented out (with # in front of it) is the "default value"; you can modify it from there.
```
[root@www ~]# vim /etc/ssh/sshd_config
# 1. Overall settings of the SSH server: the port used, the protocol version, and so on
#Port 22              # SSH uses port 22 by default. You can also use several ports, simply
                      # by repeating the Port directive. For example, to run sshd on 22 and
                      # 443, add a line "Port 443" and restart sshd. Changing the port
                      # number is not recommended, though.
Protocol 2            # SSH protocol version, 1 or 2. CentOS 5.x supports only V2 by default.
                      # To also support the old V1 you must write "Protocol 2,1".
#ListenAddress 0.0.0.0  # Interface to listen on. For example, if you have two IP addresses,
                      # 192.168.1.100 and 192.168.100.254, and only want 192.168.1.100 to
                      # accept sshd connections, write "ListenAddress 192.168.1.100".
                      # The default is to listen for SSH requests on all interfaces.
#PidFile /var/run/sshd.pid  # Where the sshd PID file is stored; the value shown is the default.
#LoginGraceTime 2m    # After a user connects, the password prompt appears. If the login has
                      # not succeeded within this time the connection is forcibly closed.
                      # Without a unit the value is in seconds.
#Compression delayed  # When to compress transmitted data: yes, no, or only after login (delayed).

# 2. The host's private key files. The defaults below are fine.
#HostKey /etc/ssh/ssh_host_key      # private key used by SSH version 1
#HostKey /etc/ssh/ssh_host_rsa_key  # RSA private key used by SSH version 2
#HostKey /etc/ssh/ssh_host_dsa_key  # DSA private key used by SSH version 2
# Remember the Host Key from the description of the SSH connection process: this is it.

# 3. Where log messages are stored, and under which daemon (facility) name
SyslogFacility AUTHPRIV  # When someone logs in over SSH, sshd records it. Under which
                      # facility name should that record be written? The default is AUTH,
                      # i.e. it ends up in /var/log/secure. What? Forgotten? Go back to the
                      # Linux basics. Other usable names: DAEMON, USER, AUTH, LOCAL0, LOCAL1,
                      # LOCAL2, LOCAL3, LOCAL4, LOCAL5.
#LogLevel INFO        # Log level. INFO records any message; again, check the reference if unsure.

# 4. Security settings! Very important!
# 4.1 Login settings
#PermitRootLogin yes  # Allow root to log in? The default allows it, but no is recommended!
#StrictModes yes      # Should sshd check the permissions of the user's home directory and
                      # related files? This guards against users setting wrong permissions on
                      # important files; e.g. if a user's ~/.ssh/ has wrong permissions, the
                      # user is refused login in certain cases.
#PubkeyAuthentication yes  # Allow users to log in with their own key pair (version 2 only).
#AuthorizedKeysFile .ssh/authorized_keys  # The user's own public keys are kept in
                      # .ssh/authorized_keys under the home directory.
PasswordAuthentication yes  # Password authentication is of course needed, so write yes here.
#PermitEmptyPasswords no  # If the item above is yes, this one is best set to no: it decides
                      # whether login with an empty password is allowed. Of course not!

# 4.2 Authentication settings
#RhostsAuthentication no  # Do not use .rhosts on this system; .rhosts alone is far too
                      # insecure, so this must be no.
#IgnoreRhosts yes     # Ignore ~/.ssh/.rhosts for authentication? Of course!
#RhostsRSAAuthentication no  # Version 1 only: rhosts-style authentication via
                      # /etc/hosts.equiv combined with the RSA algorithm. Do not use it!
#HostbasedAuthentication no  # Similar to the item above, but for version 2.
#IgnoreUserKnownHosts no  # Ignore the hosts recorded in ~/.ssh/known_hosts in the home
                      # directory? Of course not, so this is no.
ChallengeResponseAuthentication no  # Allows any password-style authentication, so any method
                      # specified by login.conf can apply. We prefer to let the PAM module
                      # manage authentication, so this can be set to no.
UsePAM yes            # Managing authentication with PAM has many advantages (it can be
                      # logged and managed), so we recommend UsePAM yes together with
                      # ChallengeResponseAuthentication no.

# 4.3 Kerberos-related parameters. We have no Kerberos host, so nothing needs setting here.
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosTgtPassing no

# 4.4 Settings related to use under X-Window
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
# The important one is X11Forwarding, which lets window data travel through the ssh channel.
# It is discussed with the more advanced ssh usage later in this chapter.

# 4.5 Items after login
#PrintMotd yes        # Show some information after login, e.g. the time and place of the
                      # last login? The default is yes, i.e. the content of /etc/motd is
                      # printed. For security you may consider changing it to no.
#PrintLastLog yes     # Show the last login information. Fine; the default is yes too.
#TCPKeepAlive yes     # Once connected, the server keeps sending TCP packets to the client to
                      # check that the other side is still there. If a router in between
                      # stops service for a few seconds, the connection is dropped too. The
                      # benefit is that SSH notices immediately when either end dies, so no
                      # zombie processes remain. If your network or router is often
                      # unstable, you can set this to no.
UsePrivilegeSeparation yes  # Serve the user from a process with lower privileges? sshd listens
                      # on port 22, so the listening process runs as root. When student logs
                      # in, this setting makes sshd spawn an sshd process owned by student to
                      # serve the session, which is safer for the system.
MaxStartups 10        # How many not-yet-logged-in connections are allowed at once? When we
                      # connect to SSH but have not yet entered the password, that is such a
                      # connection. To protect the host a maximum is needed; the default is
                      # ten, and already established connections do not count towards it.

# 4.6 Blocking users
DenyUsers *           # Names of users to be blocked; "*" blocks everyone! To block only some
                      # users, list those accounts instead, as below:
DenyUsers test
DenyGroups test       # Same as DenyUsers, but blocks a few groups.

# 5. SFTP and other settings
Subsystem sftp /usr/lib/ssh/sftp-server
#UseDNS yes           # Normally, to check that the client source is legitimate, DNS is used
                      # to reverse-look-up the client's host name. On an internal network,
                      # setting this to no makes connections establish faster.
```
Basically, the default sshd configuration in CentOS is reasonably safe, but not quite enough. We recommend that you (1) disable root login and (2) set the SSH protocol version to 2. Set the other values as you prefer; in general no further changes are needed. Also, whenever you modify /etc/ssh/sshd_config, you must restart the sshd daemon for the change to take effect.
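As an added check (not part of the original notes), the shell functions below report the effective value of an sshd_config directive, applying the rule above that a commented-out line only shows the built-in default, and then audit the two recommended settings plus two others from the listing. The sample config they read is constructed here, not a real server's file.

```sh
#!/bin/sh
# Added example, not from the original notes: compute the *effective* value of
# sshd_config directives. An uncommented line wins (sshd takes the first one);
# a line that is only commented out, e.g. "#PermitRootLogin yes", shows the
# built-in default; otherwise the directive is absent. Match blocks are ignored.

# effective_value FILE DIRECTIVE -> prints VALUE, "default:VALUE" or "absent"
effective_value() {
    file=$1; key=$2
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    def=$(awk -v k="$key" \
        '$1 ~ /^#/ && NF >= 2 && tolower(substr($1, 2)) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$def" ]; then printf 'default:%s\n' "$def"; return 0; fi
    printf 'absent\n'; return 1
}

# audit_sshd_config FILE -> one line per check; exit status = number of failures
audit_sshd_config() {
    file=$1; fails=0
    # the two settings the notes recommend, plus two the notes say to keep at no/yes
    for want in PermitRootLogin:no Protocol:2 PermitEmptyPasswords:no UsePAM:yes; do
        key=${want%%:*}; expect=${want#*:}
        got=$(effective_value "$file" "$key") || true
        case "$got" in
            "$expect" | "default:$expect") echo "OK   $key = $got" ;;
            *) echo "FAIL $key = $got (want $expect)"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample with the shape of the listing above (not a real server's file)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# 4.1 Login settings
#PermitRootLogin yes        # still commented out: the default (yes) applies!
Protocol 2
PasswordAuthentication yes
#PermitEmptyPasswords no
UsePAM yes
DenyGroups nossh
EOF

audit_sshd_config "$SAMPLE" || echo "$? setting(s) need attention"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after editing and before restarting sshd.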
Simple Security Settings
To be honest, everyone has been misled by the phrase "SSH is a secure service". In fact, sshd itself is not necessarily safe: looking at the history of OpenSSH, there have indeed been many cases where people exploited a vulnerability in the ssh program to gain root on the remote host and go further from there. So, truthfully, it is not safe.
The so-called "security" of sshd actually refers to the fact that sshd's data is encrypted, so transmitting it over the Internet is safer. The sshd service itself is not that secure. Therefore there is no need to expose sshd to the whole Internet; try to restrict sshd to a few IP addresses or host names. This is important!
So, is there anything worth noting about security settings? Of course! Here are a few recommendations, from the following three angles:
- Server software configuration hardening: /etc/ssh/sshd_config
- TCP wrappers: /etc/hosts.allow, /etc/hosts.deny
- iptables: iptables.rule, iptables.allow
Server software configuration hardening: /etc/ssh/sshd_config
Generally, the defaults in this file are complete, so there is no real need to change them. However, if you have some user-related concerns, you can solve them in this way:
- Prohibit the root account from using the sshd service;
- Prohibit users in the nossh group from using the sshd service;
- Prohibit the user testssh from using the sshd service.
Apart from the accounts above, all other users can use the system normally. Now assume your system already has sshnot1, sshnot2 and sshnot3 added to the nossh group, and also has the accounts testssh and student. For details on account handling, refer to the basics; below we only focus on the observations:
```
# 1. First, check whether the required accounts exist
[root@www ~]# for user in sshnot1 sshnot2 sshnot3 testssh student; do \
> id $user | cut -d ' ' -f1-3; done
uid=507(sshnot1) gid=509(sshnot1) groups=509(sshnot1),508(nossh)
uid=508(sshnot2) gid=510(sshnot2) groups=510(sshnot2),508(nossh)
uid=509(sshnot3) gid=511(sshnot3) groups=511(sshnot3),508(nossh)
uid=511(testssh) gid=513(testssh) groups=513(testssh)
uid=505(student) gid=506(student) groups=506(student)
# If your system does not have them, create them yourself! It does not matter if the UID/GID differ from VBird's.

# 2. Modify sshd_config and restart sshd
[root@www ~]# vim /etc/ssh/sshd_config
PermitRootLogin no      <== around line 39: remove the comment and change it to this
DenyGroups nossh        <== these two lines are added at the end of the file
DenyUsers testssh
[root@www ~]# /etc/init.d/sshd restart

# 3. Test and observe the login status of each account
[root@www ~]# ssh root@localhost        <== enter the correct password
[root@www ~]# tail /var/log/secure
Jul 25 13:14:05 www sshd[2039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
# You will see this error message, which is not a password input error.

[root@www ~]# ssh sshnot1@localhost     <== enter the correct password
[root@www ~]# tail /var/log/secure
Jul 25 13:15:53 www sshd[2061]: User sshnot1 from localhost not allowed because a group is listed in DenyGroups

[root@www ~]# ssh testssh@localhost     <== enter the correct password
[root@www ~]# tail /var/log/secure
Jul 25 13:17:16 www sshd[2074]: User testssh from localhost not allowed because listed in DenyUsers
```
From the results above, you can see that different login accounts produce different messages in the log file. So whenever you cannot log on to a host with ssh, remember to check the log file on the server; it may well solve the problem. On our test machine, please re-enable root login afterwards!
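As an added example (not from the original notes), this shell function reads /var/log/secure-style lines and labels each sshd refusal with its reason and the account, so the three cases shown above, and an ordinary wrong password for contrast, can be told apart at a glance. The lines it reads are constructed copies of the ones above plus a made-up bad-password line and an unrelated cron line.

```sh
#!/bin/sh
# Added example, not from the original notes: label each sshd refusal in
# /var/log/secure-style input with the reason and the account, so "root refused
# by PermitRootLogin", "blocked by DenyGroups/DenyUsers" and a plain wrong
# password can be told apart instead of all looking like a bad password.

# classify_sshd_denials: stdin = log lines, stdout = "<reason> <user>" per hit
classify_sshd_denials() {
    awk '
    !/sshd\[[0-9]+\]:/ { next }                              # only sshd messages
    /not allowed because listed in DenyUsers/             { reason = "DenyUsers" }
    /not allowed because a group is listed in DenyGroups/ { reason = "DenyGroups" }
    /pam_unix\(sshd:auth\): authentication failure/       { reason = "AuthFailure" }
    /Failed password for/                                 { reason = "BadPassword" }
    reason != "" {
        user = "?"
        for (i = 1; i <= NF; i++) {
            # "User testssh from ..." and "Failed password for [invalid user] bob ..."
            if ($i == "User") user = $(i + 1)
            if ($i == "for") { user = $(i + 1); if (user == "invalid") user = $(i + 3) }
            # pam_unix lines carry the account as "user=root" (ruser= does not match)
            if ($i ~ /^user=/) user = substr($i, 6)
        }
        print reason, user
        reason = ""
    }'
}

# Constructed sample: the three lines observed above plus one bad-password line
sample_secure_log() {
    cat <<'EOF'
Jul 25 13:14:05 www sshd[2039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Jul 25 13:15:53 www sshd[2061]: User sshnot1 from localhost not allowed because a group is listed in DenyGroups
Jul 25 13:17:16 www sshd[2074]: User testssh from localhost not allowed because listed in DenyUsers
Jul 25 13:20:01 www sshd[2099]: Failed password for student from 192.168.1.50 port 51234 ssh2
Jul 25 13:20:05 www crond[2100]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

sample_secure_log | classify_sshd_denials
# On a real server: classify_sshd_denials < /var/log/secure
```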
/etc/hosts.allow and /etc/hosts.deny
For example, if your sshd should only accept logins from the local machine and from the local area network, do the following:
```
[root@www ~]# vim /etc/hosts.allow
sshd: 127.0.0.1 192.168.1.0/255.255.255.0 192.168.100.0/255.255.255.0
[root@www ~]# vim /etc/hosts.deny
sshd : ALL
```
iptables packet filtering firewall
A few more layers of protection never hurt, so you can also use iptables. Refer to the actual scripts in Chapter 9 (Firewall and NAT Server): remove the line that opens port 22 in iptables.rule, and then add these lines to iptables.allow:
```
[root@www ~]# vim /usr/local/virus/iptables/iptables.allow
iptables -A INPUT -i $EXTIF -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $EXTIF -s 192.168.100.0/24 -p tcp --dport 22 -j ACCEPT
[root@www ~]# /usr/local/virus/iptables/iptables.rule
```
After doing the above, if this is still a test machine, remember to restore the original values! Finally, "VBird urges everyone not to grant SSH login access to every host on the Internet." This is very important, because if someone else can reach your host over ssh, it is far too dangerous.
Source: http://vbird.dic.ksu.edu.tw/linux_server/0310telnetssh_2.php