SecureCRT logs on to Ubuntu using a certificate

Source: Internet
Author: User
Tags ssh server

If a server is put directly on the Internet, SSH password logon is not secure: there will always be people trying to crack the password, and there will always be ways to steal it. Today I read the log, and in just the last two days there were this many attempts to guess the password.

 


 

It seems that public key authentication is required. The public key and the private key are each a long string. The public key is placed on the server, and the private key stays on the client.

When the client connects to the server, it passes authentication if its private key matches the public key on the server.

Ubuntu is used for the experiment. Start a new virtual machine.
First, install the SSH server on the Ubuntu server (the installation is not covered in detail here):
sudo apt-get install openssh-server
After installation, you can use PuTTY, SecureCRT or similar software to log on with a password.
The following describes how to configure certificate logon. You can generate the key pair on the server, or use PuTTY or SecureCRT to generate it.
I chose SecureCRT. Select Create Public Key.


Select RSA


The passphrase provides another layer of protection, even if the private key is unfortunately stolen.


The key length in bits. The default value is enough.


Click Finish to generate two files. The default names are Identity and Identity.pub.
Identity.pub is the public key, which goes on the server.
Upload it to the server and put it in the ~/.ssh directory. If the directory does not exist, create it.
mkdir .ssh
sudo chmod 700 .ssh
mv Identity.pub .ssh
Then convert the uploaded public key to the public key format that OpenSSH recognizes.
ssh-keygen -i -f .ssh/Identity.pub > .ssh/authorized_keys
(For why the file has this name, see the sshd_config file of sshd.)
Then change the permissions of the authorized_keys file so that other users have no permissions on it.
sudo chmod 600 .ssh/authorized_keys

Then change the SSH logon mode: enable certificate (public key) logon and disable password logon.
sudo vim /etc/ssh/sshd_config


Restart SSH and test it from the client.
sudo /etc/init.d/ssh restart
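
One way to check the result of the steps above, as an added example that is not part of the original post: the script reads the global PubkeyAuthentication and PasswordAuthentication settings from an sshd_config file, checks the modes of .ssh and authorized_keys, and flags a key that was never converted. The function names and the sandbox files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the result of the steps above.
# For the live daemon, `sshd -T` prints the authoritative effective settings.

# Effective value of a global sshd_config keyword. sshd keeps the first
# occurrence, keywords are case-insensitive, and lines after "Match" are
# conditional, so parsing stops there. DEFAULT is used if the keyword is absent.
effective() {  # usage: effective FILE KEYWORD DEFAULT
  awk -v key="$2" -v def="$3" '
    { sub(/#.*/, "") }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# True only if key logon is enabled and password logon is disabled.
key_only_login() {  # usage: key_only_login FILE
  [ "$(effective "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(effective "$1" PasswordAuthentication yes)" = no ]
}

# True if PATH has exactly octal mode MODE (GNU stat, as shipped on Ubuntu).
has_mode() { [ "$(stat -c '%a' "$1")" = "$2" ]; }

# Audit a config file and a .ssh directory; prints each failure, returns 1 on any.
audit() {  # usage: audit SSHD_CONFIG SSH_DIR
  local rc=0 keys="$2/authorized_keys"
  key_only_login "$1"  || { echo "FAIL: password logon still possible"; rc=1; }
  has_mode "$2" 700    || { echo "FAIL: $2 is not mode 700"; rc=1; }
  has_mode "$keys" 600 || { echo "FAIL: $keys is not mode 600"; rc=1; }
  # An unconverted SecureCRT key is still in the multi-line SSH2 format.
  if grep -q 'BEGIN SSH2 PUBLIC KEY' "$keys"; then
    echo "FAIL: $keys was not converted with ssh-keygen -i"; rc=1
  fi
  return "$rc"
}

# Constructed sandbox: a throwaway directory standing in for /etc/ssh and ~/.ssh.
make_sandbox() {  # usage: make_sandbox DIR PASSWORD_SETTING
  mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
  printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    "PasswordAuthentication $2" > "$1/sshd_config"
  echo 'ssh-rsa AAAAB3PLACEHOLDER constructed@example' > "$1/.ssh/authorized_keys"
  chmod 600 "$1/.ssh/authorized_keys"
}

box=$(mktemp -d) && make_sandbox "$box" no && audit "$box/sshd_config" "$box/.ssh" \
  && echo "OK: key-only logon, permissions correct"
rm -rf "$box"
```

On a real server, point audit at /etc/ssh/sshd_config and the account's ~/.ssh directory, and keep an existing session open until a new key-based logon has succeeded.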


Also, prevent public network users from pinging me.
echo 1 > icmp_echo_ignore_all
This changes the content of the icmp_echo_ignore_all file to 1 to prevent ping.
But I don't know why, Ubuntu says I have no permission, so I had no choice but to enable root first.
sudo passwd root
su
Then run echo 1 > icmp_echo_ignore_all again.
Then disable root:
sudo passwd -l root

This article is from the "Recording learning" blog. For more information, contact the author!
