I. Preface
I probably don't need to explain the benefits of ssh.
In short, the old rpc commands and telnet have all been replaced by ssh.
For example, these common functions:
- Remote login
  ssh user@remote.machine
- Remote execution
  ssh user@remote.machine command...
- Remote copy
  scp user@remote.machine:/remote/path /local/path
  scp /local/path user@remote.machine:/remote/path
- X forwarding
  ssh -X user@remote.machine
  xcommand...
- Tunnel / port forwarding
  ssh -L 1234:remote.machine:4321 user@remote.machine
  ssh -R 1234:local.machine:4321 user@remote.machine
  ssh -L 1234:other.machine:4321 user@remote.machine
I won't go into the detailed usage here; please study it on your own.
What I want to cover here are some security techniques for the ssh service, so that you can run it with peace of mind.
II. Implementation
(RedHat 9 is used as an example)
1) Prohibit root login
# vi /etc/ssh/sshd_config
PermitRootLogin no
2) Disable password login and force RSA key authentication (assume the ssh account is user1)
# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# service sshd restart
# su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
--------------------------------------------------
On the client:
$ ssh-keygen -t rsa
(Just press Enter three times; you do not need to set a passphrase unless you use ssh-agent.)
$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
(On a Windows client, puttygen.exe can generate the public key; copy it to the server and edit it so that the content is a single line.)
---------------------------------------------------
Back on the server (append with >> so any keys already in the file are kept):
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit
3) Restrict the su/sudo list:
# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL=(ALL) ALL
# gpasswd -a user1 wheel
4) Restrict the ssh user list
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo user1 > /etc/ssh_users
5) Block ssh connections at the firewall and open them through a web access list
# iptables -I INPUT -p tcp --dport 22 -j DROP
# mkdir /var/www/html/ssh_open
# cat > /var/www/html/ssh_open/.htaccess <<END
AuthName "ssh_open"
AuthUserFile /var/www/html/ssh_open/.htpasswd
AuthType basic
Require valid-user
END
# htpasswd -c /var/www/html/ssh_open/.htpasswd user1
(It is better to set up SSL and allow https connections only. I have skipped the SSL settings here; please complete them yourself.)
(If you also need to control the source addresses, add Allow/Deny directives as well; that is left to the reader.)
# cat > /var/www/html/ssh_open/ssh_open.php <<'END'
<?php
// Set dir path for ip list
$dir_path = ".";
// Set filename for ip list
$ip_list = "ssh_open.txt";
// Get client ip
$user_ip = $_SERVER['REMOTE_ADDR'];
// Allow specifying ip if needed
if (@$_GET['myip']) {
    $user_ip = $_GET['myip'];
}
// Checking IP format (round-trip through ip2long/long2ip must give the same string)
if ($user_ip == long2ip(ip2long($user_ip))) {
    // Put client ip to a file (overwrites, so the file holds a single record)
    if (!($file = @fopen("$dir_path/$ip_list", "w+")))
    {
        echo "Permission denied!! ";
        echo "Pls check your rights to dir $dir_path or file $ip_list";
    }
    else
    {
        fputs($file, "$user_ip");
        fclose($file);
        echo "client ip ($user_ip) has been put into $dir_path/$ip_list";
    }
} else {
    echo "Invalid IP format!! ssh_open.txt was not changed.";
}
?>
END
# touch /var/www/html/ssh_open/ssh_open.txt
# chmod 640 /var/www/html/ssh_open/*
# chgrp apache /var/www/html/ssh_open/*
# chmod g+w /var/www/html/ssh_open/ssh_open.txt
# chmod o+t /var/www/html/ssh_open
# service httpd restart
# mkdir /etc/iptables
# cat > /etc/iptables/sshopen.sh <<'END'
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
list_dir=/var/www/html/ssh_open
list_file=$list_dir/ssh_open.txt
chain_name=ssh_rules
mail_to=root
# Clear chain if it exists, or create it and hook it into INPUT.
iptables -L -n | /bin/grep -q "^Chain $chain_name" && {
    iptables -F $chain_name
    true
} || {
    iptables -N $chain_name
    iptables -I INPUT -p tcp --dport 22 -j $chain_name
}
# Clear chain when needed
[ "$1" = clear ] && {
    iptables -F $chain_name
    exit 0
}
# Do nothing while list is empty
[ -s $list_file ] || exit 1
# Add rule for the address in the list and mail a notice
iptables -A $chain_name -p tcp --dport 22 -s $(<$list_file) -j ACCEPT &&
    echo "ssh opened to $(<$list_file) on $(date)" | mail -s "sshopen" $mail_to
END
# chmod +x /etc/iptables/sshopen.sh
# echo -e "sshopen\t1234/tcp" >> /etc/services
# cat > /etc/xinetd.d/sshopen <<END
service sshopen
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /etc/iptables/sshopen.sh
}
END
# iptables -I INPUT -p tcp --dport 1234 -j ACCEPT
# cat > /etc/cron.d/sshopen <<END
*/5 * * * * root /etc/iptables/sshopen.sh clear
END
---------------------------
On the client
In the browser URL, enter:
http://server.machine/ssh_open/ssh_open.php?myip=1.2.3.4
(If ?myip=1.2.3.4 is not given, the client's current IP address is used, as long as no proxy is in the way.)
In this way, the ssh_open.txt file on the server only ever holds a single record, overwritten each time.
Next:
$ telnet server.machine 1234
Then you have up to 5 minutes to connect to the server with ssh!
---------------------------
The basic idea of this step is as follows:
5.1) Block all connections to sshd at the firewall.
5.2) Then set up a directory under httpd, which can be protected with ssl + htpasswd + allow/deny control, and put a php file in that directory that records the browser's IP address in a .txt text file.
Depending on your scripting ability, you can capture the browser's IP address automatically or let the browser pass it in as a parameter.
The text file holds only a single record and is overwritten each time.
5.3) Edit /etc/services, add a new entry (such as xxx) and assign it a new port (such as 1234).
5.4) Use xinetd to listen on that port and launch a script that sets iptables: it takes the IP address from the list in step 5.2 and opens ssh for it.
5.5) Set a crontab to clear the iptables ssh rules every five minutes. This does not affect existing connections; if you need to reconnect after a clear, repeat the steps above.
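The script in step 5.4 runs as root and passes the contents of ssh_open.txt straight into an iptables command, so that file, which the web server writes, is the one input the script trusts. As an added example (not part of the article or its script), here is a check a defender can put in front of the iptables -A line: it accepts the file only if it holds exactly one plain IPv4 address, so a second line, an option-looking string or a CIDR suffix never reaches iptables. The helper names valid_ipv4 and list_ip and the sample address are my own.

```shell
#!/bin/sh
# Added example: validate ssh_open.txt before sshopen.sh hands it to iptables.
# The file is written by the web server, so treat it as untrusted input.

# valid_ipv4 ADDR: succeed only for a plain dotted-quad IPv4 address
valid_ipv4() {
    local ip octet IFS
    ip=$1
    # Reject anything but digits and dots, and any malformed dot layout
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $ip                      # split on dots
    [ $# -eq 4 ] || return 1
    for octet; do
        # no empty octets and no leading zeros (ip2long/long2ip in the PHP rejects them too)
        case $octet in
            0|[1-9]*) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# list_ip FILE: print the single address in FILE, or fail without output
list_ip() {
    local file ip
    file=$1
    ip=$(cat "$file") || return 1   # whole file; a second line makes it invalid
    valid_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Demo with a constructed list file (the real one is written by ssh_open.php)
demo_file=$(mktemp)
printf '198.51.100.7\n' > "$demo_file"
if ip=$(list_ip "$demo_file"); then
    echo "would run: iptables -A ssh_rules -p tcp --dport 22 -s $ip -j ACCEPT"
else
    echo "refusing to touch iptables: list file is not one plain IPv4 address"
fi
rm -f "$demo_file"
```

In sshopen.sh the `$(<$list_file)` expansions would then be replaced by a call to list_ip, with the script exiting when it fails.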
6) If you did not set up the previous step, you may worry that too many people will hammer your ssh service:
# cat > /etc/iptables/s