How to build a secure SSH server in Centos5 environment

Source: Internet
Author: User
Tags ssh server
In fact, there are many vulnerabilities in the original SSH server settings, but network administrators generally like this default setting and think that everything is okay as long as the root password is saved. When I used to integrate with insurance companies, I once saw their internal engineers always Export A. ppk file at the end when installing an SSH server for the system,

In fact, there are many vulnerabilities in the original SSH server settings, but network administrators generally like this default setting and think that everything is okay as long as the root password is saved.


When I used to integrate with insurance companies, I once saw their internal engineers always export the last one when installing an SSH server for the system. the ppk file is the key of the SSH server. Baidu only knows that the key is not available on the Internet, even if you know the root password in the network environment. If you don't believe it, try it.


1. platform selection: many of the company's machines use NT2003 and BSD. in order to conduct an experiment, I installed Centos5.0 on my testing machine.

After the installation is complete by default, use VI to open/etc/ssh/sshd_config and modify several lines of content.

# Uncomment ServerKeyBits 768 and change 768 to 1024

# PermitRootLogin yes: the comment is canceled. change yes to no to prohibit root login.

# PermitEmptyPasswords no cancel comments and disable empty password logon

# PasswordAuthentication no. cancel the comment. password logon is forbidden. Who else should use the password if there is a key?

Note: Before centos5.0, you must specify the version of the SSH service. # Protocol cancels the preceding annotation and select the desired version.

Save and exit. If you want to maximize the security connection, you can consider setting up only allow Intranet connections to SSH on the server with dual NICs. the method is very simple, in/etc/hosts. add the sshd: ALL statement to the last line of the deny file and then add it to/etc/hosts. add the sshd: 192.168.0 to the last row of allow. save and exit.

Restart SSH service sshd restart.

2. create a key

Switch to a common user in the wheel Group and enter ssh-keygen-t rsa.


The first step will let you first confirm the key file name. Keep the default value. Enter the password for this key and then confirm it again.

Then cd ~ /. Ssh check whether all the keys have been created. Change the public key name and delete it.

Cat ~ /. Ssh/id_rsa.pub> ~ /. Ssh/authorized_keys

Rm-rf ~ /. Ssh/id_rsa.pub. do not delete the key by mistake.

Change the public key file property to 400 to prohibit tampering

Chmod 400 ~ /. Ssh/authorized_keys

There is nothing left. COPY the key to the USB flash disk, transfer it to the FTP server, or COPY it to the disk.

Test whether the service can be connected normally.

Open puttygen-x86.exe in the program under the selection of SSH-2 (RSA) key strength to 1024, and then click "Load"

Select the private key generated by the server (select "All Files" for the file type). If the file name is not changed, we should select the id_rsa file and start to convert the private key, enter the password used to create the private key on the server. Enter the password in the text box to start conversion, and save the converted private key to the appropriate location (the converted private key will be used as the private key when PuTTY logs on to the server ). Click "Save private key" and select an appropriate location to Save the private key.

PUTTY is estimated to be familiar to all the network management friends. I don't need to talk nonsense. I can't download the information provided in my Attachment. I feel that this weapon is absolutely essential to everyone. double-click to start PuTTY, find the Auth (authentication method) item on the left side, click Browse, and select the private key that has just been converted using PuTTYGen. Click Session on the left side to return to the settings of host connection information. I won't be arrogant about the rest. just try it on your own.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.