Linux Remote access control

Source: Internet
Author: User
Tags: openssh, server

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copying through a character-mode (terminal) interface. The SSH protocol encrypts all data exchanged between the two parties, including the password the user types when logging in. OpenSSH is an open source project that implements the SSH protocol and is available for a wide range of Linux distributions.

The OpenSSH server is provided by packages such as openssh and openssh-server. The sshd service is started with the "service sshd start" command; with the default configuration, most users, including root, can log in to the system remotely.

The default port used by the sshd service is 22. Where appropriate, it is recommended to change this port number and to specify the exact IP address to listen on, which makes the service less conspicuous on the network. In addition, SSH protocol version 2 is more secure than version 1, and disabling reverse DNS lookup improves the server's response time.


1. Service listening options

[root@localhost ~]# vim /etc/ssh/sshd_config

#Port 22                       //listening port

Port 25532

#AddressFamily any

#ListenAddress 0.0.0.0         //listening address

ListenAddress 192.168.200.101

#ListenAddress ::

# ... activation of protocol 1

Protocol 2                     //use SSH protocol version 2

#UseDNS yes

UseDNS no                      //disable reverse DNS lookup

[root@localhost ~]# service sshd reload


2. User Login Control

The sshd service allows the root user to log in by default, which is very insecure. The common practice is to log in to the secure shell environment as a normal user and then use the su command to switch to root when needed.

For user login control of the sshd service, it is usual to forbid login by root and by users whose password is empty. You can also limit the time allowed for login verification and the maximum number of retries; a client that has not logged in successfully within these limits is disconnected.

[root@localhost ~]# vim /etc/ssh/sshd_config

#LoginGraceTime 2m             //login verification time limit

LoginGraceTime 2m

#PermitRootLogin yes

PermitRootLogin no

#StrictModes yes

#MaxAuthTries 6                //maximum number of retries

MaxAuthTries 3

#PermitEmptyPasswords no       //prohibit login by users with an empty password

PermitEmptyPasswords no

[root@localhost ~]# service sshd reload


When only certain users should be allowed to log in, use either the AllowUsers or the DenyUsers directive, but do not use both at once. For example, if only the users test and admin may log in, and admin may only log in from the host with IP address 192.168.200.1, configure the following:

[root@localhost ~]# vim /etc/ssh/sshd_config

AllowUsers test admin@192.168.200.1

[root@localhost ~]# service sshd reload


3. Login Verification Method

For remote administration of a server, the login verification method is also important. The sshd service supports two authentication methods, password authentication and key pair authentication, and either of them can be configured.

1> Password authentication: the user is authenticated with the login name and password of a local system user on the server. This is the easiest method to use, but from the client's point of view the server being connected to can be impersonated, and from the server's point of view the defence against brute-force attacks is weak.

2> Key pair authentication: a matching pair of keys is required to pass verification. Typically you create a key pair on the client computer and then place the public key file in the designated location on the server. At login, the public key and the private key are used together for encryption/decryption-based authentication, which greatly improves security.

When both password authentication and key pair authentication are enabled, the server gives priority to key pair authentication. For servers with high security requirements, it is recommended to disable password authentication.

[root@localhost ~]# vim /etc/ssh/sshd_config

#PasswordAuthentication yes

PasswordAuthentication no      //disable password authentication

#PubkeyAuthentication yes

PubkeyAuthentication yes       //enable key pair authentication

#AuthorizedKeysFile .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys    //specify the public key data file

[root@localhost ~]# service sshd reload
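Editing sshd_config by hand is easy to get wrong, because sshd only honours the first uncommented occurrence of a keyword (a later duplicate is silently ignored) and because directives under a Match block apply only conditionally. The following audit script is an added example, not code from the original page or from OpenSSH; it checks a config file for the settings from sections 1, 2 and 3 above. The two sample config files are constructed for the demonstration and are not taken from any real host; the script assumes the "Keyword value" syntax and audits only the global section.

```shell
#!/bin/sh
# Added example (not from the original page or OpenSSH): audit an sshd_config
# against the hardening settings discussed in sections 1-3. sshd honours the
# FIRST uncommented occurrence of a keyword (case-insensitive) and ignores later
# duplicates. Assumptions: "Keyword value" syntax, and only the global section
# is audited (reading stops at the first Match block).

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    _ef_key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_ef_key" '
        /^[ \t]*#/ { next }                   # comment line
        NF == 0    { next }                   # blank line
        tolower($1) == "match" { exit }       # conditional block: stop here
        tolower($1) == key {                  # first occurrence wins, as in sshd
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # strip the keyword itself
            sub(/[ \t]+$/, "")                # and trailing whitespace
            print
            exit
        }' "$1"
}

# Compare keyword $2 in config $1 with wanted value $3 (lowercase). An unset
# keyword takes the sshd default in $4 (may be empty). Prints PASS/FAIL.
sshd_check() {
    _ck_have=$(sshd_effective "$1" "$2")
    [ -n "$_ck_have" ] || _ck_have=$4
    if [ "$(printf '%s' "$_ck_have" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'PASS  %-24s %s\n' "$2" "$_ck_have"
        return 0
    fi
    printf 'FAIL  %-24s %s (want %s)\n' "$2" "${_ck_have:-<unset>}" "$3"
    return 1
}

# Run every check on config $1; return 0 only if none fails.
sshd_audit() {
    _au_fails=0
    # Section 1: listening options (UseDNS defaults to "no" in current OpenSSH)
    sshd_check "$1" UseDNS no no || _au_fails=$((_au_fails + 1))
    _au_port=$(sshd_effective "$1" Port)
    printf 'INFO  %-24s %s\n' Port "${_au_port:-22 (default)}"
    # Section 2: login control. No default for PermitRootLogin: the shipped
    # default has changed between OpenSSH releases, so require it explicitly.
    sshd_check "$1" PermitRootLogin no "" || _au_fails=$((_au_fails + 1))
    sshd_check "$1" PermitEmptyPasswords no no || _au_fails=$((_au_fails + 1))
    _au_tries=$(sshd_effective "$1" MaxAuthTries)
    if [ "${_au_tries:-6}" -le 3 ] 2>/dev/null; then   # sshd default is 6
        printf 'PASS  %-24s %s\n' MaxAuthTries "$_au_tries"
    else
        printf 'FAIL  %-24s %s (want <= 3)\n' MaxAuthTries "${_au_tries:-6 (default)}"
        _au_fails=$((_au_fails + 1))
    fi
    _au_allow=$(sshd_effective "$1" AllowUsers)
    if [ -n "$_au_allow" ]; then
        printf 'PASS  %-24s %s\n' AllowUsers "$_au_allow"
    else
        printf 'FAIL  %-24s not set\n' AllowUsers
        _au_fails=$((_au_fails + 1))
    fi
    # Section 3: key pair authentication only
    sshd_check "$1" PasswordAuthentication no yes || _au_fails=$((_au_fails + 1))
    sshd_check "$1" PubkeyAuthentication yes yes || _au_fails=$((_au_fails + 1))
    printf '%d check(s) failed\n' "$_au_fails"
    [ "$_au_fails" -eq 0 ]
}

# Constructed sample configs (not taken from any real host).
GOOD_CFG=$(mktemp)
WEAK_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$WEAK_CFG"' EXIT
cat >"$GOOD_CFG" <<'EOF'
Port 25532
ListenAddress 192.168.200.101
UseDNS no
PermitRootLogin no
MaxAuthTries 3
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers test admin@192.168.200.1
Match User test
    PasswordAuthentication yes
EOF
cat >"$WEAK_CFG" <<'EOF'
# Mostly stock: commented lines are ignored, so sshd defaults apply.
#PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF

for cfg in "$GOOD_CFG" "$WEAK_CFG"; do
    echo "== auditing $cfg"
    sshd_audit "$cfg" || echo "   hardening gaps found"
done
```

The second sample file shows the two traps the audit is built around: the commented "#PermitRootLogin no" is ignored, and "PasswordAuthentication yes" wins over the "no" that follows it. Two further points for a live system: run "sshd -t" before "service sshd reload" so that a syntax error cannot leave you without a working daemon, and note that StrictModes (commented out, hence enabled, in section 2) makes sshd refuse a user's key file if the home directory, ~/.ssh or authorized_keys is writable by other users, so key pair logins that "mysteriously" fail are often a permissions problem rather than a configuration one. Current OpenSSH releases speak protocol version 2 only and treat the Protocol directive as deprecated.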
