Method One:
1. Use a password that is complex enough
Make the password longer than 8 characters, preferably longer than 14, and mix digits, uppercase and lowercase letters and, wherever possible, special characters.
2. Change the default SSH port and use iptables to close the ports you do not need
The sshd default port number is 22. Edit the configuration:
vim /etc/ssh/sshd_config
#Port 22
Port 81
service sshd restart
Before restarting, allow the new port in iptables (and, on a system with SELinux enforcing, register it with semanage port -a -t ssh_port_t -p tcp 81), and keep your current session open until a fresh login on the new port works. A non-default port only stops untargeted scanners; a port scan still finds sshd, so this step is no substitute for the ones below.
3. Use a scanning tool to see which ports are open on the host
yum install nmap
nmap 192.168.103.117
By default nmap scans only the 1000 most common ports; use nmap -p- 192.168.103.117 to check all 65535 and confirm that nothing but the ports you intend to expose is listening.
4. Do not log in as root. If attackers cannot guess the user name, they cannot brute-force the password.
Do not use the root account directly; when root privileges are still needed, there are two ways to get them.
First stop root from logging in at all by changing its shell in /etc/passwd from /bin/bash to /sbin/nologin. (If you only want to block root over SSH while keeping it usable locally, set PermitRootLogin no in /etc/ssh/sshd_config instead.)
(1) Change user bob's UID and GID to 0, so that bob has root privileges. bob is then root in all but name: the only difference from root is the home directory; the prompt becomes # and the permissions are identical. Note that this creates a second UID-0 account that can be brute-forced just like root.
(2) Alternatively, give the user sudo permission, which is preferable because every command is logged and no second UID-0 account exists:
visudo (or vi /etc/sudoers; visudo is better because it checks the syntax before saving)
root ALL=(ALL) ALL
bob  ALL=(ALL) ALL
5. Have users log in with a key, and protect the key with a passphrase as well.
See my blog for the method. Only after a key login has been confirmed to work should you set PasswordAuthentication no in sshd_config; doing it earlier locks you out.
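The following script is an added example, not code from the original post: it applies the sshd_config changes from steps 2, 4 and 5 and the sudoers entry from step 4 to files passed as arguments, so the edit can be tried on a copy and inspected before it touches /etc/ssh/sshd_config. The port 81 and the user bob are the post's values; that /etc/sudoers.d is included from /etc/sudoers (the usual #includedir line) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Edits sshd_config / sudoers
# files given as arguments; run it on a copy first.

# Set KEY to VALUE in an sshd_config. Active KEY lines (also "KEY=value") are
# dropped, commented hints such as "#Port 22" are kept, and the new line goes
# at the top of the file: sshd honours the first occurrence of a keyword, and
# the top is guaranteed to be outside any Match block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Eiv "^[[:space:]]*$key([[:space:]]|=)" "$file" || :
    } > "$tmp" && mv "$tmp" "$file"
}

# Print the active value of KEY (first "KEY value" line), for checking.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Steps 2, 4 and 5 of the post. PasswordAuthentication is deliberately left
# alone: turn it off only after a key login has been verified to work.
harden_sshd() {
    file=$1 port=$2
    set_sshd_option "$file" Port "$port"              # step 2: non-default port
    set_sshd_option "$file" PermitRootLogin no        # step 4: root never over SSH
    set_sshd_option "$file" PubkeyAuthentication yes  # step 5: key login
}

# Step 4 (2): sudo for one user, written as a drop-in instead of editing
# /etc/sudoers in place. Assumes /etc/sudoers has "#includedir /etc/sudoers.d".
grant_sudo() {
    user=$1 dropin=$2
    printf '%s ALL=(ALL) ALL\n' "$user" > "$dropin"
    chmod 0440 "$dropin"   # sudo refuses world-readable/writable files
}

# Demo on a constructed config copy (never on the live file).
demo_dir=$(mktemp -d)
printf '#Port 22\nPermitRootLogin yes\n' > "$demo_dir/sshd_config"
harden_sshd "$demo_dir/sshd_config" 81
grant_sudo bob "$demo_dir/bob"
cat "$demo_dir/sshd_config" "$demo_dir/bob"
```

Work on a copy: harden it, run sshd -t -f on the copy, move it into place, open the port in iptables, restart sshd, and log in on the new port from a second session before closing the first. Check the drop-in with visudo -cf /etc/sudoers.d/bob before relying on it. The helper replaces every active line for a keyword and puts the setting at the top, so a value that was meant to apply only inside a Match block must be re-added there by hand.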
6. Preventing brute-force cracking
Case: recently the company network has been suffering brute-force attacks on the sshd service password. They did not succeed, but they drove the system load up: during a brute-force attack the system keeps authenticating users, which costs extra resources and made the company network slow.
Tool description: Fail2ban monitors your system logs, matches error messages in them with regular expressions, and takes a corresponding blocking action (usually a firewall rule); it can also e-mail the system administrator. It is very capable.
How Fail2ban works: simply put, it prevents brute forcing by analysing the relevant service log over a period of time; every IP that meets the trigger condition is added to an iptables block list (dropped) for a set time.
Conditions to set: 3 SSH password authentication failures within 5 minutes ban the source IP from the host for 1 hour; after 1 hour the ban is lifted automatically.
Package download:
https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
Installation steps:
wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
tar zxvf 0.9.4.tar.gz
cd fail2ban-0.9.4
The general installation steps are in README.md:
vim README.md
To install, just do:
tar xvfj fail2ban-0.9.4.tar.bz2
cd fail2ban-0.9.4
python setup.py install
A Python environment is required; fail2ban 0.9.x needs Python 2.6 or later (0.9 dropped support for 2.4 and 2.5).
Check the Python version (capital V; lowercase -v is verbose import tracing):
python -V
Install:
python setup.py install
setup.py install does not install an init script; copy the one for your distribution from the files/ directory of the source tree (for example files/redhat-initd) so the service starts at boot.
vi /etc/fail2ban/jail.conf
Put local changes in /etc/fail2ban/jail.local rather than jail.conf, which is overwritten when the package is upgraded.
... (to be continued)
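The post stops before the jail configuration, so the following is an added example, not the author's configuration and not fail2ban's own code. write_sshd_jail writes a jail.local for the sshd jail with the conditions stated above (3 failures within 5 minutes, 1 hour ban, SSH on port 81). brute_force_ips is a small awk re-implementation of what the jail does, run over constructed auth-log lines, so the thresholds can be sanity-checked without starting fail2ban. Assumptions: a CentOS/RHEL log path of /var/log/secure (Debian uses /var/log/auth.log), only the "Failed password" line is matched (fail2ban's real sshd filter matches more variants), and the sample does not cross midnight.

```shell
#!/bin/sh
# Added example (not from the original post or from fail2ban). Writes a
# jail.local for the post's conditions and re-implements its counting rule
# over constructed log lines.

# jail.local overrides jail.conf; only the keys that differ need to appear.
write_sshd_jail() {
    file=$1 port=$2 maxretry=$3 findtime=$4 bantime=$5
    cat > "$file" <<EOF
[sshd]
enabled  = true
port     = $port
filter   = sshd
logpath  = /var/log/secure
maxretry = $maxretry
findtime = $findtime
bantime  = $bantime
banaction = iptables-multiport
# To also mail the administrator, as the post mentions (needs a working sendmail):
# destemail = admin@example.com
# action   = %(action_mw)s
EOF
}

# Read auth-log lines on stdin; print each source IP the first time it
# reaches MAXRETRY "Failed password" lines within FINDTIME seconds, i.e. a
# sliding window over the timestamps, which is what fail2ban's findtime means.
brute_force_ips() {
    maxretry=$1 findtime=$2
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")                      # HH:MM:SS -> seconds since midnight
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = now
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Constructed sample log (not real data): .50 fails three times in 8 seconds,
# .60 fails three times spread over 7 minutes, .70 logs in with a key.
sample_auth_log() {
    cat <<'EOF'
Nov  3 10:00:01 host sshd[2101]: Failed password for root from 192.168.103.50 port 51234 ssh2
Nov  3 10:00:03 host sshd[2103]: Failed password for invalid user admin from 192.168.103.60 port 40010 ssh2
Nov  3 10:00:05 host sshd[2105]: Failed password for root from 192.168.103.50 port 51236 ssh2
Nov  3 10:00:07 host sshd[2107]: Accepted publickey for bob from 192.168.103.70 port 50022 ssh2
Nov  3 10:00:09 host sshd[2109]: Failed password for root from 192.168.103.50 port 51238 ssh2
Nov  3 10:03:00 host sshd[2111]: Failed password for invalid user admin from 192.168.103.60 port 40012 ssh2
Nov  3 10:07:00 host sshd[2113]: Failed password for invalid user admin from 192.168.103.60 port 40014 ssh2
EOF
}

# Demo: write the jail to a temp file and evaluate the sample with 3/300s.
jail=$(mktemp)
write_sshd_jail "$jail" 81 3 300 3600
cat "$jail"
echo "IPs that would be banned with maxretry=3 findtime=300:"
sample_auth_log | brute_force_ips 3 300
```

With the post's values only 192.168.103.50 is banned: 192.168.103.60 never has three failures inside any 5-minute window, which is exactly the case the findtime setting exists for. Raising findtime to 600 bans it too. After writing /etc/fail2ban/jail.local, check the live state with fail2ban-client status sshd; the port must match the one set in step 2 or the iptables rule blocks the wrong port.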
This article is from the "It po" blog; please keep this source: http://907832555.blog.51cto.com/4033334/1876691