One of the security: SSH settings

Source: Internet
Author: User
Tags: ssh, server


Basic setup notes: generate a key pair, then check these core directives in sshd_config.

Port 22
#RSAAuthentication yes # Pure RSA authentication? SSH version 1 only!
PubkeyAuthentication yes # Allow public key authentication? Of course! Version 2 only.
AuthorizedKeysFile .ssh/authorized_keys # When the directive above lets an account log in without a password,
                                        # this is the file (in the account's home directory) that stores its keys!
PasswordAuthentication yes # Password authentication is of course required, so write yes here!
#PermitRootLogin yes # Allow root to log in! The default allows it, but setting it to no is recommended!

# 1. Overall settings of the SSH server, including the port used and the cipher method
Port 22 # SSH uses port 22 by default; you can also listen on several ports
        # by repeating this Port directive!
Protocol 2,1 # Select the SSH protocol version, which can be 1 or 2.
             # To support both you must write them as "2,1", separated by a comma!
#ListenAddress 0.0.0.0 # Which network interfaces to listen on! For example, if the host has two IPs,
                       # 192.168.0.100 and 192.168.2.20, and you only want to open
                       # SSH on 192.168.0.100, write it like this:
ListenAddress 192.168.0.100 # Only accept SSH connections arriving at the IP 192.168.0.100.
                            # If this is not set, SSH is accepted on all interfaces by default.
PidFile /var/run/sshd.pid # Where sshd writes its PID file! The value shown is the default.
LoginGraceTime 600 # When a user connects to the SSH server, a password prompt appears.
                   # If the login has not succeeded within this time,
                   # the connection is dropped! The time is in seconds!
Compression yes # Allow compression? Of course you can!


# 2. The files holding the host's private keys; the defaults below are fine!
HostKey /etc/ssh/ssh_host_key # Private key used by SSH version 1
HostKey /etc/ssh/ssh_host_rsa_key # RSA private key used by SSH version 2
HostKey /etc/ssh/ssh_host_dsa_key # DSA private key used by SSH version 2

# 2.1 Some settings for version 1 only!
KeyRegenerationInterval 3600 # The lines above show that version 1 uses a server public key;
                             # if that public key were stolen, wouldn't it be all over? So it is
                             # regenerated at this interval! The time here is in seconds!
ServerKeyBits 768 # Yes! This is the length of the server key!

# 3. Which syslog facility (daemon name) the log messages are written under!
SyslogFacility AUTH # When someone logs into the system over SSH, sshd records log
                    # messages; under which facility name should they be recorded?
                    # The default is AUTH, which ends up in /var/log/secure
                    # (What is that? Forgotten? Quickly go back to the Linux basics and look it up!)
                    # The other available facility names are: DAEMON, USER, AUTH,
                    # LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5,
LogLevel INFO # Log level! Hey! Record any message!
              # Same thing: if you forgot, go back and look it up!


# 4. Security settings! Extremely important!

# 4.1 Login settings
PermitRootLogin no # Allow root to log in! The default allows it, but setting it to no is recommended!
UseLogin no # sshd does not use the login program for logins anyway!
StrictModes yes # When a user's host key changes, the server refuses the connection;
                # this withstands some Trojan programs!
#RSAAuthentication yes # Pure RSA authentication? SSH version 1 only!
PubkeyAuthentication yes # Allow public key authentication? Of course! Version 2 only.
AuthorizedKeysFile .ssh/authorized_keys
# When the directive above lets an account log in without a password, this is
# the name of the file (in the account's home directory) that stores its keys!

# 4.2 Authentication settings
RhostsAuthentication no # The local system does not use .rhosts, because relying on .rhosts alone
                        # is far too unsafe, so be sure to set this to no!
IgnoreRhosts yes # Refuse to use ~/.ssh/.rhosts for authentication? Of course!
RhostsRSAAuthentication no # This option is for version 1 only: it authenticates using the rhosts file in
                           # /etc/hosts.equiv together with RSA! Do not use it.
HostbasedAuthentication no # Similar to the item above, but for version 2!
IgnoreUserKnownHosts no # Ignore the hosts recorded in ~/.ssh/known_hosts in the home directory?
                        # Of course not, so this is no!
PasswordAuthentication yes # Password authentication is of course required, so write yes here!
PermitEmptyPasswords no # If the item above is set to yes, this one had better be no:
                        # it would allow logging in with an empty password! Of course not!
ChallengeResponseAuthentication yes # Challenge-response password authentication! So any
                                    # authentication method defined in login.conf can be used!
#PAMAuthenticationViaKbdInt yes # If other PAM modules are enabled, enabling this one
                                # causes the PasswordAuthentication setting to be ignored!


# 4.3 Kerberos-related settings! Since we have no Kerberos host, nothing is set below!
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosTgtPassing no

# 4.4 Settings related to use under X Window!
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes

# 4.5 Items after login:
PrintMotd no # Show some information at login? For example the time and place of the last login,
             # and so on. The default is yes, but for security consider changing it to no!
PrintLastLog yes # Display the last login information! Yes, you can! The default is yes!
KeepAlive yes # In general, if you set this, the SSH server sends KeepAlive
              # messages to the client to make sure both sides are still connected properly!
              # That way, if either end dies, SSH knows immediately, and no
              # zombie processes are left behind!
UsePrivilegeSeparation yes # Setting for user privilege separation! Just set it to yes!
MaxStartups 10 # How many not-yet-logged-in connections to allow? When we connect to SSH
               # but have not yet entered the password, that is what we call a pending connection!
               # To protect the host you need to set a maximum for these pending connections;
               # the default is 10, and connections already logged in do not count toward the 10.

# 4.6 Settings for blocking users:
DenyUsers * # Set the names of the users to block; "*" blocks everyone!
            # To block only some users, fill in their accounts, for example:
DenyUsers test
DenyGroups test # Same as DenyUsers, but blocks groups!

# 5. Settings for the SFTP service!
Subsystem sftp /usr/lib/ssh/sftp-server
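To check a real sshd_config against the directives walked through above, here is an added example (not code from the original post): a small Python audit script that reads the file the way sshd does (case-insensitive keywords, first occurrence wins, "Keyword value" or "Keyword=value") and flags the weak values this page tells you to change. The sample config and the CHECKS table are constructed for this example; Match blocks are deliberately not handled.

```python
import re

# Constructed sample: the weak defaults this page tells you to change.
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
IgnoreRhosts no
HostbasedAuthentication no
"""

# keyword (lower-case: sshd matches keywords case-insensitively) -> (acceptable values, reason)
CHECKS = {
    "protocol": ({"2"}, "protocol version 1 must not be offered"),
    "permitrootlogin": ({"no"}, "direct root login should be refused"),
    "permitemptypasswords": ({"no"}, "empty passwords must not log in"),
    "ignorerhosts": ({"yes"}, ".rhosts trust must be ignored"),
    "hostbasedauthentication": ({"no"}, "host-based authentication is unsafe"),
    "strictmodes": ({"yes"}, "key file and home directory permissions should be checked"),
}

def parse_sshd_config(text):
    """Return {keyword: value}; first occurrence wins, as in sshd. Match blocks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # empty lines and '#' lines are comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Keyword value' or 'Keyword=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Return [(keyword, value found, reason)] for every weak directive."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (acceptable, reason) in CHECKS.items():
        if key not in cfg:
            if key == "permitrootlogin":       # per the page, the default allows root login
                findings.append((key, "<unset: default allows root>", reason))
            continue
        values = {v.strip().lower() for v in cfg[key].split(",")}   # 'Protocol 2,1' -> {'2','1'}
        if not values <= acceptable:           # every listed value must be acceptable
            findings.append((key, cfg[key], reason))
    return findings
```

Call audit() on the contents of /etc/ssh/sshd_config; an empty list means every checked directive is set the way this page recommends.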


This article is from the "16 Stage One Pit" blog, please be sure to keep this source http://tlinux.blog.51cto.com/7288656/1746361
