In a real production environment, Linux servers generally forbid remote login as root: only a least-privileged account may log in over SSH, and the administrator then switches accounts to manage the server. Let's summarize how to create a secure SSH login account.
"Operating Environment"
CentOS, OpenSSH
1. Generate the key pair on the client. By default the generated files are placed in the ~/.ssh/ directory: id_rsa (the private key) and id_rsa.pub (the public key).
ssh-keygen
2. Append the contents of id_rsa.pub from the client's ~/.ssh/ directory to the ~/.ssh/authorized_keys file of the login account on the server. After that you can log in to the remote server from the client directly with the key.
# user@server is a placeholder for the server-side login account and host
# ~/.ssh must exist on the server, and sshd refuses key files that are group- or world-writable
cat ~/.ssh/id_rsa.pub | ssh user@server 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys'
3. Configure the OpenSSH server to refuse password login. Edit /etc/ssh/sshd_config on the server and set PasswordAuthentication to no (the default is yes).
-PasswordAuthentication yes
+PasswordAuthentication no
Also disable challenge-response authentication: if PAM's challenge-response authentication stays enabled, it bypasses the PasswordAuthentication setting and a password can still be used to log in.
ChallengeResponseAuthentication no
4. Disable login as root: set PermitRootLogin to no (the default is yes or prohibit-password).
-PermitRootLogin yes
+PermitRootLogin no
"More Secure Strategy"
With the settings above, SSH login is reasonably secure. But we can go a step further.
1. Restrict users, groups and source hosts.
In sshd_config, the following four keywords let you list the allowed and denied users and groups individually:
- DenyUsers
- AllowUsers
- DenyGroups
- AllowGroups
For example:
AllowUsers test@testhost test2
AllowGroups testgroup test2group
Only the test account logging in from testhost, and the test2 account from any machine, are allowed.
Only users who belong to testgroup or test2group are allowed.
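The sshd_config changes from steps 3 and 4 together with the allow lists above, as an added shell example (not the post's own code). It edits a file given on the command line, so it can be tried on a copy of /etc/ssh/sshd_config first; the user and group names are the placeholders from the text. Two details it accounts for: sshd takes the first value it finds for a keyword, so a new directive is inserted before any Match block rather than appended at the end, where it would only apply inside that block; and when both AllowUsers and AllowGroups are set, a login must satisfy both lists. On OpenSSH 8.7 and later ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication, so the same setting still takes effect.

```bash
#!/bin/sh
# Added example: apply the hardening directives from the text to an sshd_config-style file.
# Usage: harden_sshd_config FILE "ALLOWED_USERS" "ALLOWED_GROUPS"; try it on a copy first.

# get_directive FILE KEY
# Print the effective value of KEY (first word only): the first uncommented occurrence
# before any Match block, because sshd uses the first value and ignores later ones.
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# set_directive FILE KEY VALUE
# Replace the first global occurrence of KEY (commented-out defaults included), drop any
# duplicate, or insert the directive before the first Match block / at the end of the file.
set_directive() {
    awk -v key="$2" -v value="$3" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (!inmatch && tolower(f[1]) == "match" && $0 !~ /^[ \t]*#/) {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1                         # everything below is block-scoped
            }
            if (!inmatch && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # duplicates are dropped
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd_config FILE ALLOWED_USERS ALLOWED_GROUPS
harden_sshd_config() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$2"      # e.g. "test@testhost test2"
    set_directive "$1" AllowGroups "$3"     # e.g. "testgroup test2group"
}

# check_sshd_config FILE -> 0 when the three "no" settings are in effect, 1 otherwise
check_sshd_config() {
    status=0
    for want in PasswordAuthentication=no ChallengeResponseAuthentication=no PermitRootLogin=no; do
        key=${want%=*}
        got=$(get_directive "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "$key is '${got:-unset}', expected ${want#*=}" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration on a constructed fragment, not a real server's configuration
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#PasswordAuthentication yes' \
                  'PermitRootLogin prohibit-password' \
                  'Match User backup' \
                  '    PasswordAuthentication yes' > "$tmp"
    harden_sshd_config "$tmp" "test@testhost test2" "testgroup test2group"
    check_sshd_config "$tmp" && echo "hardened:" && cat "$tmp"
    rm -f "$tmp"
}
demo
```

Before copying the result over /etc/ssh/sshd_config, validate it with sshd -t -f FILE, keep an existing session open while restarting sshd, and confirm key login works from a second session; a typo in AllowUsers locks everyone out.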
2. Change the OpenSSH port.
Not much to say here: the default port 22 is the one every attack targets.
3. Restrict source hosts and executable commands per key.
In the authorized_keys file, each line can carry options such as from, command, no-pty and no-port-forwarding in front of the public key, restricting what a login with that key can do.
Common options are:
- from="hostname1,hostname2" : this key may only be used from the listed IP addresses or hosts
- command="command" : only the specified command runs after login
- no-pty : no pseudo-terminal is allocated (no interactive login)
- no-port-forwarding : port forwarding is disabled
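The options above in use, as an added shell example that is not part of the original post: one function builds a fully restricted authorized_keys line, one audits an existing file for keys that lack a from= or command= option, and the last two are the allow-list core of the script named in command="...". When sshd runs a forced command it puts what the client actually asked for in the SSH_ORIGINAL_COMMAND environment variable, which is what the wrapper inspects. Hosts, paths, the allow list and the key material are placeholders.

```bash
#!/bin/sh
# Added example: build and audit restricted authorized_keys entries, plus the allow-list
# logic of a forced-command wrapper. Hosts, paths and key material are placeholders.

# restricted_key_entry FROM COMMAND PUBKEY
# Build one authorized_keys line: usable only from the hosts in FROM, always runs COMMAND,
# and gets no pty and no forwarding of any kind.
restricted_key_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# audit_authorized_keys FILE
# Print every key that lacks a from= or command= option; return 1 if any was found.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        $1 ~ /^(ssh-|ecdsa-|sk-)/ {               # line starts with the key type: no options at all
            print FILENAME ":" NR ": unrestricted key " $1 " " substr($2, 1, 12) "..."; bad = 1; next
        }
        $1 !~ /(^|,)from=/    { print FILENAME ":" NR ": no from= restriction"; bad = 1 }
        $1 !~ /(^|,)command=/ { print FILENAME ":" NR ": no forced command";    bad = 1 }
        END { exit bad }
    ' "$1"
}

# allowed_command CMD -> 0 only for an exact match against the allow list.
# The list holds fixed strings, so no shell metacharacters ever reach the shell.
allowed_command() {
    case $1 in
        id|date|"df -h") return 0 ;;
        *) return 1 ;;
    esac
}

# run_forced_command ORIGINAL_COMMAND
# Body of the wrapper named in command="...": the installed wrapper calls this with
# "${SSH_ORIGINAL_COMMAND:-}", the command the client asked sshd to run.
run_forced_command() {
    if [ -z "$1" ]; then
        echo "interactive login not permitted" >&2
        return 2
    fi
    if ! allowed_command "$1"; then
        echo "command not permitted: $1" >&2
        command -v logger >/dev/null 2>&1 && logger -t ssh-wrapper "rejected '$1' from ${SSH_CLIENT%% *}"
        return 1
    fi
    $1    # word-splitting is intended: "df -h" becomes df and -h
}

# Demonstration on a constructed file; the key material is a placeholder, not a real key
demo() {
    tmp=$(mktemp)
    {
        echo '# constructed sample'
        restricted_key_entry "10.0.0.5,10.0.0.6" "/usr/local/bin/ssh-wrapper" \
            "ssh-ed25519 AAAAexampleKeyMaterialPLACEHOLDER deploy@laptop"
        echo 'ssh-ed25519 AAAAexampleKeyMaterialPLACEHOLDER admin@laptop'
    } > "$tmp"
    audit_authorized_keys "$tmp" || echo "audit found unrestricted keys"
    rm -f "$tmp"
}
demo
```

OpenSSH 7.2 and later also accept the single option restrict, which turns off pty allocation and every kind of forwarding at once; the explicit no-* list above is the equivalent spelled out. The wrapper must be the only thing the key can run, which is why from= and command= are checked together: a forced command without a from= restriction still works from anywhere.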
4. Hash the known_hosts file.
After the client has connected to a server, it records the server in ~/.ssh/known_hosts: the IP address or hostname, the key type and the public key. If you work on a shared machine, or your password has been stolen, that file reveals every server you connect to. The consequences can be very serious!
ssh-keygen -H -f ~/.ssh/known_hosts
The command above hashes the hostnames in known_hosts (the -H option replaces each hostname with a salted hash, so the file no longer lists your servers in the clear). Be aware that the original contents are backed up to known_hosts.old when this command runs. Delete that file!
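A check for this step, as an added shell example that is not the post's own code: it lists the entries whose hostnames are still in the clear (hashed entries start with |1|), and wraps the ssh-keygen -H call so the known_hosts.old backup is removed right away. The known_hosts lines it runs on are constructed samples with placeholder key material. Hashing only hides the hostnames from someone reading the file; it does not stop anyone who can already run ssh as you, and setting HashKnownHosts yes in ssh_config makes the client hash new entries as they are added.

```bash
#!/bin/sh
# Added example: find known_hosts entries whose hostnames are still in the clear, and hash
# them with ssh-keygen -H while disposing of the known_hosts.old backup it leaves behind.

# known_hosts_unhashed FILE
# Print each entry whose host field is not hashed (hashed entries start with "|1|");
# return 1 if any such entry exists, 0 if the whole file is hashed.
known_hosts_unhashed() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { host = ($1 ~ /^@/) ? $2 : $1 }        # @cert-authority / @revoked markers precede the host
        host !~ /^[|]1[|]/ { print FILENAME ":" NR ": " host; bad = 1 }
        END { exit bad }
    ' "$1"
}

# hash_known_hosts FILE
# Hash the hostnames in place with ssh-keygen -H, then remove the FILE.old backup that
# ssh-keygen writes, because it still contains every hostname in the clear.
hash_known_hosts() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 2; }
    ssh-keygen -H -f "$1" >/dev/null || return 1
    rm -f "$1.old"
    known_hosts_unhashed "$1" >/dev/null      # 0 only if nothing is left in the clear
}

# Demonstration on constructed entries; the key material is a placeholder, not a real key
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'server1.example.com,192.0.2.10 ssh-ed25519 AAAAexampleKeyMaterialPLACEHOLDER' \
        '|1|U2FsdFBsYWNlaG9sZGVyAAAAAAAAAAA=|SG9zdEhhc2hQbGFjZWhvbGRlcgAAAAAAAAA= ssh-ed25519 AAAAexampleKeyMaterialPLACEHOLDER' \
        > "$tmp"
    echo "entries still in the clear:"
    known_hosts_unhashed "$tmp" || true
    rm -f "$tmp"
}
demo
```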
Summary
Security is usually only remembered after a break-in, when it is too late. The default configuration is always the most convenient and is always publicly known, so it is worth spending some time configuring the server.
"Linux" to create a secure SSH login account