Remotely enable the ssh port and change the ssh root directory in Linux

Source: Internet
Author: User
Tags ssh iptables ssh port

Remote to open SSH port temporarily

Nux servers, we are typically remotely managed via the SSH channel, which requires us to open SSH ports, such as 22. But open ports have the risk of being violently cracked, and you would say that you can set complex passwords or use certificates to avoid them. Even if the password can not be cracked, but OpenSSH may also have a loophole, you would say that you could change the SSH port, but it is still possible to be scanned out. There is also a choice, we can only specify IP access SSH, through the VPN login Management Server, but the limitations are obvious, in case of emergency VPN login does not go up. Here is a personal feeling more satisfied with the solution, that is, the use of iptables recent module, temporarily open the SSH port through the show. Of course, the case needs to be kept in good control to prevent leakage.
1. Iptables Rule Setting
The #指定78字节的icmp数据包 (containing 20 bytes of IP headers, ICMP Head 8 bytes) is added to the Sshopen list.

The code is as follows:
Iptables-a input-p ICMP--icmp-type 8-m length--length 78-m recent--set--name sshopen--rsource-j ACCEPT
#检查sshopen列表是否存在你的来源IP, if present, the SSH Port 22 is opened 15 seconds from the first use of the set, the port is automatically closed for more than 15 seconds, no new connections are allowed, and the connected is not disconnected.

The code is as follows:
Iptables-a input-p TCP--dport--syn-m recent--rcheck--seconds--name sshopen--rsource-j
2, temporarily open the SSH port
Linux under:

The code is as follows:

Ping-s Host
3, I currently use the Iptables rules

The code is as follows:

-A input-m state--state related,established-j ACCEPT

-A input-p tcp-m tcp--dport 80-j ACCEPT
-A input-p tcp-m tcp--dport 443-j ACCEPT
-A input-p tcp-m tcp--dport 123-j ACCEPT
-A input-p icmp-m ICMP--icmp-type 8-m length--length 50-m recent--set--name sshopen--rsource-j ACCEPT
-A input-p tcp-m TCP--dport--syn-m recent--rcheck--seconds--name sshopen--rsource-j ACCEPT
-A input-i lo-j ACCEPT
-A input-p icmp-m ICMP--icmp-type 8-j ACCEPT
-A input-p icmp-m ICMP--icmp-type 11-j ACCEPT
-A output-m state--state related,established-j ACCEPT
-A output-o lo-j ACCEPT
-A output-p tcp-m tcp--dport 80-j ACCEPT
-A output-p tcp-m tcp--dport 443-j ACCEPT
-A output-p icmp-m ICMP--icmp-type 8-j ACCEPT
-A output-p icmp-m ICMP--icmp-type 11-j ACCEPT

To change the SSH user root directory using Jailkit chroot
Install Jailkit

The code is as follows:

Cd/tmp

wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
Tar xzf jailkit-2.16.tar.gz
CD jailkit-2.16
./configure
Make
Make install
CP Extra/jailkit/etc/init.d/jailkit
chmod U+x/etc/init.d/jailkit
Chkconfig Jailkit on
Initializing chroot Environment

The code is as follows:
Jk_init-v-j/home/chroot sftp SCP jk_lsh netutils Extendedshell
Service Jailkit Start
New Www.jb51.net User

The code is as follows:
Useradd www.jb51.net-m
echo Www.jb51.net:password | chpasswd
Chroot users

The code is as follows:
Jk_jailuser-m-n-j/home/chroot--shell=/bin/bash www.jb51.net

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.