Catalog
0. Introduction
1. Modify the SSH port
2. Disable root remote SSH login
3. Use only SSH v2
4. Restrict SSH access to users
5. Disable the .rhosts file
6. Disable host-based authentication
7. Certificate login based on a public/private key pair
8. Linux SSH configuration baseline check
0. Introduction
Security of enterprise IT systems never becomes an outdated topic: from the moment a business-driven IT system is built, and throughout its life cycle, securing it is a core part of the work, and a security health check starts with the server's entry points. SSH is the most widely used remote secure-login service on UNIX-like systems, listening on TCP port 22 by default. Because remote administration needs it, many firewalls leave port 22 open, which makes the SSH service an easy target for attackers (mass scanning and password guessing above all). To keep the SSH service from becoming the way into the system, it has to be hardened as described below.
Relevant links:
http://xjsunjie.blog.51cto.com/999372/691330
http://security.zdnet.com.cn/security_zone/2009/1214/1556391.shtml
http://blog.chinaunix.net/uid-25723371-id-4542221.html
http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/
http://heyihome.blog.51cto.com/2657805/480885
1. Modify the SSH port
SSH listens on TCP 22 by default. As a best practice, move the ingress port to a non-default value: this takes the host out of the noise of mass scanners and password-guessing bots that only try port 22. It is obscurity rather than a control, since a targeted port scan still finds the service, so the change complements, and does not replace, the authentication hardening below and a firewall rule that limits which source addresses may reach the port.
1. vim /etc/ssh/sshd_config
2. Change the listening port, e.g. from "Port 22" to "Port 11220" (an uncommented "Port" line; the stock file only carries the commented-out "#Port 22")
3. Before restarting, open the new port in the firewall and, on SELinux systems, allow sshd to bind it: semanage port -a -t ssh_port_t -p tcp 11220. Otherwise the restart fails or the host becomes unreachable
4. Restart the SSH service: service sshd restart, and keep the current session open until a fresh login on the new port has succeeded
Changing the client-side /etc/ssh/ssh_config is optional: it only sets the default "Port" for outgoing connections so that "ssh -p 11220" is not needed every time. It is sshd_config that decides where the server listens.
2. Disable root remote SSH login
From a best-practice standpoint, authorization at the entry point should follow the principle of least privilege: identify exactly what each user needs for their work, create an account with just enough rights for that, and log in with that account rather than as root.
1. vim /etc/ssh/sshd_config
2. Set: PermitRootLogin no (the OpenSSH 7.0+ default "prohibit-password" still lets root in with a key; "no" closes that as well)
3. Restart the SSH service: service sshd restart, after confirming that an ordinary account with sudo rights can log in, or the host is locked to the console
There is no need for root to log in over SSH. Ordinary users obtain root-level access with su or, preferably, sudo, which also yields complete audit information: the logs show exactly who executed which privileged command through sudo.
3. Use only SSH v2
The first version of the SSH protocol (SSH v1 or SSH-1) is open to man-in-the-middle and packet-insertion attacks and has long been deprecated; it should not be used. OpenSSH removed SSH-1 server support in 7.4, so on current versions the setting is redundant but harmless; on older builds it is essential.
1. vim /etc/ssh/sshd_config
2. Set: Protocol 2 (not "2,1", which still offers SSH-1 to any client that asks for it)
With this, sshd only speaks the second version of the protocol (SSH v2 or SSH-2) once it is restarted.
4. Restrict SSH access to users
By default every system user who has a password or a registered public key can log in over SSH, but some of the Unix/Linux accounts you create exist only for FTP or email. If nothing restricts them, those accounts can open an SSH shell too.
1. vim /etc/ssh/sshd_config
2. Add: AllowUsers vivek jerry   // only vivek and jerry may log in via SSH
The original list also named root; once section 2 has set PermitRootLogin no, listing root here is pointless and only invites confusion. For larger teams, AllowGroups with a dedicated group scales better than editing AllowUsers per hire. sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and a user@host pattern in AllowUsers restricts where the account may come from as well as who it is.
5. Disable the .rhosts file
Do not let sshd read users' ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:
1. vim /etc/ssh/sshd_config
2. Set: IgnoreRhosts yes
SSH can imitate the behaviour of the obsolete rsh command, and rsh's host-trust model is recognised as an insecure remote-access mechanism, so it must stay disabled. "yes" is already the default; the point of setting it explicitly is to survive a configuration file that someone turned it off in. The files are only ever consulted when host-based authentication (next section) is enabled, so the two settings belong together.
Relevant links:
https://www-uxsup.csx.cam.ac.uk/doc/remote_access/rhosts.html
http://www-01.ibm.com/support/knowledgecenter/ssepgg_9.7.0/com.ibm.db2.luw.qb.server.doc/doc/t0007952.html?lang=zh
http://www.mcsr.olemiss.edu/unixhelp/tasks/3.6.1.2.html
http://www.cnblogs.com/itech/archive/2012/09/09/2678097.html
6. Disable host-based authentication
Disable host-based authentication (where sshd trusts the connecting host's key instead of the user's own credentials) by updating sshd_config with the following option:
1. vim /etc/ssh/sshd_config
2. Set: HostbasedAuthentication no
This is also the default; writing it out explicitly prevents a later edit from quietly switching to trusting whole hosts rather than individual users.
7. Certificate login based on a public/private key pair
0x1: Steps for certificate login
1. The client generates the key pair: a private key and a public key. The private key stays on the client and must be kept safe; for security it is normally protected with a passphrase, which the user enters to unlock the private key each time they log in to the SSH server.
    ssh-keygen -t rsa
    (RSA is one algorithm; DSA also exists, but RSA is the usual choice for key-based login. On current OpenSSH, ssh-keygen -t ed25519 is the better choice; if RSA is required use -b 4096, and avoid DSA, which OpenSSH no longer accepts by default.)
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): /home/user/.ssh/id_rsa   (where the private and public key are stored; run this as the account that will use the key so the files land in that account's home)
    Enter passphrase (empty for no passphrase):   (enter the passphrase)
    Enter same passphrase again:   (enter it again)
    Your identification has been saved in /home/user/.ssh/id_rsa.   (the generated private key)
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.   (the generated public key)
    The key fingerprint is: 76:04:4d:44:25:37:0f:b1:a5:b7:6e:63:d4:97:22:6b
2. The server registers the trusted public key: upload the client's id_rsa.pub to the SSH server and append its contents to the file authorized_keys in the .ssh directory of the server account's home (~/.ssh/authorized_keys). The directory must be mode 700 and the file mode 600, or sshd's StrictModes silently ignores the key. The same public key can be registered on any other SSH server the client needs to reach.
3. Restart the SSH service: /etc/init.d/ssh restart. (A new authorized_keys entry takes effect immediately; the restart is only needed for changes to sshd_config, such as those in 0x2 below.)
4. Configure the client software (PuTTY, Xshell): start the client, open the advanced options, choose User Keys, click Import Key, and in the open dialog select the id_rsa file copied to the local machine. Enter the passphrase set when the private key was created, then name the key and decide whether the passphrase must be entered each time this key is used for a local connection (leave the field empty if not). Click OK to finish adding the local key. (PuTTY itself expects its own .ppk format, so convert an OpenSSH id_rsa with PuTTYgen first.)
In practice: the employee generates the key pair (always with a passphrase on the private key) and sends only the public key to the operations staff; operations registers that public key on the one or more servers the employee is allowed to reach, and from then on the employee logs in to those servers with the private key to do maintenance work. The employee is responsible for protecting the private key, which never leaves the employee's machine.
0x2: SSH configuration hardening
Settings in /etc/ssh/sshd_config (the server side, which is what actually enforces the policy):
    PermitEmptyPasswords no      # refuse accounts with an empty password (applies to password login only, not to keys)
    PubkeyAuthentication yes     # public-key login for SSH-2; the "RSAAuthentication yes" of the original applies to SSH-1 only and was removed in OpenSSH 7.4
    PasswordAuthentication no    # no plaintext-password login at all: keys only
Addition: the global client configuration /etc/ssh/ssh_config can carry the matching client-side preferences:
    RSAAuthentication yes        # SSH-1 only, as above; PubkeyAuthentication yes is the SSH-2 form
    PasswordAuthentication no    # this client will not offer a password
The ssh_config lines only change what this client sends; they do nothing to stop another client from trying passwords against the server, so the lockout has to be in sshd_config. Set PasswordAuthentication no on the server only after a key login has been confirmed to work, and keep an existing session open while restarting, otherwise a typo locks everyone out.
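The operations-side half of this workflow, as an added example that is not part of the original post: a script that registers an employee's public key with the permissions sshd requires and applies the sshd_config settings above so that it can be re-run safely (an existing directive is replaced rather than duplicated, and a missing one is inserted before any Match block rather than inside it). Function names, paths, the sample key and the sample configuration are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: the operations-side half of
# the section 7 workflow (register an employee's public key) plus the
# sshd_config settings from 0x2, written so both are safe to re-run.
# Function names, paths and the sample key/config below are assumptions.
set -eu

# Register one public-key line for the account whose home directory is $1.
# sshd's StrictModes (on by default) ignores authorized_keys when ~/.ssh or
# the file is group/world-writable, hence the explicit 700/600. Adding a key
# that is already present is a no-op. Run as the target user, or chown the
# result afterwards, so ownership matches the account.
install_authorized_key() {
    local home_dir="$1" pubkey_line="$2" ssh_dir auth
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF -- "$pubkey_line" "$auth" || printf '%s\n' "$pubkey_line" >> "$auth"
}

# Set one directive in an sshd_config-style file. sshd honours the first
# active occurrence of a keyword, so the first matching line before any
# "Match" block (active or commented out) is replaced, later active duplicates
# are commented out, and a missing directive is inserted before the first
# Match block (appending at the end would put it inside that block).
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; inmatch = 0 }
        tolower($1) == "match" && !inmatch {
            inmatch = 1
            if (!done) { print key " " value; done = 1 }
        }
        !inmatch {
            line = $0
            active = ($0 !~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done)       { print key " " value; done = 1 }
                else if (active) { print "#" $0 }
                else             { print }
                next
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
}

# The server-side settings from 0x2. PubkeyAuthentication is the SSH-2 form;
# the post's RSAAuthentication keyword covered SSH-1 only.
harden_sshd_config() {
    local f="$1"
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PubkeyAuthentication yes
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" IgnoreRhosts yes
    set_sshd_option "$f" HostbasedAuthentication no
}

if [ $# -ge 1 ]; then
    # Real use: harden the given file, keep a backup, validate before restarting.
    cp -p "$1" "$1.bak.$(date +%s)"
    harden_sshd_config "$1"
    echo "edited $1 (backup kept); now run: sshd -t -f $1 && service sshd restart"
else
    # Demo on a constructed stock-like config and a throwaway home directory.
    work=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
        'Match User deploy' '    PasswordAuthentication yes' > "$work/sshd_config"
    harden_sshd_config "$work/sshd_config"
    install_authorized_key "$work/home" 'ssh-ed25519 AAAA-constructed-sample employee@laptop'
    cat "$work/sshd_config" "$work/home/.ssh/authorized_keys"
    rm -rf "$work"
fi
```

Run it without arguments to see the effect on the constructed sample; run it with a path to edit that file. It deliberately does not restart anything: validate with sshd -t first, and only then restart, from a session you keep open until a key login on the hardened server has succeeded.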
Relevant links:
http://www.edu.cn/jm_9957/20120508/t20120508_774165.shtml
http://www.jb51.net/LINUXjishu/72805.htm
http://www.cnblogs.com/ggjucheng/archive/2012/08/19/2646346.html
8. Linux SSH Configuration baseline check
All baseline checks read /etc/ssh/sshd_config.
1. Port
   Expected value: non-default (anything but 22)
   Vulnerable: left at the default (the commented-out "#Port 22") or explicitly set to 22
   Description: change the SSH port to a non-default port above 9999 (section 1 uses 11220) to escape mass scanning by attackers
2. PermitRootLogin
   Expected value: no
   Vulnerable: left at the default (commented out) or explicitly set to yes
   Description: there is no need for root to log in over SSH; ordinary users obtain root-level access with su or, preferably, sudo
3. Protocol
   Expected value: 2
   Vulnerable: explicitly set to 1 (a list such as "2,1" also still offers SSH-1)
   Description: the first version of the SSH protocol (SSH v1 or SSH-1) is open to man-in-the-middle attacks and other weaknesses, has been deprecated and should not be used
4. IgnoreRhosts
   Expected value: yes
   Vulnerable: explicitly set to no
   Description: SSH can imitate the behaviour of the obsolete rsh command, and rsh's host-trust model is recognised as insecure, so it must stay disabled
5. HostbasedAuthentication
   Expected value: no
   Vulnerable: explicitly set to yes
   Description: host-based authentication should be disabled
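An added example, not from the original post, that runs the five checks above against an sshd_config file with sshd's own rules for which line counts: the first active occurrence of a keyword wins, keywords are case-insensitive, commented-out lines are not settings, and anything after the first Match block is conditional and so is ignored. The pass/fail rules are the post's; the stock-like sample configuration in the demo is constructed for illustration, and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a read-only audit of the five
# section-8 baseline items against an sshd_config file. The pass/fail rules are
# the post's; the sample config in the demo is constructed for illustration.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective global value of one keyword. sshd takes the first active
# occurrence, keywords are case-insensitive, and everything after the first
# "Match" line is conditional, so the scan stops there. Assumes the usual
# "Keyword value" spelling (not "Keyword=value"). Prints nothing if unset.
sshd_value() {
    awk -v key="$(lower "$2")" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

report() { printf '%-4s %-24s %s\n' "$1" "$2" "$3"; }

# Prints one line per item and returns the number of failing items, so the
# exit status can gate a build or a compliance job.
check_sshd_baseline() {
    local file="$1" fails=0 v

    # 1. Port: the default (22, whether unset or explicit) is a finding.
    v=$(sshd_value "$file" Port)
    if [ -z "$v" ] || [ "$v" = 22 ]; then
        report FAIL Port "${v:-unset (default 22)}"; fails=$((fails + 1))
    else
        report PASS Port "$v"
    fi

    # 2. PermitRootLogin: only an explicit "no" passes. Unset means "yes" on
    #    old OpenSSH and "prohibit-password" on 7.0+, both of which let root in.
    v=$(sshd_value "$file" PermitRootLogin)
    if [ "$(lower "$v")" = no ]; then
        report PASS PermitRootLogin "$v"
    else
        report FAIL PermitRootLogin "${v:-unset}"; fails=$((fails + 1))
    fi

    # 3. Protocol: any list that includes 1 (e.g. "2,1") still offers SSH-1.
    v=$(sshd_value "$file" Protocol)
    case "$v" in
        *1*) report FAIL Protocol "$v (SSH-1 offered)"; fails=$((fails + 1)) ;;
        *)   report PASS Protocol "${v:-unset (not explicitly 1)}" ;;
    esac

    # 4. IgnoreRhosts: default is yes, so only an explicit "no" is a finding.
    v=$(sshd_value "$file" IgnoreRhosts)
    if [ "$(lower "$v")" = no ]; then
        report FAIL IgnoreRhosts "$v"; fails=$((fails + 1))
    else
        report PASS IgnoreRhosts "${v:-unset (default yes)}"
    fi

    # 5. HostbasedAuthentication: default is no, so only explicit "yes" fails.
    v=$(sshd_value "$file" HostbasedAuthentication)
    if [ "$(lower "$v")" = yes ]; then
        report FAIL HostbasedAuthentication "$v"; fails=$((fails + 1))
    else
        report PASS HostbasedAuthentication "${v:-unset (default no)}"
    fi

    return "$fails"
}

if [ $# -ge 1 ]; then
    check_sshd_baseline "$1"        # exit status = number of failing items
else
    # Demo on a constructed stock-like config (not a real host's file). The
    # HostbasedAuthentication line sits inside a Match block, so it is not
    # a global setting and must not be reported.
    sample=$(mktemp)
    printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' \
        'Protocol 2,1' 'IgnoreRhosts no' 'Match User deploy' \
        '    HostbasedAuthentication yes' > "$sample"
    check_sshd_baseline "$sample" || echo "$? of 5 items failed"
    rm -f "$sample"
fi
```

On the demo sample this reports four failures (Port, PermitRootLogin, Protocol and IgnoreRhosts) and passes HostbasedAuthentication, because the only occurrence of that keyword is a per-user override inside a Match block. Pass it a real file as the argument to audit a host; on a live system, sshd -T prints the fully resolved effective configuration and is the authoritative cross-check when the file uses Include or many Match blocks.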
Copyright (c) Littlehann All rights reserved
Security Configuration of the SSH Login Entry: Enterprise Security Practice