Security enhancement measures: use OpenSSH to build a secure network
Source: Internet
Author: User
Article title: Security enhancement measures: use OpenSSH to build a secure network. Linux is a technology channel of the China IT Lab, covering basic categories such as desktop applications, Linux system administration, kernel research, embedded systems, and open source.
Implementation steps (on each server):
1. Install the software packages:
openssh-3.4p1-sol7-sparc-local
openssl-0.9.6d-sol7-sparc-local
zlib-1.1.4-sol7-sparc-local
prngd-0.0.25-sol7-sparc-local
egd-0.8-sol7-sparc-local
2. Install the prngd and sshd startup scripts
::::::::::::::
S98prngd
::::::::::::::
#!/bin/sh
# Solaris init script for prngd (/etc/init.d/prngd, linked as /etc/rc2.d/S98prngd)
# Find the PID of a running prngd: ps -e prints "PID TTY TIME CMD", so strip the
# leading blanks and everything after the first field.
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/prngd /var/spool/prngd/pool
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/prngd {start|stop}"
        ;;
esac
::::::::::::::
S98sshd
::::::::::::::
#!/bin/sh
# Solaris init script for sshd (/etc/init.d/sshd, linked as /etc/rc2.d/S98sshd)
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
3. Use prngd to generate pseudo-random initial seeds
cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd-seed
mkdir /var/spool/prngd
/etc/rc2.d/S98prngd start
Check whether prngd is working properly: /usr/local/bin/egc.pl /var/spool/prngd/pool get
Expected output: 9151 bits of entropy in pool
4. Add the sshd user (for privilege separation)
mkdir /var/empty
chown root /var/empty
chgrp sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
5. Modify the tcpd control files /etc/hosts.allow and /etc/hosts.deny
ALL: n.n    # IP address of the host allowed to log on
6. Create the host key pairs on the server
ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
Start sshd:
/etc/rc2.d/S98sshd start
7. Disable the original telnet and ftp services
Modify the /etc/inetd.conf file to disable the telnet and ftp services, then send inetd a kill -HUP so the change takes effect.
8. Perform the following tests on the client
UNIX client:
ssh [-l username] [-p port] host    (replaces telnet; the -v option turns on debugging output, a good troubleshooting aid)
sftp [-l username] [-p port] host    (replaces ftp)
WINDOWS client:
SecureCRT 3.4.5    (in the session configuration, authentication uses the password method)
SecureFX 2.0.3
The above is the default installation, that is, SSH with password authentication.
To keep this sole login server secure while avoiding the risk that a restart of the sshd process after a configuration change leaves the host unmanageable, the telnet and ftp services are kept in use (restricted to the internal network) in combination with SSHD key authentication, with the following settings in /etc/hosts.allow:
################# Internal network #####################
ALL: n.n    # operator1
ALL: n.n    # operator2
################## Outside network #####################
sshd: ALL    # RSA auth
In this way, the administrator can easily log on to the host from the company's fixed IP addresses, and where the IP address is not fixed (at home or on a business trip) can log on through sshd key authentication.
The server configuration (/usr/local/etc/sshd_config) is as follows:
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/usr/sbin:/usr/local/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# HostKey for protocol version 1
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
# Set to no: password logins are disabled and only RSA key authentication is accepted
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
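As an added example (not part of the original article, and not OpenSSH's own tooling), the following POSIX shell script checks an sshd_config for the settings this configuration relies on and rewrites the weak one. The sample configuration it audits is constructed inline and reduced from the listing above; the function names sshd_get, sshd_audit and sshd_set are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# settings the article relies on, then correct the weak one. Function names
# (sshd_get, sshd_audit, sshd_set) are this example's own.

# Constructed sample config, reduced from the article's sshd_config; the
# password setting is deliberately still "yes" here so the audit has a finding.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
HARDENED_CFG="$SAMPLE_CFG.hardened"
trap 'rm -f "$SAMPLE_CFG" "$HARDENED_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel INFO
  PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/local/libexec/sftp-server
EOF

# sshd_get CONFIG KEYWORD: print the effective value of KEYWORD. sshd uses
# the first uncommented occurrence and matches keywords case-insensitively.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit CONFIG: one line per finding; the return value is the number of
# findings, so 0 means the config matches the article's hardened setup.
sshd_audit() {
    cfg=$1; findings=0
    pa=$(sshd_get "$cfg" PasswordAuthentication)
    if [ "${pa:-yes}" != "no" ]; then          # compiled-in default is yes
        echo "FAIL PasswordAuthentication=${pa:-unset}: want no (key-only logins)"
        findings=$((findings + 1))
    fi
    pe=$(sshd_get "$cfg" PermitEmptyPasswords)
    if [ "${pe:-no}" != "no" ]; then
        echo "FAIL PermitEmptyPasswords=$pe: want no"
        findings=$((findings + 1))
    fi
    if [ -z "$(sshd_get "$cfg" HostKey)" ]; then
        echo "FAIL no HostKey line: sshd has no host key to offer"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" Subsystem)" != "sftp" ]; then
        echo "FAIL no sftp Subsystem: sftp cannot replace ftp"
        findings=$((findings + 1))
    fi
    return $findings
}

# sshd_set CONFIG KEYWORD VALUE: rewrite CONFIG so KEYWORD has VALUE. The
# first active occurrence is replaced, later duplicates (which sshd would
# ignore anyway) are dropped, and the line is appended if it was absent.
sshd_set() {
    cfg=$1; kw=$2; val=$3; tmp="$cfg.tmp.$$"
    awk -v key="$(printf '%s' "$kw" | tr 'A-Z' 'a-z')" -v kw="$kw" -v val="$val" '
        NF >= 2 && $1 !~ /^#/ && tolower($1) == key {
            if (!done) { print kw, val; done = 1 }
            next
        }
        { print }
        END { if (!done) print kw, val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

echo "--- audit of the constructed config (password logins still enabled):"
sshd_audit "$SAMPLE_CFG" || echo "findings: $?"
cp "$SAMPLE_CFG" "$HARDENED_CFG"
sshd_set "$HARDENED_CFG" PasswordAuthentication no
echo "--- audit after sshd_set PasswordAuthentication no:"
sshd_audit "$HARDENED_CFG" && echo "clean: 0 findings"
```

The PasswordAuthentication check matters most in the hosts.allow layout above: once "sshd: ALL" admits connections from any outside address, a config that still accepts passwords exposes every account to guessing from the Internet, whereas with it set to no only holders of an authorized key can get past sshd.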
Here the SSH password authentication method is disabled and RSA key authentication is used instead. First run ssh-keygen -t rsa, which automatically generates a key pair in the .ssh directory of the home directory: id_rsa (private key) and id_rsa.pub (public key). Then manually copy id_rsa.pub into the authorized_keys file, save id_rsa and id_rsa.pub on the client, and delete the id_rsa and id_rsa.pub files from the server.
Client test: on a UNIX client, put id_rsa and id_rsa.pub in the .ssh subdirectory of the user's home directory; ssh and sftp can then be used for testing. On a WINDOWS client, in SecureCRT set the authentication method to publickey and, under Properties > Session settings, use "identity file" to specify the location of id_rsa. In this way only users holding a key pair can log on. Of course, the keys must be protected from leakage, and for security the server should change each user's keys on a regular basis.
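As an added example (not from the original article), this POSIX shell script performs the authorized_keys step just described with the file permissions that sshd's default StrictModes check requires, removes a key again when it is rotated, and checks that no private key file was left on the server. The public-key line is constructed text, not a real key, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: install and revoke a user's
# public key in ~/.ssh/authorized_keys with the permissions sshd's StrictModes
# check expects, and confirm no private key was left on the server.

# Constructed sample public-key line: not a real key, just well-formed text.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedconstructedconstructed= operator1@admin-pc'

# install_authorized_key HOME_DIR KEYLINE: append KEYLINE once (idempotent),
# with ~/.ssh mode 700 and authorized_keys mode 600.
install_authorized_key() {
    home=$1; keyline=$2
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -Fqx -- "$keyline" "$auth" || printf '%s\n' "$keyline" >> "$auth"
}

# revoke_authorized_key HOME_DIR KEYLINE: drop KEYLINE, used when a user's
# key is rotated. grep -v exits 1 when nothing remains, which is not an error.
revoke_authorized_key() {
    home=$1; keyline=$2
    auth="$home/.ssh/authorized_keys"
    [ -f "$auth" ] || return 0
    tmp="$auth.tmp.$$"
    grep -Fvx -- "$keyline" "$auth" > "$tmp" || true
    mv "$tmp" "$auth" && chmod 600 "$auth"
}

# count_authorized_keys HOME_DIR: number of key lines (0 if there is no file).
count_authorized_keys() {
    auth="$1/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return 0; }
    grep -c '^ssh-' "$auth" || true      # grep -c exits 1 on zero matches
}

# server_has_private_key HOME_DIR: true (0) if a private key file is present in
# ~/.ssh; the article requires id_rsa to be removed from the server after setup.
server_has_private_key() {
    for f in identity id_rsa id_dsa; do
        [ -f "$1/.ssh/$f" ] && return 0
    done
    return 1
}

# Demonstration on a throw-away home directory
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # second call changes nothing
echo "keys installed: $(count_authorized_keys "$DEMO_HOME")"   # prints 1
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
if server_has_private_key "$DEMO_HOME"; then
    echo "WARNING: private key left on server"
else
    echo "ok: no private key in $DEMO_HOME/.ssh"
fi
```

On a real server the functions would run as root or as the user in question, so that the .ssh directory and authorized_keys stay owned by that user; sshd refuses the key file when the directory is group- or world-writable, which is why the explicit chmod calls are there.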
Through the above security configuration of the intranet servers, security and convenience are combined.