Seven Tips for enhancing SSH Security

Source: Internet
Author: User

OpenSSH is the SSH server on most Linux servers, so this article applies only to OpenSSH. The techniques are basic, but applied well they do noticeably improve the security of SSH.

The following configuration items are all set in the /etc/ssh/sshd_config file.

1. Disable root login

PermitRootLogin no

With this option set, you can log on only as an ordinary user and then switch to the root account with su or sudo.

2. Only specified users and groups are allowed to log on.
Specified user

AllowUsers ramesh john jason

Specified group

AllowGroups sysadmin dba

3. Prohibit specified users or groups from logging on
Specified user

DenyUsers cvs apache jane

Specified group

DenyGroups developers qa

Note: Allow and Deny can be used in combination. The processing sequence is: DenyUsers, AllowUsers, DenyGroups, and AllowGroups.
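The processing order matters when the directives are combined: a DenyUsers match wins over everything, and when both AllowUsers and AllowGroups are set an account must satisfy both. The following is an added example, not code from the article or from OpenSSH, that reproduces the documented order using the directive values above as a constructed policy. It uses fnmatch as a stand-in for sshd's own `*`/`?` pattern matcher and does not model the `user@host` form of the user directives.

```python
"""Evaluate the order in which sshd applies DenyUsers, AllowUsers,
DenyGroups and AllowGroups (added example; not OpenSSH code)."""
from fnmatch import fnmatchcase


def _matches_any(name, patterns):
    # fnmatch approximates sshd's '*' and '?' wildcards (assumption).
    return any(fnmatchcase(name, p) for p in patterns)


def login_allowed(user, groups, deny_users=(), allow_users=(),
                  deny_groups=(), allow_groups=()):
    """Return (allowed, deciding_directive) for `user`, whose primary and
    supplementary group names are `groups`."""
    # 1. DenyUsers: an explicit user deny always wins.
    if _matches_any(user, deny_users):
        return False, "DenyUsers"
    # 2. AllowUsers: if the list exists, the user must be on it.
    if allow_users and not _matches_any(user, allow_users):
        return False, "AllowUsers"
    # 3. DenyGroups: membership in any denied group is enough to refuse.
    if any(_matches_any(g, deny_groups) for g in groups):
        return False, "DenyGroups"
    # 4. AllowGroups: if the list exists, at least one group must be on it.
    if allow_groups and not any(_matches_any(g, allow_groups) for g in groups):
        return False, "AllowGroups"
    return True, "allowed"


# Constructed policy using the article's directive values.
POLICY = dict(
    deny_users=("cvs", "apache", "jane"),
    allow_users=("ramesh", "john", "jason"),
    deny_groups=("developers", "qa"),
    allow_groups=("sysadmin", "dba"),
)

if __name__ == "__main__":
    # Constructed accounts with their group memberships.
    for user, groups in [("ramesh", ["ramesh", "sysadmin"]),
                         ("jane", ["sysadmin"]),
                         ("john", ["john", "developers", "dba"]),
                         ("bob", ["sysadmin"]),
                         ("jason", ["jason"])]:
        print(user, login_allowed(user, groups, **POLICY))
```

Note the last two cases: `bob` is in an allowed group but not in AllowUsers, and `jason` is in AllowUsers but in none of the allowed groups; both are refused, which is the behaviour to expect when the two Allow directives are used together.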

4. Modify the SSH listening port
Change the SSH listening port to 222

Port 222

5. Shorten the default logon time
By default, a client has 2 minutes after connecting to enter an account and password and log on. You can shorten this to 1 minute or 30 seconds.

LoginGraceTime 1m

6. Restrict the listening IP address
If your server has several NICs and IP addresses, you can restrict the addresses on which SSH listens, so that users can log on only through those addresses.

For example, you have four NICs:

eth0 - 192.168.10.200
eth1 - 192.168.10.201
eth2 - 192.168.10.202
eth3 - 192.168.10.203

If you want to allow users to log on only through the two addresses ending in 202 and 203, use the following settings:

ListenAddress 192.168.10.202
ListenAddress 192.168.10.203

7. Disconnect inactive sessions
If the client is inactive for 10 minutes, the server automatically disconnects the session.

ClientAliveInterval 600
ClientAliveCountMax 0

ClientAliveCountMax: The default value is 3, the number of client-alive probes sshd sends without receiving a response before it disconnects the session.
ClientAliveInterval: The default value is 0, the number of seconds without data from the client after which sshd sends a probe asking the client to respond (0 means the probe is never sent).
Two caveats: since OpenSSH 8.2, a ClientAliveCountMax of 0 disables the disconnect entirely instead of dropping the session at the first probe, and with a count of 1 or more the probes are answered by the ssh client program itself, so these settings drop dead connections rather than sessions where the user is merely idle.
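The seven settings above are easy to check mechanically. The following is an added example, not code from the article or from OpenSSH: it parses the global section of an sshd_config the way sshd reads it in the simple cases (case-insensitive keywords, `#` comments, `Keyword value` or `Keyword=value`, first occurrence wins for single-valued directives) and reports each tip as ok or warn. It stops at the first Match block, which it does not model, and the sample configuration is constructed from the article's directives rather than taken from a real server.

```python
"""Audit the global section of an sshd_config against the seven tips
(added example; not part of the article or of OpenSSH)."""
import re

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(spec):
    """Convert an sshd time spec such as '1m', '30' or '1h30m' to seconds."""
    spec = spec.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", spec):
        raise ValueError(f"bad time spec: {spec!r}")
    return sum(int(n) * TIME_UNITS[u or "s"]
               for n, u in re.findall(r"(\d+)([smhdw]?)", spec))


def parse_sshd_config(text):
    """Return {keyword_lowercase: [values in file order]} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            break  # conditional blocks are out of scope for this example
        settings.setdefault(keyword, []).append(value)
    return settings


def first(settings, keyword):
    """First occurrence of a single-valued directive, or None if unset."""
    values = settings.get(keyword)
    return values[0] if values else None


def audit(settings):
    """Return a list of (tip, status, detail); status is 'ok' or 'warn'."""
    findings = []

    def report(ok, tip, detail):
        findings.append((tip, "ok" if ok else "warn", detail))

    root = first(settings, "permitrootlogin")
    report(root == "no", "PermitRootLogin", f"value: {root or 'not set'}")

    allow = settings.get("allowusers", []) + settings.get("allowgroups", [])
    report(bool(allow), "AllowUsers/AllowGroups",
           ("restricted to: " + " ".join(allow)) if allow else "any account may log in")

    ports = settings.get("port") or ["22"]          # sshd default port is 22
    report("22" not in ports, "Port", "listening on " + ", ".join(ports))

    grace = first(settings, "logingracetime")
    seconds = parse_time(grace) if grace else 120  # sshd default is 2m
    report(seconds <= 60, "LoginGraceTime", f"{seconds}s to authenticate")

    listen = settings.get("listenaddress", [])
    wildcard = [a for a in listen if a.startswith(("0.0.0.0", "::", "[::]"))]
    report(bool(listen) and not wildcard, "ListenAddress",
           ", ".join(listen) if listen else "all addresses")

    interval = int(first(settings, "clientaliveinterval") or 0)
    count_max = first(settings, "clientalivecountmax")
    count_max = 3 if count_max is None else int(count_max)
    if interval == 0:
        report(False, "ClientAlive", "no liveness probes; dead sessions are never dropped")
    elif count_max == 0:
        report(False, "ClientAlive",
               "ClientAliveCountMax 0 disables the disconnect on OpenSSH 8.2 and later")
    else:
        report(True, "ClientAlive",
               f"dropped after ~{interval * count_max}s without a client response")
    return findings


# Constructed sample built from the article's directives (not a real server's file).
SAMPLE_CONFIG = """
# hardened settings
PermitRootLogin no
AllowUsers ramesh john jason
AllowGroups sysadmin dba
Port 222
LoginGraceTime 1m
ListenAddress 192.168.10.202
ListenAddress 192.168.10.203
ClientAliveInterval 600
ClientAliveCountMax 0
"""

if __name__ == "__main__":
    for tip, status, detail in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{status:4}  {tip:24} {detail}")
```

Run against the article's own settings, every tip passes except ClientAlive, which is flagged because of the ClientAliveCountMax 0 semantics on current OpenSSH. After editing the real file, validate it with `sshd -t` before reloading the service, and keep an existing session open while you test a new connection so a typo in Port, ListenAddress or AllowUsers cannot lock you out.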
