Several shortcuts to improve SSH security

The Secure Shell Protocol (SSH) is now almost an essential choice for remote login operations. There are many ways to enhance the security of SSH, but which method is simple and effective? Let's get to know each other.

Now, the Secure Shell protocol is almost entirely a necessary choice for remote login operations. For many administrators, using it already belongs to the default requirements. But the point is that the situation is not as sure as you think, and the security provided by the Secure Shell protocol also needs to be set up. Now, there are a number of ways to elevate security to a higher level, but which are the easiest to deploy and the most secure? Below, let's get to know each other.

Key authentication based on SSH

No matter how often users reduce the frequency of use, but as long as the use of passwords to log in, it can be cracked. This is a permanent security vulnerability. However, by using SSH based key authentication, the problem can be resolved. As long as you set a key and then copy the key to the specified machine, you can complete the setup, and the following is a specific implementation step (note: These steps are for Ubuntu clients and servers):

Local System

Open a terminal window and enter the command ssh-keygen-t DSA. The command generates a public key, and the next step is to copy it to the server using the ssh-copy-id-i ~/.ssh/id_dsa.pub user name @ Destination address command, where the user name refers to the user name that is actually used on the remote computer. The destination address refers to the actual address of the remote computer.

Now, when a consumer tries to log on using a remote computer, it is required to provide a certificate instead of a user password.

For users using a graphical interface system, you can choose to click on the Open System | preferences | Password and encryption key settings. Select the personal key bar from the graphical interface (see Figure A), click File | new | Secure Shell protocol key entry, complete the setup as prompted by the Create guide.

Figure A

The tool can manage all passwords and private keys.

Once the key is created, the Security Shell protocol key can be set up by right-clicking to open it. In a new window, the user can type the name of the computer (the remote system) and the login name. Note: Before doing so, it is important to ensure that the login name already exists on the remote computer.

If the user is using Windows to log on to the SSH feature server, you can choose to use the key pair build tool Puttygen. Download and start the Puttygen, click the Generate button, move the mouse to another location (during the creation phase), save the public key, and copy it to the SSH server.

Please note: For the sake of precaution, everyone should choose to always enforce password protection on the key. Because if you choose to allow key authentication mode at set time, you may find that some users choose to create a password-free key (based on usability considerations). This approach is unsafe.

Block access to the root

Allowing access based on secure shell protocols is one of the keys for all systems. Open file/etc/ssh/sshd_config to find this line:

Permitrootlogin

Make sure the line above is set to negative. The correct line should be:

Permitrootlogin No

Once you have completed the change and save operation on the file, you can enter the command:

Sudo/etc/init.d/ssh restart

Now, if there is an attempt to log on to the server using SSH as the root user, the access will be rejected directly.

Adjust port number

I believe that blurring security will not bring real security. However, for the security shell Protocol, the more security is set. Therefore, I am very supportive of adjusting the default 22nd port of the security shell protocol to a non-standard port. To do this, you need to open/Etc/ssh/sshd_config the file and find this row (near the top):

Port 22

Adjust the port number to another non-standard port that is not in use. It is to be noted that all users connected to the system should be aware of the port number adjustments. After tuning, you will also need to restart the SSH service.

Using the command line to connect non-standard port times, you need to use this command:

Ssh-p Port _ Digital-v-l user Name network address

Here the port _ number is a non-standard port, the user name is the user name used to connect, the network address is the address of the remote system.

The last Thought

In general, secure shell protocols are a fairly secure way of connecting to remote systems. However, as long as the default on the basis of a small adjustment, you can achieve a very safe state ... It takes a little time to get a great boost in security. As an important experience for a standard, users should keep in mind that in any case, root logins should be blocked ... All acts exceeding this limit are known as sweetener.