OpenSSH is encrypted communication software for Linux/Unix and an essential tool for remotely administering Linux/Unix servers. The location of the OpenSSH configuration file differs between Linux and Unix distributions and versions. For example, on Ubuntu the OpenSSH configuration file is /etc/ssh/sshd_config.
OpenSSH Security Options:
Port 22 // The port opened by OpenSSH
LoginGraceTime 120 // The number of seconds after which the connection is forcibly closed if the client has connected to the server but has not logged on
PermitRootLogin yes // Whether to allow the root user to log on; yes allows it, no forbids it. For security reasons, we recommend that you change it to no to prevent brute-force cracking
AllowUsers webgod // Users allowed to log on; does not exist by default
AllowGroups webgod // User groups allowed to log on; does not exist by default
DenyUsers webgod // Users not allowed to log on; does not exist by default
DenyGroups webgod // User groups not allowed to log on; does not exist by default
To ensure security, you can change the default port 22 to another idle port number (such as 435) to prevent scanning. At the same time, you also need to define the ssh port in the /etc/services file:
ssh 22/tcp
ssh 22/udp
In addition, you can use the AllowUsers, AllowGroups, DenyGroups, and DenyUsers parameters, alone or in combination, to limit the access permissions of users or user groups. For example, to allow only the user webgod to access the system, add the following parameter to the /etc/ssh/sshd_config configuration file.
AllowUsers webgod
After sshd is restarted, the system rejects logon requests from all users other than webgod and outputs an Access Denied error message.
After modifying the OpenSSH configuration file, you need to restart the sshd daemon for the new settings to take effect.
$ sudo /etc/init.d/ssh restart
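The following Python example is added here and is not part of the original article: it parses the global section of an sshd_config, decides whether a given user passes the AllowUsers/AllowGroups/DenyUsers/DenyGroups combination, and flags the settings discussed above. It assumes patterns use only the * and ? wildcards and ignores USER@HOST forms, Match blocks and Include files; SAMPLE and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: port and AllowUsers changed as above, PermitRootLogin still "yes".
SAMPLE = """\
Port 435
LoginGraceTime 120
PermitRootLogin yes
AllowUsers webgod
"""
ACCESS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse(text):
    """Return {keyword: [arguments]} for the global section of an sshd_config."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]   # keywords are case-insensitive
        if key == "match":                        # assumption: Match blocks ignored
            break
        if key in ACCESS or key == "port":
            cfg.setdefault(key, []).extend(args)  # repeated lines accumulate
        else:
            cfg.setdefault(key, args)             # first value obtained is used
    return cfg

def _hit(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def may_login(cfg, user, groups=()):
    """A logon must pass every list; a Deny match wins over an Allow match."""
    denied = _hit(user, cfg.get("denyusers", [])) or any(
        _hit(g, cfg.get("denygroups", [])) for g in groups)
    user_ok = "allowusers" not in cfg or _hit(user, cfg["allowusers"])
    group_ok = "allowgroups" not in cfg or any(
        _hit(g, cfg["allowgroups"]) for g in groups)
    return not denied and user_ok and group_ok

def audit(cfg):
    findings = []
    if cfg.get("permitrootlogin") == ["yes"]:
        findings.append("PermitRootLogin yes")
    if cfg.get("port", ["22"]) == ["22"]:
        findings.append("Port 22 (default)")
    if not any(k in cfg for k in ACCESS):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups")
    return findings
```

Running sshd -t before the restart additionally checks the edited file for syntax errors.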
Appendix: SSH-related configuration files:
OpenSSH configuration files and main files are stored in the /etc/ssh/ directory, which includes the following files:
/etc/ssh/sshd_config: configuration file of the sshd server
/etc/ssh/ssh_config: configuration file of the ssh client
/etc/ssh/ssh_host_key: RSA private key used by SSH1
/etc/ssh/ssh_host_key.pub: RSA public key used by SSH1
/etc/ssh/ssh_host_rsa_key: RSA private key used by SSH2
/etc/ssh/ssh_host_rsa_key.pub: RSA public key used by SSH2
/etc/ssh/ssh_host_dsa_key: DSA private key used by SSH2
/etc/ssh/ssh_host_dsa_key.pub: DSA public key used by SSH2