SSH Security Configuration: how to enhance the security configuration of Linux SSH

Source: Internet
Author: User

1. Modify the sshd server configuration file /etc/ssh/sshd_config, changing the following parameters to enhance security.

Port 3333

sshd listens on port 22 by default. Change the listening port to another value (preferably a high port above 1024, to avoid conflicts with other common service ports); this makes it harder to detect whether the system is running the sshd daemon.

ListenAddress 192.168.0.1

If the server has multiple NICs or multiple IP addresses configured, set sshd to listen only on one specified interface address. This reduces the number of entry points to sshd and the possibility of intrusion.

 

PermitRootLogin no

If root is allowed to log in, attackers can attempt brute-force password cracking against the root account, which puts the system at risk.

PermitEmptyPasswords no

A system that allows empty passwords is like a fortress with no defenses at all.

AllowUsers sshuser1 sshuser2

Only the specified users are allowed to access the server through ssh, which limits ssh permission to the minimum range.

AllowGroups sshgroup

Similar to AllowUsers above, this allows only the specified user group to access the server through ssh. The two have the same effect in restricting access to the server.

Protocol 2

Protocol version 1 is not allowed: it has design defects, and passwords are easily cracked.

Disable all unnecessary (or insecure) authentication methods.

X11Forwarding no

Disable X11Forwarding to prevent session hijacking.

MaxStartups 5

While the sshd service is running, each connection uses a large block of memory, which is what makes DoS attacks against ssh possible. The connection limit above is sufficient unless many administrators manage the server at the same time.

Note: The preceding parameter settings are just an example. You should change the settings based on your environment.
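The following auditor is an added example, not part of the original article. It checks the global section of an sshd_config against the settings listed above and shows that a corrected line appended after an earlier conflicting one has no effect, because sshd uses the first value it reads for a keyword. The function names parse_global and audit and the sample file are assumptions made for illustration.

```python
# Added example: audit the global section of an sshd_config against the
# settings recommended on this page. SAMPLE is constructed, not from a real host.
EXPECTED = {"permitrootlogin": "no", "permitemptypasswords": "no", "x11forwarding": "no"}

SAMPLE = """\
Port 3333
ListenAddress 192.168.0.1
PermitRootLogin yes
permitemptypasswords no
X11Forwarding no
MaxStartups 5
AllowUsers sshuser1 sshuser2
PermitRootLogin no
"""

def parse_global(text):
    """Return {lowercased keyword: [values in file order]} up to the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope here
        seen.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        values = cfg.get(key)
        if not values:
            findings.append(f"{key}: not set explicitly")
        elif values[0].lower() != want:  # sshd uses the first value it reads
            findings.append(f"{key}: effective value {values[0]!r}, expected {want!r}")
    if cfg.get("protocol", ["2"])[0] != "2":
        findings.append("protocol: SSH protocol version 1 is enabled")
    if "22" in cfg.get("port", ["22"]):  # Port may be given several times
        findings.append("port: sshd listens on the default port 22")
    if not cfg.get("listenaddress"):
        findings.append("listenaddress: not set, sshd listens on all addresses")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("allowusers/allowgroups: no allow-list configured")
    return findings
```

After editing the real file, `sshd -t` validates it and `sshd -T` prints the effective configuration, which is the authoritative check before restarting the daemon.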

2. Modify the read and write permissions of the sshd server configuration file /etc/ssh/sshd_config so that it is read-only for all non-root users, which prevents unauthorized users from modifying the sshd security settings.

chmod 644 /etc/ssh/sshd_config

3. Set up TCP Wrappers. The server accepts all connection requests by default, which is very dangerous. TCP Wrappers can block an application service or open it only to certain hosts, adding a security barrier to the system. These settings involve two files: hosts.allow and hosts.deny.

Add explicitly allowed requests to /etc/hosts.allow. If the system should only allow the hosts with IP addresses 192.168.0.15 and 10.0.0.11 to use the sshd service, add the following content:

sshd: 192.168.0.15 10.0.0.11

Add the requests to be denied to /etc/hosts.deny. For example, to prohibit everyone from using the sshd service except those explicitly allowed in the hosts.allow list, add the following content to the hosts.deny file:

sshd: ALL

Note: The system checks the two files in a fixed order: it checks the hosts.allow file first and then the hosts.deny file. A user permitted in hosts.allow is therefore allowed to use the network resource even if hosts.deny denies it.
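The check order described in the note, as an added example that is not part of the original article. It evaluates the two entries shown above and handles only exact addresses and the ALL wildcard; the function names and the client address 203.0.113.7 are assumptions made for illustration.

```python
# Added example: hosts.allow / hosts.deny decision order for the page's entries.
# Handles only exact addresses and the ALL wildcard, the two forms used above.
HOSTS_ALLOW = "sshd: 192.168.0.15 10.0.0.11\n"
HOSTS_DENY = "sshd: ALL\n"

def rules(text):
    """Yield (daemons, clients) lists from 'daemon_list : client_list' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()

def matches(text, daemon, client):
    """True if any rule in the file covers this (daemon, client) pair."""
    for daemons, clients in rules(text):
        daemon_ok = daemon in daemons or "ALL" in daemons
        client_ok = client in clients or "ALL" in clients
        if daemon_ok and client_ok:
            return True
    return False

def access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, reason) following the allow-then-deny search order."""
    if matches(allow, daemon, client):
        return True, "matched hosts.allow"
    if matches(deny, daemon, client):
        return False, "matched hosts.deny"
    return True, "no match in either file"   # default is to grant access

if __name__ == "__main__":
    for ip in ("192.168.0.15", "203.0.113.7"):  # second address is a constructed client
        print(ip, access("sshd", ip))
```

The last branch is why the hosts.deny entry matters: with an empty hosts.deny, a client that is absent from hosts.allow is still granted access. These files only affect sshd when it is built with TCP Wrappers (libwrap) support.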

4. Disable as many startup services not required by the system as possible. By default, the system starts many network-related services, so many ports are open and listening. The more open ports there are, the more likely the system is to be penetrated from outside, so unnecessary startup services should be disabled to close as many ports as possible and improve system security.

After completing the steps above, we have basically closed the likely holes in the sshd service settings without spending any money. Taking a little time to adjust the configuration greatly improves the security of the system, so why not?
