1. Modify the sshd server configuration file /etc/ssh/sshd_config and set some parameters as follows to enhance security.
Port 3333
The system uses port 22 by default. Changing the listening port to another value (preferably a high port above 1024, to avoid conflicts with other common service ports) makes it harder for an outsider to detect whether the system is running the sshd daemon.
ListenAddress 192.168.0.1
If the server has multiple NICs or multiple IP addresses configured, set sshd to listen only on one specified interface address. This reduces the number of entry points into sshd and therefore the chance of intrusion.
PermitRootLogin no
If logging in directly as root is allowed, attackers can brute-force the root password, which puts the whole system at risk.
PermitEmptyPasswords no
A system that allows empty passwords is like a fortress without any defences.
AllowUsers sshuser1 sshuser2
Only the specified users are allowed to access the server through ssh, so ssh access is restricted to the smallest possible set of accounts.
AllowGroups sshgroup
Similar to AllowUsers above, but restricts ssh access to the members of the specified group. Both directives have the same effect of restricting who may reach the server.
Protocol 2
Protocol version 1 is not allowed, because its design defects make the password easy to compromise.
All unnecessary (or insecure) authentication methods should be disabled.
X11Forwarding no
Disable X11 forwarding to prevent X11 session hijacking.
MaxStartups 5
While the sshd service is running, each connection consumes a sizeable block of memory, which is why ssh is a target for DoS attacks. The connection limit above is sufficient unless many administrators manage the server at the same time.
Note: The preceding parameter settings are just an example. You should change the settings based on your environment.
2. Modify the read and write permissions of the sshd server configuration file /etc/ssh/sshd_config. Give all non-root users read-only access, so that unauthorized users cannot modify the sshd security settings.
chmod 644 /etc/ssh/sshd_config
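The following shell script is an added example, not part of the original article, that checks a copy of sshd_config against the settings from steps 1 and 2. It runs on a constructed sample file rather than a live host; the names sshd_get, expect_value and sshd_audit are chosen for this example, and the sample values are made up.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening settings above.
# Constructed sample config (deliberately mixes hardened and weak values);
# it is not taken from any real host.
SAMPLE_CONFIG='
# constructed sample sshd_config
Port 22
#ListenAddress 192.168.0.1
PermitRootLogin yes
PermitEmptyPasswords no
AllowUsers sshuser1 sshuser2
Protocol 2
X11Forwarding yes
'

# sshd_get FILE KEY -> value of the first active (uncommented) occurrence of KEY.
# sshd keywords are case-insensitive and the first occurrence wins, which is
# why only the first match is read. Simplification: "Match" blocks and the
# "Key=value" spelling are not handled.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# expect_value FILE KEY WANT -> 0 if KEY equals WANT (case-insensitive);
# otherwise print a FINDING line and return 1.
expect_value() {
    have=$(sshd_get "$1" "$2")
    if [ -z "$have" ]; then
        echo "FINDING $2 not set (want '$3'); the compiled-in default applies"
        return 1
    fi
    if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "FINDING $2 is '$have' (want '$3')"
        return 1
    fi
    return 0
}

# sshd_audit FILE -> one FINDING line per weakness; exit status = number of findings.
sshd_audit() {
    f=$1; n=0
    port=$(sshd_get "$f" Port)
    case "$port" in
        ""|22) echo "FINDING Port is '${port:-unset}' (default 22); move sshd to a high port"; n=$((n+1)) ;;
    esac
    [ -n "$(sshd_get "$f" ListenAddress)" ] || { echo "FINDING ListenAddress unset; sshd binds every interface"; n=$((n+1)); }
    # Protocol: on OpenSSH 7.6 and later protocol 1 no longer exists and the
    # directive is deprecated, so treat that finding as informational there.
    for pair in "PermitRootLogin no" "PermitEmptyPasswords no" "Protocol 2" "X11Forwarding no"; do
        set -- $pair
        expect_value "$f" "$1" "$2" || n=$((n+1))
    done
    if [ -z "$(sshd_get "$f" AllowUsers)" ] && [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        echo "FINDING neither AllowUsers nor AllowGroups set; every account may attempt ssh login"; n=$((n+1))
    fi
    # MaxStartups caps concurrent unauthenticated connections (the DoS point above).
    [ -n "$(sshd_get "$f" MaxStartups)" ] || { echo "FINDING MaxStartups unset; compiled-in default applies"; n=$((n+1)); }
    # Step 2: the file must not be writable by group or others (chmod 644).
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) echo "FINDING $f is group- or world-writable ($mode); chmod 644 it"; n=$((n+1)) ;;
    esac
    return $n
}

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$SAMPLE_FILE"
rc=0
sshd_audit "$SAMPLE_FILE" || rc=$?
echo "findings: $rc"
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script. On the sample above it reports five findings (Port, ListenAddress, PermitRootLogin, X11Forwarding, MaxStartups); the temporary file created by mktemp is mode 600, so the permission check passes. Because sshd honours the first occurrence of a keyword, an earlier or included line can silently override a hardened value placed later in the file, which is why the script reads only the first match.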
3. Set up TCP Wrappers. By default the server accepts every connection request, which is very dangerous. With TCP Wrappers, application services can be blocked, or opened only to certain hosts, adding another security barrier to the system. This part of the setup involves two files: hosts.allow and hosts.deny.
Add explicitly allowed requests to /etc/hosts.allow. If the system should only allow the hosts with IP addresses 192.168.0.15 and 10.0.0.11 to use the sshd service, add the following content:
sshd: 192.168.0.15 10.0.0.11
Add what is to be refused to /etc/hosts.deny. For example, to prohibit everyone other than the hosts explicitly allowed for sshd in hosts.allow from using the sshd service, add the following content to the hosts.deny file:
sshd: ALL
Note: The system checks hosts.allow first and hosts.deny second. If a host is allowed to use a network resource in hosts.allow and at the same time refused it in hosts.deny, the hosts.allow entry takes precedence and the host is allowed to use that network resource.
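To make the evaluation order concrete, here is an added example (not part of the original article) that models how the two files are consulted: hosts.allow first, then hosts.deny, and access granted when neither matches. It works on constructed copies of the two entries above written to temporary files, and only handles ALL, exact addresses and a trailing-dot network prefix; the function names tcpw_match and tcpw_decide are chosen for this example.

```shell
#!/bin/sh
# Added example: a simplified model of how hosts.allow / hosts.deny are
# consulted (hosts.allow first, then hosts.deny, then allow by default).
# Handled patterns: ALL, an exact client address, and a network prefix
# ending in "." such as 192.168.0. (real libwrap also supports hostnames,
# netgroups, EXCEPT lists and more; those are not modelled here).

# tcpw_match FILE DAEMON CLIENT -> 0 if some line "daemon_list : client_list" matches.
tcpw_match() {
    awk -v d="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            split($0, part, ":")
            nd = split(part[1], dl, /[ \t,]+/)     # daemon list
            nc = split(part[2], cl, /[ \t,]+/)     # client list
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            for (j = 1; j <= nc; j++) {
                p = cl[j]
                if (p == "ALL" || p == c) cm = 1
                else if (p ~ /\.$/ && index(c, p) == 1) cm = 1
            }
            if (dm && cm) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# tcpw_decide ALLOWFILE DENYFILE DAEMON CLIENT -> prints "allow" or "deny".
tcpw_decide() {
    if tcpw_match "$1" "$3" "$4"; then echo allow
    elif tcpw_match "$2" "$3" "$4"; then echo deny
    else echo allow      # matched by neither file: libwrap grants access
    fi
}

# Constructed copies of the two entries from the text (not read from /etc).
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
printf '%s\n' 'sshd: 192.168.0.15 10.0.0.11' > "$ALLOW_FILE"
printf '%s\n' 'sshd: ALL' > "$DENY_FILE"

for client in 192.168.0.15 10.0.0.11 203.0.113.9; do
    echo "sshd from $client -> $(tcpw_decide "$ALLOW_FILE" "$DENY_FILE" sshd "$client")"
done
# A service not named in either file is still reachable from anywhere:
echo "vsftpd from 203.0.113.9 -> $(tcpw_decide "$ALLOW_FILE" "$DENY_FILE" vsftpd 203.0.113.9)"
```

Two caveats worth checking before relying on these files. First, the last line shows the default-allow behaviour: a service that appears in neither file is not restricted at all, so a hosts.deny entry of `ALL: ALL` is the usual way to close that gap. Second, portable OpenSSH removed its libwrap (TCP Wrappers) support in version 6.7; some distributions patch it back in, so confirm with `ldd "$(command -v sshd)" | grep libwrap` that your sshd actually consults hosts.allow and hosts.deny, and otherwise use a host firewall or the ListenAddress and AllowUsers settings from step 1 instead.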
4. Shut down as many startup services as possible that the system does not need. By default, the system starts many network-related services, which leaves many ports open (LISTENING). As we know, the more open ports there are, the more likely the system is to be penetrated from outside, so we should disable unnecessary startup services to close their ports wherever possible and improve system security.
After completing the above steps, we have essentially closed the likely weaknesses in the sshd service settings without spending any money. As long as we take some time to adjust the configuration, we can greatly improve the security of the system, so why not?