When using ssh to log on to a remote host (SUSE Linux), the following error occurs:
ssh_exchange_identification: Connection closed by remote host
This is caused by the host's SSH access restrictions (the TCP wrappers rules in /etc/hosts.allow). The restriction itself is a good thing, but clearing the lockout requires a trip to the IDC site, because the security regulations do not allow VNC access. Solution: edit /etc/hosts.allow, add the line sshd: ALL: ALLOW, save with :wq and restart the sshd service. Note that sshd: ALL: ALLOW accepts connections from every source address; item 7 below shows how to allow only specific addresses instead, which is the form to keep once you are back in.
To sum up, the SSH security hardening steps for SUSE Linux are:
Note: unless stated otherwise, the following configuration items are in the /etc/ssh/sshd_config file.
1. Change the default ssh port
Find the following line in the /etc/ssh/sshd_config file:
Port 22
Change port 22 to another port, such as 10326.
After saving, restart the SSHD service: service sshd restart
We recommend a port of 10000 or above; this greatly reduces the chance that a routine port scan finds the service (it hides the service, it does not replace the other items below). Before closing your current session, confirm from a second terminal that ssh -p 10326 still connects and that any firewall permits the new port.
2. Restrict remote root login
Find the following line in the /etc/ssh/sshd_config file:
PermitRootLogin yes
Change yes to no.
After saving, restart the SSHD service: service sshd restart
With this option set, you can only log on as an ordinary user and then use su to switch to the root account.
3. Shorten the default login grace time
Find the following line in the /etc/ssh/sshd_config file:
LoginGraceTime 2m
After a client connects, sshd waits 2 minutes by default for the user to enter an account and password. You can shorten this to 1 minute (1m) or 30 seconds (30).
4. Upgrade old versions
Upgrade old OpenSSH versions, because early releases have known security vulnerabilities. For a newly configured OpenSSH server, the latest stable version is the smartest choice. The source code can be downloaded from the official website http://www.openssh.com for compilation. Check the installed version with ssh -V.
5. Disconnect inactive users
Find the following lines in the /etc/ssh/sshd_config file:
ClientAliveCountMax 3
ClientAliveInterval 0
Change them to:
ClientAliveInterval 600
ClientAliveCountMax 0
ClientAliveInterval 600: if the user is inactive for 10 minutes, the session is disconnected automatically.
ClientAliveCountMax: the default is 3, meaning that when the session shows no activity, the SSH server sends up to three "are you still there" (checkalive) messages before giving up.
ClientAliveInterval: the default is 0. It is the number of seconds of inactivity after which the SSH server sends a message asking the client to respond (0 means the message is never sent); a client that does not respond is disconnected.
Note that on recent OpenSSH releases ClientAliveCountMax 0 disables connection termination altogether rather than making it immediate; check sshd_config(5) for your version, where a value of 1 gives the intended behaviour.
6. Change the protocol version
Find the following line in the /etc/ssh/sshd_config file:
#Protocol 2,1
The default enables both version 2 and version 1. Change it to Protocol 2.
After saving, restart the SSHD service: service sshd restart
Unlike version 1, version 2 no longer generates a separate server key. Instead, when the client connects, the two sides derive a shared key with the Diffie-Hellman key exchange and then protect the session with a symmetric cipher such as Blowfish.
7. Restrict login by IP address
If you always connect to your server from a fixed IP address, you can allow only that address to log on. For example, I log on to the server through a specific bastion host. The settings are as follows:
Edit /etc/hosts.allow:
vi /etc/hosts.allow
For example, to allow logins only from 124.45.67.52:
sshd: 124.45.67.52: ALLOW
After saving, restart the SSHD service: service sshd restart
Note that an ALLOW line by itself does not refuse anyone else: TCP wrappers admits a connection that matches no rule in hosts.allow or hosts.deny, so add sshd: ALL to /etc/hosts.deny as well, and test from a second session before closing the one you are in.
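The hosts.allow entries above, and the sshd: ALL: ALLOW line used as the emergency fix at the start of the post, are evaluated by TCP wrappers, and the order of evaluation decides who gets in. The POSIX shell script below is an added example and not part of the original post: it writes two constructed hosts.allow/hosts.deny pairs to a temporary directory and applies a simplified model of the wrapper rules (hosts.allow first, then hosts.deny, first matching rule wins, no match at all means allow; client patterns limited to ALL, an exact IPv4 address, or a dotted prefix such as 192.168.10.). The bastion address 124.45.67.52 and the 192.168.10.x network come from the post; the other addresses and the directory and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of how TCP wrappers
# evaluates hosts.allow / hosts.deny for sshd. Assumptions: rules have the form
# "daemon_list : client_list [: ALLOW|DENY]", client patterns are ALL, an exact IPv4
# address, or a dotted prefix such as 192.168.10.; hosts.allow is consulted first,
# then hosts.deny, the first matching rule wins, and no match at all means ALLOW.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
mkdir "$TMPD/strict" "$TMPD/loose"

# Constructed rule set 1: only the bastion host from the post and the management LAN reach sshd
cat > "$TMPD/strict/hosts.allow" <<'EOF'
# bastion host, then the 192.168.10.0/24 management LAN
sshd: 124.45.67.52: ALLOW
sshd: 192.168.10.: ALLOW
EOF
printf 'sshd: ALL\n' > "$TMPD/strict/hosts.deny"

# Constructed rule set 2: the emergency fix from the start of the post left in place
printf 'sshd: ALL: ALLOW\n' > "$TMPD/loose/hosts.allow"
printf 'sshd: ALL\n' > "$TMPD/loose/hosts.deny"

# match_item PATTERN VALUE -> true when PATTERN is ALL, equals VALUE, or is a dotted prefix of VALUE
match_item() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# match_list LIST VALUE -> true when any comma-separated item of LIST matches VALUE
match_list() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_item "$item" "$2" && return 0
    done
    return 1
}

# first_match FILE DAEMON IP DEFAULT -> prints ALLOW/DENY for the first rule in FILE that matches,
# using the rule's own ALLOW/DENY option if present and DEFAULT otherwise; prints nothing if none matches
first_match() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" | while IFS=: read -r dlist clist opt; do
        [ -n "$dlist" ] || continue
        if match_list "$dlist" "$2" && match_list "$clist" "$3"; then
            case "$opt" in ALLOW|DENY) echo "$opt" ;; *) echo "$4" ;; esac
            break
        fi
    done
}

# wrappers_verdict DIR DAEMON IP -> ALLOW or DENY for a connection from IP to DAEMON,
# given DIR/hosts.allow and DIR/hosts.deny
wrappers_verdict() {
    v=$(first_match "$1/hosts.allow" "$2" "$3" ALLOW)
    [ -n "$v" ] || v=$(first_match "$1/hosts.deny" "$2" "$3" DENY)
    [ -n "$v" ] || v=ALLOW      # no rule in either file: TCP wrappers admits the connection
    echo "$v"
}

for dir in strict loose; do
    for src in 124.45.67.52 192.168.10.77 203.0.113.9; do
        printf '%-6s sshd from %-15s -> %s\n' "$dir" "$src" "$(wrappers_verdict "$TMPD/$dir" sshd "$src")"
    done
done
printf 'strict vsftpd from 203.0.113.9 -> %s\n' "$(wrappers_verdict "$TMPD/strict" vsftpd 203.0.113.9)"
```

Run it with sh. The loose rule set shows why the emergency sshd: ALL: ALLOW line must not be left in place: it matches before anything in hosts.deny is consulted, so 203.0.113.9 is admitted. The vsftpd call shows that a daemon with no rule in either file is admitted too, which is why hosts.deny needs an entry for every wrapped service you want closed. The real libwrap also understands hostnames, netmasks and EXCEPT lists, which this model leaves out.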
8. Allow or deny login by specified users and groups
Allow only the specified users and groups to log on:
AllowUsers john jason (specified users)
AllowGroups sysadmin dba (specified groups)
Deny the specified users and groups:
DenyUsers corn apath (specified users)
DenyGroups devers qa (specified groups)
After saving, restart the SSHD service: service sshd restart
Note: Allow and Deny directives can be combined. They are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. Make sure the account you administer from is covered by AllowUsers or AllowGroups before you restart sshd.
9. Restrict the listening IP address
If your server has several NICs and IP addresses, you can have sshd listen on only some of them, so that logins are possible only through those addresses.
For example, you have four NICs:
eth0 - 192.168.10.200
eth1 - 192.168.10.201
eth2 - 192.168.10.202
eth3 - 192.168.10.203
If you only want users to log on through the two addresses ending in 200 and 202, do the following:
Find the following line in the /etc/ssh/sshd_config file:
#ListenAddress 0.0.0.0
and change it to:
ListenAddress 192.168.10.200
ListenAddress 192.168.10.202
10. Set the permissions of the configuration file so that unauthorized users cannot modify it
# chmod 644 /etc/ssh/sshd_config
Note that files in /etc/ssh must never be set to 777. ssh is supposed to be a secure login mechanism; if its configuration can be read and modified by everyone (which is what 777 means), what security is left? The host private keys (ssh_host_*_key) should stay at mode 600.
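The ten items above can be checked mechanically. The script below is an added example in POSIX shell, not the post's own code: it reads an sshd_config the way sshd does for the keywords involved (the first active occurrence of a keyword wins, keywords are case-insensitive; Match blocks are assumed absent) and prints one WARN/OK/INFO line per item, including the file mode from item 10. It runs against two constructed files written to a temporary directory, one holding the SUSE defaults quoted in the post and one holding the post's hardened values; the file names, the function names and the assumption that LoginGraceTime uses a single unit (30, 30s, 1m, 2h) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the settings
# discussed above. Assumptions: no Match blocks (sshd uses the first active occurrence
# of a keyword) and LoginGraceTime values with a single unit (30, 30s, 1m, 2h).

# sshd_get KEYWORD FILE -> value of the first active occurrence of KEYWORD (case-insensitive), or nothing
sshd_get() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# to_seconds TIME -> seconds for an sshd time value such as 30, 30s, 1m or 2h
to_seconds() {
    case "$1" in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *)  echo "$1" ;;
    esac
}

# loose_mode FILE -> true when the group or world write bit is set (reads ls -l, so it is portable)
loose_mode() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_sshd FILE -> one OK/WARN/INFO line per item of the post
audit_sshd() {
    f=$1
    port=$(sshd_get Port "$f"); port=${port:-22}
    if [ "$port" -ge 10000 ]; then echo "OK   Port $port"; else echo "WARN Port $port: post recommends 10000 or above"; fi
    root=$(sshd_get PermitRootLogin "$f"); root=${root:-yes}
    if [ "$root" = no ]; then echo "OK   PermitRootLogin no"; else echo "WARN PermitRootLogin $root: set it to no and use su"; fi
    grace=$(sshd_get LoginGraceTime "$f"); grace=${grace:-2m}
    if [ "$(to_seconds "$grace")" -le 60 ]; then echo "OK   LoginGraceTime $grace"; else echo "WARN LoginGraceTime $grace: lower it to 1m or 30s"; fi
    alive=$(sshd_get ClientAliveInterval "$f"); alive=${alive:-0}
    if [ "$alive" -gt 0 ]; then echo "OK   ClientAliveInterval $alive"; else echo "WARN ClientAliveInterval 0: idle sessions are never dropped"; fi
    proto=$(sshd_get Protocol "$f")
    case "$proto" in
        "")  echo "INFO Protocol not set: the default depends on the OpenSSH version" ;;
        *1*) echo "WARN Protocol $proto: remove protocol 1" ;;
        *)   echo "OK   Protocol $proto" ;;
    esac
    if [ -n "$(sshd_get AllowUsers "$f")$(sshd_get AllowGroups "$f")" ]; then
        echo "OK   login restricted to listed users/groups"
    else
        echo "INFO no AllowUsers/AllowGroups: every account may attempt to log in"
    fi
    if [ -n "$(sshd_get ListenAddress "$f")" ]; then
        echo "OK   ListenAddress restricted"
    else
        echo "INFO ListenAddress not set: sshd listens on all addresses"
    fi
    if loose_mode "$f"; then echo "WARN $f is group- or world-writable: chmod 644"; else echo "OK   $f mode"; fi
}

# warning_count FILE -> number of WARN lines produced by audit_sshd
warning_count() { audit_sshd "$1" | grep -c '^WARN' || true; }

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed "before" file: the SUSE defaults quoted in the post, left world-writable
cat > "$TMPD/sshd_config.weak" <<'EOF'
#Port 22
Port 22
PermitRootLogin yes
LoginGraceTime 2m
ClientAliveCountMax 3
ClientAliveInterval 0
Protocol 2,1
EOF
chmod 666 "$TMPD/sshd_config.weak"

# Constructed "after" file: the values the post arrives at
cat > "$TMPD/sshd_config.hard" <<'EOF'
Port 10326
PermitRootLogin no
LoginGraceTime 30
ClientAliveInterval 600
ClientAliveCountMax 0
Protocol 2
AllowUsers john jason
AllowGroups sysadmin dba
ListenAddress 192.168.10.200
ListenAddress 192.168.10.202
EOF
chmod 644 "$TMPD/sshd_config.hard"

for f in "$TMPD/sshd_config.weak" "$TMPD/sshd_config.hard"; do
    echo "== $f"; audit_sshd "$f"; echo "warnings: $(warning_count "$f")"
done
```

Run it with sh. Point audit_sshd at /etc/ssh/sshd_config to check a real host (or at a copy, since it only reads the file). The awk in sshd_get stops at the first active match on purpose: a second Port line further down is ignored by sshd, so an audit that took the last one would report a setting the daemon never uses.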
Conclusion: careful consideration and summarization of every small problem turns up many useful details.