Protecting SSH against brute-force attacks:
1. Prohibit root login over SSH
1.1. Modify PermitRootLogin:
[root@<host> ~]# vi /etc/ssh/sshd_config
[root@<host> ~]# grep Root /etc/ssh/sshd_config
PermitRootLogin no
### changes the default "#PermitRootLogin yes" to the setting of "PermitRootLogin without-password".
1.2. Restart the sshd service
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
2. Change the default SSH port 22
2.1. Change the default port 22 to the custom port 2020
[root@<host> ~]# vi /etc/ssh/sshd_config
[root@<host> ~]# grep Port /etc/ssh/sshd_config
Port 2020
#GatewayPorts no
2.2. Add a rule for port 2020 to the firewall
[root@<host> ~]# vi /etc/sysconfig/iptables
[root@<host> ~]# grep 2020 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
2.3. Restart the firewall
[root@<host> ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
2.4. Restart the sshd service
[root@<host> ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
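The grep checks in steps 1 and 2 only show that the lines exist. As an added example (not part of the original article), this Python sketch reads sshd_config text the way sshd does for these two keywords: the first PermitRootLogin value wins, and every uncommented Port line adds a listening port. The sample configuration and the function names are constructed for illustration; on a live host, sshd -T prints the effective configuration.

```python
# Added example: which PermitRootLogin and Port values sshd would really use.
MULTI = {"port"}  # Port may be repeated; sshd then listens on every listed port

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONFIG = """\
#Port 22
Port 2020
#PermitRootLogin yes
PermitRootLogin no
permitrootlogin yes
#GatewayPorts no
Match User backup
    PermitRootLogin yes
"""

def effective_settings(config_text):
    """Map lower-cased keyword -> list of global values sshd keeps."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a blank or commented-out line has no effect
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # later lines apply only conditionally; Include is not followed
        value = parts[1].strip() if len(parts) > 1 else ""
        values = settings.setdefault(keyword, [])
        if keyword in MULTI or not values:  # otherwise the first value wins
            values.append(value)
    return settings

def audit(config_text, wanted_port="2020"):
    """Return a list of findings; an empty list means both steps took effect."""
    s = effective_settings(config_text)
    findings = []
    root = s.get("permitrootlogin", ["unset"])[0]
    if root.lower() != "no":
        findings.append("PermitRootLogin is %s, not no" % root)
    ports = s.get("port", ["22"])  # with no Port line sshd listens on 22
    if ports != [wanted_port]:
        findings.append("sshd listens on %s, not only %s" % (",".join(ports), wanted_port))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "root login disabled, port 2020 only")
```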
The third method, DenyHosts, is the main focus:
3. Use the DenyHosts daemon to limit SSH login probing
3.1. Open a terminal and log in as root
login as: root
root@<host>'s password:
Last login: Tue Jul 18:54:57 from 192.168.10.101
[root@<host> ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
3.2. Add a system user
[root@<host> ~]# useradd leekwen
[root@<host> ~]# passwd leekwen
Changing password for user leekwen.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
3.3. Open another terminal and log in as the non-root user
login as: leekwen
leekwen@<host>'s password:
Last login: Tue Apr 21:27:26 from 192.168.10.100
3.4. Switch to the root account
[leekwen@<host> ~]$ su - root
Password:
3.5. Download the DenyHosts archive
[root@<host> ~]# wget -c http://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/denyhosts-2.6.tar.gz
[root@<host> ~]# ls denyhosts-2.6.tar.gz
denyhosts-2.6.tar.gz
3.6. Unpack and install
[root@<host> ~]# tar zxf denyhosts-2.6.tar.gz
[root@<host> ~]# cd DenyHosts-2.6
[root@<host> DenyHosts-2.6]# python setup.py install
[root@<host> DenyHosts-2.6]# cd /usr/share/denyhosts/
[root@<host> denyhosts]# ls
CHANGELOG.txt  denyhosts.cfg-dist  plugins  scripts
daemon-control-dist  LICENSE.txt  README.txt  setup.py
3.7. Modify the files DenyHosts needs to start (the daemon control script and the configuration file)
3.7.1. Generate the denyhosts.cfg configuration file:
[root@<host> denyhosts]# cat denyhosts.cfg-dist | grep -v "#" | grep -v "^$" > denyhosts.cfg
3.7.2. Edit the policy settings in the denyhosts.cfg file:
[root@<host> denyhosts]# cat denyhosts.cfg
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 20m
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = [email protected]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <[email protected]>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
[root@<host> denyhosts]# mkdir -p /etc/denyhosts/
[root@<host> denyhosts]# cp denyhosts.cfg /etc/denyhosts/
3.7.3. Modify the DenyHosts daemon control script:
After setting the ownership and permissions, point the script at the configuration file in the /etc/denyhosts directory:
[root@<host> denyhosts]# cp daemon-control-dist daemon-control
[root@<host> denyhosts]# chown root daemon-control
[root@<host> denyhosts]# chmod <mode> daemon-control
[root@<host> denyhosts]# vi daemon-control
[root@<host> denyhosts]# grep DENYHOSTS_CFG daemon-control
DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.cfg"
    args.append("--config=%s" % DENYHOSTS_CFG)
3.8. Run DenyHosts as a system service:
[root@<host> denyhosts]# cp daemon-control /etc/init.d/denyhosts
[root@<host> denyhosts]# chkconfig --add denyhosts
[root@<host> denyhosts]# chkconfig denyhosts on
[root@<host> denyhosts]# /etc/init.d/denyhosts start
starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
3.9. View the host IP addresses in the blacklist:
[root@<host> denyhosts]# cd
[root@<host> ~]# tail -n 2 /etc/hosts.deny
# DenyHosts: Thu 20 14:45:00 2015 | sshd: 118.187.17.119
sshd: 118.187.17.119
3.10. Add a whitelist address for the host:
If you need to add a specific IP to the whitelist, modify the /etc/hosts.allow file.
Example: I added the address 202.101.172.46 to my hosts.allow file, to the whitelist of my system:
[root@<host> ~]# echo "sshd:202.101.172.46" >> /etc/hosts.allow
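How the thresholds in step 3.7.2 and the whitelist in step 3.10 interact, as an added example that is not DenyHosts code: it counts failed logins per address in constructed /var/log/secure lines, applies the DENY_THRESHOLD values shown above, and consults hosts.allow before hosts.deny as TCP wrappers does. The function names, the log lines and the rule that a host is blocked once its count is greater than the threshold are assumptions.

```python
# Added example: DenyHosts-style threshold counting over constructed log lines.
import re
from collections import Counter

# Thresholds and service name from the denyhosts.cfg shown above.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 5}
BLOCK_SERVICE = "sshd"

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
                    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def _fail(who, ip, times):
    """Build constructed /var/log/secure lines (timestamp, host, PID are made up)."""
    return ["Jan  1 00:00:00 host sshd[1000]: Failed password for %s from %s port 40000 ssh2"
            % (who, ip)] * times

SAMPLE_LOG = "\n".join(
    _fail("invalid user admin", "118.187.17.119", 2)   # 2 > 1: blocked
    + _fail("root", "203.0.113.7", 5)                   # 5 is not > 5: not blocked yet
    + _fail("root", "202.101.172.46", 6)                # 6 > 5: blocked, but whitelisted
    + ["Jan  1 00:00:00 host sshd[1000]: Accepted password for leekwen "
       "from 192.168.10.100 port 40000 ssh2"])
SAMPLE_HOSTS_ALLOW = "sshd:202.101.172.46\n"

def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """IPs whose failures in one category exceed that category's threshold.
    Assumption: a host is blocked once the count is greater than the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            kind = "invalid" if m.group(1) else ("root" if m.group(2) == "root" else "valid")
            counts[(m.group(3), kind)] += 1
    return sorted({ip for (ip, kind), n in counts.items() if n > thresholds[kind]})

def hosts_deny_lines(denied):
    """Render entries in the 'sshd: <ip>' form seen in /etc/hosts.deny."""
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in denied]

def may_connect(ip, denied, hosts_allow_text):
    """TCP wrappers consults hosts.allow first, so a match there overrides hosts.deny.
    Only exact 'sshd:<ip>' entries are understood here."""
    allowed = {l.split(":", 1)[1].strip() for l in hosts_allow_text.splitlines()
               if l.strip().startswith(BLOCK_SERVICE + ":")}
    return ip in allowed or ip not in denied

if __name__ == "__main__":
    denied = hosts_to_deny(SAMPLE_LOG)
    print("\n".join(hosts_deny_lines(denied)))
    print({ip: may_connect(ip, denied, SAMPLE_HOSTS_ALLOW) for ip in denied})
```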
Copyright notice: This is the blogger's original article and may not be reproduced without the blogger's permission.