Two methods to prevent ssh Brute-force password cracking in Centos

Source: Internet
Author: User
Tags chmod wrappers ssh centos

Method 1,

Collect the failed-login records from /var/log/secure. If the same IP address fails to log in more than a certain number of times, write that IP address to /etc/hosts.deny.

Run crontab at 01:01 every day.

1 1 * * * sh /root/bin/Denyhosts.sh


 
#!/bin/bash
# Denyhosts SHELL SCRIPT
# Count the "Failed" sshd entries in /var/log/secure per source IP address
# ($(NF-3) is the field before "port", i.e. the client IP) and store them
# as IP=count in /root/bin/Denyhosts.txt
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2 "=" $1;}' > /root/bin/Denyhosts.txt

DEFINE="10"   # block an IP address after more than this many failures

for i in $(cat /root/bin/Denyhosts.txt)
do
    IP=$(echo $i | awk -F= '{print $1}')
    NUM=$(echo $i | awk -F= '{print $2}')
    if [ $NUM -gt $DEFINE ]
    then
        # only append the address if it is not already listed in hosts.deny
        grep $IP /etc/hosts.deny > /dev/null
        if [ $? -gt 0 ]
        then
            echo "sshd: $IP" >> /etc/hosts.deny
        fi
    fi
done
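The same log-counting method as a pair of small functions, added here as an example (it is not part of the original script): it runs against a constructed /var/log/secure sample, appends to a temporary file instead of /etc/hosts.deny, and skips addresses that are already present so repeated cron runs never duplicate entries.

```shell
#!/bin/bash
# Added example, not from the original article: Method 1 as testable functions.

# Constructed sample of sshd lines in the format used by /var/log/secure.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  5 01:00:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan  5 01:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Jan  5 01:00:03 host sshd[1202]: Failed password for root from 203.0.113.9 port 40124 ssh2
Jan  5 01:00:04 host sshd[1203]: Accepted publickey for alice from 192.168.0.15 port 50000 ssh2
Jan  5 01:00:05 host sshd[1204]: Failed password for alice from 192.168.0.15 port 50001 ssh2
EOF

# offenders LOGFILE THRESHOLD: print "IP=count" for every source address whose
# "Failed password" count is strictly greater than THRESHOLD. $(NF-3) is the
# field before "port", i.e. the client IP, for both valid and invalid users.
offenders() {
    awk '/Failed password/ {print $(NF-3)}' "$1" | sort | uniq -c |
        awk -v t="$2" '$1 > t+0 {print $2 "=" $1}'
}

# deny_ip HOSTS_DENY IP: append "sshd: IP" unless that exact line already
# exists. Returns 0 when a line was added, 1 when the address was already there.
deny_ip() {
    grep -qxF "sshd: $2" "$1" 2>/dev/null && return 1
    echo "sshd: $2" >> "$1"
}

# Demo run against the sample: threshold 2, written to a temporary deny file
# (a real deployment would use /etc/hosts.deny as in the script above).
DENY_FILE=$(mktemp)
for entry in $(offenders "$SAMPLE_LOG" 2); do
    deny_ip "$DENY_FILE" "${entry%%=*}" || true
done
```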

Method 2,

DenyHosts official website: http://denyhosts.sourceforge.net

1. Install

# tar -zxvf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install
It is installed in the /usr/share/denyhosts directory by default.

2. Configuration

# cd /usr/share/denyhosts/
# cp denyhosts.cfg-dist denyhosts.cfg
# vi denyhosts.cfg
PURGE_DENY = 50m                # how long a blocked IP address stays in hosts.deny before it is purged
HOSTS_DENY = /etc/hosts.deny    # file the blocked IP addresses are written to
BLOCK_SERVICE = sshd            # service name written in front of each blocked address
DENY_THRESHOLD_INVALID = 1      # failed logins allowed for invalid (non-existent) users
DENY_THRESHOLD_VALID = 10       # failed logins allowed for ordinary users
DENY_THRESHOLD_ROOT = 5         # failed logins allowed for root
WORK_DIR = /usr/local/share/denyhosts/data   # directory where DenyHosts keeps its records of denied hosts and IP addresses
DENY_THRESHOLD_RESTRICTED = 1   # failed logins allowed for the restricted usernames listed in WORK_DIR/restricted-usernames
LOCK_FILE = /var/lock/subsys/denyhosts       # pid file of the running DenyHosts daemon; prevents a second instance from being started at the same time
HOSTNAME_LOOKUP = NO            # whether to reverse-resolve blocked IP addresses to host names
ADMIN_EMAIL =                   # administrator email address for reports
DAEMON_LOG = /var/log/denyhosts # DenyHosts' own log file
DAEMON_PURGE = 10m              # how often the daemon purges expired entries from HOSTS_DENY; set it to the same value as PURGE_DENY

3. Set the startup script

# cp daemon-control-dist daemon-control
# chown root daemon-control
# chmod 700 daemon-control

Run daemon-control start:

# ./daemon-control start

If you want DenyHosts to start automatically after each reboot, you also need to make the following settings:

# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
# chkconfig --add denyhosts
# chkconfig denyhosts on

Then you can start it as a service:

# service denyhosts start
Afterwards, check whether any blocked IP addresses appear in /etc/hosts.deny.

How to improve ssh security


1. Modify the sshd server configuration file/etc/ssh/sshd_config and modify some parameters as follows to enhance security.

sshd listens on port 22 by default. Changing the listening port to another value (preferably a high port above 1024, to avoid conflicts with other common service ports) makes it harder to detect whether the system is running an sshd daemon.
Port 5555
If the server has multiple NICs or multiple IP addresses configured, set sshd to listen only on one specified interface address; this reduces the number of sshd entry points and the chance of intrusion.
ListenAddress 192.168.0.1
If root is allowed to log in directly, an attacker can brute-force the root password, which puts the whole system at risk.
PermitRootLogin no
Allowing empty passwords makes the system like a fortress without any defenses.
PermitEmptyPasswords no
Only the specified users are allowed to access the server through ssh, which limits ssh access to the smallest possible set of accounts.
AllowUsers sshuser1 sshuser2
Similar to AllowUsers above, this restricts ssh access to the members of the specified group; either directive achieves the same restriction.
AllowGroups sshgroup
Protocol version 1 is not allowed because of design flaws that make its passwords easy to crack.
Protocol 2
Disable X11 forwarding to prevent session hijacking.
X11Forwarding no
Each unauthenticated connection that sshd holds open consumes a large block of memory, which is what ssh DoS attacks exploit. Limiting the number of concurrent unauthenticated connections to 5, as below, is sufficient unless many administrators manage the server at the same time.
MaxStartups 5
Note: the preceding parameter values are only an example. Adjust them to your own environment.
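A small audit script for the settings listed above, added as an example (it is not from the original article): it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keyword names are case-insensitive, comment lines are ignored) and reports every directive that still differs from the hardened value. Both configuration files it checks are constructed.

```shell
#!/bin/bash
# Added example, not part of the original article: audit an sshd_config
# against the hardening values listed above. Both config files are constructed.

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sshd_config that still carries weak settings
Port 5555
ListenAddress 192.168.0.1
PermitRootLogin yes
PermitEmptyPasswords no
AllowUsers sshuser1 sshuser2
Protocol 2
X11Forwarding yes
MaxStartups 10:30:100
EOF
sed -e 's/^PermitRootLogin yes/PermitRootLogin no/' \
    -e 's/^X11Forwarding yes/X11Forwarding no/' \
    -e 's/^MaxStartups .*/MaxStartups 5/' "$WEAK_CFG" > "$HARD_CFG"

# sshd_value FILE KEYWORD: print the effective value of KEYWORD. sshd uses the
# first occurrence, matches keywords case-insensitively and ignores # comments.
# (Only the "Keyword value" form is handled here, not "Keyword=value".)
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_audit FILE: print one "KEYWORD expected=.. got=.." line per violation
# and return 1 if there is any, 0 otherwise. An unset keyword is a violation,
# because it falls back to sshd's built-in default instead of the hardened value.
sshd_audit() {
    rc=0
    for want in PermitRootLogin=no PermitEmptyPasswords=no Protocol=2 X11Forwarding=no; do
        key=${want%%=*}
        got=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "${want#*=}" ]; then
            echo "$key expected=${want#*=} got=${got:-unset}"; rc=1
        fi
    done
    # MaxStartups may be written as "start:rate:full"; only the first number is compared
    ms=$(sshd_value "$1" MaxStartups); ms=${ms%%:*}
    case "$ms" in
        ''|*[!0-9]*) echo "MaxStartups expected=<=5 got=${ms:-unset}"; rc=1 ;;
        *) [ "$ms" -le 5 ] || { echo "MaxStartups expected=<=5 got=$ms"; rc=1; } ;;
    esac
    return $rc
}
```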

2. Modify the permissions of the sshd server configuration file /etc/ssh/sshd_config so that all non-root users have read-only access, which prevents unauthorized users from changing the security settings of the sshd service.

chmod 644 /etc/ssh/sshd_config

3. Set up TCP Wrappers. By default the server accepts connection requests from everywhere, which is very dangerous. With TCP Wrappers you can allow or block each wrapped service for specific hosts only, adding another security barrier to the system. This involves two files: /etc/hosts.allow and /etc/hosts.deny.
Add explicitly permitted requests to /etc/hosts.allow. For example, if only the hosts with IP addresses 192.168.0.15 and 10.0.0.11 may use the sshd service, add the following line:

sshd: 192.168.0.15 10.0.0.11

Add the requests to be refused to /etc/hosts.deny. For example, to prohibit every host other than those explicitly permitted in hosts.allow from using the sshd service, add the following line to hosts.deny:
sshd: ALL
Note: the system checks hosts.allow first and hosts.deny second. A host that matches a rule in hosts.allow is granted access even if it also matches a rule in hosts.deny; a host that matches only hosts.deny is refused; a host that matches neither file is allowed. With the two lines above, therefore, only the hosts listed in hosts.allow can reach sshd.
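The allow-then-deny evaluation order described above, as a small simulation added here as an example (it is not part of the original article and does not use the real libwrap). It only understands "daemon: client client ..." lines with plain IPv4 addresses and the ALL keyword (no netmasks, host names or EXCEPT clauses), and the hosts.allow and hosts.deny contents are constructed to match the two lines shown above.

```shell
#!/bin/bash
# Added example, not from the original article: a minimal simulation of the
# TCP Wrappers decision order for sshd using constructed hosts.allow/hosts.deny.

HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
printf 'sshd: 192.168.0.15 10.0.0.11\n' > "$HOSTS_ALLOW"
printf 'sshd: ALL\n' > "$HOSTS_DENY"

# wrap_match FILE DAEMON IP: return 0 if some line "DAEMON: list" (or "ALL: list")
# in FILE names IP or ALL in its client list, 1 otherwise. Comment lines and
# blank lines are skipped. Limitation: no netmasks, host names, EXCEPT or IPv6.
wrap_match() {
    awk -v d="$2" -v ip="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            split($0, parts, ":")
            svc = parts[1]; gsub(/[ \t]/, "", svc)
            if (svc != d && svc != "ALL") next
            n = split(parts[2], clients, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (clients[i] == ip || clients[i] == "ALL") { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# wrappers_decision DAEMON IP: print "allow" or "deny" following the libwrap
# order: hosts.allow is consulted first and a match there grants access; then
# hosts.deny is consulted and a match there refuses it; otherwise access is granted.
wrappers_decision() {
    if wrap_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif wrap_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```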

4. Shut down as many startup services as possible that the system does not need. By default the system starts many network-related services, so many ports are left open in the LISTENING state. The more open ports there are, the more ways the system can be penetrated from outside, so disable unnecessary startup services to close their ports and improve system security.
