More and more webmasters are moving to dedicated servers and VPS. To save money or gain performance, many of these machines are unmanaged bare metal where everything has to be set up by hand, and in that situation applying a security policy yourself matters all the more. In the following article I take CentOS as an example and briefly summarize how to configure secure SSH access.
Linux SSH security strategy one: close irrelevant ports
Most of the hosts compromised on the network were found by attackers running scanning tools at large scale. To avoid being picked up by such scans, close every port except the necessary ones (Web, FTP, SSH, and so on). It is also worth blocking ICMP and setting a rule to discard ICMP packets: others can then no longer ping your server, and the threat is naturally reduced by half. To discard ICMP packets, add the following line to iptables:
-A INPUT -p icmp -j DROP
Linux SSH security strategy two: change the SSH port
The default SSH port is 22. It is strongly recommended to change it to more than 10,000. In this way, the probability of others scanning the port is greatly reduced. Modification method:
# Edit /etc/ssh/ssh_config
vi /etc/ssh/ssh_config
# Under Host *, add a new Port value. Take 18439 as an example (the same below):
Port 22
Port 18439
# Edit /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
# Add a new Port value
Port 22
Port 18439
# After saving, restart the SSH service:
service sshd restart
I have set up two ports here so that a mistake in the edit cannot lock me out of SSH. Change the connection port in your SSH client (for example Putty) and test the connection. If the new port connects successfully, edit the two files above and delete the Port 22 line. If the connection fails, connect on Port 22 and reconfigure.
After the port is set successfully, please note that you should also delete port 22 from iptables, add the newly configured 18439, and restart iptables.
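The procedure above edits sshd_config by hand and relies on the spare Port 22 line as a safety net. The following added example (not from the original article) does the same port addition from a shell, but keeps a backup of the file and asks sshd itself to check the syntax with `sshd -t -f FILE` before you restart the service. The config file path and port number are arguments; the demonstration at the end runs on a constructed temporary file, not on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original article): add a second SSH listen port to
# an sshd_config file, with a backup and a syntax check so a typo cannot lock you out.
set -eu

# add_sshd_port CONFIG PORT
# Saves CONFIG.bak, then appends "Port PORT" unless an uncommented line already sets it.
# Returns 0 on success, 1 if PORT is not a valid TCP port number.
add_sshd_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    cp -p "$cfg" "$cfg.bak"
    # Only an uncommented "Port N" line counts as already configured.
    if grep -Eq "^[[:space:]]*Port[[:space:]]+$port([[:space:]]|$)" "$cfg"; then
        return 0
    fi
    printf 'Port %s\n' "$port" >> "$cfg"
}

# listen_ports CONFIG
# Prints every uncommented Port value, one per line; sshd listens on all of them.
listen_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# validate_sshd_config CONFIG
# Runs "sshd -t -f CONFIG" so the daemon checks the file before you restart it.
# Skipped (returns 0) on a machine without sshd installed.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    fi
}

# Demonstration on a constructed config in a temporary file.
demo_cfg="$(mktemp)"
printf '# constructed sample\nProtocol 2\nPort 22\n# Port 18439\n' > "$demo_cfg"
add_sshd_port "$demo_cfg" 18439
validate_sshd_config "$demo_cfg" || echo "sshd rejected the config; restore from $demo_cfg.bak"
echo "sshd would listen on: $(listen_ports "$demo_cfg" | tr '\n' ' ')"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

On a real server, run it as root against the real file and only restart once the check passes: `add_sshd_port /etc/ssh/sshd_config 18439 && sshd -t && service sshd restart`. Keep the original Port 22 line until the new port has been tested from a second client session, exactly as the article advises; if sshd rejects the edited file, copy sshd_config.bak back before restarting.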
If the SSH login password is weak, a complex password should be set. There is an article on Google Blog that emphasizes password security: Does your password pass the test?
Linux SSH security strategy three: restrict IP login
If you can connect to your server with a fixed IP, then you can set up to only allow a specific IP to log in to the server. For example, I log in to the server through my own VPN. The settings are as follows:
# Edit /etc/hosts.allow
vi /etc/hosts.allow
# For example, only 123.45.67.89 is allowed to log in
sshd:123.45.67.89
Linux SSH security strategy four: Use certificates to log in to SSH
Logging in with a certificate is more secure than logging in with a password. The blogger "making coffee with tap water" has written a detailed tutorial on this, and with his permission I reprint it below:
Configure SSH certificate login verification for CentOS
I was helping the company's network administrator check a mail server remotely, a CentOS 5.1 box managed over OpenSSH. Looking through the security log, I found that for the past few days a crowd of IPs had been coming by almost every day to guess passwords. It seemed time to change the login verification method to certificate verification.
Just in case, I started a VNC session temporarily, so that finishing the configuration and restarting sshd would not leave me in trouble. (Later I found this was unnecessary: just open putty in advance and don't close it.)
Here are the simple steps:
1) First add a maintenance account: msa
2) Then su - msa
3) ssh-keygen -t rsa
After specifying the key path and entering the password, the public and private keys are generated in /home/msa/.ssh/: id_rsa id_rsa.pub
4) cat id_rsa.pub >> authorized_keys
The file is named this way because that is what sshd_config specifies.
Then chmod 400 authorized_keys to protect it a little.
5) Use psftp to pull id_rsa back to the local computer, then delete id_rsa and id_rsa.pub on the server.
6) Configure /etc/ssh/sshd_config
Protocol 2
ServerKeyBits 1024
# Just prohibit root login; it has nothing to do with this article, but it is safer.
PermitRootLogin no
# The next three lines need no changes; just remove the leading # comment marker.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
7) Restart sshd
/sbin/service sshd restart
8) Convert the key format for putty
Run puttygen to convert id_rsa into putty's ppk key file.
9) In putty, under Connection > SSH > Auth, click Browse and select the key file you just converted.
Then fill in the auto-login username under Connection > Data; mine, for example, is msa.
Fill in the server's IP address in the Session page, and save the session if you like.
10) Having reached this step after a little trouble, you may rejoice too early: when you try to log in, you may be refused with:
No supported authentication methods available
In that case, edit sshd_config and temporarily change
PasswordAuthentication no
to
PasswordAuthentication yes
and restart sshd. Now you can log in. After logging out, change PasswordAuthentication back to no and restart sshd again.
From then on, logging in prompts for the key file's passphrase as normal; answer correctly and you are in.
As for the psftp command, just add the -i parameter and specify the certificate file path.
If you are modifying the above configuration on a remote server, be careful at every step and avoid mistakes. If the configuration is wrong and SSH can no longer connect, you are locked out.
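Step 6 lists the sshd_config settings the tutorial expects, and step 10 shows how easily a wrong setting goes unnoticed until a login fails. A detail worth knowing when checking such a file: for each keyword sshd uses the first uncommented occurrence, so a hardened line appended at the end of the file is silently ignored when an earlier line already sets the same keyword. The following added example (not from the original article) audits an sshd_config file for the tutorial's settings while reading values the way sshd does. The keyword list and the sample config are constructed for the demonstration; the function takes any config path as its argument.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file for
# the settings in the tutorial's step 6, using sshd's first-match-wins semantics.
set -u

# effective_value CONFIG KEYWORD
# Prints the value sshd would use for KEYWORD: the first uncommented match,
# compared case-insensitively because sshd keywords are case-insensitive.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config CONFIG
# Prints one OK/FAIL line per check and returns the number of failed checks.
audit_sshd_config() {
    cfg="$1"
    fails=0
    # keyword=expected pairs taken from the tutorial's step 6
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no Protocol=2; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(effective_value "$cfg" "$key")"
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key effective='${got:-<default>}' expected=$want"
            fails=$((fails + 1))
        fi
    done
    # Port is cumulative (sshd listens on every Port line), so the check is
    # that the default 22 is no longer among them, as strategy two requires.
    if awk 'tolower($1) == "port" && $2 == "22" { found = 1 } END { exit !found }' "$cfg"; then
        echo "FAIL Port 22 is still configured"
        fails=$((fails + 1))
    else
        echo "OK   Port 22 removed"
    fi
    return "$fails"
}

# Constructed sample: the hardened lines were appended at the end, but the
# earlier "PasswordAuthentication yes" still wins, and Port 22 is still open.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Protocol 2
Port 22
Port 18439
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; a FAIL for PasswordAuthentication with an earlier `yes` line in the file is exactly the situation step 10 stumbles into, and the fix is to edit the first occurrence rather than append another.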
Basically, after configuring according to the above four points, SSH access under Linux is relatively safe. Of course, security and insecurity are relative. You should check the server log regularly to discover and eliminate hidden dangers in a timely manner.
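The reprinted tutorial started from a security log full of password-guessing attempts, and the closing advice is to keep checking the log. As an added example (not from the original article), the script below summarizes such attempts per source IP from sshd entries in the /var/log/secure format, so that a regular check takes one command. The log lines are constructed for the demonstration; the function takes a log file path and an optional minimum count.

```shell
#!/bin/sh
# Added example (not from the original article): count failed SSH logins per
# source IP from /var/log/secure-style sshd entries.
set -u

# failed_logins_by_ip LOGFILE [THRESHOLD]
# Prints "count ip" for every source IP with at least THRESHOLD (default 1)
# "Failed password" or "Invalid user" entries, highest count first.
failed_logins_by_ip() {
    threshold="${2:-1}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log: one address guessing several accounts, one legitimate
# user who mistyped once and then logged in with a key.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
Jan 10 03:12:01 mail sshd[2211]: Failed password for root from 203.0.113.7 port 4411 ssh2
Jan 10 03:12:05 mail sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Jan 10 03:12:09 mail sshd[2215]: Invalid user oracle from 203.0.113.7
Jan 10 03:15:44 mail sshd[2240]: Failed password for msa from 198.51.100.9 port 5100 ssh2
Jan 10 03:16:02 mail sshd[2242]: Accepted publickey for msa from 198.51.100.9 port 5101 ssh2
EOF
echo "addresses with 2 or more failed attempts:"
failed_logins_by_ip "$sample" 2
rm -f "$sample"
```

On a CentOS host, `failed_logins_by_ip /var/log/secure 10` lists the addresses worth adding to iptables or hosts.deny; an address that appears with a high count against many different usernames is the scanning pattern the tutorial's author saw.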
Article source: http://www.xiaohui.com/dev/server/linux-centos-ssh-security.htm