System security: solve the problem of improving sshd service security

When we build a server on Linux or Unix, the sshd service is almost always left open for remote maintenance and management. Although ssh encrypts the packets it sends over the network, and so effectively prevents attackers from obtaining passwords and other secrets by sniffing, there are still many intruders who try to guess passwords or use other means to attack ssh servers and gain control of them. How can we make the server more secure and reliable? A few small adjustments to the ssh server configuration greatly improve system security and reduce the risk of network intrusion. The specific steps are as follows:

1. Modify the sshd server configuration file /etc/ssh/sshd_config, changing the following parameters to enhance security.

Port 5555

The system uses port 22 by default; changing the listening port to another value (preferably a high port above 1024, to avoid conflicts with other common service ports) makes it harder for an intruder's port scan to detect that the sshd daemon is running.

ListenAddress 192.168.0.1

When the server has multiple network cards or multiple IP addresses configured, setting sshd to listen only on one specified interface address reduces the number of entry points to sshd, and with it the possibility of intrusion.

PermitRootLogin no

If root is allowed to log in directly, attackers can try to brute-force the root password, putting the security of the system at risk.

PermitEmptyPasswords no

A system that allows empty passwords is like an undefended fortress; every other security measure becomes empty words.

AllowUsers sshuser1 sshuser2

Only the listed users may access the server through ssh, which limits ssh usage rights to the minimum.

AllowGroups sshgroup

Similar to AllowUsers above: only members of the specified group may access the server through ssh, with the same restricting effect.

Protocol 2

The version 1 protocol is disabled because of design flaws that make it easy to crack passwords.

Disable all unneeded (or insecure) authentication methods.

X11Forwarding no

Turn off X11 forwarding to prevent X sessions from being hijacked.

MaxStartups 5

sshd allocates a sizeable chunk of memory for each connection before it is authenticated, which is why sshd is exposed to denial-of-service attacks. A limit of five such concurrent connections is sufficient for a server unless many administrators manage it at the same time.

Note: the parameter values above are only examples. Users should adjust them according to their own environment.
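To confirm that the directives from step 1 actually took effect (a commented-out line or a later duplicate is easy to miss), here is an added audit script that is not part of the original article. It runs against a constructed sample sshd_config written to a temporary file, and assumes the usual whitespace-separated "Directive value" syntax with '#' comments and first-match-wins semantics.

```shell
#!/bin/sh
# Added audit script (not from the article): checks an sshd_config file for
# the hardening directives listed above. Assumes the common "Directive value"
# syntax (whitespace-separated, '#' comments, case-insensitive keywords) and
# that, as in sshd, the first uncommented occurrence of a directive wins.

# Print the effective value of a directive, or nothing if it is not set.
sshd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one directive with its expected value; returns 0 on match, 1 otherwise.
sshd_check() {  # $1 = config file, $2 = directive, $3 = expected value
    val=$(sshd_get "$1" "$2")
    if [ "$val" = "$3" ]; then
        printf 'OK    %-20s %s\n' "$2" "$val"
        return 0
    fi
    printf 'FAIL  %-20s got "%s", want "%s"\n' "$2" "${val:-<unset>}" "$3"
    return 1
}

# Run every check from step 1; the return code is the number of failures.
sshd_audit() {  # $1 = config file
    fails=0
    for pair in 'PermitRootLogin=no' 'PermitEmptyPasswords=no' 'Protocol=2' \
                'X11Forwarding=no' 'MaxStartups=5'; do
        sshd_check "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample config for demonstration: root login is disabled only in
# a comment, X11 forwarding is still on, and MaxStartups is never set.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# PermitRootLogin no
Port 5555
PermitEmptyPasswords no
protocol 2
X11Forwarding yes
EOF

if sshd_audit "$SAMPLE"; then echo "all checks passed"; else echo "failures: $?"; fi
```

Run it against the real /etc/ssh/sshd_config after editing; each FAIL line names the directive that still needs attention.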

2. Change the permissions of the sshd configuration file /etc/ssh/sshd_config so that it is read-only for all non-root users, preventing unauthorized users from modifying the security settings of the sshd service.

chmod 644 /etc/ssh/sshd_config

3. Set up TCP Wrappers. By default the server accepts connection requests from everyone, which is very dangerous. With TCP Wrappers, application services can be blocked, or opened only to certain hosts, adding another layer of protection to the system. This setup involves two files: hosts.allow and hosts.deny.

Requests that are explicitly allowed go in /etc/hosts.allow. If only the hosts with IP addresses 192.168.0.15 and 10.0.0.11 may use the sshd service, add the following:

sshd: 192.168.0.15 10.0.0.11

Requests to be denied go in /etc/hosts.deny. To deny sshd to every host except those explicitly allowed in hosts.allow, add the following to the hosts.deny file:

sshd: ALL

Note: the system consults hosts.allow first and then hosts.deny. So if a host is allowed a network service in hosts.allow and denied the same service in hosts.deny, the hosts.allow entry wins and the host is allowed to use the service.

4. Turn off startup services the system does not need. The system starts many network-related services by default, so the corresponding ports are open and LISTENING. The more ports are open, the more likely the system is to be compromised from outside, so disabling unneeded startup services closes as many ports as possible and improves system security.

The steps above close most of the holes that sshd settings can leave open. They cost nothing; a little time spent adjusting the configuration greatly improves the security of the system, so why not do it?