When we use Linux or Unix server set up, in order to facilitate remote maintenance and management, will basically open sshd service. Although ssh packets through the online encryption technology to transfer data, it is possible to effectively defend against hackers using a network listener to obtain passwords and confidential information, but still lack a lot of intruders password or other means to try to attack the ssh server to FIG. get control of the server. How to make your server more secure it? As long as we configure ssh server slightly adjusted, it can greatly improve the security of the system, reducing the risk of network intrusion. Specific operations are as follows:
1. Modify the sshd server configuration file / etc / ssh / sshd_config, partial parameter reference to the following modifications, to enhance security.
The system defaults to port 22, the listening port is changed to other values (preferably high port above 1024, in order to avoid port conflicts and other routine services), which can increase the intruder detection system is the difficulty of running sshd daemon.
For multiple network cards installed on the server or to configure multiple IP addresses, the address of the interface where the sshd set a specific monitor only, thus reducing the inlet sshd, reducing the possibility of invasion.
If you allow a user logged in as root, then the hackers may try to brute force the password for the root user, the system security risks.
Allows the use of a blank password system like the fortress undefended, no security measures are empty talk.
AllowUsers sshuser1 sshuser2
Allow only certain users to access specified by the ssh server, ssh usage rights defined in the minimum range.
Similarly with the above AllowUsers defining a user group to access the server via ssh, limited access for both servers have the same effect.
Prohibit the use of protocol version 1, because of its design flaws, it is easy to make password hacked.
Prohibit all unnecessary (or unsafe) authorization and authentication.
Close X11Forwarding, prevent session hijacking.
Each connection have to use a considerable chunk of memory sshd service is running, this is the reason for denial of service attacks ssh exist. Unless there is a server administrator to manage many servers, the number of connections or the above setting is enough.
Note: The above is just an example of the parameter settings, the user should make the appropriate changes to the specific use according to their environment.
2. Modify the sshd server configuration file / etc / ssh / sshd_config read and write permissions to set read-only access to all non-root users to prevent unauthorized users from modifying the sshd service security settings.
chmod 644 / etc / ssh / sshd_config
3. Set the TCP Wrappers. The default server accepts all requests to connect, which is very dangerous. Use TCP Wrappers can block or allow only certain hosts open application services, to increase system security barrier. This part of the interferometer to set up a total of two files: hosts.allow and hosts.deny.
Adding to those requests expressly permitted in /etc/hosts.allow. The system only allows IP address of 192.168.0.15 and 10.0.0.11 host sshd service, add the following:
sshd: 192.168.0.15 10.0.0.11
Will need to prohibit the use of the information is added to /etc/hosts.deny. In addition to hosts.allow such as explicitly permitted list to use sshd user, all other users are prohibited sshd service, add the following to the hosts.deny file:
Note: The system determines the order of the two files is to check hosts.allow hosts.deny file and then view the file, a user in hosts.allow allows use of network resources, while prohibiting the use of the network resources in hosts.deny, in this case the system is preferred to use hosts.allow configuration that allows users to use this network resource.
4. Try to shut down some systems do not need to start the service. By default, the system launched a number of network-related services, the corresponding open many ports LISTENING (listening). We know that the more open ports, the system, the greater the possibility of invasion from the outside, so we have to try to close some unneeded startup services to shut down the port as much as possible, to provide system security.
Through the above steps may occur substantially on the sshd service settings plug the loopholes, without investment, as long as we take a moment to adjust the configuration, you can greatly improve the security environment of the system, why not do it?