This is the 14th day of my participation in the More Text Challenge. For more details, see More Text Challenge.

Preface

SSH is the service we use most often at our company. In daily work we rely on it to log in to servers remotely and administer them; on Windows we use tools such as XShell to manage Linux servers over SSH.

Linux distributions generally ship with the SSH service enabled by default, so all we need to connect remotely is the server's IP address, the port, a username and a password.

IP + port + username + password = login to the system

Path of the configuration file

The sshd configuration file lives at:

[root@gaosh-64 ~]# ls /etc/ssh/sshd_config
/etc/ssh/sshd_config

The configuration file in detail

1. Change the default port

Change the line #Port 22 to Port 8888 (the commented line only documents the default of 22).

Restart the service after modifying the configuration file:

[root@gaosh-64 ~]# systemctl restart sshd

Use nmap to check which ports are listening.

To log in remotely on the new port, add the -p parameter:

[root@gaosh-64 ~]# ssh 192.168.1.64 -p 8888    ### -p
The authenticity of host '[192.168.1.64]:8888 ([192.168.1.64]:8888)' can't be established.
ECDSA key fingerprint is SHA256:dx4/4h2rPUAzmdBpIqwRt6+LM6idqWBuA7Suw4Fiu4A.
ECDSA key fingerprint is MD5:a6:e7:16:fb:0c:8d:06:63:14:62:a4:f1:c5:16:00:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.64]:8888' (ECDSA) to the list of known hosts.
root@192.168.1.64's password:
Last failed login: Tue Jul 14 08:52:30 CST 2020 from 192.168.1.64 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Jul 13 23:09:06 2020 from 192.168.1.22

You can also use netstat, covered earlier, to check the port number.

2. ListenAddress 0.0.0.0

Sets the IP address the sshd server binds to; 0.0.0.0 means it listens on all addresses. Security suggestion: if the host does not need to accept SSH from the public network, change the listening address to an internal IP address, for example ListenAddress 192.168.1.0.

3. LoginGraceTime 2m

When a user connects to the SSH server the password prompt appears; LoginGraceTime is how long the user has at that prompt to authenticate before the server forcibly disconnects. Without a unit the value is in seconds.

# disconnect after 10 seconds (sshd_config accepts comments only on their own line)
LoginGraceTime 10

Test: after 10 seconds the connection is dropped and there is no further chance to enter the password.

4. PermitRootLogin yes    Allows root to log in

Whether root may log in directly. It is allowed by default, but you are advised to set it to no: on real production servers root is not allowed to log in directly, only ordinary users are.

5. PubkeyAuthentication yes

Password authentication is of course still needed, so this can be left at yes or set to no. On a real production server, depending on the required security level, some users log in with an authenticated key pair instead of a password.

6. PermitEmptyPasswords no

Whether users with an empty password may log in. The default is no.

7. UsePAM yes

In general, to verify that a client's source is legitimate, DNS is used to look up the client's host name. If clients connect from the intranet, setting this to no makes the connection faster.

8. PrintMotd yes

After login, show some default information such as the last login time and location. The default is yes, and we can also have it print the contents of /etc/motd:

[root@gaosh-64 ~]# cat /etc/motd

When logging in to the system, the content of /etc/motd is displayed.

9. PrintLastLog yes

In item 8, when /etc/motd is printed, the last-login line is shown as well by default; this is controlled by #PrintLastLog yes, whose default is yes. If you change it to no:

Here is another test: you can see that no last-login information is displayed.

10. SyslogFacility AUTHPRIV

When someone logs in to the system over SSH, sshd records the event; the syslog facility it logs under is AUTHPRIV. On this system the sshd log entries are stored in /var/log/secure.
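The script below is an added example, not code from the original article: it summarises the sshd entries in a /var/log/secure-style log, counting failed attempts per source address, listing user names that do not exist on the host, counting connections dropped by LoginGraceTime (item 3), and listing accepted logins with their method. The log lines are constructed to match the session shown above (two failed root logins from 192.168.1.64, last at 08:52:30); the rsyslog line format, the function names and the threshold of 3 failures are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): summarise sshd events in a
# /var/log/secure-style log. The log below is constructed to mirror the
# session in the article; function names and the threshold are assumptions.

# make_sample_log: write the constructed log to a temp file, print its path.
make_sample_log() {
    log=$(mktemp "${TMPDIR:-/tmp}/secure.XXXXXX")
    cat > "$log" <<'EOF'
Jul 14 08:52:25 gaosh-64 sshd[2310]: Failed password for root from 192.168.1.64 port 50120 ssh2
Jul 14 08:52:30 gaosh-64 sshd[2312]: Failed password for root from 192.168.1.64 port 50122 ssh2
Jul 14 08:52:40 gaosh-64 sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 14 08:52:41 gaosh-64 sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 14 08:52:43 gaosh-64 sshd[2317]: Failed password for invalid user test from 203.0.113.5 port 41030 ssh2
Jul 14 08:52:55 gaosh-64 sshd[2319]: Timeout before authentication for 203.0.113.5 port 41040
Jul 14 08:53:01 gaosh-64 sshd[2320]: Accepted password for root from 192.168.1.22 port 51234 ssh2
Jul 14 08:53:10 gaosh-64 sshd[2322]: Accepted publickey for deploy from 192.168.1.22 port 51240 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT
EOF
    printf '%s\n' "$log"
}

# failed_by_source LOG: "count ip" per source address, most failures first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# invalid_users LOG: user names that do not exist on the host, de-duplicated
# (a long list of these is the usual sign of a dictionary attack).
invalid_users() {
    awk '/Failed password for invalid user/ {
             for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
         }' "$1" | sort -u
}

# grace_timeouts LOG: connections dropped because LoginGraceTime expired.
grace_timeouts() {
    grep -c 'Timeout before authentication for' "$1" || true
}

# flag_sources LOG THRESHOLD: addresses with at least THRESHOLD failures.
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_logins LOG: "method user ip" per successful login, so a password
# login where only keys are expected stands out.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") { print $(i + 1), $(i + 3), $(i + 5); break }
         }' "$1"
}

LOG=$(make_sample_log)
echo "failed logins by source:";        failed_by_source "$LOG"
echo "invalid user names tried:";       invalid_users "$LOG" | tr '\n' ' '; echo
echo "grace-time disconnects:";         grace_timeouts "$LOG"
echo "sources with 3 or more failures:"; flag_sources "$LOG" 3
echo "accepted logins:";                accepted_logins "$LOG"
# On the live host the same functions run over /var/log/secure directly;
# 'journalctl -u sshd' and 'lastb' show the same events from other stores.
```

The functions search for the literal words "from", "user" and "Accepted" rather than relying on fixed field positions, so a single-digit day ("Jul  4") with its double space does not shift the result.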

Important notes

  • In general the default settings in the SSH configuration file are safe as they are; do not change the defaults unless necessary. At most, change the port.

  • After each modification, restart the service so that the change takes effect.
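The following is an added example, not code from the original article, covering item 1 (the port change and restart) and the directives in items 2 to 10 together: it resolves the value sshd will actually use for each directive in a config file and reports the settings that deviate from the recommendations above, then reminds the operator to validate with sshd -t before the restart, since a syntax error would stop sshd on restart and lock everyone out. The parsing rules it applies are those of sshd_config: the first uncommented line for a keyword wins and later duplicates are ignored, Port lines accumulate, "#Port 22" only documents the default, and anything after the first Match line is conditional. One caveat for item 7: in OpenSSH the reverse-DNS lookup of the client's host name described there is controlled by the UseDNS directive, while UsePAM switches PAM integration on. The sample config, the function names and the thresholds are constructed for this example.

```shell
#!/bin/sh
# Added audit example, not code from the original article. Resolves the value
# sshd will really use for each directive and flags deviations from the
# article's recommendations. Names and thresholds are this example's.
# Rules that matter: sshd takes the FIRST uncommented line per keyword (a
# later duplicate is ignored); Port lines accumulate (two lines, two
# listeners); "#Port 22" only documents the default; lines after the first
# "Match" are conditional, so the global audit stops there.

# _sshd_lines FILE: "keyword value" per global directive, keyword lower-cased,
# accepting "Key value" or "Key=value".
_sshd_lines() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); sub(/[ \t]*=[ \t]*/, " ")
           n = split($0, f, /[ \t]+/); key = tolower(f[1])
           if (key == "match") exit
           val = f[2]; for (i = 3; i <= n; i++) val = val " " f[i]
           print key, val }' "$1"
}

# sshd_effective KEY FILE [DEFAULT]: first value for KEY, else DEFAULT.
sshd_effective() {
    v=$(_sshd_lines "$2" | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
            '$1 == k { sub(/^[^ ]+ ?/, ""); print; exit }')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "${3:-}"
}

# sshd_ports FILE: all Port values, space-separated; 22 when none is set.
sshd_ports() {
    p=$(_sshd_lines "$1" | awk '$1 == "port" { s = s (s == "" ? "" : " ") $2 } END { print s }')
    [ -n "$p" ] && printf '%s\n' "$p" || echo 22
}

# to_seconds VALUE: sshd time value with one unit ("10", "2m", "1h") -> seconds.
to_seconds() {
    case $1 in
        *h) echo $(( ${1%h} * 3600 )) ;;  *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;              *)  echo "$1" ;;
    esac
}

WARNINGS=0
report() {   # report OK|WARN NAME VALUE NOTE
    printf '%-4s %-21s %-9s %s\n' "$1" "$2" "${3:-(unset)}" "$4"
    [ "$1" = WARN ] && WARNINGS=$((WARNINGS + 1)); return 0
}
expect() {   # expect NAME ACTUAL WANTED NOTE (case-insensitive compare)
    if [ "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" = "$3" ]; then report OK "$1" "$2" ""
    else report WARN "$1" "$2" "$4"; fi
}

# audit_sshd_config FILE: one report line per check, exit status 1 on any WARN.
# DEFAULT args mirror sshd_config(5) when a directive is absent; PermitRootLogin
# gets no default because it changed between OpenSSH versions (unset = WARN).
audit_sshd_config() {
    f=$1; WARNINGS=0
    ports=$(sshd_ports "$f")
    case " $ports " in
        *" 22 "*) report WARN Port "$ports" "default port 22 still exposed" ;;
        *)        report OK   Port "$ports" "" ;;
    esac
    la=$(sshd_effective ListenAddress "$f")
    case ${la:-0.0.0.0} in
        0.0.0.0|::|0.0.0.0:*) report WARN ListenAddress "$la" "bound to every interface" ;;
        *)                    report OK   ListenAddress "$la" "" ;;
    esac
    expect PermitRootLogin      "$(sshd_effective PermitRootLogin "$f")"          no  "root should not log in directly"
    expect PermitEmptyPasswords "$(sshd_effective PermitEmptyPasswords "$f" no)"  no  "empty passwords accepted"
    expect PubkeyAuthentication "$(sshd_effective PubkeyAuthentication "$f" yes)" yes "key-based login disabled"
    grace=$(to_seconds "$(sshd_effective LoginGraceTime "$f" 120)")
    if [ "$grace" -gt 60 ]; then report WARN LoginGraceTime "${grace}s" "long unauthenticated window"
    else report OK LoginGraceTime "${grace}s" ""; fi
    [ "$WARNINGS" -eq 0 ]
}

# make_demo_config: constructed sample with the article's settings; prints the
# temp file path. sshd_config accepts comments on whole lines only.
make_demo_config() {
    cfg=$(mktemp "${TMPDIR:-/tmp}/sshd_config.XXXXXX")
    cat > "$cfg" <<'EOF'
#Port 22
Port 8888
ListenAddress 0.0.0.0
LoginGraceTime 10
PermitRootLogin yes
# ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User backup
    PermitEmptyPasswords yes
EOF
    printf '%s\n' "$cfg"
}

DEMO=$(make_demo_config)
audit_sshd_config "$DEMO" || echo "exit $?: fix the WARN lines, run 'sshd -t', then 'systemctl restart sshd'"
# 'sshd -t' validates /etc/ssh/sshd_config before the restart; a syntax error
# would otherwise stop sshd and lock you out. On CentOS/RHEL a new port also
# needs: semanage port -a -t ssh_port_t -p tcp 8888
#        firewall-cmd --permanent --add-port=8888/tcp && firewall-cmd --reload
```

Run against the real file with audit_sshd_config /etc/ssh/sshd_config; for the constructed sample the report shows Port 8888 as OK, ListenAddress 0.0.0.0 and PermitRootLogin yes as WARN, and the PermitEmptyPasswords line inside the Match block does not affect the global result.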

Conclusion

The SSH service has many parameters; today we covered the ones above, and as we meet new ones in daily use we will introduce them in turn.