Some security tips for SSH on CentOS

The benefits of SSH hardly need repeating. In short, everything that used to be done with Telnet and the old r-commands (remote shell and remote copy) can be done with SSH instead. The common uses look like this:

- Telnet replacement
ssh user@remote.machine
- Remote command execution
ssh user@remote.machine 'command ...'
- Remote copy
scp user@remote.machine:/remote/path /local/path
scp /local/path user@remote.machine:/remote/path
- X forwarding
ssh -X user@remote.machine
xcommand ...
- Tunnel / port forwarding
ssh -L 1234:remote.machine:4321 user@remote.machine
(local port 1234 is carried through the SSH session to port 4321 on remote.machine)
ssh -R 1234:local.machine:4321 user@remote.machine
(port 1234 on remote.machine is carried back to port 4321 on local.machine)
ssh -L 1234:other.machine:4321 user@remote.machine
(local port 1234 reaches other.machine:4321, with remote.machine acting as the hop)

I won't go into detailed usage here; readers can look that up on their own.

What I want to share here are some security tips for the SSH service, so that you can run it with more peace of mind.

Example

(Using Red Hat 9 as the example)

On the client side:
$ ssh-keygen -t rsa
* Press Enter three times to finish. You do not need to set a passphrase unless you are going to use ssh-agent, but bear in mind that an unencrypted private key is usable by anyone who gets a copy of the client's home directory; a passphrase plus ssh-agent gives the protection without the retyping.
$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
* If the client is Windows, generate the key pair with puttygen.exe, copy the public key to the server, and edit it into a single line (the multi-line format that puttygen saves is not what OpenSSH's authorized_keys expects; the "Public key for pasting into OpenSSH authorized_keys file" box in puttygen already has the right single-line form).
* If password login is already disabled on the server, copy the public key there by some other means.

On the server side:

Disable root logins

# vi /etc/ssh/sshd_config
PermitRootLogin no

Disable password authentication and require public-key (RSA) authentication (assuming the SSH account is user1)

# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# service sshd restart
# su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit

Three things to watch here. RSAAuthentication only governs SSH protocol 1; PubkeyAuthentication is the directive that matters for protocol 2. PasswordAuthentication no is not enough on its own on a PAM-based system, because the keyboard-interactive method can still prompt for a password, so also set ChallengeResponseAuthentication no. And since sshd is restarted before the key is installed, do this from the console, or keep your existing session open and confirm that a key login works from a second session before you close it; sshd (with StrictModes, the default) will silently ignore the key if ~ or ~/.ssh is group- or world-writable.
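The server-side steps above, done as one repeatable script. This is an added example, not code from the original article: it sets each sshd_config directive exactly once (replacing a commented-out stock line rather than appending a duplicate), installs the public key with the permissions sshd's StrictModes requires, and reads the result back so you can check it before restarting sshd. The config file, the home directory and the key file are parameters; the sample sshd_config and the public key in demo_run are constructed stand-ins, not real files.

```shell
#!/bin/bash
# Added example: harden an sshd_config and install an authorized key idempotently.
# Paths are parameters so the whole thing can be rehearsed against scratch copies.
set -eu

# set_sshd_option CONFIG KEY VALUE
# Remove every existing active or commented-out line for KEY, then append
# "KEY VALUE", so running this twice still leaves exactly one active line.
set_sshd_option() {
    local cfg="$1" key="$2" val="$3" tmp
    tmp=$(mktemp)
    grep -v "^[#[:space:]]*${key}[[:space:]]" "$cfg" > "$tmp" || true
    printf '%s %s\n' "$key" "$val" >> "$tmp"
    cat "$tmp" > "$cfg"          # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# harden_sshd CONFIG: the directives from the article, plus the one that
# closes the keyboard-interactive (PAM) password path.
harden_sshd() {
    local cfg="$1"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# install_authorized_key HOMEDIR PUBKEYFILE
# sshd (StrictModes) ignores the key if ~/.ssh or authorized_keys is writable
# by group or others, so permissions are forced rather than hoped for.
install_authorized_key() {
    local home="$1" pub="$2" keyfile="$1/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$keyfile"
    chmod 600 "$keyfile"
    # append only when the exact line is not already there
    grep -qxF "$(cat "$pub")" "$keyfile" || cat "$pub" >> "$keyfile"
}

# active_sshd_option CONFIG KEY: value of the last uncommented KEY line (or empty)
active_sshd_option() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# demo_run: build a scratch environment, apply everything, print the directory.
demo_run() {
    local d
    d=$(mktemp -d)
    # constructed stand-in for a stock sshd_config (not a real file)
    cat > "$d/sshd_config" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    # constructed placeholder public key; a real one is 'ssh-rsa AAAA... comment'
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedexample user1@client' > "$d/id_rsa.pub"
    mkdir -p "$d/home"
    harden_sshd "$d/sshd_config"
    install_authorized_key "$d/home" "$d/id_rsa.pub"
    install_authorized_key "$d/home" "$d/id_rsa.pub"   # second run must not duplicate
    echo "$d"
}

scratch=$(demo_run)
echo "hardened config: $scratch/sshd_config"
echo "PasswordAuthentication is now: $(active_sshd_option "$scratch/sshd_config" PasswordAuthentication)"
# On the real server: sshd -t -f /etc/ssh/sshd_config, then service sshd restart.
```

Point harden_sshd at /etc/ssh/sshd_config and install_authorized_key at /home/user1 to do it for real; run `sshd -t` before restarting, and keep a logged-in session open until a key login from a second session has succeeded.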

Restrict who may use su / sudo:

# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
(on Red Hat this line is already present but commented out near the top of the file; uncomment it, and keep it above the other auth lines)
# visudo
%wheel ALL=(ALL) ALL
# gpasswd -a user1 wheel

Restrict which users may log in over ssh

# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo user1 >> /etc/ssh_users

Put the pam_listfile line before the other auth lines. With sense=allow and onerr=fail, only names in /etc/ssh_users get in, and a missing or unreadable list file denies everyone, so create the file before restarting anything. (sshd's own AllowUsers directive in sshd_config does the same job without touching PAM.)

Block ssh connections and control access through a web page instead (the .htaccess and the first part of ssh_open.php did not survive in this copy of the article; what remains is shown)

# iptables -I INPUT -p tcp --dport 22 -j DROP
# mkdir /var/www/html/ssh_open
# cat > /var/www/html/ssh_open/.htaccess <<'END'
…
END
# cat > /var/www/html/ssh_open/ssh_open.php <<'END'
<?php
…
        echo "…";
        echo "Pls check your rights to dir $dir_path or file $ip_list";
    }
    else
    {
        fputs($file, "$user_ip");
        fclose($file);
        echo "client ip($user_ip) has been put into $dir_path/$ip_list";
    }
} else {
    echo "Invalid IP format!! ssh_open.txt was not changed.";
}
?>

END
# touch /var/www/html/ssh_open/ssh_open.txt
# chmod 640 /var/www/html/ssh_open/*
# chgrp apache /var/www/html/ssh_open/*
# chmod g+w /var/www/html/ssh_open/ssh_open.txt
# chmod o+t /var/www/html/ssh_open
# service httpd restart
# mkdir /etc/iptables
# cat > /etc/iptables/sshopen.sh <<'END'
…
	> $list_file
	exit 0
}

# do nothing while list is empty
[ -s $list_file ] || exit 1

# deny connection if host doesn't match the list
host_ip=$(grep 'myssh from=' $auth_log | tail -1 | awk -F'=' '{print $NF}')
list_ip=$(cat $list_file)
if [ -n "$host_ip" -a "$host_ip" != "$list_ip" ]; then
	# trusted_ip is space separated; //  replaces every space, and -x matches whole lines
	# so that 10.0.0.1 is not "found" inside 10.0.0.10
	echo -e "${trusted_ip// /\n}" | grep -qx "$host_ip" || {
		# newer iptables-save prints "-s A.B.C.D/32"; adjust the pattern if yours does
		/sbin/iptables-save | grep -q "INPUT -s $host_ip -j DROP$" || {
			/sbin/iptables -I INPUT -s $host_ip -j DROP
			echo $host_ip >> $bad_list
			echo "$host_ip is blocked by $0 on $(date)" | mail -s "block ip" $mail_to
		}
	}
	exit 2
fi

# add rule
iptables -A $chain
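The logic of the whole web-controlled allowlist, from the page that records the caller's address to the cron job that turns the list into firewall rules, as one self-contained bash example that can be exercised offline. This is an added example, not the article's own ssh_open.php or sshopen.sh. It assumes the list holds a single address (which is how the article's script compares it), that the address is taken from REMOTE_ADDR and never from a client-supplied header, and that the ACCEPT rule is inserted ahead of the blanket port-22 DROP; that last step is an assumption, since the article's script is cut off at its "add rule" line. The "myssh from=" log lines and the addresses used are constructed sample data, and nothing here runs iptables: plan_rules prints the commands so they can be reviewed first.

```shell
#!/bin/bash
# Added example: validate, record and act on a web-submitted SSH allowlist.
set -u

# valid_ipv4 ADDR: strict dotted quad, four octets of 0-255. This is the gate
# the article's PHP expresses as "Invalid IP format"; it also keeps anything
# like "1.2.3.4; rm -rf /" out of a file that is later fed to iptables.
valid_ipv4() {
    local ip="$1" o re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    [[ $ip =~ $re ]] || return 1
    local IFS=.
    for o in $ip; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# record_client_ip ADDR LISTFILE: what the web page does. ADDR must be the
# socket peer (REMOTE_ADDR); X-Forwarded-For is chosen by the client and must
# not be used. The list holds exactly one address (assumption, see lead-in).
record_client_ip() {
    local ip="$1" list="$2"
    valid_ipv4 "$ip" || { echo "Invalid IP format: $ip" >&2; return 1; }
    printf '%s\n' "$ip" > "$list"
}

# last_ssh_source LOGFILE: address on the most recent "myssh from=" line,
# read the same way the article's script reads its auth log.
last_ssh_source() {
    grep 'myssh from=' "$1" | tail -1 | awk -F= '{print $NF}'
}

# is_trusted ADDR "SPACE SEPARATED LIST": exact match only
is_trusted() {
    local ip="$1" t
    for t in $2; do [ "$t" = "$ip" ] && return 0; done
    return 1
}

# plan_rules LISTFILE LAST_IP "TRUSTED...": decide what the cron job should do
# and print the iptables command(s). Returns 0 = allow rule planned,
# 1 = nothing to do (empty or unusable list), 2 = LAST_IP was rejected.
plan_rules() {
    local list="$1" last="$2" trusted="${3:-}" allowed
    [ -s "$list" ] || return 1
    allowed=$(head -1 "$list")
    # re-check the stored value: the list is web-writable and ends up in a command line
    valid_ipv4 "$allowed" || { echo "# list entry '$allowed' is not an IPv4 address" >&2; return 1; }
    if [ -n "$last" ] && [ "$last" != "$allowed" ]; then
        if is_trusted "$last" "$trusted"; then
            echo "# $last is trusted: not blocking, no allow rule added"
        else
            echo "iptables -I INPUT -s $last -j DROP"
        fi
        return 2
    fi
    # assumed completion of the article's "add rule" step: -I puts the ACCEPT
    # ahead of the blanket port-22 DROP, otherwise it would never be reached
    echo "iptables -I INPUT -p tcp --dport 22 -s $allowed -j ACCEPT"
    return 0
}

# demo: constructed log and list, then show the planned command
demo() {
    local d
    d=$(mktemp -d)
    printf 'Jan  1 10:00:00 host sshd: myssh from=192.0.2.10\nJan  1 10:05:00 host sshd: myssh from=198.51.100.7\n' > "$d/secure"
    record_client_ip 192.0.2.10 "$d/ssh_open.txt"
    plan_rules "$d/ssh_open.txt" "$(last_ssh_source "$d/secure")" "203.0.113.1"
    echo "exit=$?"
    rm -rf "$d"
}
demo
```

In the demo the last login attempt came from 198.51.100.7 while the list says 192.0.2.10, so the planner prints the DROP for 198.51.100.7 and returns 2, as the article's script would; pipe the printed lines to `sh` only once you are happy with them. The web page that feeds record_client_ip still has to be protected by its own authentication and served over HTTPS, or anyone who can reach it can open SSH for their own address.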