In the post "What is ssh key and SSH Key Manual" you learned how to use an SSH key in place of a password to protect SSH against brute-force attacks. If you are still not fully reassured by SSH keys alone, you can apply some of the SSH configuration changes below. (Depending on your circumstances, you may not need to apply every method in this post.)
All of the changes in this post are made in the file /etc/ssh/sshd_config. After editing it, restart SSH with the command:
service sshd restart
1. Change SSH port
By default, the SSH server listens on port 22, and this is the port that scanners always target for brute-force attacks.
Therefore, you shouldn't use the default port 22. Change it to a different port, such as 1109. Also note that the port number must be at most 4 digits long and must not conflict with a port used by other software.
To change the SSH port, find:
#Port 22
Uncomment the line and replace 22 with the port you want to use:
Port 1109
2. Do not log in as the root user
The root user is always very sensitive, so if you can, log in as a different user and then use the command below to switch to root.
Note: Set a password for the root user first. Rest assured that even if you use an SSH key and do not allow password logins, switching users still works normally.
First, create a user with any name:
useradd thachpham
And set the password for this user:
passwd thachpham
If you want to use an SSH key for this user, log in to the server as the user you just created and create an SSH key as in this post.
Next, configure SSH not to allow root login by opening the file /etc/ssh/sshd_config and finding:
#PermitRootLogin yes
Change it to:
PermitRootLogin no
Finally, add the following line at the end of the file so that only the user thachpham is allowed to log in over SSH:
AllowUsers thachpham
From now on, you log in over SSH as the user thachpham, then type su and enter the root password to switch to the root user. The downside is that this does not apply to SFTP.
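One way to check that the edits from steps 1 and 2 actually take effect, as an added example that is not part of the original post: it reads sshd_config text the way sshd does for these keywords (commented lines are ignored, the first PermitRootLogin wins, lines below a Match block are not global). The function names and both sample configurations are constructed for illustration.

```python
import re
# sshd accumulates these two keywords across lines; others keep the first value.
MULTI = {"port", "allowusers"}

def effective_settings(text):
    """Return the global settings as {lowercased keyword: [values]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or still commented out: sshd ignores it
        m = re.match(r"([A-Za-z0-9]+)[\s=]+(.*)$", line)
        if not m:
            continue  # keyword without a value
        key, values = m.group(1).lower(), m.group(2).split()
        if key == "match":
            break  # everything after a Match line is conditional, not global
        if key in MULTI:
            settings.setdefault(key, []).extend(values)
        elif key not in settings:
            settings[key] = values  # first value obtained wins
    return settings

def audit(text):
    """Return findings for the hardening in steps 1 and 2 (added example)."""
    s = effective_settings(text)
    findings = []
    ports = s.get("port", [])
    if not ports or "22" in ports:
        findings.append("Port: sshd still listens on 22")
    root = s.get("permitrootlogin", ["<unset>"])[0].lower()
    if root != "no":
        findings.append(f"PermitRootLogin: effective value is {root}, not no")
    if not s.get("allowusers"):
        findings.append("AllowUsers: no global allow-list is in effect")
    return findings

# Constructed sample: Port is still commented out, the second PermitRootLogin
# line comes too late, and AllowUsers was appended below a Match block.
BROKEN = """#Port 1109
PermitRootLogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    AllowUsers thachpham
"""
FIXED = "Port 1109\nPermitRootLogin no\nAllowUsers thachpham\n"

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED))
```

On a live server, `sshd -t` checks the file for syntax errors before you restart, and `sshd -T` prints the configuration that sshd itself computes.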
3. Only allow SSH login from a fixed IP
If you use a dynamic IP, do not try this, but if you have a static IP address, you can use it to combat illegal logins. Just insert the following into the file:
ListenAddress 123.45.678