1. Change your default SSH port
# nano /etc/ssh/sshd_config
Port 2222
Now, while connecting SSH remotely:
# ssh -p 2222 root@192.168.1x.1xx
2. Disable default root access through SSH
Use a non-root account for SSH and then switch to root with su -. Here's how you can do this:
# nano /etc/ssh/sshd_config
PermitRootLogin no
3. Disable password-based authentication
Instead, use a public/private key pair only. You can do this:
# nano /etc/ssh/sshd_config
PasswordAuthentication no
Passwordless SSH key-based authentication
3.1. What is key-based, passwordless SSH authentication?
Setting up SSH keys for passwordless authentication is a preferred, quick and painless authentication mechanism on CentOS Linux and many other SSH-based systems. It also allows you to set up automated tasks, such as copying backups to another server, without having to enter a password.
3.2. Configuring key-based, passwordless SSH authentication
In this scenario, we have two servers: rm.linux.lan and cl.linux.lan. We want to grant passwordless, key-based authentication from the root user on rm.linux.lan to the root user on cl.linux.lan.
Assuming these keys do not exist yet, we generate our public and private key pair on rm.linux.lan (note: we do not provide a passphrase when generating these keys):
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
<snipped> root@rm.linux.lan
The key's randomart image is:
+--[ DSA 1024]----+
<snipped>
+-----------------+
As you can see, the above command has generated two files, /root/.ssh/id_dsa and /root/.ssh/id_dsa.pub. Always keep the id_dsa file safe: this is your private key!
Now that our SSH key pair has been generated, we can quickly copy our public key file to cl.linux.lan with the following command:
# ssh-copy-id -i /root/.ssh/id_dsa.pub root@cl.linux.lan
Now try logging into the machine with "ssh 'root@cl.linux.lan'", and check ~/.ssh/authorized_keys on cl.linux.lan to make sure we haven't added extra keys that you weren't expecting.
And with that, you should now be able to ssh from the root user on rm.linux.lan to the root user on cl.linux.lan without having to enter any password!
4. Allow/deny specific users/groups
By default the SSH server allows every user to log in. You can of course change that:
-Allow specific users:
# nano /etc/ssh/sshd_config
AllowUsers sks xyz
-Deny specific users:
# nano /etc/ssh/sshd_config
DenyUsers sks xyz
-Allow specific groups:
# nano /etc/ssh/sshd_config
AllowGroups sks xyz
-Deny specific groups:
# nano /etc/ssh/sshd_config
DenyGroups sks xyz
5. Restrict SSH to a specific network interface
# nano /etc/ssh/sshd_config
ListenAddress 192.168.10.100
ListenAddress 127.0.0.1
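A small audit script for the settings covered on this page, added here as an example (it is not from the original post): it reads an sshd_config and reports which of the recommendations above are missing. It assumes directives in the "Key value" form used on this page, does not interpret Match blocks, and uses two constructed sample configs in place of a real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening settings recommended on this page.
# Assumption: directives use the "Key value" form; Match blocks are not
# interpreted, so point it at the main section of the file only.

# Constructed sample configs (not copied from any real host).
SAMPLE_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers sks xyz
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowGroups sks
ListenAddress 192.168.10.100
ListenAddress 127.0.0.1
EOF

# Effective value of a directive: sshd honours the first uncommented
# occurrence, and keywords are case-insensitive. Usage: sshd_get FILE KEY
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Print one finding per line for each recommendation the file misses.
sshd_audit() {
    cfg=$1
    port=$(sshd_get "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] ||
        echo "Port: default 22 (use a non-default port such as 2222)"
    [ "$(sshd_get "$cfg" PermitRootLogin)" = no ] ||
        echo "PermitRootLogin: not 'no' (log in as a non-root user, then su -)"
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication: not 'no' (use key pairs only)"
    [ -n "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ] ||
        echo "AllowUsers/AllowGroups: unset (every account may attempt login)"
    [ -n "$(sshd_get "$cfg" ListenAddress)" ] ||
        echo "ListenAddress: unset (sshd listens on every interface)"
    return 0
}

# Number of findings as a plain integer (0 when the file passes).
sshd_finding_count() { sshd_audit "$1" | awk 'END { print NR }'; }

sshd_audit "$SAMPLE_CFG"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` after the edits above, and remember to restart sshd for the changes to take effect.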