官术网_书友最值得收藏!

首頁 >

Oracle 11g Anti-hacker's Cookbook

Securing SSH login

These days ssh login can be considered the de facto method for connecting to remote servers. It is reliable and secure but if it is configured improperly, it can be more of a liability than an asset. In this recipe will change a couple of parameters to secure ssh and we will set up passwordless connections using public keys.

Getting ready

All the steps from this recipe will be performed on nodeorcl1 as the root user. The remote logins will be performed from nodeorcl5.

How to do it...

All parameters that will be modified are located in the /etc/sshd_config configuration file.

  1. Change the default port 22. Most port scanners will identify automatically port 22 with the ssh service. Therefore it will be a good idea to change the default ssh port: 
    Port 13120
  2. Disable root logins: 
    PermitRootLogin no
  3. ssh will check for proper permissions in the user's home. Use strict mode: 
    StrictModes yes
  4. Suppress all host-based authentications. Usually these methods should be avoided as primary authentication: 
    HostbasedAuthentication no
  5. This parameter is very effective against DoS type attacks. Limit the maximum number of unauthenticated connections and connection attempts: 
    MaxStartups 10:50:10
  6. Allow just users that belong to a defined group to log in: 
    AllowGroups logingrp
  7. To make the changes effective, restart the sshd service: 
    [root@nodeorcl1 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
  8. After restart, the sshd daemon will listen on port 13120: 
    [root@nodeorcl1 ~]# lsof -i -n | grep sshd
sshd 14089 root 3u IPv6 55380 TCP *:13120 (LISTEN)
[root@nodeorcl1 ~]#
  9. Try to connect from nodeorcl5 to nodeorcl1 as root. Direct root log ins will be denied: 
    [loguser1@nodeorcl5 ~]$ ssh -l root -p 13120 nodeorcl1
root@nodeorcl1's password:
Permission denied, please try again.
Permission denied (publickey,gssapi-with-mic).

How it works...

After any change of configuration parameters, a daemon restart is needed. You can perform the restart in different ways, such as restarting the service or by sending a HUP (kill -1) signal to the sshd daemon process.

There's more...

Using key authentication instead of using passwords is probably one of the securest methods of authentication. This will suppress definitively any brute force attempt using passwords.

Setting up public key authentication

  1. Open the /etc/ssh/sshd_config file and disable password authentication by modifying the following parameter: 
    PasswordAuthentication no
  2. Enable key authentication: 
    RSAAuthentication yes
PubkeyAuthentication yes
  3. On the client machine nodeorcl5 as the user loginuser1, create a passphase protected public/private key: 
    [loginuser1@nodeorcl5 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/loginuser1/.ssh/id_rsa):
Created directory '/home/loginuser1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/loginuser1/.ssh/id_rsa.
Your public key has been saved in /home/loginuser1/.ssh/id_rsa.pub.
The key fingerprint is:
1b:a2:9f:d5:e8:77:08:1c:b5:6a:6a:29:3e:53:46:a5 loginuser1@nodeorcl5
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . . |
| o . . |
| E . . |
| ...So |
| .o.== |
| .o ++... |
| +.++ o . |
| ..=o .. . |
+-----------------+
  4. Now deploy the key on nodeorcl1 as follows: 
    [loginuser1@nodeorcl5 ~]$ ssh-copy-id '–p 13120 -i .ssh/id_rsa.pub loguser1@nodeorcl1'
The authenticity of host 'nodeorcl1 (10.241.132.218)' can't be established.
RSA key fingerprint is 34:39:af:94:9a:2e:4b:f8:37:9c:af:27:67:1c:74:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nodeorcl1,10.241.132.218' (RSA) to the list of known hosts.
loguser1@nodeorcl1's password: 
Now try logging into the machine, with "ssh 'loguser1@nodeorcl1'", and check in:

 .ssh/authorized_keys

To make sure we haven't added extra keys that you weren't expecting.
  5. Log in to nodeorcl1; you must type the passphrase entered during key creation: 
    loguser1@nodeorcl2:~> ssh loguser1@nodeorcl1
Enter passphrase for key '/home/loguser1/.ssh/id_rsa': 
[loguser1@nodeorcl1 ~]$
  6. Restart the sshd service as follows: 
    [root@nodeorcl1 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
主站蜘蛛池模板: 门源| 西昌市| 泉州市| 响水县| 潍坊市| 桂东县| 寿宁县| 北票市| 博客| 大姚县| 涪陵区| 高州市| 长汀县| 台北市| 武鸣县| 将乐县| 嘉峪关市| 汝城县| 安平县| 独山县| 吕梁市| 衡阳市| 盘山县| 张家界市| 汤阴县| 天祝| 茶陵县| 桃园市| 菏泽市| 会泽县| 刚察县| 上虞市| 鱼台县| 富源县| 同仁县| 东丽区| 集安市| 无棣县| 醴陵市| 行唐县| 衡水市|