Avoid Common SSH Security Vulnerabilities and Attacks: Protect Your Linux Server
Introduction:
In today’s digital age, Linux servers have become a vital part of many organizations and individuals Indispensable part. However, like all Internet-related technologies, Linux servers also face security threats. Among them, SSH (Secure Shell) is a common protocol for remote management and file transfer. To ensure the security of your Linux server, this article will introduce some methods to avoid common SSH security vulnerabilities and attacks, and provide relevant code examples.
1. Change the SSH default port
By default, the SSH server listens to port 22. This can easily be discovered by hackers who can try to brute force the password. For added security, you can change the SSH port to a non-standard port, such as 2222. This reduces the risk of malicious intrusions. To change the SSH port, edit the SSH server configuration file /etc/ssh/sshd_config
, find and modify the following line:
#Port 22 Port 2222
and then restart the SSH service.
2. Disable SSH password login and enable SSH key authentication
SSH password login is vulnerable to brute force attacks. For increased security, we recommend disabling SSH password login and allowing only SSH key authentication. SSH key authentication uses public and private keys for authentication, which is more secure and reliable than traditional password methods.
Generate SSH key pair
Generate an SSH key pair on the local computer. Open the terminal and enter the following command:
ssh-keygen -t rsa
Follow the prompts and the generated key will be saved in the ~/.ssh
directory.
Upload the public key to the server
To upload the generated public key to the server, you can use the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@your_server_ip
whereuser
is your username, your_server_ip
is the IP address of the server.
Modify SSH configuration file
Edit SSH server configuration file/etc/ssh/sshd_config
, find and modify the following lines:
PasswordAuthentication no PubkeyAuthentication yes
Then restart the SSH service.
3. Restrict SSH user login
In order to increase the security of the server, you can restrict only specific users to log in to SSH. This prevents unauthorized access.
Create a dedicated SSH group
Create a dedicated SSH user group using the following command on the Linux server:
sudo groupadd sshusers
Add Allow SSH Accessed user
Use the following command to add the user to the SSH user group:
sudo usermod -aG sshusers username
where username
is the username you want to add.
Modify SSH configuration file
Edit SSH server configuration file/etc/ssh/sshd_config
, find and modify the following lines:
AllowGroups sshusers
Then restart the SSH service.
4. Limit the number of SSH login attempts
Brute force cracking is one of the common attack methods used by hackers. In order to prevent brute force cracking of SSH passwords, we can limit the number of SSH login attempts and set a period of time for failed login attempts.
Install Failed Login Attempt Counter
Install fail2ban
using the following command:
sudo apt-get install fail2ban
Configurefail2ban
Editfail2ban
Configuration file/etc/fail2ban/jail.local
, add the following content:
[sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5 bantime = 3600
Then restartfail2ban
Serve.
Summary:
You can greatly enhance your Linux by changing the SSH default port, disabling SSH password login, enabling SSH key authentication, restricting SSH user logins, and limiting the number of SSH login attempts. Server security and avoid common SSH security vulnerabilities and attacks. Protecting your server from unauthorized access is one of your responsibilities as a system administrator.
The reference code examples are for reference only, and the specific implementation may vary depending on the server environment and requirements. Please exercise caution when implementing this and make sure to back up your data to avoid unexpected situations.
The above is the detailed content of Avoid Common SSH Security Vulnerabilities and Attacks: Protect Your Linux Server. For more information, please follow other related articles on the PHP Chinese website!