In this article I will describe how I limit and secure SSH access to my RedHat/CentOS Linux servers.
First, create a group whose members are allowed to log in over SSH.
groupadd lx-ssh-login
Now add a user to that group
usermod -a -G lx-ssh-login ravi
Check that the user has been added to the group:
id ravi
Now it's time to alter the SSH configuration, which is located in /etc/ssh/sshd_config.
Change the following parameters
Port 4234    # or any port in a high range which is not used by another process
ListenAddress <your IP>
Protocol 2
LogLevel INFO
PermitRootLogin no
MaxAuthTries 3
AllowGroups lx-ssh-login
PermitEmptyPasswords no
PasswordAuthentication yes
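Because sshd applies the first occurrence of each keyword in sshd_config, a hardened line appended below a permissive one has no effect. The following audit script is an added example, not part of the article: it reads a config file, resolves the effective value of each directive the way sshd does (first match, keyword case-insensitive, comments ignored) and compares it against the settings above. The sample config and the function names (effective_value, check_directive, audit_sshd_config) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the
# values set above. sshd applies the FIRST occurrence of each keyword, so a
# hardened line appended below a permissive one has no effect; the check
# below honours that rule and matches keywords case-insensitively, as sshd does.

# Constructed sample config, not a real server's file. It deliberately
# contains PermitRootLogin twice: the first (permissive) one wins.
SAMPLE_CONFIG='# constructed sshd_config
Port 4234
ListenAddress 192.168.10.20
Protocol 2
LogLevel INFO
permitrootlogin yes
PermitRootLogin no
MaxAuthTries 3
AllowGroups lx-ssh-login
PermitEmptyPasswords no
PasswordAuthentication yes'

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD
# (first non-comment match; only the first value of a multi-value directive
# such as AllowGroups is printed).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_directive FILE KEYWORD EXPECTED: succeed if the effective value matches.
check_directive() {
    [ "$(effective_value "$1" "$2")" = "$3" ]
}

# audit_sshd_config FILE: print one line per directive; return the number
# of directives whose effective value differs from the article's setting.
audit_sshd_config() {
    failures=0
    for pair in Protocol=2 LogLevel=INFO PermitRootLogin=no MaxAuthTries=3 \
                AllowGroups=lx-ssh-login PermitEmptyPasswords=no; do
        key=${pair%%=*}
        want=${pair#*=}
        if check_directive "$1" "$key" "$want"; then
            printf 'OK    %s %s\n' "$key" "$want"
        else
            printf 'FAIL  %s is "%s", expected "%s"\n' \
                "$key" "$(effective_value "$1" "$key")" "$want"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Demo: write the constructed config to a temporary file and audit it.
# Against a live server you would pass /etc/ssh/sshd_config instead.
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_cfg"
audit_sshd_config "$demo_cfg" || echo "$? directive(s) not hardened"
rm -f "$demo_cfg"
```

On the sample file the audit reports PermitRootLogin as "yes", because the lowercase permissive line comes first. Before restarting the daemon on a real server, sshd -t checks the file for syntax errors, and it is wise to keep your current session open and test the new port from a second terminal so that a mistake in AllowGroups does not lock you out.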
Restrict access to the SSH port: only allow specific source ranges, log unauthorized IPs that try to connect to the SSH port, and rate-limit that logging so a scan cannot flood the log.
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 4234 -j ACCEPT
#log all other tries to this port
iptables -A INPUT -p tcp --dport 4234 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " # SSH UNAUTHORIZED #"
# DROP all other (not needed if you already have a general DROP rule)
iptables -A INPUT -p tcp --dport 4234 -j DROP
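The LOG rule above writes kernel messages to syslog (/var/log/messages on CentOS) with the prefix " # SSH UNAUTHORIZED #" followed by the packet fields, among them SRC=. The script below is an added example, not part of the article: it pulls those lines out of a log, counts attempts per source address and ignores unrelated lines such as sshd's own "Accepted" messages. The log lines and the function names (unauthorized_sources, top_unauthorized_source, attempts_from) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): summarise the " # SSH UNAUTHORIZED #"
# lines that the iptables LOG rule writes to syslog, per source address.

# Constructed sample /var/log/messages lines, not from a real host. The text
# after "kernel:" is the shape the LOG target produces; the sshd line is
# included to show that unrelated entries are ignored.
SAMPLE_LOG='Mar  3 10:15:02 web1 kernel:  # SSH UNAUTHORIZED #IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4021 DF PROTO=TCP SPT=51234 DPT=4234 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel:  # SSH UNAUTHORIZED #IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4022 DF PROTO=TCP SPT=51235 DPT=4234 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web1 kernel:  # SSH UNAUTHORIZED #IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=198.51.100.77 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=917 DF PROTO=TCP SPT=40000 DPT=4234 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  3 10:15:10 web1 sshd[2231]: Accepted password for ravi from 192.168.10.42 port 55010 ssh2
Mar  3 10:15:11 web1 kernel:  # SSH UNAUTHORIZED #IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4023 DF PROTO=TCP SPT=51236 DPT=4234 WINDOW=29200 RES=0x00 SYN URGP=0'

# unauthorized_sources: read log lines on stdin, print "count ip" for each
# source address that hit the LOG rule, most frequent first.
unauthorized_sources() {
    grep -F '# SSH UNAUTHORIZED #' |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# top_unauthorized_source: the address with the most logged attempts
# (prints nothing if the input holds no LOG lines).
top_unauthorized_source() {
    unauthorized_sources | awk 'NR == 1 { print $2 }'
}

# attempts_from IP: number of logged attempts from one source, 0 if none.
attempts_from() {
    unauthorized_sources |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Demo on the constructed log. On a server you would feed the real file:
#   unauthorized_sources < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | unauthorized_sources
```

Remember that the -m limit match in the LOG rule caps logging at about five entries per minute (seven in a burst), so during a fast scan the counts are a lower bound on the real number of connection attempts, not an exact figure.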
It is also possible to put these rules in the /etc/sysconfig/iptables file. You could also allow or deny access on a per-host basis by editing /etc/hosts.allow or /etc/hosts.deny, but that does not offer as many options as iptables does.
Restart daemons
To apply the changes above you only need to restart the SSH daemon. If you changed the iptables configuration by editing the /etc/sysconfig/iptables file, you also need to restart the iptables service.
sudo service sshd restart

sudo service iptables restart

This is a very basic way to secure SSH from unauthorized access.
I will describe SSH access with public keys in a next article.
Very good explanation and howto!!