نمایش نتایج: از شماره 1 تا 2 , از مجموع 2

موضوع: چگونگی امن کردن ssh سرور از حملات

  1. #1
    مدیر کل Vahid آواتار ها
    تاریخ عضویت
    Aug 2008
    نوشته ها
    2,724
    تشکر تشکر کرده 
    435
    تشکر تشکر شده 
    6,958
    تشکر شده در
    2,085 پست

    پیش فرض چگونگی امن کردن ssh سرور از حملات

    SSH attacks are quite common if you are running SSH on Port 22. Most automated robots try to login as root with various brute force and dictionary combinations to get access to your server. If you have weak root password then chances are there that your server could be compromised. Further these robots put a lot of load on your server with thousands of retries to break in to your system. How do i know that my server is being attacked?
    Just check the logs of your server
    nano /var/log/secure
    nano /var/log/messages
    There you will see logs of thousands or hundreds of repeated number of attempts from different IPs attempting to breakin to your server with different dictionary/brute force password combinations.You could be getting hundreds of automated attempts every minute that could slow down your server.
    Method 1: Simple SSH Security

    The simplest way secure your SSH is to run SSH on the different port other than default port 22. The hardening of SSH can be acheived by the following simple steps:

    • Disable Root Logins
    • Disable password authentication
    • Disable Port 22 and use any other port to run SSH (like Port 1899). Dont forget to block port 22 using firewall.

    Initial Steps
    Before you harden the SSH, first make sure you create a user name and password. If you are running cpanel, then you might want to add the username to cpanel wheel group.
    To adduser and make the member of cpanel group
    adduser <username> -G wheel
    To set the password for the user
    passwd <username>
    Once the user has been created and added to Wheel group, edit the ssh configuration file /etc/ssh/sshd_conf
    Step1: Change the default port 22 to any port number, say 2199 and set the protocol to just Protocol 2 which is a more secure protocol
    nano /etc/ssh/sshd_config
    # /etc/ssh/sshd_conf
    Port 2199
    Protocol 2
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    Step2: Disable root login
    Locate the line # PermitRootLogin yes in the configuration file and change it to no
    PermitRootLogin no
    once you save this configuration and restart your SSH you will not be able to login as root and will be able to login only at Port 2129.
    /etc/init.d/sshd restart
    // to restart the SSH server
    Step 3: Testing the SSH
    To test whether the settings with SSH, open putty and enter the <IP-Address> and the port 2129 to login. Now login as <username> which you created previously with the password. Once you have successfully logged in, then su to root to do root tasks
    > su root
    Be careful that you dont forget or lose both the passwords as otherwise you will not be able to login with SSH.
    Method 2: Using SSH Public/Private Key Authentication

    Using the SSH with public key authentication is one of the best proven method to safeguard your SSH server. All you need to do is put the private key in your putty (ssh client) and the public key in your server
    PrivateKey -> Stored in Client and used by Putty
    PublicKey -> Stored in Remote Server ( in /home/<user>/.ssh/authorized_keys file)
    Tools Required
    Putty (SSH Login client)
    PuttyGen (Putty Key Generator Tool to save Private key)

    Step 1:
    To enable the public key authentication you have to enable it in the SSH config file /etc/ssh/sshd_config. Look for the following lines and uncomment them
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    Step 2:
    Assuming that pbu is the username, we generate both public and private keys in the server.
    [pbu@localhost ~]$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/pbu/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/pbu/.ssh/id_dsa.
    Your public key has been saved in /home/pbu/.ssh/id_dsa.pub.
    The key fingerprint is:
    a9:22:30:c4:edf:1c:e5:7b:3cb4:82:aa:33:18 pbu@vps.localhost
    As you carefully notice
    id_dsa -> private key stored at /home/<username>/.ssh/
    id_dsa.pub -> is the public key /home/<username>/.ssh/
    Step 3: Downloading Private Key to Putty (SSH client)
    In this step we are going copy the private key from server to our putty in the form of .ppk (putty private key file). Remember private key must be held in the client side and the public key in the server side (inside /home/<user>/.ssh/authorized_keys file)
    Open the file id_dsa and copy the contents of the file. Comeback to windows and paste into a notepad file (say privkey.txt). Make sure that there is no new line at the top or else you will get "invalid private key" from puttygen.
    Start puttygen.exe > Load Existing Private Key > privkey.txt > Save Private Key

    Save the private key as privkey.ppk
    Step 4: Copying Public Key to Server
    Nowwe need to a new file called authorized_keys inside .ssh folder within the users home directory. You should store the public key there. I am renaming the existing id_dsa.pub to authorized_keys as we wont be needing the ida_dsa.pub file. In linux moving a file is a shortcut for renaming a file.
    cd /home/<user>/.ssh
    mv ida_dsa.pub authorized_keys
    Thats it we have finished copying both public and private keys.
    You can also delete id_dsa and id_dsa.pub in your server
    Thats it! All you need to do is just connect to server to see whether it works.
    Final Steps

    Start Putty > Enter IP > New Port, then load the private key SSH > Auth > Browse Private Key for Authentication

    Then connect and once you enter the user name the putty would authenticate yourself with public key authentication.
    Once you find public key authentication working properly you can safely disable the password authentication inside ssh configuration file.
    Note: If you have used passphrase (other than empty) you might be asked for the passphrase you used while generating the keys
    Frequently Asked Questions

    I am getting error "Server refused our key" while connecting to server?

    It could be caused by unwanted line breaks while copying the public key from puttygen to server. Try generating the public/private key from the server instead of generating the public/private key pair from puttygen.
    برای پیش رفت در علم آسانسوری وجود ندارد پله ها را باید پیاده رفت /./ همیشه این یادتان باشد که دست بالای دست بسیار است.
    يادمان باشد براي يك بار ايستادن صد ها بار افتاده ايم /./ بک آپ مهمترین رمز موفقیت هاستینگ /./ امنیت مطلق نیست.
    ارتباط مستقیم با من :
    Admin -{(@)}- WebHostingTalk . ir

  2. تعداد تشکر ها ازVahid به دلیل پست مفید


  3. # ADS




     

  4. #2
    کاربر اخراج شده
    تاریخ عضویت
    Aug 2008
    محل سکونت
    Tehran
    نوشته ها
    186
    تشکر تشکر کرده 
    48
    تشکر تشکر شده 
    607
    تشکر شده در
    444 پست

    پیش فرض

    خیلی خوب که در چک امنیت csf هم بهش پیشنهاد شده

  5. تعداد تشکر ها از KamranOnline به دلیل پست مفید


اطلاعات موضوع

کاربرانی که در حال مشاهده این موضوع هستند

در حال حاضر 1 کاربر در حال مشاهده این موضوع است. (0 کاربران و 1 مهمان ها)

مجوز های ارسال و ویرایش

  • شما نمیتوانید موضوع جدیدی ارسال کنید
  • شما امکان ارسال پاسخ را ندارید
  • شما نمیتوانید فایل پیوست کنید.
  • شما نمیتوانید پست های خود را ویرایش کنید
  •