Restrictions on logged-in users
Edit the configuration file of the SSH service
Modify the content of this line to prohibit Root users from logging in using SSH
#PermitRootLogin yes remove the # sign and change yes to no.
Add the following content, only allow the following users and user groups to log in using SSH
Add the following content, only forbid the following users and user groups to use SSH login,
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
After modifying the configuration file, the SSH service must be restarted to take effect
Restrictions on login IP
Modify the configuration file
Add the following content to set the IP allowed to log in
Modify the configuration file
Add the following content to reject all IP login
After completing the above two steps, we ban all IPs, but allow related IPs to log in.
Login with certificate
- Generate public and private keys
ssh-keygen -t rsa -f /root/.ssh/id_rsaThe key type is determined by the SSH protocol. SSH1 can only use RSA encryption, and SSH2 supports RSA and DSA algorithms
- Register the public key on the server
vim /root/.ssh/authorized_keysEdit this file on the server and copy the content of the public key to the file
- Turn on certificate authentication on the server and turn off password login
Edit the sshd-config file and modify the following content
1 2 3 4
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys RSAAuthentication yes PasswordAuthentication no
- The client logs in to the ssh server through the private key
ssh -i /root/.ssh/id_rsa [email protected]<ssh_server_ip> -p portThe path of the private key can be set in
/etc/ssh/ssh_config IdentityFile ~/.ssh/id_rsa,so you don’t need to specify the path every time you log in
Other configuration of sshd_config file
Protocol 2 Select ssh protocol version
AddressFamily Specifies which address family should be used by sshd(8). The value range is: "any" (default), "inet" (IPv4 only), and "inet6" (IPv6 only).
ListenAddress Specify the network address that sshd(8) listens to. By default, it listens to all addresses. You can use multiple ListenAddress to listen to multiple addresses. The format is like ListenAddress host|IPv4_addr:port
#LogLevel INFO Set the log level, INFO is the default level
#LoginGraceTime 2m Restricted users must be successfully authenticated within the specified time limit, 0 means unlimited. The default value is 120 seconds.
AllowGroups Followed by a list of group names separated by spaces (the "*" and "?" wildcards can be used). All groups are allowed to log in by default. If this command is used, only members of these groups will be allowed to log in, and all other groups will be denied. "Group" refers to the "main group" and GID cannot be used
AllowTcpForwarding Whether to allow TCP forwarding, the default value is "yes". Disabling TCP forwarding does not enhance security, unless users are prohibited from accessing the shell, because users can install their own forwarders.
AllowUsers Followed by a list of user names separated by spaces (the "*" and "?" wildcards can be used). All users are allowed to log in by default. If this command is used, then only these users will be allowed to log in, and all other users will be denied.
#ClientAliveInterval 0 When the timeout is disconnected, the message is requested from the client every few seconds, and the default is 0 not to send. #ClientAliveCountMax 3 The client disconnected without responding to the request more than 3 times
PubkeyAuthentication yes Enable public-private key pairing authentication method, which can only be used for SSH-2 AuthorizedKeysFile .ssh/authorized_keys Set the PublicKey file path, if there are multiple public keys, add them directly RSAAuthentication yes Allow RSA keys PasswordAuthentication no Now that you have a certificate to log in, disable password login
Banner Display the contents of the file specified by this command to the remote user before the user is authenticated. This feature can only be used in SSH-2, and nothing is displayed by default. "none" means that this feature is disabled.
AcceptEnv Specify which environment variables sent by the client will be passed to the session environment. Only the SSH-2 protocol supports the transfer of environment variables, and the value of the instruction is a list of variable names separated by spaces (you can use'*' and'?' as wildcards). Multiple AcceptEnv can also be used. For details, refer to the SendEnv configuration command in ssh_config(5).
Ciphers Specifies the encryption algorithm allowed by SSH-2. Use commas to separate multiple algorithms. The algorithms that can be used are as follows: "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc", "arcfour128 ", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc" The default value is that all the above algorithms can be used.