Tuesday, November 30, 2010

Linux system ssh security settings Guide

If you still use telnet instead of ssh, change that now: ssh should replace telnet for every remote login.

Sniffing network traffic to pick up clear-text passwords is trivial at any time, so you should use encrypted protocols. Right now, run apt-get install ssh on your system. Encourage every user of the system to use ssh instead of telnet, or go further and uninstall telnet/telnetd. You should also avoid logging in as root over ssh; log in as a normal user and use su or sudo to become root instead. Finally, the sshd_config file in /etc/ssh should be modified as follows to improve security:

- ListenAddress 192.168.0.1: make ssh listen only on the given interface, in case you have several interfaces (and do not want ssh reachable on all of them) or will add a new network card later (and do not want ssh connections arriving through it).
- PermitRootLogin no: do not allow root to log in directly. Anyone who wants to become root via ssh now needs two logins, and the root password can no longer be brute-forced through ssh.
- Port 666: change the listening port so that an intruder cannot be completely sure whether an sshd daemon is running (be warned, this is only security by obscurity).
- PermitEmptyPasswords no: empty passwords make a mockery of system security.
- AllowUsers alex ref me@somewhere: allow only the listed users to reach this host via ssh. The user@host form can also be used to allow a given user only from a given host.
- AllowGroups wheel admin: allow only members of the listed groups to reach the host via ssh.
- AllowGroups and AllowUsers have equivalent directives for denying access; not surprisingly, they are called "DenyUsers" and "DenyGroups".
- PasswordAuthentication yes: this is entirely your choice. It is more secure to allow only key-based logins via the user's ~/.ssh/authorized_keys file; if you want that, set it to "no".
- Disable every authentication method you do not really need, for example RhostsRSAAuthentication, HostbasedAuthentication, KerberosAuthentication or RhostsAuthentication; disable them explicitly even if they are off by default (see the sshd_config(5) manual page).
- Protocol 2: disable protocol version 1, since it has design flaws that make password cracking easier. For more information see the ssh protocol problem reports or the Xforce advisory.
- Banner /etc/some_file: show a banner (read from a file) to users connecting to the ssh server. In some countries a warning shown before login, stating that unauthorized access is prohibited or that users are monitored, is required for legal protection.
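As an added example (not part of the original post), a small POSIX shell script that audits an sshd_config file against the directives above. It assumes the sshd rule that the first occurrence of a directive wins and that lines after a "Match" block are conditional; the sample config it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# directives the post recommends. sshd honours the FIRST occurrence of a directive,
# and directives after a "Match" line are conditional, so reading stops there.

# Print the effective global value of a directive (case-insensitive), or
# nothing if it is not set before any Match block.
sshd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }' "$1"
}

# Check one directive against the expected value. Prints a verdict line and
# returns 1 on a mismatch or when the directive is absent (default applies).
sshd_check() {  # $1 = config file, $2 = directive, $3 = expected value
    actual=$(sshd_get "$1" "$2")
    if [ -z "$actual" ]; then
        echo "WARN  $2 not set (want $3; compiled-in default applies)"; return 1
    elif [ "$actual" != "$3" ]; then
        echo "FAIL  $2 $actual (want $3)"; return 1
    fi
    echo "ok    $2 $actual"
}

# Apply the checks from the post; the exit status is the number of findings.
sshd_audit() {  # $1 = config file
    n=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no Protocol=2 \
                PasswordAuthentication=no HostbasedAuthentication=no; do
        sshd_check "$1" "${pair%%=*}" "${pair#*=}" || n=$((n + 1))
    done
    return "$n"
}

# Constructed sample: a half-hardened file with a commented-out line and a
# Match block whose setting must not count as the global value.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 666
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
Protocol 2
Match Address 192.168.0.0/24
    PasswordAuthentication no
EOF
sshd_audit "$SAMPLE_CONF" || echo "findings: $?"
rm -f "$SAMPLE_CONF"
```

Run it against /etc/ssh/sshd_config to see which of the post's settings are still at their defaults; the exit status of sshd_audit is the number of findings.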
