Application of SSH access control policy in Linux SysOps

The application of SSH access control policy in Linux SysOps, the specific code examples are as follows:

In Linux system operation and maintenance, SSH (Secure Shell) is a kind of encryption The remote login protocol is widely used in remote server management. However, due to the loose default configuration of SSH, there may be security risks. In order to strengthen the security of the system, we need to configure and manage access control policies for SSH. This article will introduce the application of SSH access control policies and provide specific code examples.

1. Disable SSH root user login:

By default, SSH allows the root user to log in with a password, which brings risks to the security of the system. In order to improve the security of the system, we should disable root user login through SSH. By modifying the SSH configuration file /etc/ssh/sshd_config, find the PermitRootLogin option in the file and change its value to no.

Sample code:

sudo nano /etc/ssh/sshd_config

Change PermitRootLogin to no, save and exit.

2. Disable password login and only allow public key login:

In order to increase the security of the system, we can also disable password login and only allow public key login. By using public key authentication, you can avoid the risk of password guessing or brute force attacks. In order to configure public key authentication, you need to generate a public/private key pair on the server and add the public key to the ~/.ssh/authorized_keys file.

Sample code:
First, generate a public/private key pair locally:

ssh-keygen -t rsa

Follow the prompts to set the file storage path and password (optional).

Then, copy the public key to the remote server:

ssh-copy-id user@remote_server_ip

Replace user with the username you want to log in to on the remote server, remote_server_ip Replace with the IP address of the remote server.

Finally, log back into the SSH server:

ssh user@remote_server_ip

This will automatically authenticate using the public key without entering a password.

3. Restrict SSH login to a specific IP range:

In order to further strengthen the access control of the system, we can restrict SSH login to only a specific IP range. By modifying the SSH configuration file /etc/ssh/sshd_config, you can configure the AllowUsers option to restrict specific users to only log in from a specific IP address range.

Sample code:

sudo nano /etc/ssh/sshd_config

Find the AllowUsers option in the file and add the specific username and IP range.

For example, to restrict user user1 to only log in from the host with the IP address 192.168.0.0/24:

AllowUsers user1@192.168.0.*

Save and exit the configuration file .

4. Use a firewall to control SSH access:

In addition to access control in the SSH configuration file, we can also use a firewall to control SSH access. By configuring firewall rules, we can restrict specific IP addresses and ports from accessing the SSH service.

Sample code:
Use the iptables command to configure firewall rules:

sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

The meaning of the above code is to allow from 192.168.0.0/24IP addresses in the network segment access the SSH service and deny access from other IP addresses.

Finally, apply the firewall rules:

sudo iptables-save > /etc/sysconfig/iptables
sudo systemctl restart iptables

In this way, we use the firewall to restrict SSH access.

Summary:

We can enhance the security of the system by disabling root logins, disabling password logins, restricting SSH logins to specific IP ranges, and using firewalls to control SSH access. For Linux SysOps, SSH access control policy is an important security measure. Through the code examples provided in this article, I hope it can help you better configure and manage SSH access control policies.

The above is the detailed content of Application of SSH access control policy in Linux SysOps. For more information, please follow other related articles on the PHP Chinese website!