

Introduction

OpenSSH (or Secure SHell) has become a de facto standard for remote access, replacing the telnet protocol. SSH has made protocols such as telnet redundant due, in most part, to the fact that the connection is encrypted and passwords are no longer sent in plain text for all to see.

However, a default installation of ssh isn't perfect, and when running an ssh server there are a few simple steps that can dramatically harden an installation.

Use Strong Passwords

One of the first things you'll notice if you have ssh running and exposed to the outside world is that you'll probably log attempts by hackers to guess your username/password. Typically a hacker will scan for port 22 (the default port on which ssh listens) to find machines with ssh running, and then attempt a brute-force attack against it. With strong passwords in place, hopefully any attack will be logged and noticed before it can succeed.

Hopefully you already use strong passwords, but if you do not, then try to choose passwords that contain special characters such as ! " £ $ % ^ etc. The benefits of strong passwords aren't specific to ssh, but have an impact on all aspects of system security. Further information on passwords can be found in the CentOS documentation.

If you absolutely can't prevent your users choosing weak passwords, then consider using randomly generated or difficult-to-guess usernames for your user accounts. If the bad guys can't guess the username then they can't brute-force the password. However, this is still security through obscurity, and be aware of information leakage of usernames from things such as email sent from user accounts.

Use Public/Private Keys for Authentication

Disable Root Logins

SSH server settings are stored in the /etc/ssh/sshd_config file. To disable root logins, make sure you have the following entry:

If you need root access, log in as a normal user and use the su command.

Limit User Logins

SSH logins can be limited to only certain users who need remote access. If you have many user accounts on the system then it makes sense to limit remote access to only those that really need it, thus limiting the impact of a casual user having a weak password. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config. For example:

Disable Protocol 1

SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the /etc/ssh/sshd_config file, uncomment it and amend as shown:

Use a Non-Standard Port

By default, ssh listens for incoming connections on port 22. For a hacker to determine whether ssh is running on your machine, he'll most likely scan port 22. An effective method is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. Many people choose 2222 as an alternative port (as it's easy to remember), just as 8080 is often known as the alternative HTTP port. For this very reason, it's probably not the best choice, as any hacker scanning port 22 will likely also be scanning port 2222 just for good measure. It's better to pick some random high port that's not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file:

Then restart the sshd service. Don't forget to then make any necessary changes to port forwarding in your router and any applicable firewall rules. For example, on CentOS 7 (and higher) you can change firewalld's ssh service by making a duplicate of its service file in /etc/firewalld/ and changing its port line:

$ cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-custom.xml

Then change the port line in /etc/firewalld/services/ssh-custom.xml so the port is the same as in the ssh config file:

Lastly, remove the ssh service, add the ssh-custom service, and reload firewalld for the change to take effect:

$ firewall-cmd --permanent --remove-service='ssh'
$ firewall-cmd --permanent --add-service='ssh-custom'
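The sshd_config settings discussed above (root logins, AllowUsers, protocol 1, the listening port) can be audited before a restart. The script below is an added example, not code from the CentOS wiki; it assumes the standard OpenSSH directive names PermitRootLogin, AllowUsers, Protocol and Port, and the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the CentOS wiki page: audit an sshd_config for the
# settings discussed above. The sample configs below are constructed for the demo.

# Effective value of a directive. sshd skips comment lines, matches keywords
# case-insensitively and, for each keyword, keeps the FIRST value it reads.
sshd_effective() {                       # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# One line per weakness found; the exit status is the number of findings (0 = clean).
audit_sshd_config() {
    cfg="$1"; n=0
    root="$(sshd_effective "$cfg" PermitRootLogin)"
    [ "$root" = no ] || { echo "PermitRootLogin is '${root:-unset}': set 'PermitRootLogin no'"; n=$((n+1)); }
    users="$(sshd_effective "$cfg" AllowUsers)"
    [ -n "$users" ] || { echo "AllowUsers unset: any account on the system may log in remotely"; n=$((n+1)); }
    proto="$(sshd_effective "$cfg" Protocol)"
    case "$proto" in *1*) echo "Protocol '$proto' still allows protocol 1: set 'Protocol 2'"; n=$((n+1));; esac
    port="$(sshd_effective "$cfg" Port)"
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "Port is ${port:-22} (the default): pick an unused high port"; n=$((n+1)); }
    return "$n"
}

# Constructed samples: a near-default CentOS config and a hardened one.
DEMO_DIR="$(mktemp -d)"; trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CFG="$DEMO_DIR/sshd_config.weak"; HARD_CFG="$DEMO_DIR/sshd_config.hard"
cat > "$WEAK_CFG" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 48217
Protocol 2
PermitRootLogin no
AllowUsers alice bob
# the duplicate below is ignored by sshd: the first value wins
PermitRootLogin yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"; audit_sshd_config "$f" || echo "   $? finding(s)"
done
```

Run it against /etc/ssh/sshd_config on a real host by calling audit_sshd_config with that path; a non-zero exit status means at least one of the settings above is still at its default.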
