Ero sivun ”Ssh/en” versioiden välillä
(Ak: Uusi sivu: In this file you will find the important configurations of the ssh server.) |
|||
| (22 välissä olevaa versiota samalta käyttäjältä ei näytetä) | |||
| Rivi 17: | Rivi 17: | ||
In this file you will find the important configurations of the ssh server. | In this file you will find the important configurations of the ssh server. | ||
| − | + | We modify it with nano. | |
[[nano]] /etc/ssh/sshd_config | [[nano]] /etc/ssh/sshd_config | ||
| − | + | Port (TCP, UDP) is defined with a number (22 by default). | |
Port 22 | Port 22 | ||
| − | + | Login timeout, defined as seconds (120 by default). | |
LoginGraceTime 120 | LoginGraceTime 120 | ||
| − | + | We allow or prevent logging as the root user while using SSH. Define "yes" or "no" (yes by default). '''It is highly recommended that you prevent logging into root while using SSH.''' | |
| − | ''' | ||
PermitRootLogin yes | PermitRootLogin yes | ||
| − | + | The total amount of unauthenticated connections allowed. Defined [at least]:[probability%]:[at most] | |
| − | ( | + | (probability% grows linearly, as we approach the highest amount [at most]) |
MaxStartups 10:30:60 | MaxStartups 10:30:60 | ||
| − | + | When uncommented (without '#' preceding the line), this prints a message as a user logs in (after inputting the username). | |
Banner /etc/issue.net | Banner /etc/issue.net | ||
| − | + | You can modify the message using nano. | |
nano /etc/issue.net | nano /etc/issue.net | ||
| − | + | Message displayed after login: | |
[[nano]] /etc/motd | [[nano]] /etc/motd | ||
| − | + | Default message: | |
The programs included with the Debian GNU/Linux system are free software; | The programs included with the Debian GNU/Linux system are free software; | ||
| Rivi 56: | Rivi 55: | ||
| − | + | In the end we apply the modified configuration by restarting the ssh service. | |
service ssh restart | service ssh restart | ||
| − | + | It is recommended to install [[Fail2ban]] on an SSH-server, as there are automatic bots out there who will try to force their way inside your SSH server. [[Fail2ban]] keeps them out. | |
| − | == | + | == Additional settings == |
| − | + | Highest amount of sessions per user | |
MaxSessions 10 | MaxSessions 10 | ||
| − | + | Allow user matti to log in using SSH. | |
AllowUsers matti | AllowUsers matti | ||
| − | + | Allow a certain user or users to log in from a specific LAN. | |
AllowUsers root@''88.148.222.100'' | AllowUsers root@''88.148.222.100'' | ||
AllowUsers root@''example.com'' | AllowUsers root@''example.com'' | ||
| − | AllowUsers root@''192.168.*.*'' | + | AllowUsers root@''192.168.*.*'' in this example everybody from the address space 192.168.0.0/16 are allowed to log in |
| − | + | Prevent user paavo from logging in with SSH. | |
| − | DenyUsers | + | DenyUsers paavo |
| − | + | Allow users in a group to log in with SSH. | |
AllowGroups Admins | AllowGroups Admins | ||
| − | + | Prevent users in a group to log in with SSH. | |
DenyGroups | DenyGroups | ||
| − | == | + | == Authentication using keys == |
Nykyinen versio 1. heinäkuuta 2015 kello 05.25
SSH is a practical remote control service for Linux.
SSH (Secure Shell) is also a protocol, but in this article we cover the apt package named ssh.
Sisällysluettelo
Installation
We install the ssh package with aptitude.
aptitude install ssh
Configuration
/etc/ssh/sshd_config
In this file you will find the important configurations of the ssh server.
We modify it with nano.
nano /etc/ssh/sshd_config
Port (TCP, UDP) is defined with a number (22 by default).
Port 22
Login timeout, defined as seconds (120 by default).
LoginGraceTime 120
We allow or prevent logging as the root user while using SSH. Define "yes" or "no" (yes by default). It is highly recommended that you prevent logging into root while using SSH.
PermitRootLogin yes
The total amount of unauthenticated connections allowed. Defined [at least]:[probability%]:[at most] (probability% grows linearly, as we approach the highest amount [at most])
MaxStartups 10:30:60
When uncommented (without '#' preceding the line), this prints a message as a user logs in (after inputting the username).
Banner /etc/issue.net
You can modify the message using nano.
nano /etc/issue.net
Message displayed after login:
nano /etc/motd
Default message:
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
In the end we apply the modified configuration by restarting the ssh service.
service ssh restart
It is recommended to install Fail2ban on an SSH-server, as there are automatic bots out there who will try to force their way inside your SSH server. Fail2ban keeps them out.
Additional settings
Highest amount of sessions per user
MaxSessions 10
Allow user matti to log in using SSH.
AllowUsers matti
Allow a certain user or users to log in from a specific LAN.
AllowUsers root@88.148.222.100 AllowUsers root@example.com AllowUsers root@192.168.*.* in this example everybody from the address space 192.168.0.0/16 are allowed to log in
Prevent user paavo from logging in with SSH.
DenyUsers paavo
Allow users in a group to log in with SSH.
AllowGroups Admins
Prevent users in a group to log in with SSH.
DenyGroups
