مرکز آموزش

For WHM version 11.28

Restricting and properly configuring SSH access will go a long way towards securing your server.

The SSH Configuration File

You can find the SSH configuration file at /etc/ssh/sshd_config

To edit this file, you will need to log into your server as the root user. Once you have logged into your normal user account via SSH, you can become the root user by using the su command. For example:

user@example.com [~]# su -
Password:
root@host [~]#

Editing the SSH Configuration File

To change specific parameters within sshd_config, you need to uncomment the line by removing the number-sign (#) and changing the value for the line. For example, the default SSH port appears in a line like this:

#Port 22

To change the SSH port to 456, you will need to make the line appear like this:

Port 456

Recommended Changes to sshd_config

* Port - The port number on which sshd listens for connections. We recommend picking any 4 or 5 digit number. The highest acceptable value is 49151.
* Protocol - The SSH protocol your server will use. We recommend changing this value to 2.
* Listen Address - The IP address on which sshd listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom nameserver entry specifically for the new SSH IP address. To do so, you will need to create the zone file (for example, ssh.example.com) and add an A entry to the zone file the for the new nameserver entry.
* PermitRootLogin - This option specifies whether or not you wish to allow people to directly log in via SSH as the root user. We strongly recommend that you set this value to no.

After you are finished configuring SSH, you will need to restart the SSH daemon. You can do so by issuing the following command: /etc/init.d/sshd restart

After you restart SSH, you will need to log out of your server and log in again using the proper user, IP address, and port number you specified in sshd_config.

If you accidentally misconfigure your SSH configuration file, you can access the following link to run a script on your server: https://example.com/scripts2/doautofixer?autofix=safesshrestart

This script will temporarily configure an additional SSH configuration file for port 23, allowing you to access, edit, and fix the original SSH configuration file.

Example sshd_config File

ALERT! Warning: Do not copy the the example file below and attempt to use it on your server - it will result in a broken SSH configuration. This file is only an example.

Show... Hide

# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 3456
Protocol 2
#AddressFamily any
ListenAddress 192.168.0.1
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

#PermitEmptyPasswords no
#PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
#PasswordAuthentication no

# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Setting anSSH Legal Message

An SSH legal message (message of the day or motd) appears whenever someone logs into your server via SSH. This message is contained within the following file: /etc/motd

To set a legal message, use your preferred text editor to edit the file and save your changes. For example, one of our technical analysts uses the following message:

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Use SSH Keys

You can use WHM's Main >> Security Center >> SSH Password Authorization Tweak feature to disable password authentication. Disabling password authentication forces users to login via SSH using keys rather than passwords.

افزودن به مورد علاقه ها

چاپ این مقاله