
Enhance SSH service security on Linux instances

Last Updated: Dec 24, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Introduction

This article describes how to optimize the security configuration of the SSH service in Linux instances.

Background

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

Note: If you modify the port or other settings, your current logon method will no longer work. Therefore, proceed with caution.

  1. Modify the connection port in the SSH service configuration file. We recommend that you use a non-standard port. You can specify any port in the range of 1024 to 65535.
    Note: The path of the SSH service configuration file is /etc/ssh/sshd_config.
    Port 22022
  2. Modify the SSH service configuration file to prevent the root user from logging on to the system through SSH. We recommend that you log on as a common (non-root) user and then switch to the root account.
    PermitRootLogin no
  3. After you modify the configuration file, restart the SSH service for the changes to take effect.
    /etc/init.d/sshd restart
  4. Modify the /etc/hosts.deny configuration file to deny SSH connections from all IP addresses.
    sshd:all:deny
  5. Modify the /etc/hosts.allow configuration file to allow SSH connections from the specified IP address only.
    sshd:XXX.XXX.XXX.XXX:allow
  6. After the configuration is complete, confirm that you can log on to the system only as a common user, from the specified source IP address, and over the specified SSH port. After you log on, run the su command to switch to the root user.
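The following shell script is an added example that is not part of this article: it applies steps 1 to 5 to files whose paths are passed in, so the edits can be rehearsed against a scratch copy of sshd_config before touching /etc, and it includes the check a practitioner would run before restarting sshd. The function names, the sample sshd_config and the address 203.0.113.10 are constructed for the example. It relies on two properties of sshd_config: directive keywords are case-insensitive, and for a given keyword the first value sshd reads wins, so a commented default such as "#Port 22" has to be rewritten in place rather than appended after.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud article). All paths are parameters,
# so the functions can be tried on copies before being pointed at /etc.

# set_sshd_option FILE KEY VALUE
# Rewrite the first global KEY line (commented or not) as "KEY VALUE" and drop
# later duplicates. Lines inside a Match block are left alone because a
# directive there is scoped to that block. If KEY is absent, prepend it so it
# stays global (anything placed after a Match block would not be).
set_sshd_option() {
  file="$1"; key="$2"; value="$3"; tmp="$file.tmp"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
    awk -v key="$key" -v value="$value" '
      /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
      in_match { print; next }
      {
        line = $0
        sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
        split(line, f, /[[:space:]]+/)
        if (tolower(f[1]) == tolower(key)) {
          if (!done) { print key " " value; done = 1 }
          next
        }
        print
      }' "$file" > "$tmp"
  else
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# effective_option FILE KEY
# Print the value sshd would use for KEY: the first uncommented global line.
effective_option() {
  awk -v key="$2" '
    /^[[:space:]]*Match[[:space:]]/ { exit }
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# check_sshd_config FILE
# Succeed only when both hardening settings from the article are in effect:
# a port in 1024-65535 and PermitRootLogin no.
check_sshd_config() {
  port=$(effective_option "$1" Port)
  root=$(effective_option "$1" PermitRootLogin)
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] && [ "$root" = no ]
}

# write_tcp_wrappers ALLOW_FILE DENY_FILE ADDRESS...
# hosts.deny refuses sshd to everyone; hosts.allow (consulted first) lists the
# source addresses that may still connect.
write_tcp_wrappers() {
  allow="$1"; deny="$2"; shift 2
  printf 'sshd:all:deny\n' > "$deny"
  : > "$allow"
  for addr in "$@"; do
    printf 'sshd:%s:allow\n' "$addr" >> "$allow"
  done
}

# demo: run the whole procedure against a constructed sshd_config in a
# temporary directory and show the resulting files.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/sshd_config" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
  set_sshd_option "$dir/sshd_config" Port 22022
  set_sshd_option "$dir/sshd_config" PermitRootLogin no
  write_tcp_wrappers "$dir/hosts.allow" "$dir/hosts.deny" 203.0.113.10
  check_sshd_config "$dir/sshd_config" || { echo "hardening check failed" >&2; return 1; }
  for f in sshd_config hosts.allow hosts.deny; do
    echo "== $f"; cat "$dir/$f"
  done
  rm -rf "$dir"
}

demo
```

Before restarting the service, validate the real file with `sshd -t` (it exits non-zero on a syntax error, which would otherwise leave you locked out once the old session closes), and on systemd-based images use `systemctl restart sshd` (`ssh` on Debian-based systems) where `/etc/init.d/sshd` no longer exists. Two further caveats: the new port must also be permitted in the instance's security group or host firewall, and hosts.allow/hosts.deny only take effect if sshd was built with TCP Wrappers (libwrap) support, which OpenSSH dropped upstream in version 6.7, so on current distributions the source-address restriction is better enforced with the security group or with a `Match Address` block in sshd_config.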

Application scope

  • Elastic Compute Service