How to Secure the SSH access

1> Default Port

The default port is 22, you might change to other port, such as 2222

Edit the configuration file /etc/ssh/sshd.conf. and change the following:

#Port 22
to
Port 2222

2> Configure ssh private/public key with private passphrase enable (As the amazon way)


ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/johndoe/.ssh/id_rsa):
/home/johndoe/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/johndoe/.ssh/id_rsa.
Your public key has been saved in /home/johndoe/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:fMKdGYWBTW0R4V4EUFN6X39Xcg2xLZKJ/ffGyE0QdMc johndoe@xxx.xxx
The key's randomart image is:
+---[RSA 2048]----+
|         ++*OBBoo|
|        . o=o* *E|
|          o.B B *|
|       o . = = *+|
|        S = . . B|
|         o   . *+|
|              o =|
|               . |
|                 |
+----[SHA256]-----+

cat id_rsa.pub >> authorized_keys


AuthorizedKeysFile .ssh/authorized_
# To disable tunneled clear text passwords, change to no here!
# PasswordAuthentication yes
#PermitEmptyPasswords no
# EC2 uses keys for remote access
PasswordAuthentication no

PubkeyAuthentication yes

Subsystem sftp internal-sftp
Match group xxxxx
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Comments

Post a Comment

Popular posts from this blog

VIOS TIPs

HMC image locates: /extra/viosimages/2.2.3.4 To install VIO server from HMC: installios To erase the previous setting: installios -u hscroot@P7504HMC:~> cat /etc/nimol.conf # nimol.conf file NIMOL_SERVER 9.22.217.30 ORIGINAL_FILES_DIR /var/tmp/nimol_original RPCBIND_STARTED yes NFS_STARTED yes REMOTE_ACCESS_METHOD /usr/bin/rsh NIMOL_TFTPBOOT /tftpboot TFTP_ENABLED yes REMOTE_SYSLOG_ENABLED yes HMC_SYSLOG_CONF_MODIFIED yes NIMOL_SYSLOG_FACILITY local2 NIMOL_SUBNET 9.22.217.0 NIMOL_BOOTREPLYD yes LABEL default1 /extra/default1 processing hscroot@P7504HMC:~>  installios -F -e -R default1 Logging session output to /tmp/installios.24173.log. nimol_config WARNING: error from command /bin/awk nimol_config MESSAGE: Executed /usr/sbin/exportfs -ua. nimol_config MESSAGE: Executed /usr/sbin/exportfs -a. nimol_config MESSAGE: Removed /tftpboot/default1.chrp.mp.ent. nimol_config MESSAGE: Removed /extra/default1. nimol_config MESSAGE: Removed "LABEL def...
Read more

Configure Solaris 10 LDOM on Solaris 11.4

root@comglv1:~# ldm add-memory 16G htcsun1 root@comglv1: # zfs destroy zones cannot destroy 'zones': operation does not apply to pools use 'zfs destroy -r zones' to destroy all datasets in the pool use 'zpool destroy zones' to destroy the pool itself root@comglv1: # zfs destroy -r zones root@comglv1: # zpool create LDOM mirror c0t5000CCA03C0E89D8d0s0 c0t5000CCA03C2F3BB4d0s0 root@comglv1: # zfs create LDOM/htcsun1 root@comglv1: # zfs create -V 150g LDOM/htcsun1/disk0 root@comglv1: # ldm rm-vdisk vdisk0 htcsun1 root@comglv1: # ldm rm-vdsdev htcsun1-vd0@primary-vds0 root@comglv1: # ldm rm-vdsdev  vol0@primary-vds0 root@comglv1: # ldm rm-vdsdev iso@primary-vds0 root@comglv1: # add-vdsdev options=ro sol-10-u11-ga-sparc-dvd.iso htcsun1-iso@primary-vds0 root@comglv1: # ldm add-vdsdev /dev/zvol/dsk/LDOM/htcsun1/disk0 htcsun1-vd0@primary-vds0 root@comglv1: # ldm add-vdisk vdisk0 htcsun1-vd0@primary-vds0 htcsun1...
Read more

HA in Linux is pretty easy

NOTICE: -- Very important: Please do NOT FAT FINGER. Check your IP address/hostname correct first before configuring PCS. If any service(s) do(es) not startup correctly, please check the service log under /var/log/cluster or /var/log/pcsd. systemctl -xe does not help at all 1> Install PCS  yum isntall pcs -y 2>  Configure PCS. Please run the following commands on ALL nodes: systemctl start pcsd systemctl enable pcsd passwd hacluster 3> Configure PCS, Run he following commands on ONE node: pcs cluster auth <NODE-1> <NODE-2> <...> pcs cluster setup --name <CLUSTER_NAME> <NODE-1> <NODE-2> <...> pcs cluster start --all pcs cluster enable --all pcs resource create virtual_ip ocf:heartbeat:IPaddr2 ip=<IP_ADDR> cidr_netmask=32 op monitor interval=30s pcs resource create <APPLICATION_MON> ocf:heartbeat:nginx configfile=/etc/nginx/nginx.conf op monitor timeout="5s" interval="5s"  ...
Read more