Debian10 configuring SSH services

1, Introduction

SSH (Secure Shell) security shell protocol is a security protocol designed to provide security for remote login sessions and other network services, such as our common Telnet protocol and ftp protocol. They all use plaintext transmission. Data is easy to be monitored and vulnerable to man in the middle attacks. ssh is a security protocol created at the application layer and transport layer, During data transmission, the transmitted data packet can be encrypted.


(1) In the version number negotiation stage, SSH currently includes SSH1 and SSH2. Both parties determine the version to be used through version negotiation
(2) In the key and algorithm negotiation stage, SSH supports a variety of encryption algorithms. Both parties negotiate the final algorithm according to the algorithms supported by the local end and the opposite end
(3) In the authentication stage, the SSH client sends an authentication request to the server, and the server authenticates the client
(4) In the session request phase, after the authentication is passed, the client sends a session request to the server
(5) In the interactive session stage, after the session request is passed, the server and the client interact with each other

Security verification method:

(1) Password based security authentication: you can log in to the target host through the account and password
(2) Key based security verification: first generate a "key pair" locally and then transfer the public key to the server for a match

Install: apt get install SSH

Default port: 22

Server main configuration file: / etc/ssh/sshd.conf

Customer service main configuration file: / etc/ssh/ssh.conf

Check whether to install: server -- status all | grep SSH

All configuration files are parsed last

2, Connect to xsell7 using password authentication

vim /etc/ssh/sshd.conf

The port is changed to 2021


Open allow root user login

Enable password authentication (turn it off if key authentication is enabled)

Remember to restart ssh service after modification!!!

systemctl enable sshd.conf                                //Start and start ssh service

systemctl stop sshd.conf                                //Stop ssh service

systemctl restart sshd.conf                              //Restart ssh service

systemctl status sshd.conf                                //View ssh service status



After entering the password, you can log in

  3, Use of key security authentication

1. Install SSH and listen on the work port in 19210

Here's a look. There are more 6010 in my process because we use Xshell connection.

  Just comment this out. Remember to restart the service after modifying the configuration file!!!

After we quit Xshell, there was no 6010 process

2. After allowing ssh access to the network, all other host requests should be rejected

Modify the configuration files / etc/hosts.allow and / etc/hosts.deny to remotely restrict an IP and an IP address to allow or deny access to Linux SSH, FTP, telnet and other services, where / etc/hosts.allow indicates the IP allowed to access and / etc/hosts.deny indicates the IP denied to access. Remember that hosts.deny has higher priority than hosts.allow.

Add these two at the bottom of the file.

Let's try whether the ip can be accessed on machines in the same network segment.

3. Only user user01 is allowed to log in without password with secret key, and other users refuse to log in (including root user)

useradd -m user01                 // Create a user01 user and its user home directory

 vim /etc/ssh/sshd.conf

Annotate PasswordAuthentication yes and permitrotlogin yes to the dot

  Cancel the comments on these two articles

Add this one


  Both machines use SSH keygen - t RSA to generate keys. Just enter

Using ssh user01@ -p 19210

4, Profile resolution


#  Commonly used
Port 22			#  Port number
AddressFamily any	#  Specify which address protocol to use (default: any, IPv4: IPv4 only, IPv6: IPv6 only)
ListenAddress	#  Listening address ( means all addresses)
ListenAddress ::		#  Listening address (IPv6 address)
Protocol 2		#  Specify the protocol version of SSH, 1 or 2 (if you need to support both, just use commas to separate them, such as 1, 2)
LogLevel INFO		#  Log level (quiet, fat, error, info, verbose, debug, debug1, debug2, and debug3)
UserDNS no		#  Disable DNS reverse resolution

#  User related
PermitRootLogin no		#  Disable root login
PermitEmptyPasswords no 	#  Prohibit users with blank passwords from logging in
LoginGraceTime 2m	#  The login verification time is 2 minutes
MaxAuthTries 6 		#  Maximum number of retries: 6
AllowUsers steven	#  Only steven users are allowed to log in
DenyUsers steven	#  Login user steven is not allowed

#  verification
PasswordAuthentication yes	#  Enable password authentication (if configuring key login, this item needs to be turned off)
PubkeyAuthentication yes		#  Enable key authentication
RSAAuthentication yes		#  Security verification using RSA algorithm
AuthorizedKeysFile      .ssh/authorized_keys		#  Specify the public key database file (for key login)


Host *			#  Valid hosts (multiple hosts can be separated by spaces, "*" indicates all hosts)
ForwardAgent no	#  Is the connection forwarded to the remote computer through proxy authentication (if yes)
ForwardX11 no	#  Connections are automatically redirected to secure channels and display sets
RhostsRSAAuthentication no	#  rhosts based security authentication without RSA algorithm (Version 1 only)
RSAAuthentication yes		#  Security verification using RSA algorithm
PasswordAuthentication yes	#  Use password authentication
HostbasedAuthentication no	#  Similar to RhostsRSAAuthentication (used by version 2).
GSSAPIAuthentication no		#  Whether GSSAPI based user authentication is allowed (the default value is "yes", which is only used for version 2)
BatchMode no			#  If it is "yes", the prompt of password / password will be disabled
CheckHostIP yes			#  Set whether SSH checks the IP address of the host connected to the server to prevent DNS spoofing (it is recommended to set it to "yes")
AddressFamily any		#  Specify which address protocol to use (default: any, IPv4: IPv4 only, IPv6: IPv6 only)
ConnectTimeout 0		#  Set connection timeout
StrictHostKeyChecking ask       #  If it is set to "yes", the computer's key will not be automatically added to the "HOME/.ssh/known_hosts" file, and the connection will be rejected once the computer's key changes
IdentityFile ~/.ssh/identity	#  Sets the file from which the user's RSA Security Authentication ID is read
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_ecdsa
IdentityFile ~/.ssh/id_ed25519
Port 22			#  Set port number
Protocol 2		#  Specify the protocol version of SSH, 1 or 2 (if you need to support both, just use commas to separate them, such as 1, 2)
Cipher 3des		#  Set password for encryption
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc	#  Specify the encryption algorithm used by version 2 (multiple algorithms are separated by commas)
MACs hmac-md5,hmac-sha1,,hmac-ripemd160	#  Specify which message digest algorithms are allowed to be used in version 2 for data verification


sshd:          // Allow this network to access ssh services
#sshd:10.1.82.*             // Allow 10.1.82. * this network segment to access ssh services
#in.telnetd:     // Allow this ip to be accessed through Telnet service
#in.Telnetd:10.1.82.*     // Allow 10.1.82. * this network segment can be accessed through Telnet service
#all:            // Allow this ip address to log in to the linux server remotely from any server
#all:10.1.82.*             // similar


sshd:all	Prohibit all ip Can't pass ssh Sign in linux The server
#in.telnet:all 		// Prohibit all ip addresses from logging in to the linux server through telnet
#all: all 			// Prohibit all ip addresses from logging in to the linux server through any service

  In fact, there are still a lot to write, but I really can't roll my child. I really want to sleep. That's it.

Tags: Linux Operation & Maintenance ssh server debian

Posted on Sat, 20 Nov 2021 21:07:22 -0500 by SlimSlyk