{"id":68,"date":"2014-09-19T04:32:00","date_gmt":"2014-09-19T04:32:00","guid":{"rendered":"http:\/\/onlinelab.info\/2014\/09\/19\/top-20-openssh-server-best-security-practices\/"},"modified":"2014-09-19T04:32:00","modified_gmt":"2014-09-19T04:32:00","slug":"top-20-openssh-server-best-security-practices","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2014\/09\/19\/top-20-openssh-server-best-security-practices\/","title":{"rendered":"Top 20 OpenSSH Server Best Security Practices"},"content":{"rendered":"<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">OpenSSH is the standard implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is ideal for maintaining the confidentiality and integrity of data exchanged between two networks or systems. Its main advantage, however, is server authentication through the use of public key cryptography. From time to time there are&nbsp;<a href=\"http:\/\/isc.sans.org\/diary.html?storyid=6742\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">rumors<\/a>&nbsp;about an OpenSSH&nbsp;<a href=\"http:\/\/www.h-online.com\/security\/OpenSSH-zero-day-exploit-rumours-not-confirmed--\/news\/113731\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">zero-day<\/a>&nbsp;exploit. 
Here are a few things you need to tweak in order to improve OpenSSH server security.<br style=\"margin: 0px; padding: 0px;\" \/><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Default Config Files and SSH Port<\/h2>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/etc\/ssh\/sshd_config&nbsp;<\/strong>&#8211; OpenSSH server configuration file.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/etc\/ssh\/ssh_config<\/strong>&nbsp;&#8211; OpenSSH client configuration file.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">~\/.ssh\/<\/strong>&nbsp;&#8211; Per-user ssh configuration directory.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">~\/.ssh\/authorized_keys<\/strong>&nbsp;or&nbsp;<strong style=\"margin: 0px; padding: 0px;\">~\/.ssh\/authorized_keys2<\/strong>&nbsp;&#8211; Lists the public keys (RSA or DSA) that can be used to log into the user\u2019s account.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/etc\/nologin<\/strong>&nbsp;&#8211; If this file exists, sshd refuses to let anyone except root log in.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">\/etc\/hosts.allow<\/strong>&nbsp;and&nbsp;<strong style=\"margin: 0px; padding: 0px;\">\/etc\/hosts.deny<\/strong>&nbsp;&#8211; Access control lists enforced by tcp-wrappers are defined here.<\/li>\n<li 
style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">SSH default port&nbsp;<\/strong>&#8211; TCP 22<\/li>\n<\/ul>\n<div style=\"background-color: white; border: 0px none rgb(221, 221, 221); clear: both; color: #111111; float: none; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; font-style: italic; line-height: 21.9939994812012px; margin: 0px auto 1.571em; padding: 0px; text-align: center; width: 600px;\"><a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-unix-bsd-openssh-server-best-practices.html\/ssh-session\" rel=\"attachment wp-att-5556 noopener\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" alt=\"SSH Session in Action\" class=\"size-full wp-image-5556\" height=\"365\" src=\"http:\/\/files.cyberciti.biz\/uploads\/tips\/2009\/07\/ssh-session.png\" style=\"border: 0px; margin: 0px; padding: 0px;\" title=\"SSH Session in Action\" width=\"590\" \/><\/a>\n<div style=\"font-size: 0.857em; line-height: 1.5em; padding: 0px;\">SSH Session in Action<\/div>\n<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#1: Disable OpenSSH Server<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the sshd server. 
CentOS \/ RHEL \/ Fedora Linux users can disable and remove openssh-server with the yum command:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># chkconfig sshd off<br style=\"margin: 0px; padding: 0px;\" \/># yum erase openssh-server<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Debian \/ Ubuntu Linux users can disable and remove it with the apt-get command:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># apt-get remove openssh-server<\/code><br style=\"margin: 0px; padding: 0px;\" \/>You may also need to update your iptables script to remove the ssh exception rule. Under CentOS \/ RHEL \/ Fedora, edit the files \/etc\/sysconfig\/iptables and \/etc\/sysconfig\/ip6tables. 
Once done,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-rhel-linux-open-port-using-iptables\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">restart the iptables<\/a>&nbsp;service:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># service iptables restart<br style=\"margin: 0px; padding: 0px;\" \/># service ip6tables restart<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#2: Only Use SSH Protocol 2<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle attacks and has other known security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. 
Open the sshd_config file and make sure the following line exists:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">Protocol 2<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#3: Limit Users&#8217; SSH Access<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">By default, all system users can log in via SSH using their password or public key. Sometimes you create a UNIX \/ Linux user account for ftp or email purposes only. However, those users can still log in to the system using ssh. They will have full access to system tools, including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated PHP script, and an attacker was able to create a new account on the system via that script. 
However, the attacker failed to get into the box via ssh because the account wasn&#8217;t in AllowUsers.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To allow only the users root, vivek and jerry to use the system via SSH, add the following to sshd_config:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">AllowUsers root vivek jerry<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Alternatively, you can allow all users to log in via SSH but deny only a few users, with the following line:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">DenyUsers saroj anjali foo<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can also&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">configure Linux PAM<\/a>&nbsp;to allow or deny login via the sshd server. 
You can also allow or deny ssh access by&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/openssh-deny-or-restrict-access-to-users-and-groups.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">group name<\/a>.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#4: Configure Idle Log Out Timeout Interval<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">ClientAliveInterval 300<br \/>ClientAliveCountMax 0<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">This sets an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). 
See&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-login-bash-shell-force-time-outs\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">how to automatically log BASH \/ TCSH \/ SSH users<\/a>&nbsp;out after a period of inactivity for more details.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#5: Disable .rhosts Files<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Don&#8217;t read the user&#8217;s ~\/.rhosts and ~\/.shosts files. Update sshd_config with the following settings:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">IgnoreRhosts yes<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#6: Disable Host-Based Authentication<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To disable host-based 
authentication, update sshd_config with the following option:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">HostbasedAuthentication no<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#7: Disable root Login via SSH<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. 
To disable root login via SSH, update sshd_config with the following line:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">PermitRootLogin no<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">However, Bob made an&nbsp;<a href=\"http:\/\/archives.neohapsis.com\/archives\/openbsd\/2005-03\/2878.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">excellent<\/a>&nbsp;point:<\/div>\n<blockquote style=\"background-color: white; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; color: #666666; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 0.786em; padding: 0px 0px 0px 0.786em;\">\n<div style=\"margin-bottom: 1.571em; padding: 0px;\">Saying &#8220;don&#8217;t login as root&#8221; is h******t. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You&#8217;d get your password spoofed but not root&#8217;s pw. Gimme a break. This is 2005 &#8211; We have ssh, used properly it&#8217;s secure. Used improperly none of this 1989 will make a damn bit of difference. 
-Bob<\/div>\n<\/blockquote>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#8: Enable a Warning Banner<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Set a warning banner by updating sshd_config with the following line:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">Banner \/etc\/issue<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Sample \/etc\/issue file:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">----------------------------------------------------------------------------------------------<br \/>You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.<br \/>By using this IS (which includes any device attached to this IS), you consent to the following conditions:<br \/>+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,<br \/>penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),<br \/>law 
enforcement (LE), and counterintelligence (CI) investigations.<br \/>+ At any time, the XYZG may inspect and seize data stored on this IS.<br \/>+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,<br \/>interception, and search, and may be disclosed or used for any XYZG authorized purpose.<br \/>+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not<br \/>for your personal benefit or privacy.<br \/>+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching<br \/>or monitoring of the content of privileged communications, or work product, related to personal representation<br \/>or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work<br \/>product are private and confidential. See User Agreement for details.<br \/>----------------------------------------------------------------------------------------------<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The above is a standard sample; consult your legal team for the exact user agreement and legal notice wording.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#8: Firewall SSH Port # 22<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You need to firewall ssh port 22 by updating your iptables or pf firewall configuration. 
Usually, the OpenSSH server should accept connections only from your LAN or from specific remote WAN sites.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Netfilter (Iptables) Configuration<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Update \/etc\/sysconfig\/iptables (a Red Hat and derivatives specific file) to accept connections only from 192.168.1.0\/24 and 202.54.1.5\/29, enter:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">-A RH-Firewall-1-INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT<br \/>-A RH-Firewall-1-INPUT -s 202.54.1.5\/29 -m state --state NEW -p tcp --dport 22 -j 
ACCEPT<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If you run a dual-stacked sshd with IPv6, edit \/etc\/sysconfig\/ip6tables (a Red Hat and derivatives specific file), enter:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">-A RH-Firewall-1-INPUT -s ipv6network::\/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Replace ipv6network::\/ipv6mask with your actual IPv6 ranges.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">*BSD PF Firewall Configuration<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If you are using the PF firewall, update&nbsp;<a href=\"http:\/\/bash.cyberciti.biz\/firewall\/pf-firewall-script\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">\/etc\/pf.conf<\/a>&nbsp;as follows:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 
'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">pass in on $ext_if inet proto tcp from {192.168.1.0\/24, 202.54.1.5\/29} to $ssh_server_ip port ssh flags S\/SA synproxy state<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#9: Change SSH Port and Limit IP Binding<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">By default, SSH listens on all available interfaces and IP addresses on the system. Limit the addresses sshd binds to and change the ssh port (by default, brute-forcing scripts only try to connect to port 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">Port 300<br \/>ListenAddress 192.168.1.5<br \/>ListenAddress 202.54.1.5<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; 
padding: 0px;\">A better approach is to use proactive tools such as fail2ban or denyhosts (see below).<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#10: Use Strong SSH Passwords and Passphrases<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">It cannot be stressed enough how important it is to use strong user passwords and strong passphrases for your keys. Brute-force attacks work because users choose dictionary-based passwords. You can force users to avoid&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-check-passwords-against-a-dictionary-attack.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">passwords that fail a dictionary<\/a>&nbsp;check and use the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/unix-linux-password-cracking-john-the-ripper\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">john the ripper tool<\/a>&nbsp;to find existing weak passwords. 
Here is a sample random password generator (put in your ~\/.bashrc):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">genpasswd<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">(<\/span><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">)<\/span> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span><br \/> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">local<\/span> <span style=\"color: #007800; margin: 0px; padding: 0px;\">l=<\/span>$<span style=\"color: black; margin: 0px; padding: 0px;\">1<\/span><br \/>        <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">[<\/span> <span style=\"color: red; margin: 0px; padding: 0px;\">\"$l\"<\/span> == <span style=\"color: red; margin: 0px; padding: 0px;\">\"\"<\/span> <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">]<\/span> &amp;&amp; <span style=\"color: #007800; margin: 0px; padding: 0px;\">l=<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">20<\/span><br \/>       <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">tr<\/span> -<span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">dc<\/span> A-Za-z0-9_ &lt; \/dev\/urandom | <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">head<\/span> -c <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>l<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> | <span style=\"color: #c20cb9; font-weight: bold; margin: 
0px; padding: 0px;\">xargs<\/span><br \/><span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Run it:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">genpasswd 16<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Output:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">uw8CnDVMwC6vOKgW<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#11: Use Public Key Based Authentication<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Use a public\/private key pair with a passphrase protecting the private key. 
See how to use&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/ssh-public-key-based-authentication-how-to.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">RSA<\/a>&nbsp;and&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/ssh-password-less-login-with-dsa-publickey-authentication\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">DSA key<\/a>&nbsp;based authentication. Never ever use a passphrase-free (unprotected) key for login.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#12: Use Keychain Based Authentication<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to set up and use the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/ssh-passwordless-login-with-keychain-for-scripts\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">keychain software<\/a>.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#13: Chroot SSHD (Lock Down Users To Their Home Directories)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">By default, users are allowed to browse server directories such as \/etc\/, \/bin and so on. 
You can protect ssh using an OS-based chroot or&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-linux-install-configure-rssh-shell.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\">special tools such as rssh<\/a>. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See&nbsp;<a href=\"http:\/\/www.debian-administration.org\/articles\/590\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">this blog post<\/a>&nbsp;about the new ChrootDirectory directive that locks users into their home directories.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#14: Use TCP Wrappers<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">TCP Wrapper is a host-based networking ACL system used to filter network access to Internet services. OpenSSH supports TCP wrappers. 
Just update your \/etc\/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">sshd : 192.168.1.2 172.16.23.12 <\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See this&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/tcp-wrappers-hosts-allow-deny-tutorial\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">FAQ about setting up and using TCP wrappers<\/a>&nbsp;under Linux \/ Mac OS X and UNIX-like operating systems.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#15: Disable Empty Passwords<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">PermitEmptyPasswords no<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, 
sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#16: Thwart SSH Crackers (Brute Force Attack)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed computer network. To prevent brute force attacks against SSH, use one of the following tools:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/faq\/block-ssh-attacks-with-denyhosts\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">DenyHosts<\/a>&nbsp;is a Python-based security tool for SSH servers. 
It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">See how to set up&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-linux-block-ssh-dictionary-brute-force-attacks\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">DenyHosts<\/a>&nbsp;under RHEL \/ Fedora and CentOS Linux.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.fail2ban.org\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Fail2ban<\/a>&nbsp;is a similar program that prevents brute force attacks against SSH.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/sshguard.sourceforge.net\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">security\/sshguard-pf<\/a>&nbsp;protects hosts from brute force attacks against ssh and other services using pf.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/sshguard.sourceforge.net\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">security\/sshguard-ipfw<\/a>&nbsp;protects hosts from brute force attacks against ssh and other services using ipfw.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/sshguard.sourceforge.net\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">security\/sshguard-ipfilter<\/a>&nbsp;protects hosts from brute force attacks against ssh and other services using ipfilter.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.bsdconsulting.no\/tools\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">security\/sshblock<\/a>&nbsp;blocks abusive SSH login attempts.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/anp.ath.cx\/sshit\/\" 
style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">security\/sshit<\/a>&nbsp;checks for SSH\/FTP brute force attempts and blocks the offending IPs.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.aczoom.com\/cms\/blockhosts\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">BlockHosts<\/a>: automatic blocking of abusive IP hosts.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/blinkeye.ch\/dokuwiki\/doku.php\/projects\/blacklist\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Blacklist<\/a>: gets rid of those brute force attempts.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.rfxn.com\/projects\/brute-force-detection\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Brute Force Detection<\/a>: a modular shell script for parsing application logs and checking for authentication failures. 
It does this using a rules system in which application-specific options are stored, including regular expressions for each unique auth format.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"https:\/\/savannah.nongnu.org\/projects\/ipqbdb\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">IPQ BDB filter<\/a>: may be considered a fail2ban lite.<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#17: Rate-limit Incoming Port # 22 Connections<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Both netfilter and pf provide rate-limit options to perform simple throttling of incoming connections on port # 22.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Iptables Example<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The following example will drop incoming connections from any source that makes more than 5 connection attempts to port 22 within 60 seconds:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: grey; font-style: italic; margin: 0px; padding: 
0px;\">#!\/bin\/bash<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">inet_if=<\/span>eth1<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">ssh_port=<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">22<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -I INPUT -p tcp --dport <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ssh_port<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state NEW -m recent  --<span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">set<\/span><br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -I INPUT -p tcp --dport <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ssh_port<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state NEW -m recent  --update --seconds <span style=\"color: black; margin: 0px; padding: 0px;\">60<\/span> --hitcount <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span> -j DROP<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; 
margin-bottom: 1.571em; padding: 0px;\">Call the above script from your iptables scripts. Another configuration option:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT  -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --dport <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ssh_port<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state NEW -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">3<\/span>\/min --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">3<\/span> -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT  -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --dport <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ssh_port<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state ESTABLISHED -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A OUTPUT -o <span style=\"color: #007800; 
margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -p tcp --sport <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>ssh_port<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state ESTABLISHED -j ACCEPT<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># another one line example<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># <span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -i <span style=\"color: #007800; margin: 0px; padding: 0px;\">$<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">{<\/span>inet_if<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">}<\/span><\/span> -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">22<\/span> -m limit --limit <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>\/minute --limit-burst <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span> -j ACCEPT<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See the iptables man page for more details.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">*BSD PF Example<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; 
font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The following will limit the maximum number of connections per source to 20 and rate-limit the number of new connections to 15 in a 5 second span. If anyone breaks these rules, add them to the abusive_ips table and block them from making any further connections. Finally, the flush keyword kills all states created by the matching rule which originate from the host that exceeded these limits.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #007800; margin: 0px; padding: 0px;\">sshd_server_ip=<\/span><span style=\"color: red; margin: 0px; padding: 0px;\">\"202.54.1.5\"<\/span><br \/>table &lt;abusive_ips&gt; persist<br \/>block <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> quick from &lt;abusive_ips&gt;<br \/>pass <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">in<\/span> on <span style=\"color: #007800; margin: 0px; padding: 0px;\">$ext_if<\/span> proto tcp to <span style=\"color: #007800; margin: 0px; padding: 0px;\">$sshd_server_ip<\/span> port <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">ssh<\/span> flags S\/SA keep state <span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">(<\/span>max-src-conn <span style=\"color: black; margin: 0px; padding: 0px;\">20<\/span>, max-src-conn-rate <span style=\"color: black; margin: 0px; padding: 0px;\">15<\/span>\/<span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span>, overload &lt;abusive_ips&gt; flush<span style=\"color: #7a0874; font-weight: bold; margin: 0px; padding: 0px;\">)<\/span><\/pre>\n<h2 style=\"background-color: 
white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#18: Use Port Knocking<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\"><a href=\"http:\/\/en.wikipedia.org\/wiki\/Port_knocking\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Port knocking<\/a>&nbsp;is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port knocking setup for ssh using iptables:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -N stage1<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A stage1 -m recent --remove --name knock<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A stage1 -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">3456<\/span> -m recent --<span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">set<\/span> --name knock2<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -N stage2<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A stage2 -m recent --remove --name knock2<br \/><span 
style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A stage2 -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">2345<\/span> -m recent --<span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">set<\/span> --name heaven<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -N door<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A door -m recent --rcheck --seconds <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span> --name knock2 -j stage2<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A door -m recent --rcheck --seconds <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span> --name knock -j stage1<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A door -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">1234<\/span> -m recent --<span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">set<\/span> --name knock<br \/>&nbsp;<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">22<\/span> -m recent --rcheck --seconds <span style=\"color: black; margin: 0px; padding: 0px;\">5<\/span> --name heaven -j ACCEPT<br \/><span style=\"color: #007800; margin: 0px; padding: 0px;\">$IPT<\/span> -A INPUT -p tcp --syn -j door<\/pre>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.cipherdyne.org\/fwknop\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" 
target=\"_blank\" rel=\"noopener\">fwknop<\/a>&nbsp;is an implementation that combines port knocking and passive OS fingerprinting.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.debian-administration.org\/articles\/268\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Multiple-port knocking<\/a>: a Netfilter\/iptables-only implementation.<\/li>\n<\/ul>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#19: Use Log Analyzer<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Read your logs using&nbsp;<a href=\"http:\/\/nixcraft.com\/linux-software\/477-howto-linux-monitor-logfiles.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">logwatch<\/a>&nbsp;or&nbsp;<a href=\"http:\/\/logcheck.org\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">logcheck<\/a>. These tools make log reading easier: they go through your logs for a given period of time and produce a report on the areas you choose, at the level of detail you choose. 
Make sure LogLevel is set to INFO or DEBUG in sshd_config:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">LogLevel INFO<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#20: Patch OpenSSH and Operating Systems<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">It is recommended that you use tools such as&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-centos-fedora-linux-yum-command-howto\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">yum<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-debian-package-management-cheat-sheet.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">apt-get<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/howto-keep-freebsd-system-upto-date.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">freebsd-update<\/a>&nbsp;and others to keep systems up to date with the latest security patches.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Other Options<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 
0px;\">To hide the OpenSSH version, you need to modify the source code and recompile OpenSSH. Make sure the following options are enabled in sshd_config:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># Turn on privilege separation<br \/>UsePrivilegeSeparation yes<br \/># Prevent the use of insecure home directory and key file permissions<br \/>StrictModes yes<br \/># Turn on reverse name checking<br \/>VerifyReverseMapping yes<br \/># Do you need port forwarding?<br \/>AllowTcpForwarding no<br \/>X11Forwarding no<br \/># Specifies whether password authentication is allowed. The default is yes.<br \/>PasswordAuthentication no<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Verify your&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/checking-openssh-sshd-configuration-syntax-errors.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">sshd_config file before<\/a>&nbsp;restarting \/ reloading to apply the changes:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># \/usr\/sbin\/sshd -t<\/code><\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; 
padding: 0px;\">Tighter SSH security with&nbsp;<a href=\"http:\/\/www.linuxjournal.com\/article\/8957\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">two-factor<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/calomel.org\/openssh.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">three-factor (or more)<\/a>&nbsp;authentication.<\/div>\n<h4 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px; padding: 0px;\">References:<\/h4>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">The&nbsp;<a href=\"http:\/\/www.openssh.com\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">official OpenSSH<\/a>&nbsp;project.<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Forum thread:&nbsp;<a href=\"http:\/\/nixcraft.com\/networking-firewalls-security\/726-failed-ssh-login-attempts-how-avoid-brute-ssh-attacks.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Failed SSH login attempts<\/a>&nbsp;and how to avoid brute ssh attacks<\/li>\n<li style=\"margin: 0px; padding: 0px;\">man pages sshd_config, ssh_config, tcpd, yum, and apt-get.<\/li>\n<\/ol>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If you have a technique or handy software not mentioned here, please share in the comments below to help your fellow readers keep their openssh based server secure.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSH is the implementation of the SSH 
protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-68","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/68","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":0,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}