vi /etc/ssh/sshd_config ; _$ A* W& V: P
; x4 j% S' t) H8 v1 J1.靽格寥閮 port (舐典銵憭 port)
# A+ p/ E8 G& c* a: qPort <port>
& `: n' @4 B# a% Z! G: f- A: v L
% T& |( W: Y6 q+ }2.賜孵 ip (拍冽澆蝬脣/憭 IP 敶)# V7 X/ }) c5 Q; P5 B% |+ a
ListenAddress 192.168.1.108 r7 k1 Q1 m4 m+ `0 V. q
! W0 Q, p7 ?$ Q9 _# L0 g0 y3.蝳甇 root 餃( e* j6 u/ b. T. A6 H
PermitRootLogin no" Q* c$ |, e! a
蝞∠敹隞亙鈭箏董餃伐 su root嚗拍 sudo 撌乩" j& @2 k4 p9 w' i4 F6 m3 l s
# }) c8 Q9 K1 Y3 j ?4.蝳甇V蝙函征撖蝣潛餃
/ H. Y, O5 ?: I) GPermitEmptyPasswords no$ x5 l* E9 ` g! \
8 k$ D4 W5 p+ B5.閮望蝯孵撣唾蝢斤餃& D! m! W$ I$ n8 S1 Z
AllowUsers <user1> <user2> <user3>, G. e7 n0 K/ j' E
AllowGroups <group>
$ M7 Z# o- F: f& Y0 ^ h5 MDenyUsers *3 B( k# S5 M" U* O; t
DenyGroups no-ssh
' l( s+ v9 U$ N: a0 E& w寞撖阡嚗撠澆銝撣唾閮嚗憒 Allow 頝 Deny 閰梧蝯 Deny
6 n3 p1 \. q: R, L& ^9 G
: B1 T; v; F! R6.撱a文蝣潛駁嚗撘瑁翰雿輻 RSA/DSA 撽霅3 n5 N# b4 ?. J0 E% _
RSAAuthentication yes. j# \; ~- ^! x% o; F$ m5 Z! [
PubkeyAuthentication yes
" u7 e, P6 z8 L* aAuthorizedKeysFile %h/.ssh/authorized_keys K+ |' c7 S3 l; _
PasswordAuthentication no9 [# L4 k3 `& m) }% g0 T: Y* ^" h
銝衣Ⅱ靽 user ~/.ssh 甈 700嚗撠閰 user public key 亙 ~/.ssh/authorized_keys 銝准Public key Y孵舀撠 ssh-keygen- l- Q+ t% @+ X- h
3 b8 g/ F0 l4 e1 L
7.閮 SSHv2
, i4 L# N/ \# {& ~0 e2 e5 W9 f4 ]Protocol 2
9 b, \1 p {2 t8 U. U" W( l- S: H9 k6 }
% J6 T1 v1 Z$ Z1 c+ [/ {8.嗥孵雿輻刻蝢斤銝餅雿餃亥綽鋆∩誑 somebody handsomebody 銝臭蝙典蝣潛餃亦箔- w) t/ |1 ~/ ^. }
Match User somebody,handsomebody
3 @! ^% B1 k8 `7 v, wPasswordAuthentication no雿輻 TCP wrappers 嗡皞 IP6 A) o; v8 W+ n' Y
# vim /etc/hosts.deny
! X. T" I# O8 t' E3 {! V8 Dsshd: ALL
4 A8 v) D: V- T/ u1 ]( v# vim /etc/hosts.allow) V7 @' Y- C9 k$ G+ v8 S# w
sshd: 192.168.1 1.2.3.4 # 閮 192.168.1.* 1.2.3.4 蝺
8 Z# h5 c4 g1 @0 @* w/ [3 H9 r6 W
: I# B2 ]; A, x7 @6 e2 x9.雿輻 iptables 嗡皞 IP
; b) s6 M) m8 o# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT; }4 y% O4 R6 C+ {: Z& u0 M
# iptables -A INPUT -p tcp --dport 22 -j DROP
8 k$ c# p! s0 x- [" g5 ^# c閮剖蝡喟嚗亙璈敺賭摮嚗閬脣 iptables 閮剖
/ Q y' ^& t7 T8 n
9 {/ |0 p# l3 |# U10.摰
# t9 ~3 y5 z+ c, j' T雿臭誑雿輻其iptables訾嗅訕SH伐霈嗅其孵蝭批臭誑伐嗡銝賡乓雿臭誑其Y隞颱靘摮銝凋蝙 /second/minute/hour /day + i. [4 D! h5 t3 x ^) U9 e
蝚砌靘摮嚗憒銝冽嗉撓乩航炊撖蝣潘摰銝找閮勗刻赤SSH嚗璅瘥冽嗅其批芾賢閰虫甈∠駁% z1 B' R& b7 A
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
7 u# ?: F9 ?' Q2 s3 P, G! H" v& m. S # iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
8 k% Y6 T3 h. g* Y" h4 k蝚砌靘摮嚗閮剔蔭iptables芸閮曹蜓璈193.180.177.13亙訕SH嚗典閰虫甈∪仃駁詨嚗iptables閮梯府銝餅瘥閰虫甈∠駁
! B# h2 {$ {$ a, N' o # iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT, l/ f/ w% z& |9 n R
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
' V4 L; c" O0 s2 l. T) x4 K, c5 l' P- {8 U `4 p S
11.瑼X亦賊瑼獢甈嚗銝摰典銝閮梁餃0 b, o- j. r3 q7 F
StrictModes yes
0 f! x! v) ?' |6 `+ E鈭賊瑼獢甈閮剖交航炊嚗航賡摰冽折◢芥憒雿輻刻 ~/.ssh/authorized_keys 甈亦 666嚗航賡嗡鈭箏臭誑典董% C( l( C. K5 |' \7 M; e2 K
9 x, f6 t! }! Y! o; e. G' f12.芾雿輻刻餃交憿舐內 banner (閰梯牧頝摰冽扳隞暻潮靽...? 憭扳臭誑函冗鈭斗孵頝憯鈭箏...= =a)
0 T2 Z$ w s p& yBanner /etc/ssh/banner # 隞餅摮瑼
/ M$ j' J9 N L5 ^
8 o& U( I6 u' D& s4 q& |; ]13. su/sudo $ u) p, r3 ^' x$ V) @: m4 E$ j8 l. M S* T
# vi /etc/pam.d/su
9 G. _/ B9 c; C7 F( \ auth required /lib/security/$ISA/pam_wheel.so use_uid
' u+ |( X5 y4 g# visudo- q- } u$ `( _0 L: }; u, O& k
%wheel ALL = (ALL) ALL" {3 y. m* g) b) d9 i' x
# gpasswd -a user1 wheel8 e( {- V) o$ k( n9 J" N# z
$ K% h. {1 V9 I' K
14. ssh 雿輻刻
8 m9 _' a2 ]+ @# t# vi /etc/pam.d/sshd6 u" y! B4 P! q, m% K
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail6 R( d& G/ e& }8 q1 B' s5 h
# echo <username> >> /etc/ssh_users
. \' K$ ]4 X9 x+ _ ] G15.脫迫SSH蝺暹(timeout),霈PuTTY SSH 銝港蝺: }7 Z% i3 o# D) Z7 o! c$ {5 O
靽格/etc/ssh/sshd_config
2 _ _9 p8 C0 {5 w! j#TCPKeepAlive yes; O3 J6 x8 z3 l8 @; y' P, h
#ClientAliveInterval 0& P) @: f* y/ V% v
#ClientAliveCountMax 3, }& w$ \0 |8 S- _% `6 d# s S; q* R
撠#踵==>摮瑼
% w6 ~' c/ m' Q" \#service ssd restart ==>sshd
- F2 R4 x$ ]1 Z4 b: C, F0 e2 ] 乩靘靽格 Pietty 賂脣PuTTY 蝺閮剖:6 G$ Y' ^$ E, X, ~
豢Connection殷撠Seconds between keepalives [0 to turn off]喲甈雿頛詨交撟曄嚗喲銝null撠隞乩蝺9 o5 X2 N! N# N4 n
6 A. u2 e( b* o5 n% {: S
|
|
潸” 2015-12-28 10:28:36
嗉
鈭
霈
