vi /etc/ssh/sshd_config
1. Change the default port (use a non-standard port)
Port <port>
2. Restrict the listening IP (bind only to the internal network / a specific IP)
ListenAddress 192.168.1.10
3. Disable root login
PermitRootLogin no
Administrators log in as a normal user and then su to root, or work through sudo.
4. Disallow logins with empty passwords
PermitEmptyPasswords no
5. Restrict which users and groups may log in
AllowUsers <user1> <user2> <user3>
AllowGroups <group>
#DenyUsers *
DenyGroups no-ssh
By default every account may log in; where an account matches both an Allow and a Deny directive, Deny wins.
(DenyUsers * is left commented out: sshd evaluates DenyUsers before AllowUsers, so enabling it would refuse every account, and anything not listed in AllowUsers/AllowGroups is rejected already.)
6. Set up public-key authentication and require RSA/DSA keys
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
Make sure the user's ~/.ssh directory has mode 700, then put the user's public key into ~/.ssh/authorized_keys. The key pair is generated with ssh-keygen.
7. Use only SSHv2
Protocol 2
8. Apply different login settings to particular users or groups; the example below turns off password login for somebody and handsomebody
Match User somebody,handsomebody
    PasswordAuthentication no

Use TCP wrappers to restrict source IPs
# vim /etc/hosts.deny
sshd: ALL
# vim /etc/hosts.allow
sshd: 192.168.1 1.2.3.4    (allows 192.168.1.* and 1.2.3.4 to connect)
9. Use iptables to restrict source IPs
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
These rules are lost at reboot; save them into the iptables configuration.
10. Rate-limit new SSH connections with iptables
iptables can limit how many new SSH connections are accepted per unit of time; the unit in the examples below can be any of /second, /minute, /hour or /day.
First example: after someone enters a wrong password they must wait a minute before they can connect to SSH again, that is, only one new connection attempt per minute is accepted.
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
Second example: only the host 193.180.177.13 may connect to SSH, and after a failed attempt iptables lets it try again only once per minute.
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
11. Check file permissions and refuse login when they are unsafe
StrictModes yes
This keeps a permission mistake from being exploited: if a user's ~/.ssh/authorized_keys is mode 666, for example, anyone else on the system could write to it.
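As an added example (not from the original post), here is the permission check that StrictModes performs, written as a shell function so it can be run against a home directory before the option is turned on. It assumes GNU coreutils (stat -c), i.e. a Linux host like the one in the post, and uses a throwaway directory constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: the permission check that
# StrictModes performs, as a stand-alone function. Assumes GNU coreutils
# (stat -c), i.e. a Linux host like the one in the post.

# ssh_perm_check HOME_DIR
# Fails (exit 1) if the home directory, ~/.ssh or ~/.ssh/authorized_keys is
# writable by group or others; that is the condition under which sshd with
# StrictModes yes refuses key authentication. Missing paths are skipped.
ssh_perm_check() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c %a "$p")          # e.g. 700 or 666 (octal digits)
        # mask 022 = group-write and other-write bits; 0$mode forces octal
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $p: mode $mode is group/world writable"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway home directory with the 666 authorized_keys
# mentioned above, then the corrected 700/600 layout.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
mkdir -p "$DEMO_HOME/.ssh"
touch "$DEMO_HOME/.ssh/authorized_keys"
chmod 755 "$DEMO_HOME"
chmod 700 "$DEMO_HOME/.ssh"
chmod 666 "$DEMO_HOME/.ssh/authorized_keys"
ssh_perm_check "$DEMO_HOME" || echo "-> any local user could add a key here"
chmod 600 "$DEMO_HOME/.ssh/authorized_keys"
ssh_perm_check "$DEMO_HOME" && echo "OK: $DEMO_HOME passes the StrictModes check"
```

The function returns non-zero on the first directory or file that is group- or world-writable, which is the same condition sshd logs as "bad ownership or modes" before rejecting the key.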
12. Display a banner before the user logs in (it is said to warn off intruders...? mostly it just tells whoever connects who they are dealing with... = =a)
Banner /etc/ssh/banner    # path to a text file
13. su/sudo
# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL = (ALL) ALL
# gpasswd -a user1 wheel
14. SSH user allow-list via PAM
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo <username> >> /etc/ssh_users
15. Prevent SSH sessions from timing out (so PuTTY SSH connections are not dropped)
Edit /etc/ssh/sshd_config:
#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
Remove the leading # and give ClientAliveInterval a value greater than 0 (0 leaves the server-side keepalive disabled) ==> save
# service sshd restart    ==> restart sshd
Alternatively, change the connection settings in PieTTY / PuTTY:
Select Connection and set "Seconds between keepalives [0 to turn off]" to a value greater than 0; leaving it at 0 or empty means the session can still time out.