vi /etc/ssh/sshd_config
F9 q: W' F# T% G1 U9 @
1.靽格寥閮 port (舐典銵憭 port)
Port <port>
2.賜孵 ip (拍冽澆蝬脣/憭 IP 敶)
ListenAddress 192.168.1.10
Y' t# z% t" A: R/ Y8 }* t1 o
3.蝳甇 root 餃
PermitRootLogin no
蝞∠敹隞亙鈭箏董餃伐 su root嚗拍 sudo 撌乩
4.蝳甇V蝙函征撖蝣潛餃
PermitEmptyPasswords no
- V9 z( I. s- ^$ p
5.閮望蝯孵撣唾蝢斤餃
AllowUsers <user1> <user2> <user3>
AllowGroups <group>
DenyUsers *
DenyGroups no-ssh
寞撖阡嚗撠澆銝撣唾閮嚗憒 Allow 頝 Deny 閰梧蝯 Deny
(Because sshd evaluates DenyUsers before AllowUsers and a Deny match is final, the `DenyUsers *` example above refuses every login, the AllowUsers accounts included; list only the accounts to block there, or omit the line, since AllowUsers already rejects everyone not listed.)
/ Z2 V) p/ H; H( ~( D( K T
6.撱a文蝣潛駁嚗撘瑁翰雿輻 RSA/DSA 撽霅
RSAAuthentication yes
# RSAAuthentication applied only to SSH protocol 1 and current OpenSSH ignores it; PubkeyAuthentication is the directive that matters.
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
銝衣Ⅱ靽 user ~/.ssh 甈 700嚗撠閰 user public key 亙 ~/.ssh/authorized_keys 銝准Public key Y孵舀撠 ssh-keygen
7.閮 SSHv2
Protocol 2
8 O& O) F2 S" g; g
8.嗥孵雿輻刻蝢斤銝餅雿餃亥綽鋆∩誑 somebody handsomebody 銝臭蝙典蝣潛餃亦箔
Match User somebody,handsomebody
PasswordAuthentication no

雿輻 TCP wrappers 嗡皞 IP
# vim /etc/hosts.deny
sshd: ALL
# vim /etc/hosts.allow
# 閮 192.168.1.* 1.2.3.4 蝺
# (hosts_access treats # as a comment only at line start; the trailing dot makes 192.168.1. a network prefix, without it the entry would only match a host literally named 192.168.1)
sshd: 192.168.1. 1.2.3.4
0 f9 Z& D1 N$ P, O9 \
9.雿輻 iptables 嗡皞 IP
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
閮剖蝡喟嚗亙璈敺賭摮嚗閬脣 iptables 閮剖
6 p& D+ a% T3 q7 K5 q: [
10.摰
雿臭誑雿輻其iptables訾嗅訕SH伐霈嗅其孵蝭批臭誑伐嗡銝賡乓雿臭誑其Y隞颱靘摮銝凋蝙 /second/minute/hour /day
蝚砌靘摮嚗憒銝冽嗉撓乩航炊撖蝣潘摰銝找閮勗刻赤SSH嚗璅瘥冽嗅其批芾賢閰虫甈∠駁
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
蝚砌靘摮嚗閮剔蔭iptables芸閮曹蜓璈193.180.177.13亙訕SH嚗典閰虫甈∪仃駁詨嚗iptables閮梯府銝餅瘥閰虫甈∠駁
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
( F+ Z5 ]7 f1 f5 Y: R" J# | R2 [% {: P- o: B/ z
11.瑼X亦賊瑼獢甈嚗銝摰典銝閮梁餃
StrictModes yes
鈭賊瑼獢甈閮剖交航炊嚗航賡摰冽折◢芥憒雿輻刻 ~/.ssh/authorized_keys 甈亦 666嚗航賡嗡鈭箏臭誑典董
4 c- W) s7 \0 [- A
12.芾雿輻刻餃交憿舐內 banner (閰梯牧頝摰冽扳隞暻潮靽...? 憭扳臭誑函冗鈭斗孵頝憯鈭箏...= =a)
# 隞餅摮瑼 (sshd_config takes no trailing comment on a directive line, so the note goes on its own line)
Banner /etc/ssh/banner
13. su/sudo
# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL = (ALL) ALL
# gpasswd -a user1 wheel
4 S3 B& {4 @2 c# O6 k% c1 m$ I" M# ^! P
14. ssh 雿輻刻
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo <username> >> /etc/ssh_users
15.脫迫SSH蝺暹(timeout),霈PuTTY SSH 銝港蝺
靽格/etc/ssh/sshd_config
#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
撠#踵==>摮瑼
#service ssd restart ==>sshd
乩靘靽格 Pietty 賂脣PuTTY 蝺閮剖:
豢Connection殷撠Seconds between keepalives [0 to turn off]喲甈雿頛詨交撟曄嚗喲銝null撠隞乩蝺
* T' i, r* \) T3 P7 v
6 c1 {6 R; H* I( s |
|