vi /etc/ssh/sshd_config
1.靽格寥閮 port (舐典銵憭 port)
Port <port>
2.賜孵 ip (拍冽澆蝬脣/憭 IP 敶)
ListenAddress 192.168.1.10
3.蝳甇 root 餃
PermitRootLogin no
蝞∠敹隞亙鈭箏董餃伐 su root嚗拍 sudo 撌乩
4.蝳甇V蝙函征撖蝣潛餃
PermitEmptyPasswords no
5.閮望蝯孵撣唾蝢斤餃
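# Only the accounts and groups listed here may log in; a user must pass
# every list that is set (AllowUsers and AllowGroups are both checked).
AllowUsers <user1> <user2> <user3>
AllowGroups <group>
# sshd evaluates DenyUsers before AllowUsers, so "DenyUsers *" would reject
# every account, including the ones allowed above.  An AllowUsers list
# already refuses everyone not named in it, so the wildcard deny stays off.
#DenyUsers *
DenyGroups no-ssh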
寞撖阡嚗撠澆銝撣唾閮嚗憒 Allow 頝 Deny 閰梧蝯 Deny. Because sshd processes DenyUsers before AllowUsers, `DenyUsers *` refuses every account, including those listed in AllowUsers; an AllowUsers list on its own already rejects any user it does not name.
6.撱a文蝣潛駁嚗撘瑁翰雿輻 RSA/DSA 撽霅
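# SSH-1-only directive.  OpenSSH 7.4 removed server support for protocol 1;
# later releases ignore this line with a deprecation warning.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Turns off plain password logins.  With PAM in use a password can still be
# entered through keyboard-interactive authentication unless that is also
# disabled: ChallengeResponseAuthentication no (KbdInteractiveAuthentication
# no on newer releases).
PasswordAuthentication no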
銝衣Ⅱ靽 user ~/.ssh 甈 700嚗撠閰 user public key 亙 ~/.ssh/authorized_keys 銝准Public key Y孵舀撠 ssh-keygen
7.閮 SSHv2
# Protocol 1 server support was removed in OpenSSH 7.4; on those releases this
# directive is deprecated and ignored, so it is harmless but no longer needed.
Protocol 2
8.嗥孵雿輻刻蝢斤銝餅雿餃亥綽鋆∩誑 somebody handsomebody 銝臭蝙典蝣潛餃亦箔. Directives that follow a `Match` line apply only to the matched users, up to the next `Match`, so keep Match blocks at the end of sshd_config.
Match User somebody,handsomebody
PasswordAuthentication no
雿輻 TCP wrappers 嗡皞 IP
# vim /etc/hosts.deny
sshd: ALL
# vim /etc/hosts.allow
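# A trailing dot makes "192.168.1." a network prefix in hosts_access syntax;
# without it the token is matched as a single host and the subnet is not allowed.
sshd: 192.168.1. 1.2.3.4 # 閮 192.168.1.* 1.2.3.4 蝺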
9.雿輻 iptables 嗡皞 IP
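# Run as root.  Rule order matters: the ACCEPT must be appended before the DROP.
iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
# This drops every other packet to port 22, including the non-NEW packets of the
# connection accepted above, unless an earlier rule already accepts
# ESTABLISHED,RELATED traffic (e.g. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT).
iptables -A INPUT -p tcp --dport 22 -j DROP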
閮剖蝡喟嚗亙璈敺賭摮嚗閬脣 iptables 閮剖
10.摰
雿臭誑雿輻其iptables訾嗅訕SH伐霈嗅其孵蝭批臭誑伐嗡銝賡乓雿臭誑其Y隞颱靘摮銝凋蝙 /second/minute/hour /day
蝚砌靘摮嚗憒銝冽嗉撓乩航炊撖蝣潘摰銝找閮勗刻赤SSH嚗璅瘥冽嗅其批芾賢閰虫甈∠駁
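# Run as root.  The limit here is global, not per source: every new SSH
# connection from anywhere shares the one-per-minute allowance, so a single
# remote host can exhaust it for all legitimate users.  Per-source limiting is
# available through -m hashlimit --hashlimit-mode srcip or -m recent.
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP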
蝚砌靘摮嚗閮剔蔭iptables芸閮曹蜓璈193.180.177.13亙訕SH嚗典閰虫甈∪仃駁詨嚗iptables閮梯府銝餅瘥閰虫甈∠駁
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
11.瑼X亦賊瑼獢甈嚗銝摰典銝閮梁餃
# Makes sshd check ownership and permissions of the user's home, ~/.ssh and
# authorized_keys before accepting a login, and refuse it when they are
# writable by others (e.g. an authorized_keys left at mode 666).
StrictModes yes
鈭賊瑼獢甈閮剖交航炊嚗航賡摰冽折◢芥憒雿輻刻 ~/.ssh/authorized_keys 甈亦 666嚗航賡嗡鈭箏臭誑典董
12.芾雿輻刻餃交憿舐內 banner (閰梯牧頝摰冽扳隞暻潮靽...? 憭扳臭誑函冗鈭斗孵頝憯鈭箏...= =a)
Banner /etc/ssh/banner # 隞餅摮瑼
13. su/sudo
# vi /etc/pam.d/su
# Only members of the wheel group may su; use_uid makes pam_wheel check the
# real uid of the calling process rather than the login session's user.
# The /lib/security/$ISA/ path is an older Red Hat layout; newer PAM installs
# resolve a bare "pam_wheel.so" — NOTE(review): verify the path on this system.
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL = (ALL) ALL
# gpasswd -a user1 wheel
14. ssh 雿輻刻
# vi /etc/pam.d/sshd
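# Allow ssh only for accounts listed one per line in /etc/ssh_users; onerr=fail
# denies access if the file cannot be read.  pam_listfile rejects a list file
# that is not owned by root or is writable by others (check pam_listfile(8) on
# this system), so keep it 0644 root:root.
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail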
# echo <username> >> /etc/ssh_users
15.脫迫SSH蝺暹(timeout),霈PuTTY SSH 銝港蝺
靽格/etc/ssh/sshd_config
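# Server-side keepalives.  ClientAliveInterval 0 (the default shown here) sends
# no alive messages at all, so uncommenting these lines unchanged does not stop
# idle disconnects; use a positive interval, e.g. ClientAliveInterval 60, with
# ClientAliveCountMax 3 (the session is dropped after 3 unanswered probes).
#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3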
撠#踵==>摮瑼
#service ssd restart ==>sshd
乩靘靽格 Pietty 賂脣PuTTY 蝺閮剖:
豢Connection殷撠Seconds between keepalives [0 to turn off]喲甈雿頛詨交撟曄嚗喲銝null撠隞乩蝺