vi /etc/ssh/sshd_config
5 w. C) X% r! Y8 q% D1 d/ P7 Z) Y9 U3 I- S7 b, w0 X2 |5 W
1.靽格寥閮 port (舐典銵憭 port)- ? ^+ t: P* B; D
Port <port>5 h' s t) ]9 Y
8 f0 ^5 w. `( F0 T/ ~
2.賜孵 ip (拍冽澆蝬脣/憭 IP 敶)2 G7 D/ T c5 e8 G8 d5 ~8 s% W
ListenAddress 192.168.1.107 A' x( T4 m* d. V, A$ r" \
2 @6 G: F+ T6 p4 h, C# K% l
3.蝳甇 root 餃
1 s* o E, K# \PermitRootLogin no
3 v/ w. I5 X, \$ q* d, N8 C9 g蝞∠敹隞亙鈭箏董餃伐 su root嚗拍 sudo 撌乩
% x1 \3 w6 V. f7 Q+ I8 K- g
% J! M& F, n& Q' ?, t6 {4 d4.蝳甇V蝙函征撖蝣潛餃
3 e- Z" b( K6 b9 wPermitEmptyPasswords no
5 p8 O; [- G+ ?3 w$ y0 T9 S; M) X0 P6 V9 |9 T
5.閮望蝯孵撣唾蝢斤餃
E3 L9 H7 P1 p; f$ e! EAllowUsers <user1> <user2> <user3>3 X7 H) Z7 R# E- F G3 `" k/ }# S
AllowGroups <group> C2 O+ @ z: L, k! S
DenyUsers *
& `2 R+ Y+ s/ g; F3 [9 o! K/ ^# TDenyGroups no-ssh
5 j& X: J' e2 l3 i. N9 c寞撖阡嚗撠澆銝撣唾閮嚗憒 Allow 頝 Deny 閰梧蝯 Deny 6 M: P: `7 R+ h7 S% T
" F1 ?0 R5 |/ q. M+ B' L5 S6.撱a文蝣潛駁嚗撘瑁翰雿輻 RSA/DSA 撽霅% |) d$ }% K. t+ e7 c: ~9 c Y
RSAAuthentication yes' n6 W1 T7 c& T6 X+ M9 e
PubkeyAuthentication yes
5 D4 m' I, d; {; Y" u# @ K3 x7 qAuthorizedKeysFile %h/.ssh/authorized_keys
0 V7 |+ m' Z( W; I g$ i; E, bPasswordAuthentication no
9 k3 A% z! Y* T銝衣Ⅱ靽 user ~/.ssh 甈 700嚗撠閰 user public key 亙 ~/.ssh/authorized_keys 銝准Public key Y孵舀撠 ssh-keygen
" W: E( Y9 y% }, e) G6 Q* c9 d
8 B4 w6 x1 h0 \7 g8 [( {7.閮 SSHv2, R6 i: r. M$ t0 h0 ]2 G7 N
Protocol 2
, A8 ^) N1 ?% N% X9 z# _
8 a9 d3 Q B) m' I8.嗥孵雿輻刻蝢斤銝餅雿餃亥綽鋆∩誑 somebody handsomebody 銝臭蝙典蝣潛餃亦箔3 `. _* I9 h: n+ Q5 I2 S' i4 M" e
Match User somebody,handsomebody
& F" N: `) n0 k/ V& f, Q2 SPasswordAuthentication no雿輻 TCP wrappers 嗡皞 IP/ b* Q& X7 R4 _' r' F- t2 T
# vim /etc/hosts.deny
0 E, _0 m) W0 F' l) J5 K; G5 Gsshd: ALL7 ]% M7 A& P$ b# m+ W" e4 R
# vim /etc/hosts.allow; h6 p' H8 q* o$ s3 _' L
sshd: 192.168.1 1.2.3.4 # 閮 192.168.1.* 1.2.3.4 蝺
, b, W, W( J5 @( O9 |# w
S9 S3 E4 A/ H6 x9.雿輻 iptables 嗡皞 IP- f0 T* T, U8 b1 M8 k7 P4 h+ p* R
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT& S* `* x) V* n
# iptables -A INPUT -p tcp --dport 22 -j DROP
v% L) d9 ]2 c0 _閮剖蝡喟嚗亙璈敺賭摮嚗閬脣 iptables 閮剖
0 u/ R/ E' \' H1 _' z3 h' p% _$ O: I9 r$ j* J) k- J( U1 H
10.摰
( k' [% `$ E% b9 F6 \" T' y雿臭誑雿輻其iptables訾嗅訕SH伐霈嗅其孵蝭批臭誑伐嗡銝賡乓雿臭誑其Y隞颱靘摮銝凋蝙 /second/minute/hour /day . k% q8 \9 U, w5 o/ a* Z* y) i
蝚砌靘摮嚗憒銝冽嗉撓乩航炊撖蝣潘摰銝找閮勗刻赤SSH嚗璅瘥冽嗅其批芾賢閰虫甈∠駁( N1 g0 ^& p4 X: h
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
& C, Y7 O; }" _" V) O. R # iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP+ M5 d3 }$ P: U. j9 w+ q0 C9 k
蝚砌靘摮嚗閮剔蔭iptables芸閮曹蜓璈193.180.177.13亙訕SH嚗典閰虫甈∪仃駁詨嚗iptables閮梯府銝餅瘥閰虫甈∠駁
9 r V$ S7 b+ L. q # iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT5 O" D1 D6 Z! i6 h' `4 M/ g
# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
# R7 \% \# _/ Z" ?9 |
" k4 k y3 E: o% T6 A1 ?4 u11.瑼X亦賊瑼獢甈嚗銝摰典銝閮梁餃
9 T! A$ N9 z/ n3 \5 d! m0 }* EStrictModes yes
$ j5 G9 z0 _" w2 O9 F鈭賊瑼獢甈閮剖交航炊嚗航賡摰冽折◢芥憒雿輻刻 ~/.ssh/authorized_keys 甈亦 666嚗航賡嗡鈭箏臭誑典董/ b: b+ {/ u6 x c1 o5 R5 ?
* E" u+ Y' [# h' Y3 f) e- H* n- f( M/ N
12.芾雿輻刻餃交憿舐內 banner (閰梯牧頝摰冽扳隞暻潮靽...? 憭扳臭誑函冗鈭斗孵頝憯鈭箏...= =a)" d- O$ W' J- y# T7 R7 x- }
Banner /etc/ssh/banner # 隞餅摮瑼! t0 n- X9 I9 S [, @" t, e( Q
; l0 b$ Q4 b* n( [" l ^7 {13. su/sudo
( J$ N% W' f3 \) f) m7 n# vi /etc/pam.d/su
4 u1 W; M( q" y m( U auth required /lib/security/$ISA/pam_wheel.so use_uid2 N' c2 {0 C/ R9 a! i6 ]2 m
# visudo
! _+ j! K5 z) X3 |; x %wheel ALL = (ALL) ALL
2 C& ~: L$ f0 ~. ]6 I( C# gpasswd -a user1 wheel
" z0 J- V" _, E+ P: O& O, z, g$ e5 _& |
14. ssh 雿輻刻2 t) C1 A: X# S% H5 g
# vi /etc/pam.d/sshd V5 F% M* p1 F) t; m3 h% o7 H
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
/ l/ U& O/ m$ h9 [- u" K+ U; F# echo <username> >> /etc/ssh_users
1 \8 a) M7 s' I* P4 h7 z4 f a/ c15.脫迫SSH蝺暹(timeout),霈PuTTY SSH 銝港蝺
3 _8 J* F: {# i0 w$ q 靽格/etc/ssh/sshd_config
1 e4 u& Q- b; c#TCPKeepAlive yes) M; [* [$ z. K2 y/ s
#ClientAliveInterval 0- I, Y* r: d: F, |5 G
#ClientAliveCountMax 3 i, t7 r" Z* x, s2 E
撠#踵==>摮瑼
+ Y- I/ a3 l% _7 h: i#service ssd restart ==>sshd0 Q% G4 R0 C& \% u: u2 S
乩靘靽格 Pietty 賂脣PuTTY 蝺閮剖:
( I' U1 K5 T; k# X# ~: s& l 豢Connection殷撠Seconds between keepalives [0 to turn off]喲甈雿頛詨交撟曄嚗喲銝null撠隞乩蝺
! Q7 J0 w! _. ]% O4 h6 h6 Q6 Q; e* E4 i: S0 k9 n, Y4 y
|
|
潸” 2015-12-28 10:28:36
嗉
鈭
霈
