vi /etc/ssh/sshd_config , @1 R' j$ o3 |' h9 c* C
8 X, N2 X' G6 l2 u( G1 w( G' E
1.靽格寥閮 port (舐典銵憭 port)' ]4 v0 w% Y! q9 P2 u7 p( f
Port <port>
! `. ?' K9 P/ ?- w1 b( Y1 `3 b' S
- o& Q9 p" s/ P z) ]. s2.賜孵 ip (拍冽澆蝬脣/憭 IP 敶)
' g7 s) H0 G3 x bListenAddress 192.168.1.10" d; z" Q) T+ t1 r5 n# u
5 F0 w8 l8 d6 s4 Y- J& n# g S) N9 c3.蝳甇 root 餃4 b" N% r& R. q F9 q
PermitRootLogin no1 t h$ g @) z
蝞∠敹隞亙鈭箏董餃伐 su root嚗拍 sudo 撌乩( g/ b! R* Y) j8 z# s
$ H$ e/ g" B) v. Y$ j4.蝳甇V蝙函征撖蝣潛餃# c" ~% r2 R! N2 i9 L
PermitEmptyPasswords no
& C) C( n6 C, m: m! ?) b
* x- ?9 e+ E3 G" U. @4 n+ p" C( f5.閮望蝯孵撣唾蝢斤餃& c* H3 `; I( T' j. L
AllowUsers <user1> <user2> <user3>
0 i' o- T$ Q, B. g3 P' _1 Y- zAllowGroups <group>
, s0 ~7 e6 a* y: N+ a" z% |0 YDenyUsers *
: X' s/ N3 @! O( g' C: eDenyGroups no-ssh8 P0 V- b5 i- }" M# Z& s6 w" m+ l
寞撖阡嚗撠澆銝撣唾閮嚗憒 Allow 頝 Deny 閰梧蝯 Deny * ^! Y2 \0 O0 E" ~/ o* l! Y1 u
# I& p- X) S3 k4 g0 x6.撱a文蝣潛駁嚗撘瑁翰雿輻 RSA/DSA 撽霅
; E' u# e6 f' S+ s' ARSAAuthentication yes
) T4 q: K& ^2 R7 R* ?PubkeyAuthentication yes" M. i O3 f- L5 V& H, H) |
AuthorizedKeysFile %h/.ssh/authorized_keys
! P. U u, S1 E' D; ?PasswordAuthentication no
+ R; k' `# h, a# N2 g) L1 @銝衣Ⅱ靽 user ~/.ssh 甈 700嚗撠閰 user public key 亙 ~/.ssh/authorized_keys 銝准Public key Y孵舀撠 ssh-keygen, }3 z' q4 O7 \ {8 r
" t* ?# [2 N$ S1 q9 c7.閮 SSHv2
; R$ F& X, Y- i7 J w; p/ [* `) ]Protocol 28 S+ d/ P8 U2 l/ P" J, g" }2 X2 I
$ @/ x+ j0 }# t7 _8 j
8.嗥孵雿輻刻蝢斤銝餅雿餃亥綽鋆∩誑 somebody handsomebody 銝臭蝙典蝣潛餃亦箔
Z5 Z( `4 c5 v" d/ M( _# `Match User somebody,handsomebody
" u5 [# T) ]% ~5 Y' k8 A$ ^PasswordAuthentication no雿輻 TCP wrappers 嗡皞 IP
( X9 `6 H0 g7 r) T# vim /etc/hosts.deny1 |4 H o" h% B4 }7 K1 C% ]* m+ D9 F
sshd: ALL
0 x1 u5 k) A/ X9 U# vim /etc/hosts.allow: h" p2 u2 M6 T3 J
sshd: 192.168.1 1.2.3.4 # 閮 192.168.1.* 1.2.3.4 蝺
! {/ ~( b9 \* M/ k# k+ i" |1 j9 [- {" l% \* {2 V {
9.雿輻 iptables 嗡皞 IP8 V4 U# ?8 z! S2 W% ]/ A# o/ r
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT0 Q }- Y* n4 M+ N6 ?7 z E
# iptables -A INPUT -p tcp --dport 22 -j DROP4 ]( j- ^0 J* |2 H1 [
閮剖蝡喟嚗亙璈敺賭摮嚗閬脣 iptables 閮剖3 y& c1 n; V( d3 ~. s
5 r4 B8 V% E8 g" u4 ?; h0 C% y! J
10.摰
+ M; _+ Z; }) |5 c雿臭誑雿輻其iptables訾嗅訕SH伐霈嗅其孵蝭批臭誑伐嗡銝賡乓雿臭誑其Y隞颱靘摮銝凋蝙 /second/minute/hour /day
& y, A* ]9 ~4 A' ~蝚砌靘摮嚗憒銝冽嗉撓乩航炊撖蝣潘摰銝找閮勗刻赤SSH嚗璅瘥冽嗅其批芾賢閰虫甈∠駁5 F* o9 R# v% @9 X- m
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT6 ~* x: } d- o$ E
# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP; r, a- g; \1 M. p2 T; V
蝚砌靘摮嚗閮剔蔭iptables芸閮曹蜓璈193.180.177.13亙訕SH嚗典閰虫甈∪仃駁詨嚗iptables閮梯府銝餅瘥閰虫甈∠駁
Y) N. w0 [* g/ [9 r0 o # iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
$ ?" H" l& h9 N/ b; ` # iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
( F$ G- A) e r8 L& p, p+ x; G. E) A" |$ o7 d7 Z
11.瑼X亦賊瑼獢甈嚗銝摰典銝閮梁餃: c0 G' c' S. f
StrictModes yes9 x$ O r* r7 w8 f9 K
鈭賊瑼獢甈閮剖交航炊嚗航賡摰冽折◢芥憒雿輻刻 ~/.ssh/authorized_keys 甈亦 666嚗航賡嗡鈭箏臭誑典董, X! e# ?0 L" D9 _
) Y/ ]! y* a% }8 G/ ~& f4 [) R
12.芾雿輻刻餃交憿舐內 banner (閰梯牧頝摰冽扳隞暻潮靽...? 憭扳臭誑函冗鈭斗孵頝憯鈭箏...= =a)1 R/ _, V% C2 p, p0 a4 Q" }, @4 j
Banner /etc/ssh/banner # 隞餅摮瑼$ s6 I. E4 v1 O/ {1 v0 e. I5 {+ k
; ? r" C6 c( z( {
13. su/sudo
' B* S K0 ?' F v: q( O( {! `# vi /etc/pam.d/su, k; U9 Y0 _' q. ^# k
auth required /lib/security/$ISA/pam_wheel.so use_uid5 ~( j" V# I9 g8 h: n
# visudo) E; p1 v& h) \; e$ d5 _. ~
%wheel ALL = (ALL) ALL! m8 m4 |# E+ V1 P- J) V3 _
# gpasswd -a user1 wheel6 ~# s2 f& Z6 a B' z# B
1 Y; Y8 J/ H+ e1 k9 v* `14. ssh 雿輻刻* R3 ?5 F0 C0 n
# vi /etc/pam.d/sshd
2 a5 Y! f% R* v; ]* h; W* J- S auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
9 k* u: M" O+ h& v6 z3 y' r# echo <username> >> /etc/ssh_users
0 r3 ?4 Y/ {1 k+ }1 h* j15.脫迫SSH蝺暹(timeout),霈PuTTY SSH 銝港蝺
. w+ g( ]3 i' W# L0 k% F 靽格/etc/ssh/sshd_config
/ v9 I4 L& I% A' k) }1 g#TCPKeepAlive yes+ s1 q$ k! d9 i- h3 ^! E6 B2 F" G
#ClientAliveInterval 08 }/ K1 Q6 f9 ^( a! u- Y4 k
#ClientAliveCountMax 3
; W5 S6 \: b1 {1 P7 N3 g 撠#踵==>摮瑼" P( E+ V* a: z6 w* j
#service ssd restart ==>sshd
: b1 ^( y4 K: x- k 乩靘靽格 Pietty 賂脣PuTTY 蝺閮剖:
; }: k( E7 c( i& s' {) o1 \ 豢Connection殷撠Seconds between keepalives [0 to turn off]喲甈雿頛詨交撟曄嚗喲銝null撠隞乩蝺
* i1 e! A- H5 Q' D3 c$ q5 C" e0 j% J+ t/ d
|
|
潸” 2015-12-28 10:28:36
嗉
鈭
霈
