vi /etc/ssh/sshd_config
1. Change the default port (stop listening on the well-known port 22)
Port <port>
Moving the port only cuts down scanner noise; it is not a security control by itself. Open the new port in the firewall before restarting sshd, and on SELinux systems (RHEL/CentOS) register it first: semanage port -a -t ssh_port_t -p tcp <port>
2. Bind to a specific IP (for hosts with an internal interface or several addresses)
ListenAddress 192.168.1.10
Put the Port line before ListenAddress: a ListenAddress without an explicit port only picks up the Port directives that appear above it, otherwise it listens on 22.
3. Disallow root login
PermitRootLogin no
Administrators log in as an ordinary user first and then su to root or use sudo. (prohibit-password, the newer default, still allows key-based root login; no is stricter.)
4. Disallow logins with an empty password
PermitEmptyPasswords no
5. Restrict which users/groups may log in
AllowUsers <user1> <user2> <user3>
AllowGroups <group>
DenyGroups no-ssh
sshd evaluates these in a fixed order: DenyUsers, AllowUsers, DenyGroups, AllowGroups, and the first one that rejects the account ends the check. An AllowUsers or AllowGroups line therefore already denies everyone not listed; do not add DenyUsers * as some guides suggest, because DenyUsers is evaluated first and would lock out everybody, the allowed users included. When both AllowUsers and AllowGroups are set, an account has to match both.
6. Disable password logins and force public-key (RSA/DSA) authentication
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
RSAAuthentication yes belongs to SSH protocol 1 only; since OpenSSH 7.4 the server logs a deprecation warning and ignores it, so it is left out here. PasswordAuthentication no on its own is not enough while UsePAM is on: PAM can still ask for the password through keyboard-interactive, hence the KbdInteractiveAuthentication no (older guides spell it ChallengeResponseAuthentication no). DSA user keys are disabled by default since OpenSSH 7.0; generate Ed25519 or RSA keys with ssh-keygen.
Make sure the user's ~/.ssh is mode 700 and authorized_keys is mode 600, then append the user's public key (the .pub file produced by ssh-keygen) to ~/.ssh/authorized_keys.
7. Allow SSHv2 only
Protocol 2
Only relevant on old servers: since OpenSSH 7.4 the server no longer speaks protocol 1 at all and merely warns that the Protocol keyword is deprecated.
8. Restrict certain users/groups to particular login methods, e.g. somebody and handsomebody may not log in with a password
Match User somebody,handsomebody
PasswordAuthentication no
Match blocks go at the end of sshd_config: every directive after a Match line belongs to that block until the next Match. To see the settings that end up applying to one user, run sshd -T -C user=somebody,host=<host>,addr=<ip>.

Restrict source IPs with TCP wrappers
# vim /etc/hosts.deny
sshd: ALL
# vim /etc/hosts.allow
sshd: 192.168.1. 1.2.3.4 # allow 192.168.1.* and 1.2.3.4
The network pattern needs the trailing dot (192.168.1.), otherwise it is compared literally and matches nothing. hosts.allow is consulted before hosts.deny, so the ALL deny only catches what is not listed above. Upstream OpenSSH dropped libwrap support in 6.7; check with ldd $(which sshd) | grep libwrap, and if it is absent these files do nothing and you need item 9 instead.

9. Restrict source IPs with iptables
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
Rules added this way are gone after a reboot; persist them with iptables-save (or the distribution's service, e.g. service iptables save on RHEL/CentOS). Keep an out-of-band way in while testing: the DROP line locks out everyone except 1.2.3.4.
10. Rate-limit SSH connections
iptables can also cap how many new SSH connections are accepted in a time window, so brute-force attempts slow to a crawl; the unit can be /second, /minute, /hour or /day.
First example: after a failed attempt the client cannot immediately reconnect; only one new connection per minute gets through (for the whole server, from any source):
# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j DROP
Second example: the same limit applied only to the host 193.180.177.13, so after a failed attempt it gets one new try per minute while other sources are unaffected:
# iptables -A INPUT -p tcp -s 193.180.177.13 --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp -s 193.180.177.13 --syn -m state --state NEW --dport 22 -j DROP
Two caveats. The limit match keeps a single counter across all sources, so in the first example one attacker hammering port 22 also locks out legitimate users; per-source limiting needs the recent or hashlimit match. And the limit is on connections, not password guesses: sshd allows MaxAuthTries (default 6) attempts per connection, so lower that too if "one guess per minute" is the goal. Put the ACCEPT for your own admin addresses (item 9) above these rules.
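Per-source rate limiting, as an added example that is not part of the original post: it uses the iptables recent match so that each client IP gets its own counter, instead of the shared limit counter shown above. The port, the admin network 192.168.1.0/24 and the INPUT chain are assumptions of mine; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original post: per-source rate limiting of
# new SSH connections with the iptables "recent" match. The "limit" match
# used above shares one counter across all clients, so a single brute-forcer
# also locks legitimate users out; "recent" keeps a counter per source IP.
# Assumptions of mine: the SSH port is 22, the trusted admin network is
# 192.168.1.0/24 and rules are appended to INPUT in the filter table.
# Set DRY_RUN=1 to print the commands instead of running them.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
WINDOW_SECONDS="${WINDOW_SECONDS:-60}"   # sliding window per source
MAX_NEW_CONNS="${MAX_NEW_CONNS:-3}"      # new connections allowed per source per window

# ipt: run iptables, or print the command when DRY_RUN is set (needs root otherwise).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# install_ssh_rules: append the rule set. iptables stops at the first matching
# rule, so the admin bypass must come before the limit and the limit before
# the final ACCEPT.
install_ssh_rules() {
    # Only new connections are counted; traffic of established sessions passes.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admin network is exempt from the limit (same idea as item 9 above).
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -s "$ADMIN_NET" -j ACCEPT
    # Record the source address of every new connection attempt in the list "ssh".
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --set
    # Drop a source seen more than MAX_NEW_CONNS times within WINDOW_SECONDS.
    # --update refreshes the timestamp on match, so a client that keeps hammering
    # stays blocked until it is quiet for a whole window.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds "$WINDOW_SECONDS" \
        --hitcount "$((MAX_NEW_CONNS + 1))" -j DROP
    # Under the quota: accept.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# dry_run_rules: the commands install_ssh_rules would run, one per line.
dry_run_rules() {
    ( DRY_RUN=1; install_ssh_rules )
}

# rule_count: number of iptables commands in the rule set (5).
rule_count() {
    dry_run_rules | grep -c ''
}

# Apply for real only when invoked as "sh ssh-ratelimit.sh apply".
case "${1:-}" in
    apply) install_ssh_rules ;;
esac
```

The blocked addresses can be inspected in /proc/net/xt_recent/ssh, and a source is unblocked simply by staying quiet for WINDOW_SECONDS. Like the rules in item 9, these do not survive a reboot unless saved with iptables-save.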
11. Check file permissions and refuse logins when they are unsafe
StrictModes yes
This is the default. Wrong permissions open real holes: if a user's ~/.ssh/authorized_keys is mode 666, anyone on the box can append their own key and log in as that user. With StrictModes sshd rejects the key file when the home directory, ~/.ssh or authorized_keys is group/world writable or owned by someone other than the user or root, so a too-open directory shows up as a failed key login ("Authentication refused: bad ownership or modes for directory ..." in the log) instead of a silent weakness.
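The checks behind StrictModes, re-implemented as a small audit script; this is an added example, not code from the original post. It is handy for checking accounts before enabling the option or for working out why a key login stopped working. The user names, paths and the throwaway home directory built in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a shell version of the checks
# that "StrictModes yes" makes sshd perform on the key file path, so you can
# audit accounts before turning it on, or see why a key login suddenly fails.
# sshd rejects authorized_keys when the home directory, ~/.ssh or the file
# itself is owned by someone other than the user or root, or is writable by
# group or others. User names, paths and the temporary fixture in demo() are
# constructed for the demonstration.

# perm_string PATH: the 10-character mode field from ls, e.g. drwx------
perm_string() { ls -ld "$1" | cut -c1-10; }

# owner_of PATH: owner name as shown by ls (field 3)
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# check_path USER PATH: 0 if PATH would pass StrictModes for USER, 1 otherwise
check_path() {
    cp_user=$1; cp_path=$2
    [ -e "$cp_path" ] || { echo "missing: $cp_path"; return 1; }
    cp_owner=$(owner_of "$cp_path")
    if [ "$cp_owner" != "$cp_user" ] && [ "$cp_owner" != "root" ]; then
        echo "bad owner $cp_owner: $cp_path"; return 1
    fi
    cp_perm=$(perm_string "$cp_path")
    # character 6 is the group write bit, character 9 the world write bit
    case "$(printf '%s' "$cp_perm" | cut -c6)$(printf '%s' "$cp_perm" | cut -c9)" in
        --) return 0 ;;
        *)  echo "group/world writable ($cp_perm): $cp_path"; return 1 ;;
    esac
}

# audit_ssh_dir USER HOME: check HOME, HOME/.ssh and the key file, like sshd does
audit_ssh_dir() {
    ad_rc=0
    for ad_p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        check_path "$1" "$ad_p" || ad_rc=1
    done
    return $ad_rc
}

# fix_ssh_dir HOME: the repair recommended above (700 on ~/.ssh, 600 on the key file)
fix_ssh_dir() {
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# demo: build a throwaway home with a 666 authorized_keys, confirm the audit
# flags it, repair it and confirm the audit passes. Returns 0 on success.
demo() {
    d_me=$(id -un); d_tmp=$(mktemp -d) || return 1
    mkdir -p "$d_tmp/home/.ssh" && chmod 755 "$d_tmp/home" && chmod 700 "$d_tmp/home/.ssh"
    : > "$d_tmp/home/.ssh/authorized_keys"
    chmod 666 "$d_tmp/home/.ssh/authorized_keys"      # the hole described in item 11
    if audit_ssh_dir "$d_me" "$d_tmp/home" >/dev/null; then
        rm -rf "$d_tmp"; return 1                     # should have been refused
    fi
    fix_ssh_dir "$d_tmp/home"
    if audit_ssh_dir "$d_me" "$d_tmp/home" >/dev/null; then d_rc=0; else d_rc=1; fi
    rm -rf "$d_tmp"
    return $d_rc
}
```

To audit a real account run audit_ssh_dir <user> <home>; each offending path is printed with the reason, and fix_ssh_dir <home> applies the modes item 6 asks for. The ownership test matters as much as the modes: a group-owned but root-owned key file passes, a user-owned one that is writable by the group does not.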
12. Show a banner before login (a legal or acceptable-use notice; it stops nobody technically, but it puts intruders on notice that the system is monitored)
Banner /etc/ssh/banner # any text file; it is sent before authentication, so keep version numbers and other reconnaissance-friendly details out of it
13. Restrict su/sudo to the wheel group
# vi /etc/pam.d/su
auth required pam_wheel.so use_uid
(Older guides give the module as /lib/security/$ISA/pam_wheel.so; on current distributions the bare module name is resolved by PAM, and RHEL/CentOS ship this exact line commented out, so just uncomment it.) With use_uid the check is made against the real uid of the user running su, so only members of wheel can become root.
# visudo
%wheel ALL = (ALL) ALL
# gpasswd -a user1 wheel
14. Whitelist ssh users in PAM
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo <username> >> /etc/ssh_users
Put the pam_listfile line at the top of the auth stack. The list file must be owned by root and not writable by group or others, otherwise pam_listfile treats it as an error and with onerr=fail nobody can log in. Note that the auth stack only runs for password and keyboard-interactive logins; public-key logins skip it, so move the line to the account stack (account required pam_listfile.so ...) if it should cover them, and treat AllowUsers (item 5), which sshd enforces for every method, as the primary control.
15. Stop idle SSH sessions from dropping (timeouts), e.g. PuTTY disconnecting
Edit /etc/ssh/sshd_config:
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
Just removing the # from the defaults is not enough: ClientAliveInterval 0 disables the server-side probes, so set it to a value in seconds. With the values above sshd sends an alive request through the encrypted channel every 60 s and closes the session after 3 unanswered ones (about three minutes of a dead peer). TCPKeepAlive uses plain TCP keepalives, which also keep NAT entries alive but are spoofable; ClientAliveInterval is the reliable one. Save the file and restart sshd:
# service sshd restart
Client side, for Pietty (a PuTTY derivative) or PuTTY itself: open the Connection panel and set "Seconds between keepalives (0 to turn off)" to a non-zero number; PuTTY then sends null packets at that interval to keep the session active.
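All the sshd_config settings from items 1-8, 11, 12 and 15 gathered into one drop-in file, as an added example that is not part of the original post, with the corrections noted above folded in (no DenyUsers *, keyboard-interactive disabled together with passwords, a non-zero ClientAliveInterval, the Match block last). It assumes OpenSSH 8.2 or newer, whose stock sshd_config carries "Include /etc/ssh/sshd_config.d/*.conf"; on older servers append the same text to /etc/ssh/sshd_config. The port, address, user and group names are placeholders of mine.

```shell
#!/bin/sh
# Added example, not part of the original post: the sshd_config directives
# from items 1-8, 11, 12 and 15 collected into one drop-in file, with the
# corrections noted above (no "DenyUsers *", keyboard-interactive disabled
# alongside passwords, a non-zero ClientAliveInterval, Match block last).
# Assumptions of mine: OpenSSH 8.2 or newer, whose default sshd_config has
# "Include /etc/ssh/sshd_config.d/*.conf" (on older servers append the same
# text to /etc/ssh/sshd_config instead); the port, address, user and group
# names below are placeholders.

SSH_PORT="${SSH_PORT:-2222}"
LISTEN_ADDR="${LISTEN_ADDR:-192.168.1.10}"
ADMIN_USERS="${ADMIN_USERS:-user1 user2}"
KEY_ONLY_USERS="${KEY_ONLY_USERS:-somebody,handsomebody}"
CONF_PATH="${CONF_PATH:-/etc/ssh/sshd_config.d/50-hardening.conf}"

# write_hardening_conf FILE: write the drop-in to FILE.
write_hardening_conf() {
    cat > "$1" <<EOF
# sshd hardening drop-in (items 1-8, 11, 12, 15 of the post)
# Port must precede a ListenAddress that has no explicit port.
Port $SSH_PORT
ListenAddress $LISTEN_ADDR
# "Protocol 2" is omitted: OpenSSH >= 7.4 only speaks v2 and warns about the keyword.
PermitRootLogin no
PermitEmptyPasswords no
# AllowUsers is an implicit deny for everyone else. Do not add "DenyUsers *":
# DenyUsers is evaluated first and would lock out the allowed users too.
AllowUsers $ADMIN_USERS
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
# Otherwise PAM can still prompt for a password via keyboard-interactive.
KbdInteractiveAuthentication no
StrictModes yes
# The banner file must exist, or sshd logs an error on every connection.
Banner /etc/ssh/banner
# Encrypted alive probes every 60 s; drop the session after 3 unanswered ones.
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
# Match blocks last: every directive after a Match belongs to it.
# Redundant while the global is already "no", but it keeps these users
# key-only even if someone re-enables passwords globally later.
Match User $KEY_ONLY_USERS
    PasswordAuthentication no
EOF
}

# directive_value FILE NAME: value of the first NAME directive in FILE.
directive_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# match_is_last FILE: 0 if no unindented directive follows the Match line.
match_is_last() {
    awk '/^Match/ { m = 1; next }
         m && /^[^ \t#]/ { bad = 1 }
         END { exit bad }' "$1"
}

# install_and_check: write CONF_PATH and run sshd's syntax check on the
# whole configuration before restarting (a broken config leaves sshd down).
install_and_check() {
    write_hardening_conf "$CONF_PATH" && sshd -t && echo "config OK; now: service sshd restart"
}

case "${1:-}" in
    install) install_and_check ;;
esac
```

Run it as sh harden-sshd.sh install as root, keep the current session open, and only then restart sshd and confirm from a second terminal that a listed user can still log in with a key. sshd -T -C user=somebody,host=x,addr=192.168.1.50 prints the effective settings for one of the Match users and is the quickest way to confirm the block applies.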