Reposted from http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/

For some of the code examples listed earlier, many system administrators worry about the security of particular aspects of how SSH is used and what it can do. Although the common approaches to SSH security and remote-host security have already been explained both verbally and in writing, the following is a series of procedures and configurations that can be used to strengthen SSH security for remote-host access:
Disable direct root login over SSH:

```
# vi /etc/ssh/sshd_config
PermitRootLogin no
```

Use a higher bit rate for the encryption for more security:

```
ssh-keygen -t rsa -b 4096
```

Block a misbehaving host with TCP wrappers:

```
# vi /etc/hosts.deny
ALL: 192.168.200.09   # IP Address of badguy
```

Disable and remove sshd entirely on hosts that do not need SSH:

```
# chkconfig sshd off
# yum erase openssh-server
```

Limit SSH access to specific users and deny others:

```
# vi /etc/ssh/sshd_config
AllowUsers fsmythe bnice swilson
DenyUsers jhacker joebadguy jripper
```

Use only SSH protocol 2:

```
# vi /etc/ssh/sshd_config
Protocol 2
```

Set an idle timeout:

```
# vi /etc/ssh/sshd_config
ClientAliveInterval 600   # (Set to 600 seconds = 10 minutes)
ClientAliveCountMax 0
```

Note that since OpenSSH 8.2 a ClientAliveCountMax of 0 disables connection termination altogether instead of dropping the session after the first failed liveness check, so on current servers a value of 1 or more is needed for the timeout to take effect.

Disable host-based authentication:

```
# vi /etc/ssh/sshd_config
HostbasedAuthentication no
```

Ignore .rhosts files:

```
# vi /etc/ssh/sshd_config
IgnoreRhosts yes
```

Update /etc/sysconfig/iptables (Redhat specific file) to accept connections only from 192.168.100.0/24 and 209.64.100.5/27, enter:

```
-A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT
```

Bind sshd only to specific addresses:

```
# vi /etc/ssh/sshd_config
ListenAddress 192.168.100.17
ListenAddress 209.64.100.15
```

Generate a strong random password:

```
# < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
oP0FNAUt[
```
Chroot SSHD

Confine SFTP users to their own home directories:

```
# vi /etc/ssh/sshd_config
ChrootDirectory /data01/home/%u
X11Forwarding no
AllowTcpForwarding no
```

OpenSSH requires every component of the ChrootDirectory path to be owned by root and not writable by any other user, so a chroot that points at the user's home directory needs a root-owned home with a writable subdirectory inside it.

Disable empty passwords:

```
# vi /etc/ssh/sshd_config
PermitEmptyPasswords no
```
Rate-limit new connections to the (non-default) SSH port 2022. Redhat iptables example (Update /etc/sysconfig/iptables):

```
-A INPUT -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 2022 -m state --state NEW -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT
```

Alternatively, use the iptables recent module so that only three connection attempts on port 2022 are allowed within 30 seconds. Redhat iptables example (Update /etc/sysconfig/iptables):

```
-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DR
```
Use tools such as logcheck, loggrep, splunk or logwatch to understand the logs better and to build log reports. In addition, increase the logging verbosity within the SSH application itself:

Installation of the logwatch package on Redhat Linux:

```
# yum install logwatch
```

```
# vi /etc/ssh/sshd_config
LogLevel DEBUG
```

Keep the SSH packages up to date:

```
# yum update openssh-server openssh openssh-clients -y
```
Other sshd_config hardening options:

```
# vi /etc/ssh/sshd_config
VerifyReverseMapping yes     # Turn on reverse name checking
UsePrivilegeSeparation yes   # Turn on privilege separation
StrictModes yes              # Prevent the use of insecure home directory
                             # and key file permissions
AllowTcpForwarding no        # Turn off, if at all possible
X11Forwarding no             # Turn off, if at all possible
PasswordAuthentication no    # Specifies whether password authentication is
                             # allowed. The default is yes. Users must have
                             # another authentication method available.
```

Current OpenSSH releases treat VerifyReverseMapping and UsePrivilegeSeparation as deprecated keywords (logged and ignored; privilege separation is always on), and UseDNS is the modern equivalent of reverse-name checking.
Replace rsh with a symlink to ssh:

```
# find /usr -name rsh
/usr/bin/rsh
# rm -f /usr/bin/rsh
# ln -s /usr/bin/ssh /usr/bin/rsh
```
SSH supports many different authentication methods and techniques that can be enabled or disabled. In the /etc/ssh/sshd_config file, you make these configuration changes by entering the keyword listed for the authentication method, followed by yes or no. Here are some common configuration changes:
```
# RSAAuthentication yes
# PubkeyAuthentication yes
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes
```
The AllowedAuthentications and RequiredAuthentications keywords in the sshd_config file determine which authentication methods and configurations are used for SSH Protocol 2 only; the syntax for supporting both password and public-key authentication is as follows:

```
# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password
```

These two keywords belong to the commercial SSH Tectia server, not to OpenSSH: OpenSSH's sshd refuses to start on an unknown keyword and expresses the same requirement with AuthenticationMethods.
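As an added check that is not part of the original article, the POSIX shell script below audits an sshd_config file against the hardening values listed above (PermitRootLogin, Protocol, HostbasedAuthentication, IgnoreRhosts, PermitEmptyPasswords, PasswordAuthentication, X11Forwarding, AllowTcpForwarding, ClientAliveCountMax, StrictModes). The function names and the two sample config files are constructed for this example; only the expected values come from this page.

```shell
# Added example, not from the original article: audit an sshd_config file
# against the hardening values listed above. Prints one line per deviation;
# the return value is the number of deviations (0 = everything matches).
HARDENED="PermitRootLogin=no Protocol=2 HostbasedAuthentication=no IgnoreRhosts=yes
PermitEmptyPasswords=no PasswordAuthentication=no X11Forwarding=no
AllowTcpForwarding=no ClientAliveCountMax=0 StrictModes=yes"   # Keyword=value from this page
# sshd_get FILE KEYWORD: print the effective value, lower-cased, or nothing.
# sshd honours the FIRST uncommented occurrence of a keyword; keywords are
# case-insensitive, and "Key value", "Key=value" and trailing "# ..." are accepted.
sshd_get() {
  awk -v k="$(echo "$2" | tr A-Z a-z)" '
    { sub(/#.*/, ""); sub(/=/, " ") }
    NF >= 2 && tolower($1) == k { print tolower($2); exit }' "$1"
}
# audit_sshd_config FILE: compare every expected pair against the file.
audit_sshd_config() {
  n=0
  for pair in $HARDENED; do
    key=${pair%%=*}; want=${pair#*=}; have=$(sshd_get "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "$key: expected '$want', found '${have:-not set (sshd default applies)}'"
      n=$((n + 1))
    fi
  done
  return $n
}
# Constructed samples (no real hosts): a mostly-default file and one carrying
# the hardened settings from this page.
WEAK=$(mktemp); HARD=$(mktemp); trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Protocol 2
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no   # users must have another method, e.g. public key
X11Forwarding no
AllowTcpForwarding no
ClientAliveCountMax 0
StrictModes yes
EOF
echo "== weak =="; audit_sshd_config "$WEAK"; echo "deviations: $?"
echo "== hardened =="; audit_sshd_config "$HARD"; echo "deviations: $?"
```

Run it against /etc/ssh/sshd_config on a real host to see which of the page's settings are still missing; an unset keyword is reported too, because sshd then silently applies its own default.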
Other / supplementary notes

1. It is recommended to change the port number to something above 9000.
```
[root@lyj1 ~]# ssh 10.0.80.10
ssh: connect to host 10.0.80.10 port 22: Connection refused
[root@lyj1 ~]# ssh -p 9001 10.0.80.10
The authenticity of host '[10.0.80.10]:9001 ([10.0.80.10]:9001)' can't be established.
RSA key fingerprint is 55:e5:85:f1:45:19:0b:a7:b7:c0:af:fe:f4:57:20:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.80.10]:9001' (RSA) to the list of known hosts.
root@10.0.80.10's password:
```
2. Experiment: mutual trust between server A and server B

Experiment description:

Server A: 10.0.10.158, with an ordinary user user_00

Server B: 10.0.10.191, with an ordinary user user_00

Goal: A and B can log in to each other over SSH without a password.
```
[user_00@lyj1 .ssh]$ su - user_00   # switch to user user_00
[user_00@lyj1 .ssh]$ ssh-keygen     # generate the public and private key
...(omitted)...
[user_00@lyj1 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
[user_00@lyj1 .ssh]$ su - user_00
[user_00@lyj2 .ssh]$ ssh-keygen
...(omitted)...
[user_00@lyj2 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
```
```
[user_00@lyj1 .ssh]$ cat -n authorized_keys   # B's public key copied into A's authorized_keys
     1  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKhaOwUKoYkIDMYsja8eJUoJd0rr6C6urPNBEl33d86mWfgt2Qq23krPmxScRMK3QRJV7J1UiWlumwq6PfWkLCU3POlL2goEmgqfeKwn9ZlCTgnB3cjNef/6TdgcOESksj2xsprShBjT5djWC82xQbmieNHK+MiMwtvz1ITm4ZeyVfZgRoIRe3Lm1eWaUuMmve0kU7qFOJNvDV0+YHJu+ntOvpz17NXLHhzzWbHk9Ulnbz5brBPwQ8xBdFt+DSLYZMFNj+EVatvAg0YE5kAMFL6iuA49sgsKL70WN3VaGU++25PdrcU+Bw9YbtgmXGBzcbhjcWf8HdK22QuPOS+3jw== user_00@lyj2
[user_00@lyj2 .ssh]$ cat -n authorized_keys   # A's public key copied into B's authorized_keys
     1  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwijcQXHMCIPupkTQm0q6S/BmKm9qL5yjxftCr2P0Ql+6+ZCL7Infv3DSL9qsRVkrOAgx0ADFA+qJ3vfN2EWux/yqRF6pjkQqFbW7CLu963O4ZmQjsVkzovWGen1rXI7yfZ342NPjmrGllqFFJxkQ210xztl/z0go1EZrN0GC2RQV/HLC7HQdgh9fzQXIdcJhfEga6WMh/uMCVZz/yWcaN0P9QcG8OGr7Px2rhz9hT51wtnHlavi+y32HVmoqqW1KYhY2r2GmKK+aE+YUakM5ghnoKl0lvSXNPn/S3IQx4gZg4oyLXz4u0R1cyOnAUBHg1zAIvy3ntw62tEIhoGDmbw== user_00@lyj1
[user_00@lyj2 .ssh]$ ll -d authorized_keys   # check the permissions (644) and owner/group (user_00) of authorized_keys
-rw-r--r--. 1 user_00 user_00 805 11月 26 09:52 authorized_keys
[user_00@lyj1 .ssh]$ ll -d authorized_keys
-rw-r--r--. 1 user_00 user_00 805 11月 26 00:08 authorized_keys
```
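As an added verification step that is not from the original post: after copying the public keys as above, this POSIX shell script checks on the receiving host that the peer's key is really listed in authorized_keys and that the ~/.ssh directory and the file have the owner and modes sshd's StrictModes requires. The function names, the temporary directory and the key blobs are constructed for the example; it assumes GNU stat (Linux).

```shell
# Added example, not from the original post: after the key exchange above, verify
# on the receiving host that the peer's key is really in authorized_keys and that
# ownership and modes satisfy sshd's StrictModes (a group- or world-writable
# ~/.ssh or authorized_keys makes sshd ignore the file, and the login silently
# falls back to a password prompt). Assumes GNU stat (Linux).

# key_present AUTHORIZED_KEYS PUBKEY_FILE: exit 0 if the key type + blob of the
# first key in PUBKEY_FILE is listed (the trailing comment is ignored), else 1.
key_present() {
  want=$(awk 'NF >= 2 { print $1, $2; exit }' "$2")
  awk -v w="$want" '($1 " " $2) == w { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# writable_by_others MODE: 0 if the octal MODE (e.g. 644, 0775) carries a group
# or world write bit, which is exactly what StrictModes rejects.
writable_by_others() {
  o=${1#"${1%?}"}; g=${1%?}; g=${g#"${g%?}"}
  case "$g$o" in *[2367]*) return 0 ;; *) return 1 ;; esac
}

# check_authorized_keys SSH_DIR OWNER: print each problem, return their count.
check_authorized_keys() {
  bad=0
  for f in "$1" "$1/authorized_keys"; do
    info=$(stat -c '%a %U' "$f" 2>/dev/null) || { echo "$f: missing"; bad=$((bad + 1)); continue; }
    mode=${info%% *}; own=${info#* }
    [ "$own" = "$2" ] || { echo "$f: owned by $own, not $2"; bad=$((bad + 1)); }
    writable_by_others "$mode" && { echo "$f: mode $mode is group/world writable"; bad=$((bad + 1)); }
  done
  return $bad
}

# Constructed sample (fake key blobs, not real keys): server A's ~/.ssh after B's
# public key was appended, plus B's id_rsa.pub as received.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -m 700 "$WORK/.ssh"
echo "ssh-rsa AAAAB3CONSTRUCTED_KEY_B== user_00@lyj2" >"$WORK/peer_id_rsa.pub"
printf '%s\n' "ssh-rsa AAAAB3CONSTRUCTED_KEY_A== user_00@lyj1" \
  "ssh-rsa AAAAB3CONSTRUCTED_KEY_B== user_00@lyj2" >"$WORK/.ssh/authorized_keys"
chmod 644 "$WORK/.ssh/authorized_keys"

key_present "$WORK/.ssh/authorized_keys" "$WORK/peer_id_rsa.pub" && echo "peer key is listed"
check_authorized_keys "$WORK/.ssh" "$(id -un)"; echo "problems with correct modes: $?"
chmod 664 "$WORK/.ssh/authorized_keys"   # the classic mistake: group-writable file
check_authorized_keys "$WORK/.ssh" "$(id -un)"; echo "problems after chmod 664: $?"
chmod 644 "$WORK/.ssh/authorized_keys"
```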
Experiment result: