[SSH Service]: some security configuration and supplementary experiments

SSH security and configuration

Reposted from http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/

        Regarding some of the code examples listed earlier, many system administrators are concerned about the security implementation of SSH usage and features. Although the common SSH security and remote-host security methods have been explained both verbally and in writing, below is a series of procedures and configurations that can be used to strengthen SSH security for remote host access:

  • Restrict the root account to console access only:
    # vi /etc/ssh/sshd_config
    PermitRootLogin no

  • Create public/private key pairs using a strong passphrase and password protection for the private key (never generate a key pair without a passphrase, or a login with no passphrase and no key):
    (Use a higher bit rate for the encryption for more security)
    ssh-keygen -t rsa -b 4096

  • Configure TCP wrappers to allow only selected remote hosts and deny undesirable ones:
    # vi /etc/hosts.deny
    ALL: 192.168.200.09		# IP Address of badguy

  • On workstations or laptops, turn off the SSH service to disable the SSH server, then remove the SSH server package:
    # chkconfig sshd off 
    # yum erase openssh-server

  • Restrict SSH access by controlling user access:
    # vi /etc/ssh/sshd_config 
    AllowUsers fsmythe bnice swilson
    DenyUsers jhacker joebadguy jripper

  • Use only SSH Protocol 2:
    # vi /etc/ssh/sshd_config
    Protocol 2

  • Do not allow idle sessions; configure the Idle Log Out Timeout interval:
    # vi /etc/ssh/sshd_config
    ClientAliveInterval 600		# (Set to 600 seconds = 10 minutes)
    ClientAliveCountMax 0

  • Disable host-based authentication:
    # vi /etc/ssh/sshd_config
    HostbasedAuthentication no

  • Disable users' .rhosts files:
    # vi /etc/ssh/sshd_config
    IgnoreRhosts yes

  • Configure the firewall to accept SSH connections only from known network segments:
    Update /etc/sysconfig/iptables (Redhat specific file) to accept connection only 
    from 192.168.100.0/24 and 209.64.100.5/27, enter:
    
    -A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    -A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT

  • Restrict the available interfaces SSH will listen on and bind to:
    # vi /etc/ssh/sshd_config
    ListenAddress 192.168.100.17
    ListenAddress 209.64.100.15

  • Set a user policy that enforces strong passwords to guard against brute-force attacks, social engineering attempts, and dictionary attacks:
    # < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
    oP0FNAUt[

  • Use a chrooted SSHD to confine SFTP users to their own home directories:
    # vi /etc/ssh/sshd_config 
    ChrootDirectory /data01/home/%u
    X11Forwarding no
    AllowTcpForwarding no

  • Disable empty passwords:
    # vi /etc/ssh/sshd_config
    PermitEmptyPasswords no

  • Rate-limit the number of incoming connections to port 2022 within a given time window:
    Redhat iptables example (Update /etc/sysconfig/iptables): 
    
    -A INPUT  -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min
    --limit-burst 3 -j ACCEPT
    
    -A INPUT  -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

  • Configure iptables so that only three connection attempts on port 2022 are allowed within 30 seconds:
    Redhat iptables example (Update /etc/sysconfig/iptables): 
    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
    
    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update 
    --seconds 30 --hitcount 3 -j DROP

  • Use a log analyzer such as logcheck, loggrep, splunk or logwatch to better understand the logs and produce log reports. In addition, increase logging verbosity within the SSH application itself:
    Installation of the logwatch package on Redhat Linux 
    # yum install logwatch

  • 經過配置增長 SSH 日誌記錄的詳細度:
    # vi /etc/ssh/sshd_config
    LogLevel DEBUG

  • Always keep the SSH packages and the libraries they need up to date with patches:
    # yum update openssh-server openssh openssh-clients -y

  • Hiding the OpenSSH version requires the SSH source code and a recompile. Then make the following updates:
    # vi /etc/ssh/sshd_config
    VerifyReverseMapping yes	# Turn on  reverse name checking
    UsePrivilegeSeparation yes	# Turn on privilege separation
    StrictModes yes			# Prevent the use of insecure home directory    
    				# and key file permissions
    AllowTcpForwarding no		# Turn off , if at all possible 
    X11Forwarding no		# Turn off , if at all possible
    PasswordAuthentication no	# Specifies whether password authentication is 
    				# allowed.  The default is yes. Users must have 
    				# another authentication method available .

  • Remove the rlogin and rsh binaries from the system and replace them with a symlink to SSH:
    # find /usr -name rsh
    /usr/bin/rsh
    # rm -f /usr/bin/rsh
    # ln -s /usr/bin/ssh /usr/bin/rsh

    SSH supports many different authentication methods and technologies that can be enabled or disabled. In the /etc/ssh/sshd_config file you make these configuration changes by entering the keyword listed for the authentication method, immediately followed by yes or no. Here are some common configuration changes:

# RSAAuthentication yes		
# PubkeyAuthentication yes		
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes
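As an added example (not code from the IBM article or from this post), here is a small POSIX shell helper that audits an sshd_config against the directives recommended in the hardening list above and in the authentication snippet. It assumes only awk, tr and mktemp, mimics sshd's rule that the first occurrence of a keyword wins (Match blocks are not handled), and for the idle time-out follows the current OpenSSH sshd_config(5) manual, which states that a ClientAliveCountMax of 0 disables connection termination rather than enforcing it. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening list above.
# Illustrative helper, not part of the article or of OpenSSH itself.

# sshd uses the FIRST occurrence of a keyword (later duplicates are ignored),
# keywords are case-insensitive and '#' starts a comment; mimic that here.
# Match blocks are not interpreted.
effective_value() {            # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per finding (MISSING or WEAK); return the number of findings.
audit_sshd_config() {          # $1 = config file
    cfg="$1"; findings=0
    while IFS='|' read -r key want why; do
        got="$(effective_value "$cfg" "$key")"
        got_lc="$(printf '%s' "$got" | tr 'A-Z' 'a-z')"
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want): $why"; findings=$((findings + 1))
        elif [ "$got_lc" != "$want" ]; then
            echo "WEAK    $key=$got (want $want): $why"; findings=$((findings + 1))
        fi
    done <<'EOF'
PermitRootLogin|no|root should only be used on the console
Protocol|2|SSH protocol 1 is obsolete
PermitEmptyPasswords|no|empty passwords must be refused
HostbasedAuthentication|no|host-based trust is easily spoofed
IgnoreRhosts|yes|per-user .rhosts files must be ignored
PasswordAuthentication|no|keys only; removes the brute-force surface
X11Forwarding|no|turn off if at all possible
AllowTcpForwarding|no|turn off if at all possible
EOF
    # Idle time-out: the current OpenSSH manual says ClientAliveCountMax 0
    # DISABLES termination, so insist on a positive count and a positive interval.
    interval="$(effective_value "$cfg" ClientAliveInterval)"
    count="$(effective_value "$cfg" ClientAliveCountMax)"
    if [ "${interval:-0}" -le 0 ] || [ "${count:-0}" -le 0 ]; then
        echo "WEAK    ClientAliveInterval=${interval:-unset} ClientAliveCountMax=${count:-unset}: idle sessions never time out"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Convenience wrapper that prints only the finding count (always exits 0).
finding_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Constructed sample configs (not from any real host) so the example runs offline.
write_sample_configs() {       # prints: <weak file> <hardened file>
    weak="$(mktemp)"; hard="$(mktemp)"
    cat >"$weak" <<'EOF'
# constructed, distribution-default-like sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# the next line is ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin no
EOF
    cat >"$hard" <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 600
ClientAliveCountMax 1
EOF
    echo "$weak $hard"
}

set -- $(write_sample_configs)
echo "== weak config ==";     audit_sshd_config "$1" || true
echo "== hardened config =="; audit_sshd_config "$2" || true
```

Against a real host, run `audit_sshd_config /etc/ssh/sshd_config`, and after editing validate the file with `sshd -t -f /etc/ssh/sshd_config` before restarting the daemon: several keywords quoted on this page (Protocol, RSAAuthentication, RhostsRSAAuthentication, UsePrivilegeSeparation, VerifyReverseMapping) come from older OpenSSH releases; a current sshd only warns about the deprecated ones but refuses to start on a keyword it no longer recognises at all.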

  The AllowedAuthentications and RequiredAuthentications keywords in the sshd_config file determine which authentication methods and configurations are used for SSH Protocol 2 only; the syntax for them to support password and public-key authentication is as follows:

# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password

 Other / supplementary

1. It is recommended to change the port number to something above 9000

[root@lyj1 ~]# ssh 10.0.80.10
ssh: connect to host 10.0.80.10 port 22: Connection refused

[root@lyj1 ~]# ssh -p 9001 10.0.80.10
The authenticity of host '[10.0.80.10]:9001 ([10.0.80.10]:9001)' can't be established.
RSA key fingerprint is 55:e5:85:f1:45:19:0b:a7:b7:c0:af:fe:f4:57:20:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.80.10]:9001' (RSA) to the list of known hosts.
root@10.0.80.10's password: 


2. Mutual trust experiment between server A and server B

    Experiment description:

  Server A: 10.0.10.158, with the ordinary user user_00

  Server B: 10.0.10.191, with the ordinary user user_00

  Goal: A and B can log in to each other over SSH without a password

[user_00@lyj1 .ssh]$ su - user_00   # switch to user user_00
[user_00@lyj1 .ssh]$ ssh-keygen     # generate the public and private key
......omitted......
[user_00@lyj1 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub

[user_00@lyj1 .ssh]$ su - user_00
[user_00@lyj2 .ssh]$ ssh-keygen
......omitted......
[user_00@lyj2 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub


[user_00@lyj1 .ssh]$ cat -n authorized_keys  # B's public key has been copied into A's authorized_keys
     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKhaOwUKoYkIDMYsja8eJUoJd0rr6C6urPNBEl33d86mWfgt2Qq23krPmxScRMK3QRJV7J1UiWlumwq6PfWkLCU3POlL2goEmgqfeKwn9ZlCTgnB3cjNef/6TdgcOESksj2xsprShBjT5djWC82xQbmieNHK+MiMwtvz1ITm4ZeyVfZgRoIRe3Lm1eWaUuMmve0kU7qFOJNvDV0+YHJu+ntOvpz17NXLHhzzWbHk9Ulnbz5brBPwQ8xBdFt+DSLYZMFNj+EVatvAg0YE5kAMFL6iuA49sgsKL70WN3VaGU++25PdrcU+Bw9YbtgmXGBzcbhjcWf8HdK22QuPOS+3jw== user_00@lyj2

[user_00@lyj2 .ssh]$ cat -n authorized_keys  # A's public key has been copied into B's authorized_keys
     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwijcQXHMCIPupkTQm0q6S/BmKm9qL5yjxftCr2P0Ql+6+ZCL7Infv3DSL9qsRVkrOAgx0ADFA+qJ3vfN2EWux/yqRF6pjkQqFbW7CLu963O4ZmQjsVkzovWGen1rXI7yfZ342NPjmrGllqFFJxkQ210xztl/z0go1EZrN0GC2RQV/HLC7HQdgh9fzQXIdcJhfEga6WMh/uMCVZz/yWcaN0P9QcG8OGr7Px2rhz9hT51wtnHlavi+y32HVmoqqW1KYhY2r2GmKK+aE+YUakM5ghnoKl0lvSXNPn/S3IQx4gZg4oyLXz4u0R1cyOnAUBHg1zAIvy3ntw62tEIhoGDmbw== user_00@lyj1

[user_00@lyj2 .ssh]$ ll -d authorized_keys   # check the permissions (644) and owner/group (user_00) of the authorized_keys file
-rw-r--r--. 1 user_00 user_00 805 11月 26 09:52 authorized_keys

[user_00@lyj1 .ssh]$ ll -d authorized_keys 
-rw-r--r--. 1 user_00 user_00 805 11月 26 00:08 authorized_keys
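To complement the permission and ownership check at the end of the experiment (and the StrictModes setting from the list above), here is an added shell example that is not part of the original post. It checks a user's authorized_keys the way StrictModes does (owned by the user, neither group- nor world-writable) and validates each key line structurally: the base64 blob of an OpenSSH public key starts with the length-prefixed key-type string, which must agree with the first field of the line. The sample directory and key lines are constructed; the blobs are truncated to the type header and are not usable keys. Lines carrying option prefixes such as from= or command= are not parsed by this helper.

```shell
#!/bin/sh
# Added example (not from the original post): StrictModes-style checks on
# authorized_keys plus a structural validation of each key line.

# 0 if $1 is owned by $2 and neither group- nor world-writable (what StrictModes
# demands); parses `ls -ld` so it works on GNU and BSD userlands alike.
check_strict_modes() {           # $1 = path, $2 = expected owner
    path="$1"; want="$2"
    line="$(ls -ld "$path")" || return 1
    mode="$(printf '%s\n' "$line" | cut -c1-10)"
    owner="$(printf '%s\n' "$line" | awk '{ print $3 }')"
    case "$mode" in
        ?????w????) echo "$path: group-writable"; return 1 ;;
        ????????w?) echo "$path: world-writable"; return 1 ;;
    esac
    [ "$owner" = "$want" ] || { echo "$path: owned by $owner, expected $want"; return 1; }
    return 0
}

# 0 if one authorized_keys line is well formed: known key type, and the blob's
# wire format (4-byte big-endian length, then the type name) names the same
# type. Lines carrying options (from=..., command=...) are not handled here.
valid_key_line() {               # $1 = one line of authorized_keys
    type="${1%% *}"
    rest="${1#* }"
    blob="${rest%% *}"
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    decoded="$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count=${#type} 2>/dev/null)"
    [ "$decoded" = "$type" ]
}

# Print one line per malformed entry; return the number of malformed entries.
audit_authorized_keys() {        # $1 = authorized_keys file
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        valid_key_line "$line" || { echo "line $n: malformed or type/blob mismatch"; bad=$((bad + 1)); }
    done <"$1"
    return "$bad"
}
bad_line_count() { audit_authorized_keys "$1" | awk 'END { print NR }'; }

# Constructed sample ~/.ssh: the blobs are only the type header of a key,
# enough for the structural check, and are NOT usable public keys.
make_sample_sshdir() {           # prints the directory path
    dir="$(mktemp -d)"
    chmod 700 "$dir"
    cat >"$dir/authorized_keys" <<'EOF'
# constructed entries
ssh-rsa AAAAB3NzaC1yc2E= userA@lyj1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 userB@lyj2
ssh-rsa AAAAC3NzaC1lZDI1NTE5 type-does-not-match-blob
EOF
    chmod 644 "$dir/authorized_keys"
    echo "$dir"
}

d="$(make_sample_sshdir)"
check_strict_modes "$d/authorized_keys" "$(id -un 2>/dev/null || id -u)" && echo "permissions OK"
audit_authorized_keys "$d/authorized_keys" || echo "$? malformed line(s)"
```

On a real account the call is `check_strict_modes ~/.ssh/authorized_keys "$USER"` followed by `audit_authorized_keys ~/.ssh/authorized_keys`; a group- or world-writable file or wrong owner is exactly what makes sshd with StrictModes yes silently ignore the keys, which shows up as an unexpected password prompt like the one in the first experiment.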

Experiment results:
