Linux Ôõô±ÜÃâ ssh ±»±©Á¦Æƽâ
SSH ÊÇÒ»ÖÖÆÕ±éʹÓõÄÐÒ飬ÓÃÓÚÇå¾²µØ»á¼û Linux ЧÀÍÆ÷¡£´ó´ó¶¼Óû§Ê¹ÓÃĬÈÏÉèÖÃµÄ SSH ÅþÁ¬À´ÅþÁ¬µ½Ô¶³ÌЧÀÍÆ÷¡£¿ÉÊÇ£¬²»Çå¾²µÄĬÈÏÉèÖÃÒ²»á´øÀ´ÖÖÖÖÇ徲Σº¦¡£
¾ßÓпª·Å SSH »á¼ûȨÏÞµÄЧÀÍÆ÷µÄ root ÕÊ»§¿ÉÄܱ£´æΣº¦¡£ÓÈÆäÊÇÈôÊÇÄãʹÓõÄÊǹ«¹² IP µØµã£¬ÔòÆƽâ root ÃÜÂëÒªÈÝÒ׵öࡣÒò´Ë£¬ÓÐÐëÒªÏàʶ SSH Çå¾²ÐÔ¡£
ÕâÊÇÔÚ Linux Éϱ£»¤ SSH ЧÀÍÆ÷ÅþÁ¬µÄÒªÁì¡£
1. ½ûÓà root Óû§µÇ¼
Ϊ´Ë£¬Ê×ÏÈ£¬½ûÓà root Óû§µÄ SSH »á¼û²¢½¨ÉèÒ»¸ö¾ßÓÐ root ȨÏÞµÄÐÂÓû§¡£¹Ø±Õ root Óû§µÄЧÀÍÆ÷»á¼ûÊÇÒ»ÖÖ·ÀÓùÕ½ÂÔ£¬¿ÉÒÔ±ÜÃâ¹¥»÷ÕßʵÏÖÈëÇÖϵͳµÄÄ¿µÄ¡£ÀýÈ磬Äã¿ÉÒÔ½¨ÉèÒ»¸öÃûΪ exampleroot µÄÓû§£¬ÈçÏÂËùʾ£º
useradd -m examplerootpasswd examplerootusermod -aG sudo exampleroot
µÇ¼ºó¸´ÖÆ ÒÔÏÂÊÇÉÏÊöÏÂÁîµÄ¼òҪ˵Ã÷£º
useradd ½¨ÉèÒ»¸öÐÂÓû§£¬²¢ÇÒ – m ²ÎÊýÔÚÄ㽨ÉèµÄÓû§µÄÖ÷Ŀ¼Ï½¨ÉèÒ»¸öÎļþ¼Ð¡£
passwd ÏÂÁîÓÃÓÚΪÐÂÓû§·ÖÅÉÃÜÂë¡£Çë¼Ç×Å£¬Äã·ÖÅɸøÓû§µÄÃÜÂëÓ¦¸ÃºÜÖØ´óÇÒÄÑÒÔÍƲ⡣
usermod -aG sudo ½«Ð½¨ÉèµÄÓû§Ìí¼Óµ½ÖÎÀíÔ±×é¡£
ÔÚÓû§½¨ÉèÀú³ÌÖ®ºó£¬ÐèÒª¶Ô sshd_config Îļþ¾ÙÐÐһЩ¸ü¸Ä¡£Äã¿ÉÒÔÔÚ / etc/ssh/sshd_config ÕÒµ½´ËÎļþ¡£Ê¹ÓÃÈκÎÎı¾±à¼Æ÷·¿ªÎļþ²¢¶ÔÆä¾ÙÐÐÒÔϸü¸Ä£º
# Authentication: #LoginGraceTime 2m PermitRootLogin no AllowUsers exampleroot
µÇ¼ºó¸´ÖÆ
PermitRootLogin Ðн«×èÖ¹ root Óû§Ê¹Óà SSH »ñµÃÔ¶³Ì»á¼û¡£ÔÚ AllowUsers ÁбíÖаüÀ¨ exampleroot »áÏòÓû§ÊÚÓèÐëÒªµÄȨÏÞ¡£
×îºó£¬Ê¹ÓÃÒÔÏÂÏÂÁîÖØÆô SSH ЧÀÍ£º
> rumenz@rumenz /home/rumenz/www.rumenz.com > sudo systemctl restart ssh
µÇ¼ºó¸´ÖÆ
ÈôÊÇʧ°Ü²¢ÇÒÄãÊÕµ½¹ýʧÐÂÎÅ£¬ÇëʵÑéÒÔÏÂÏÂÁî¡£Õâ¿ÉÄÜÒòÄãʹÓÃµÄ Linux ¿¯Ðаæ¶øÒì¡£ÁíÍ⣬ËÑË÷ÃñÖÚºÅLinux¾Í¸ÃÕâÑùѧºǫ́»Ø¸´¡°Linux¡±£¬»ñÈ¡Ò»·Ý¾ªÏ²Àñ°ü¡£
> rumenz@rumenz /home/rumenz/www.rumenz.com> sudo systemctl restart sshd
µÇ¼ºó¸´ÖÆ
2. ¸ü¸ÄĬÈ϶˿Ú
ĬÈ쵀 SSH ÅþÁ¬¶Ë¿ÚÊÇ 22¡£ËäÈ»£¬ËùÓеĹ¥»÷Õ߶¼ÖªµÀÕâÒ»µã£¬Òò´ËÐèÒª¸ü¸ÄĬÈ϶˿ںÅÒÔÈ·±£ SSH Çå¾²¡£Ö»¹Ü¹¥»÷Õß¿ÉÒÔͨ¹ý Nmap ɨÃèÇáËÉÕÒµ½ÐµĶ˿ںţ¬µ«ÕâÀïµÄÄ¿µÄÊÇÈù¥»÷ÕßµÄÊÂÇéÔ½·¢ÄÑÌâ¡£
Òª¸ü¸Ä¶Ë¿ÚºÅ£¬Çë·¿ª / etc/ssh/sshd_config ²¢¶ÔÎļþ¾ÙÐÐÒÔϸü¸Ä£º
Include /etc/ssh/sshd_config.d/*.confPort 22099
µÇ¼ºó¸´ÖÆ
ÔÚÕâÒ»²½Ö®ºó£¬Ê¹Óà sudo systemctl restart ssh ÔÙ´ÎÖØÆô SSH ЧÀÍ¡£ÏÖÔÚÄã¿ÉÒÔʹÓøոսç˵µÄ¶Ë¿Ú»á¼ûÄãµÄЧÀÍÆ÷¡£ÈôÊÇÄãʹÓõÄÊÇ·À»ðǽ£¬Ôò»¹±ØÐèÔÚ´Ë´¦¾ÙÐÐÐëÒªµÄ¹æÔò¸ü¸Ä¡£ÔÚÔËÐÐ netstat -tlpn ÏÂÁîʱ£¬Äã¿ÉÒÔ¿´µ½ÄãµÄ SSH ¶Ë¿ÚºÅÒѸü¸Ä¡£
3. եȡʹÓÿÕȱÃÜÂëµÄÓû§»á¼û
ÔÚÄãµÄϵͳÉÏ¿ÉÄÜÓÐÄ㲻СÐĽ¨ÉèµÄûÓÐÃÜÂëµÄÓû§¡£Òª±ÜÃâ´ËÀàÓû§»á¼ûЧÀÍÆ÷£¬Äã¿ÉÒÔ½« sshd_config ÎļþÖÐµÄ PermitEmptyPasswords ÐÐÖµÉèÖÃΪ no¡£
PermitEmptyPasswords no
µÇ¼ºó¸´ÖÆ
4. ÏÞÖƵǼ / »á¼ûʵÑé
ĬÈÏÇéÐÎÏ£¬Äã¿ÉÒÔƾ֤ÐèҪʵÑé¶à´ÎÊäÈëÃÜÂëÀ´»á¼ûЧÀÍÆ÷¡£¿ÉÊÇ£¬¹¥»÷Õß¿ÉÒÔʹÓôËÎó²î¶ÔЧÀÍÆ÷¾ÙÐб©Á¦Æƽ⡣ͨ¹ýÖ¸¶¨ÔÊÐíµÄÃÜÂëʵÑé´ÎÊý£¬Äã¿ÉÒÔÔÚʵÑéÒ»¶¨´ÎÊýºó×Ô¶¯ÖÕÖ¹ SSH ÅþÁ¬¡£
Å£±Æ°¡£¡½Ó˽»î±Ø±¸µÄ N ¸ö¿ªÔ´ÏîÄ¿£¡¸ÏæÕä²Ø°É
µÇ¼ºó¸´ÖÆ
Ϊ´Ë£¬Çë¸ü¸Ä sshd_config ÎļþÖÐµÄ MaxAuthTries Öµ¡£
MaxAuthTries 3
µÇ¼ºó¸´ÖÆ
5. ʹÓà SSH °æ±¾ 2
SSH µÄµÚ¶þ¸ö°æ±¾Ðû²¼ÊÇÓÉÓÚµÚÒ»¸ö°æ±¾Öб£´æÐí¶àÎó²î¡£Ä¬ÈÏÇéÐÎÏ£¬Äã¿ÉÒÔͨ¹ý½« Protocol ²ÎÊýÌí¼Óµ½ sshd_config ÎļþÀ´ÆôÓÃЧÀÍÆ÷ʹÓõڶþ¸ö°æ±¾¡£ÕâÑù£¬ÄãδÀ´µÄËùÓÐÅþÁ¬¶¼½«Ê¹Óõڶþ¸ö°æ±¾µÄ SSH¡£
Include /etc/ssh/sshd_config.d/*.conf Protocol 2
µÇ¼ºó¸´ÖÆ
6. ¹Ø±Õ TCP ¶Ë¿Úת·¢ºÍ X11 ת·¢
¹¥»÷Õß¿ÉÒÔʵÑéͨ¹ý SSH ÅþÁ¬µÄ¶Ë¿Úת·¢À´»á¼ûÄãµÄÆäËûϵͳ¡£ÎªÁ˱ÜÃâÕâÖÖÇéÐΣ¬Äã¿ÉÒÔÔÚ sshd_config ÎļþÖÐ¹Ø±Õ AllowTcpForwarding ºÍ X11Forwarding ¹¦Ð§¡£
X11Forwarding no AllowTcpForwarding no
µÇ¼ºó¸´ÖÆ
7. ʹÓà SSH ÃÜÔ¿ÅþÁ¬
ÅþÁ¬µ½Ð§ÀÍÆ÷µÄ×îÇå¾²ÒªÁìÖ®Ò»ÊÇʹÓà SSH ÃÜÔ¿¡£Ê¹Óà SSH ÃÜԿʱ£¬ÎÞÐèÃÜÂë¼´¿É»á¼ûЧÀÍÆ÷¡£ÁíÍ⣬Äã¿ÉÒÔͨ¹ý¸ü¸Ä sshd_config ÎļþÖÐÓëÃÜÂëÏà¹ØµÄ²ÎÊýÀ´ÍêÈ«¹Ø±Õ¶ÔЧÀÍÆ÷µÄÃÜÂë»á¼û¡£
½¨Éè SSH ÃÜԿʱ£¬ÓÐÁ½¸öÃÜÔ¿£ºPublic ºÍ Private¡£¹«Ô¿½«ÉÏ´«µ½ÄãÒªÅþÁ¬µÄЧÀÍÆ÷£¬¶ø˽ԿÔò´æ´¢ÔÚÄ㽫ÓÃÀ´½¨ÉèÅþÁ¬µÄÅÌËã»úÉÏ¡£
ÔÚÄãµÄÅÌËã»úÉÏʹÓà ssh-keygen ÏÂÁÉè SSH ÃÜÔ¿¡£²»Òª½«ÃÜÂë¶ÌÓï×Ö¶ÎÁô¿Õ²¢¼Ç×ÅÄãÔÚ´Ë´¦ÊäÈëµÄÃÜÂë¡£ÈôÊǽ«ÆäÁô¿Õ£¬Ä㽫ֻÄÜʹÓà SSH ÃÜÔ¿Îļþ»á¼ûËü¡£¿ÉÊÇ£¬ÈôÊÇÄãÉèÖÃÁËÃÜÂ룬Ôò¿ÉÒÔ±ÜÃâÓµÓÐÃÜÔ¿ÎļþµÄ¹¥»÷Õß»á¼ûËü¡£ÀýÈ磬Äã¿ÉÒÔʹÓÃÒÔÏÂÏÂÁÉè SSH ÃÜÔ¿£º
ssh-keygen
µÇ¼ºó¸´ÖÆ
8. SSH ÅþÁ¬µÄ IP ÏÞÖÆ
´ó´ó¶¼ÇéÐÎÏ£¬·À»ðǽʹÓÃ×Ô¼ºµÄ±ê×¼¿ò¼Ü×èÖ¹»á¼û£¬Ö¼ÔÚ±£»¤Ð§ÀÍÆ÷¡£¿ÉÊÇ£¬Õâ²¢²»×ÜÊÇ×ã¹»µÄ£¬ÄãÐèÒªÔöÌíÕâÖÖÇ徲DZÁ¦¡£
Ϊ´Ë£¬Çë·¿ª / etc/hosts.allow Îļþ¡£Í¨¹ý¶Ô¸ÃÎļþ¾ÙÐеÄÌí¼Ó£¬Äã¿ÉÒÔÏÞÖÆ SSH ȨÏÞ£¬ÔÊÐíÌض¨ IP ¿é£¬»òÊäÈëµ¥¸ö IP ²¢Ê¹ÓþܾøÏÂÁî×èÖ¹ËùÓÐÊ£ÓàµÄ IP µØµã¡£
ÏÂÃæÄ㽫¿´µ½Ò»Ð©Ê¾ÀýÉèÖá£Íê³ÉÕâЩ֮ºó£¬ÏñÍù³£Ò»ÑùÖØÐÂÆô¶¯ SSH ЧÀÍÒÔÉúÑĸü¸Ä¡£
ÒÔÉϾÍÊÇLinux Ôõô±ÜÃâ ssh ±»±©Á¦ÆƽâµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡