Category: LINUX

2011-05-27 14:20:06

Installing SSH on Fedora and the recommended configuration
2010-05-18 17:18

Make sure OpenSSH is already installed on your server. If no SSH server is installed, run the following commands:

yum install openssh-server

/etc/init.d/sshd start

The whole process

Most of the configuration below is done in /etc/ssh/sshd_config; access control by address is configured in /etc/hosts.allow and /etc/hosts.deny.

Implementation steps

All of the following steps are applied on the SSH server; together they are a sensible way of keeping malicious attacks out.

1. Change the default port;
2. Disable the insecure protocol 1 and allow only protocol 2;
3. Disable root login;
4. Reduce the number of failed login attempts;
5. Reduce the number of users logging in at the same time;
6. Reduce the login grace time;
7. Install DenyHosts;
8. Allow only certain users or groups to log in;
9. Allow only certain IPs to connect;
10. Allow key-based login only;
11. Bind the SSH server to a single network interface.

Details

1: A large number of attacks come from zombie machines scanning port 22. Changing the default port reduces those attacks. Edit /etc/ssh/sshd_config and change Port 22 to another port, for example Port 2222:

#Port 22

Port 2222

2: SSH sessions come in two protocol versions; protocol 1 is insecure and protocol 2 is more secure, so edit /etc/ssh/sshd_config to allow only protocol 2:

#Protocol 2,1

Protocol 2

3: There is no reason for anyone to log in as root, so disable it: log in as a normal user and then use su to obtain root privileges. Edit sshd_config:

#PermitRootLogin yes

PermitRootLogin no

If you need remote backups that require root to log in remotely, you can permit it with an SSH key only, so root can log in without typing a password. Do it like this:

PermitRootLogin forced-commands-only

 

4: Reduce the number of failed login attempts from the default 6 to 2. Edit sshd_config:

#MaxAuthTries 6

MaxAuthTries 2

5: Limit the number of users logging in at the same time; this limits script-kiddie attacks. Edit sshd_config and change the default 10 to 3:50:10, where the 3 means at most three logins may be in progress at the same time:

#MaxStartups 10

MaxStartups 3:50:10

6: Reduce the time allowed for an unsuccessful login, normally two minutes, to 30 seconds:

#LoginGraceTime 2m

LoginGraceTime 30
7: Install the "denyhosts" server, which watches the /var/log/secure logfile for invalid ssh login attempts; if a configurable threshold is crossed, the offending hosts are automatically blocked by being added to /etc/hosts.deny. Install denyhosts, and optionally edit the good default configuration in /etc/denyhosts.conf:

yum install denyhosts

chkconfig denyhosts on

/etc/init.d/denyhosts start
8: By default, all valid users on the system are allowed to log in. A more secure policy is to only allow a whitelist of users or groups to log in. For example, to allow only the users "john", "mary", "joeblow", "joeschmoe", "joejoe", and any username that starts with "joe" to login, add the following line to sshd_config:
AllowUsers john mary joe*
Alternatively, you may instead allow only users who are members of certain groups to login. For example, to allow only the members of the "sshusers" group to connect, first make sure the group exists (groupadd sshusers) and add your users to it (usermod -a -G sshusers username), then add the following line to sshd_config:

AllowGroups sshusers

9: Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY to be effective. Edit /etc/hosts.deny and add the following line:

sshd: ALL

Next add to /etc/hosts.allow the networks you wish to allow. For example, to allow all 253 hosts on the class C network "192.168.1.*", all 16 million hosts from the class A network "10.0.0.0", and the lonely IP 24.42.69.101, you would add the following to /etc/hosts.allow:

sshd: 192.168.1.0/255.255.255.0

sshd: 10.0.0.0/255.0.0.0

sshd: 24.42.69.101

You may also allow/deny connections via a firewall, but to maintain sanity it's best to stick to one method or the other.

10: To remove the possibility of anybody ever guessing a user's password, disable password authentication completely, and require that public/private key pairs be used instead. While much more secure than passwords, a user's private key can still be compromised, especially if not protected by a passphrase. To disable password logins, add the following to sshd_config:

PasswordAuthentication no

11: By default, the ssh server listens for connections on ALL interfaces (0.0.0.0). If an ssh server is to be accessible only internally, bind it to a LAN IP. For example, edit sshd_config:

ListenAddress 192.168.1.10
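As an added example (not part of the original post), a small POSIX shell audit that reads an sshd_config and reports which of steps 1 to 6, 8, 10 and 11 above are still at a weak or default value. It assumes sshd's rule that the first uncommented occurrence of a keyword wins, and the two sample config files it checks are constructed inline.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening steps above (added example, not from the post).
# audit_sshd_config FILE prints one line per weak or missing setting; exit 1 if any, 0 if clean.
# effective_value FILE KEYWORD: value of the first uncommented KEYWORD line. sshd takes the
# first match, keywords are case-insensitive, and "#Port 22" is a comment (default applies).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == key { print $2; exit }' "$1"
}
audit_sshd_config() {
    cfg="$1"; bad=0
    fail() { echo "$1"; bad=$((bad + 1)); }
    case "$(effective_value "$cfg" Port)" in
        ""|22) fail "Port: still the default 22 (step 1)" ;;
    esac
    case "$(effective_value "$cfg" Protocol)" in
        2) ;; *) fail "Protocol: must be set to exactly 2 (step 2)" ;;
    esac
    case "$(effective_value "$cfg" PermitRootLogin)" in
        no|forced-commands-only) ;; *) fail "PermitRootLogin: root may log in directly (step 3)" ;;
    esac
    v=$(effective_value "$cfg" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 2 ] 2>/dev/null || fail "MaxAuthTries: ${v:-6} > 2 (step 4)"
    v=$(effective_value "$cfg" MaxStartups)
    [ -n "$v" ] && [ "${v%%:*}" -le 3 ] 2>/dev/null || fail "MaxStartups: ${v:-10} > 3 (step 5)"
    v=$(effective_value "$cfg" LoginGraceTime)
    case "$v" in *m) v=$(( ${v%m} * 60 )) ;; *s) v=${v%s} ;; esac   # normalise to seconds
    [ -n "$v" ] && [ "$v" -le 30 ] 2>/dev/null || fail "LoginGraceTime: ${v:-120}s > 30s (step 6)"
    [ -n "$(effective_value "$cfg" AllowUsers)$(effective_value "$cfg" AllowGroups)" ] ||
        fail "AllowUsers/AllowGroups: no whitelist, every valid account may log in (step 8)"
    [ "$(effective_value "$cfg" PasswordAuthentication)" = no ] ||
        fail "PasswordAuthentication: not 'no', passwords can still be guessed (step 10)"
    case "$(effective_value "$cfg" ListenAddress)" in
        ""|0.0.0.0) fail "ListenAddress: listening on all interfaces (step 11)" ;;
    esac
    [ "$bad" -eq 0 ]
}
# count_findings FILE: number of findings as a plain integer, for scripting.
count_findings() { audit_sshd_config "$1" | awk 'END { print NR }'; }
# Constructed sample configs (not from a real host): a stock-style file with every
# recommendation still commented out, and one with the settings from the post applied.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' '#MaxAuthTries 6' \
    '#MaxStartups 10' '#LoginGraceTime 2m' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' 'MaxAuthTries 2' \
    'MaxStartups 3:50:10' 'LoginGraceTime 30' 'AllowGroups sshusers' \
    'PasswordAuthentication no' 'ListenAddress 192.168.1.10' > "$HARDENED_CFG"
audit_sshd_config "$WEAK_CFG" || echo "weak config: fix the findings above"
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: all checks pass"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` from the same shell, and re-run after the sshd restart in the troubleshooting section to confirm nothing was lost.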

Troubleshooting

How to test

1: If your changes don't seem to be working, remember to restart the sshd server, but DO NOT CLOSE THE ACTIVE SSH CONNECTION in case something goes wrong; attempt to make a new connection first, and undo any changes if necessary, or you may find that you've remotely locked yourself out of the system.

/etc/init.d/sshd restart

 
