
Installing SSH on Fedora and recommended configuration

Date: 2017/2/28 16:29:50   Editor: Linux教程網

Make sure openssh is installed on your server

An SSH server must be installed; if it is not, run the following commands:

yum install openssh-server

/etc/init.d/sshd start

Overview

Most of the settings below live in /etc/ssh/sshd_config; address-based access control is configured in /etc/hosts.allow and /etc/hosts.deny.

Steps

All of the following steps are applied on the SSH server; they are a sensible way to block malicious attacks.

1. Change the default port;

2. Disable the insecure protocol 1 and allow only protocol 2;

3. Disable root login;

4. Reduce the number of invalid login attempts;

5. Reduce the number of simultaneous logins;

6. Reduce the time allowed to log in;

7. Install DenyHosts;

8. Allow only certain users or groups to log in;

9. Allow only certain IPs to connect;

10. Allow key-based login only;

11. Bind the SSH server to a single network interface.

Details

1: Many attacks come from zombie machines probing port 22. Changing the default port reduces these attacks. Edit /etc/ssh/sshd_config and change Port 22 to Port 22222.

#Port 22
Port 2222

2: SSH has two protocol versions; protocol 1 is insecure and protocol 2 is safer, so edit /etc/ssh/sshd_config to allow only protocol 2.

#Protocol 2,1
Protocol 2

3: There is no reason for anyone to log in as root, so disable it: log in as an ordinary user and then use su to obtain root privileges. Edit sshd_config:

#PermitRootLogin yes
PermitRootLogin no

If you need remote backups that require root to log in remotely, you can let root in with an ssh key only, so it logs in without entering a password. Do it like this:

PermitRootLogin forced-commands-only

4: Reduce the number of invalid login attempts from the default 6 to 2. Edit sshd_config:

#MaxAuthTries 6
MaxAuthTries 2

5: Limit the number of users logging in at the same time, which limits script-kiddie attacks. Edit sshd_config and change the default 10 to 3:50:10; the 3 means at most three connections may be logging in at the same time.

#MaxStartups 10
MaxStartups 3:50:10

6: Reduce the time allowed for an unsuccessful login, normally two minutes, to 30 seconds.

#LoginGraceTime 2m
LoginGraceTime 30
7:Install the "denyhosts" server which watches the /var/log/secure logfile for invalid ssh login attempts, and if a configurable threshold is crossed, they are automatically blocked by being added to /etc/hosts.deny. Install denyhosts, and optionally edit the good default configuration in /etc/denyhosts.conf:

yum install denyhosts
chkconfig denyhosts on
/etc/init.d/denyhosts start
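As an added example (not from the original page and not the denyhosts project's code), the following POSIX sh script does the counting that denyhosts automates: it reads sshd log lines in /var/log/secure format from stdin, counts "Failed password" events per source address, and prints the addresses at or above a threshold as hosts.deny lines. The log lines in SAMPLE_SECURE, the addresses in them, and the function names are constructed for the demonstration; on a real system you would redirect the log into the functions, for example deny_lines 5 < /var/log/secure.

```shell
#!/bin/sh
# Added example, not the denyhosts project's code: the threshold logic that
# denyhosts automates. Reads sshd log lines in /var/log/secure format from
# stdin, counts "Failed password" events per source address, and prints the
# addresses at or above a threshold as hosts.deny lines.

# Constructed sample lines in /var/log/secure format (not real log data).
SAMPLE_SECURE='Feb 28 16:20:01 fedora sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Feb 28 16:20:03 fedora sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Feb 28 16:20:05 fedora sshd[2311]: Failed password for root from 203.0.113.9 port 51030 ssh2
Feb 28 16:21:10 fedora sshd[2320]: Accepted publickey for mary from 192.168.1.55 port 40000 ssh2
Feb 28 16:22:00 fedora sshd[2330]: Failed password for mary from 192.168.1.55 port 40100 ssh2
Feb 28 16:22:40 fedora sshd[2340]: Invalid user oracle from 198.51.100.7
Feb 28 16:22:41 fedora sshd[2340]: Failed password for invalid user oracle from 198.51.100.7 port 33000 ssh2'

# failed_logins_by_ip < LOG: prints "count address" per source, highest count first
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the address is the field after "from", whatever the user part looks like
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# offenders THRESHOLD < LOG: addresses with at least THRESHOLD failures
offenders() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_lines THRESHOLD < LOG: the same addresses, formatted for /etc/hosts.deny
deny_lines() {
    offenders "$1" | sed 's/^/sshd: /'
}

# stand-alone demonstration on the sample data: prints "sshd: 203.0.113.9"
printf '%s\n' "$SAMPLE_SECURE" | deny_lines 3
```

The "Accepted publickey" line and the lone "Invalid user" line are ignored on purpose here; the real denyhosts also counts invalid-user attempts, applies separate thresholds for valid and invalid usernames, and honours an allowed-hosts list, so treat this as the core of the idea rather than a replacement for the package.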
8: By default, all valid users on the system are allowed to log in. A more secure policy is to only allow a whitelist of users or groups to log in. For example, to allow only the users "john", "mary", "joeblow", "joeschmoe", "joejoe", and any username that starts with "joe" to login, add the following line to sshd_config:
AllowUsers john mary joe*
Alternatively, you may instead allow only users who are members of certain groups to login. For example, to allow only the members of the "sshusers" group to connect, first make sure the group exists (groupadd sshusers) and add your users to it (usermod -a -G sshusers username), then add the following line to sshd_config:

AllowGroups sshusers
9: Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY to be effective. edit /etc/hosts.deny and add the following line:

sshd: ALL
Next add to /etc/hosts.allow the networks you wish to allow. For example, to allow all 253 hosts on the class C network "192.168.1.*", all 16 million hosts on the class A network "10.0.0.0", and the single IP 24.42.69.101, add the following to /etc/hosts.allow:

sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101
You may also allow/deny connections via a firewall, but to maintain sanity it's best to stick to one method or the other.
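Added example (not from the original page): a small POSIX sh model of how tcp_wrappers evaluates these two files for a client address, with the page's three hosts.allow lines and the sshd: ALL line from hosts.deny embedded as constructed input. It follows the real order of evaluation, hosts.allow first, then hosts.deny, and a client that matches neither file is allowed, which is exactly why the deny-all line has to be there. It goes slightly beyond the page by also handling the net/prefix-length form and the trailing-dot prefix form ("192.168.1."); the function names are the example's own, and it is a model of the matching rules, not libwrap itself.

```shell
#!/bin/sh
# Added example, not from the page: a model of how tcp_wrappers evaluates
# hosts.allow and hosts.deny for one client address. Not libwrap itself.
# The file contents below are the page's rules, embedded as constructed input.

HOSTS_ALLOW='sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101'

HOSTS_DENY='sshd: ALL'

# ip2int DOTTED-QUAD: the address as a 32-bit integer, via shell arithmetic
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# mask2int MASK: dotted-quad netmask or prefix length -> integer mask
mask2int() {
    case $1 in
        *.*) ip2int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# pattern_matches PATTERN IP: the client patterns used on the page (ALL,
# net/mask, exact address) plus net/prefixlen and the "192.168.1." prefix form
pattern_matches() {
    p=$1; a=$2
    case $p in
        ALL) return 0 ;;
        */*) m=$(mask2int "${p#*/}")
             [ $(( $(ip2int "$a") & m )) -eq $(( $(ip2int "${p%/*}") & m )) ] ;;
        *.)  case $a in "$p"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$p" = "$a" ] ;;
    esac
}

# file_matches CONTENT DAEMON IP: true if any "daemon_list : client_list"
# line names DAEMON (or ALL) and one of its client patterns matches IP
file_matches() {
    daemon=$2; ip=$3
    while IFS= read -r line; do
        line=${line%%#*}                                   # strip comments
        case $line in *:*) ;; *) continue ;; esac          # skip blank lines
        dlist=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        case ",$dlist," in *",$daemon,"*|*",ALL,"*) ;; *) continue ;; esac
        for pat in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            pattern_matches "$pat" "$ip" && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# wrapper_decision ALLOW_CONTENT DENY_CONTENT DAEMON IP -> prints allow or deny.
# Real evaluation order: hosts.allow first, then hosts.deny, otherwise allow.
wrapper_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# stand-alone demonstration with the page's rules
for client in 192.168.1.77 10.200.3.4 24.42.69.101 24.42.69.102 172.16.0.1; do
    echo "$client -> $(wrapper_decision "$HOSTS_ALLOW" "$HOSTS_DENY" sshd "$client")"
done
echo "172.16.0.1 with an empty hosts.deny -> $(wrapper_decision "$HOSTS_ALLOW" "" sshd 172.16.0.1)"
```

The last line of the demonstration is the point to remember: with the three hosts.allow rules in place but nothing in hosts.deny, an outside address such as 172.16.0.1 is still admitted, because the default when neither file matches is to allow. The model also shows that "sshd: ALL" in hosts.deny does not touch other wrapped services, which each need their own line.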

10: To remove the possibility of anybody ever guessing a user's password, disable password authentication completely and require that public/private key pairs be used instead. While much more secure than passwords, a user's private key can still be compromised, especially if it is not protected by a passphrase. To disable password logins, add the following to sshd_config:

PasswordAuthentication no
11: By default, the ssh server listens for connections on ALL interfaces (0.0.0.0). If an ssh server is to be accessible only internally, bind it to a LAN IP. For example, edit sshd_config:

ListenAddress 192.168.1.10
Troubleshooting
How to test
1: If your changes don't seem to be working, remember to restart the sshd server, but DO NOT CLOSE THE ACTIVE SSH CONNECTION in case something goes wrong; attempt to make a new connection first, and undo any changes if necessary, or you may find that you've remotely locked yourself out of the system.

/etc/init.d/sshd restart
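Putting steps 1 to 6, 8, 10 and 11 together, here is an added example (not the page's own script) that applies the sshd_config directives from this tutorial to a config file idempotently, keeps a timestamped backup so changes can be undone, and runs sshd's own syntax check when sshd is installed, so that a typo is caught before the restart described above. The directive values are the page's; the group sshusers and the LAN address 192.168.1.10 are the page's examples and must be replaced with your own. The function names are the example's own, and make_sample_config writes a constructed stand-in for a stock config so the script can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example, not the page's own script: apply the tutorial's sshd_config
# directives idempotently. Values are the page's; "sshusers" and 192.168.1.10
# are the page's examples and must be replaced with your own.

# set_directive FILE KEY VALUE
# Drops every existing line for KEY, active or commented out ("#Port 22"), and
# writes "KEY VALUE" before the first Match block (a global directive placed
# after a Match line would apply only to that block) or at the end of the file.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v line="$key $value" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { next }
        !placed && /^[ \t]*Match([ \t]|$)/ { print line; placed = 1 }
        { print }
        END { if (!placed) print line }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: print the first active value of KEY (empty if unset)
get_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE: steps 1-6, 8, 10 and 11 of the tutorial
harden_sshd_config() {
    file=$1
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # backup for rolling back
    set_directive "$file" Port 2222                    # 1: move off port 22
    set_directive "$file" Protocol 2                   # 2: protocol 2 only
    set_directive "$file" PermitRootLogin no           # 3: no root login
    set_directive "$file" MaxAuthTries 2               # 4: two tries per connection
    set_directive "$file" MaxStartups 3:50:10          # 5: limit pending logins
    set_directive "$file" LoginGraceTime 30            # 6: 30 s to authenticate
    set_directive "$file" AllowGroups sshusers         # 8: whitelist a group
    set_directive "$file" PasswordAuthentication no    # 10: keys only
    set_directive "$file" ListenAddress 192.168.1.10   # 11: LAN interface only
}

# check_sshd_config FILE: sshd's own syntax check; returns 2 ("not checked")
# when sshd is not installed on the machine running this script
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

# make_sample_config FILE: a constructed stand-in for a stock config, with a
# Match block at the end so the placement rule can be seen
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#MaxAuthTries 6
#LoginGraceTime 2m
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    ForceCommand /usr/local/bin/backup.sh
EOF
}

# stand-alone demonstration on a scratch file: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_config "$f"
    harden_sshd_config "$f"
    cat "$f"
    rm -f "$f" "$f".bak.*
fi
```

Run it against a copy of /etc/ssh/sshd_config first, call check_sshd_config on the result, and only then copy it into place and restart sshd, keeping the existing session open and testing a fresh connection as the troubleshooting note above says. Because every existing occurrence of a key is removed before the new line is written, running the script twice leaves the file unchanged.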

Copyright © Linux教程網 All Rights Reserved