SSH是管理VPS的重要途径,所以SSH经常会受到攻击,所以我们需要将SSH武装起来,保护我们VPS的安全。
SSH服务的配置文件位于/etc/ssh/sshd_config,我们的安全设置都是围绕此文件展开,所以修改前最好先备份一次,以免出现无法登陆的情况。
修改完不要忘了执行
service sshd restart
如何打开
| # vi nano 等其他编辑器都是可以的,但vim具有语法高亮等功能,推荐使用 | |
| vim /etc/ssh/sshd_config |
修改端口
禁止ROOT用户登陆
| # vim /etc/ssh/sshd_config | |
| PermitRootLogin no |
限制其他用户登陆
| vim /etc/ssh/sshd_config | |
| AllowUsers fsmythe bnice swilson | |
| DenyUsers jhacker joebadguy jripper |
使用 Chroot SSHD 将 SFTP 用户局限于其自己的主目录:
| # vim /etc/ssh/sshd_config | |
| ChrootDirectory /home/%u | |
| X11Forwarding no | |
| AllowTcpForwarding no |
登陆IP限制
| # vim /etc/hosts.deny | |
| ALL: 192.168.200.09 # 希望禁止的IP |
禁止空密码登陆
| # vim /etc/ssh/sshd_config | |
| PermitEmptyPasswords no |
禁用用户的 .rhosts 文件:
.rhosts 文件通常许可 UNIX 系统的网络访问权限。.rhosts 文件列出可以访问远程计算机的计算机名及关联的登录名。在正确配置了 .rhosts 文件的远程计算机上运行 rcp、rexec 或 rsh 命令时,您不必提供远程计算机的登录和
| # vim /etc/ssh/sshd_config | |
| IgnoreRhosts yes |
禁用基于主机的身份验证
| # vim /etc/ssh/sshd_config | |
| HostbasedAuthentication no |
删除不安全文件
从系统上删除 rlogin 和 rsh 二进制程序,并将它们替代为 SSH 的一个 symlink:
| find /usr -name rsh | |
| /usr/bin/rsh | |
| rm -f /usr/bin/rsh | |
| ln -s /usr/bin/ssh /usr/bin/rsh |
设置自动掉线
| # vim /etc/ssh/sshd_config | |
| ClientAliveInterval 600 # (Set to 600 seconds = 10 minutes) 10分钟无操作自动掉线 | |
| ClientAliveCountMax 0 |
指纹登陆
生成4096位密钥
ssh-keygen -t rsa -b 4096
将公钥拷贝至服务器对应用户的.ssh下,重命名为authorized_keys
scp -P xxxxx ~/.ssh/id_rsa.pub server:/root/.ssh/authorized_keys
如果已经存在authorized_keys,需要将公钥追加至authorized_keys
| scp -P xxxxx ~/.ssh/id_rsa.pub server:/root/.ssh/tmp.pub | |
| # 在服务器端执行 | |
| cat /root/.ssh/tmp.pub >> /root/.ssh/authorized_keys |
禁止使用密码登陆
| # vim /etc/ssh/sshd_config | |
| PasswordAuthentication no |
报错
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
删除~/.ssh/known_hosts文件
rm ~/.ssh/known_hosts
检查登录日志
如果你的服务器一直很正常,那也可能不正常的表现,最好的办法就是定期查询ssh的登录日志,手动发现系统的异常!
| # vim /etc/ssh/sshd_config | |
| # add | |
| LogLevel DEBUG | |
| # 查看最近100条登录日志 | |
| tail -100 /var/log/secure | |
| # 登录成功日志 | |
| who /var/log/wtmp | |
| last |
fail2ban
这个小巧的软件可以代替你做很多事情,以暴力破解ssh密码为例,当我们安装fail2ban后,经过合理的配置,我们可以自动屏蔽某个攻击IP的所有请求。
项目地址:https://github.com/fail2ban/fail2ban
需求:
Python2 >= 2.6 or Python >= 3.2 or PyPy
| # install | |
| # clone repo | |
| git clone https://github.com/fail2ban/fail2ban.git | |
| cd fail2ban | |
| # do installation | |
| python setup.py install | |
| # copy to init.d | |
| cp files/redhat-initd /etc/init.d/fail2ban | |
| # make it executable | |
| chmod 755 /etc/init.d/fail2ban | |
| # run on boot | |
| chkconfig --add fail2ban | |
| chkconfig --level 35 fail2ban on | |
| # config | |
| vim /etc/fail2ban/jail.conf | |
| # add | |
| [ssh-iptables] | |
| enabled = true | |
| filter = sshd | |
| action = iptables[name=SSH, port=ssh, protocol=tcp] | |
| sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] | |
| logpath = /var/log/secure | |
| maxretry = 2 | |
| [ssh-ddos] | |
| enabled = true | |
| filter = sshd-ddos | |
| action = iptables[name=ssh-ddos, port=ssh,sftp protocol=tcp,udp] | |
| logpath = /var/log/messages | |
| maxretry = 2 | |
| # mkdir | |
| mkdir -p /var/run/fail2ban | |
| # restart | |
| service fail2ban restart | |
| # check if the jail is working | |
| service fail2ban status | |
| # fail2ban-server (pid 5408) is running... | |
| # Status | |
| # |- Number of jail: 2 | |
| # `- Jail list: ssh-ddos, ssh-iptables |
禁止IP访问
| vim /etc/hosts.deny | |
| # add | |
| all:1.1.1.1 | |
| # make it work | |
| service network restart |
Reference:
http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/ http://zhidao.baidu.com/link?url=lk0vycK63DsC8x3mO2FkSoPXMIXCPmm9vYkrt35pZ_Ans5KsyRXPRs6SPMC63FVxYj30uGOvueFnmSt5eMwMQK