Applicable Fedora versions
ALL
Prerequisites
An SSH server must be installed. If it is not, install and start it with:
yum install openssh-server
/etc/init.d/sshd start
Overview
Most of the settings below live in /etc/ssh/sshd_config, the server configuration (not /etc/ssh/ssh_config, which configures the ssh client and is not touched here). Address-based access control is configured in /etc/hosts.allow and /etc/hosts.deny.
Steps
All of the following steps are applied on the SSH server itself. They are sensible measures against brute-force and other malicious attacks.
1. Change the default port;
2. Disable the insecure protocol version 1 and allow only protocol version 2;
3. Disable root login;
4. Reduce the number of failed authentication attempts allowed per connection;
5. Limit the number of concurrent unauthenticated connections;
6. Reduce the login grace time;
7. Install DenyHosts;
8. Allow only a subset of users or groups to log in;
9. Allow connections only from certain IP addresses;
10. Allow only key-based logins;
11. Bind the SSH server to a single network interface.
Details
1: A large share of attacks come from botnets that scan for port 22. Changing the default port removes most of that automated noise (it does not stop a targeted attacker, who will simply port-scan the host). Edit /etc/ssh/sshd_config and change Port 22 to Port 2222. Remember to open the new port in the firewall as well, and on a Fedora host with SELinux enforcing register it with semanage port -a -t ssh_port_t -p tcp 2222, otherwise sshd will be refused permission to bind to it.
#Port 22
Port 2222
2: SSH has two protocol versions. Protocol 1 has known cryptographic weaknesses; protocol 2 is the secure one. Edit /etc/ssh/sshd_config so that only protocol 2 is offered:
#Protocol 2,1
Protocol 2
3: There is no reason to log in directly as root, so disable it: log in as a normal user and use su (or sudo) to obtain root privileges. Edit sshd_config:
#PermitRootLogin yes
PermitRootLogin no
If a remote backup job genuinely needs to log in as root, allow root only with an SSH key that is tied to a forced command (a command="..." option on the key in root's authorized_keys). No password login is possible, and the key can run only that one command:
PermitRootLogin forced-commands-only
4: Reduce the number of failed authentication attempts allowed per connection from the default of 6 to 2. Note that every public key the client offers counts as an attempt, so users who carry several keys in their agent may be rejected before the right key is tried; 3 is a common compromise. Edit sshd_config:
#MaxAuthTries 6
MaxAuthTries 2
5: Limit the number of concurrent unauthenticated connections (connections that have not yet completed login), which throttles script kiddies who open many parallel brute-force sessions. MaxStartups does not limit the number of users who are already logged in. Edit sshd_config and change the default of 10 to 3:50:10: once 3 unauthenticated connections are pending, sshd drops new connection attempts with a probability of 50%, rising linearly to 100% when 10 are pending.
#MaxStartups 10
MaxStartups 3:50:10
6: Reduce the time a connection may stay unauthenticated before the server drops it, from the default of 2 minutes to 30 seconds (the value is in seconds unless it carries a unit suffix such as m):
#LoginGraceTime 2m
LoginGraceTime 30
7: Install the denyhosts daemon, which watches /var/log/secure for failed SSH login attempts and, once a configurable threshold is crossed, blocks the source address by adding it to /etc/hosts.deny. Put your own management addresses in /etc/hosts.allow first, since hosts.allow is consulted before hosts.deny and a typo in your own password could otherwise lock you out. Install denyhosts, and optionally edit the sensible defaults in /etc/denyhosts.conf:
yum install denyhosts
chkconfig denyhosts on
/etc/init.d/denyhosts start
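The detection that denyhosts performs, reduced to its core as an added example (this is not code from the original article or from the denyhosts project): an awk filter counts failed logins per source address in /var/log/secure-style lines and emits hosts.deny entries for addresses over a threshold, and a second function appends them without creating duplicates. The log lines in sample_log are constructed for this example; the addresses and usernames in them are invented.

```shell
#!/bin/sh
# Added example, not code from the original article or from the denyhosts
# project: the core of what denyhosts does, as a POSIX shell/awk filter over
# /var/log/secure-style lines.  The log lines in sample_log are constructed
# for this example; the addresses and usernames in them are invented.

# count_failed_logins THRESHOLD  (reads log lines on stdin)
# Prints "sshd: <ip>" for every source address with at least THRESHOLD
# failed logins, in the form /etc/hosts.deny expects.
count_failed_logins() {
    awk -v limit="$1" '
        # sshd logs e.g. "Failed password for root from 203.0.113.7 port 4022 ssh2"
        # and "Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2";
        # the source address is always the field after "from".
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "sshd: " ip
        }
    ' | sort
}

# add_deny_entries FILE  (reads "sshd: <ip>" lines on stdin)
# Appends each entry to FILE (normally /etc/hosts.deny) unless an identical
# line is already present, so repeated runs do not pile up duplicates.
add_deny_entries() {
    file="$1"
    while IFS= read -r entry; do
        grep -qxF -- "$entry" "$file" 2>/dev/null || printf '%s\n' "$entry" >> "$file"
    done
}

# Constructed sample of /var/log/secure: three failures from 203.0.113.7,
# one failure and one success from 192.168.1.20.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  3 10:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  3 10:01:09 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2
Mar  3 10:02:11 host sshd[2110]: Failed password for mary from 192.168.1.20 port 51022 ssh2
Mar  3 10:02:30 host sshd[2114]: Accepted publickey for mary from 192.168.1.20 port 51023 ssh2
EOF
}

# Run directly: show which addresses a threshold of 3 would block.
sample_log | count_failed_logins 3
```

With a threshold of 3 only 203.0.113.7 is reported; mary's single mistake from 192.168.1.20 stays below it. On a real host you would feed `count_failed_logins` from /var/log/secure and point `add_deny_entries` at /etc/hosts.deny, which is exactly why the management addresses belong in /etc/hosts.allow beforehand.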
8: By default, every valid user on the system is allowed to log in. A more secure policy is to allow only a whitelist of users or groups. For example, to allow only the users john and mary plus any username beginning with joe (joeblow, joeschmoe, joejoe, and so on) to log in, add the following line to sshd_config:
AllowUsers john mary joe*
Alternatively, you may allow only members of certain groups to log in. For example, to allow only members of the sshusers group to connect, first make sure the group exists (groupadd sshusers) and add your users to it (usermod -a -G sshusers username), then add the following line to sshd_config:
AllowGroups sshusers
9: Allow connections only from certain IP addresses. tcp_wrappers consults /etc/hosts.allow first and /etc/hosts.deny second, so the default policy must be set to deny in hosts.deny for the whitelist in hosts.allow to mean anything. Edit /etc/hosts.deny and add the following line:
sshd: ALL
Next add the networks you wish to allow to /etc/hosts.allow. For example, to allow the 254 usable hosts on the 192.168.1.0/24 network, the roughly 16.7 million hosts in 10.0.0.0/8, and the single address 24.42.69.101, add the following to /etc/hosts.allow:
sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101
You may also allow or deny connections with the firewall, but to keep things sane stick to one method or the other. Before restarting sshd, check what the wrappers will decide for a given client with tcpdmatch (shipped in the tcp_wrappers package), for example tcpdmatch sshd 192.168.1.5.
10: To remove any possibility of a user's password being guessed, disable password authentication completely and require public/private key pairs instead. Keys are far more secure than passwords, but a user's private key can still be compromised, especially if it is not protected by a passphrase. Before disabling passwords, generate a key pair on the client (ssh-keygen), install the public key on the server (ssh-copy-id, or append it to ~/.ssh/authorized_keys), and confirm that a key-based login works. Then add the following to sshd_config. Because Fedora's sshd authenticates through PAM, also set ChallengeResponseAuthentication no, otherwise PAM can still prompt for a password through keyboard-interactive authentication:
PasswordAuthentication no
11: By default, the SSH server listens on all interfaces (0.0.0.0). If the server should only be reachable from the internal network, bind it to the LAN address. For example, edit sshd_config:
ListenAddress 192.168.1.10
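Steps 1 through 11 edit the same file one directive at a time, and each edit is easy to get wrong (leaving the commented default in place, or adding a second definition that sshd silently ignores). The script below is an added example, not code from the original article: it applies the sshd_config settings from steps 1-6, 8, 10 and 11 idempotently, then runs sshd -t so a typo is caught before the daemon is restarted. It assumes the file contains no Match blocks (a key inside a Match block would be rewritten as well), uses the LAN address 192.168.1.10 and the group sshusers from the article, and additionally sets ChallengeResponseAuthentication no for the PAM reason given in step 10.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the sshd_config
# settings from steps 1-6, 8, 10 and 11 in one idempotent pass, then
# syntax-check the result with `sshd -t` before sshd is restarted.
# Assumptions: the file has no Match blocks (a key inside a Match block would
# be rewritten too), the LAN address is 192.168.1.10 and the login group is
# sshusers, as in the article; ChallengeResponseAuthentication no is added
# here because Fedora's sshd uses PAM and would otherwise still prompt for a
# password via keyboard-interactive authentication.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE", drops any
# later duplicates (sshd honours only the first occurrence of a key), and
# appends the line if the key is absent.  Keys are case-insensitive.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the effective value: the first uncommented occurrence of KEY.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE
# The settings from the article, applied to FILE.
harden_sshd() {
    f="$1"
    set_sshd_option "$f" Port 2222
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" MaxAuthTries 2
    set_sshd_option "$f" MaxStartups 3:50:10
    set_sshd_option "$f" LoginGraceTime 30
    set_sshd_option "$f" AllowGroups sshusers
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" ChallengeResponseAuthentication no   # added, see above
    set_sshd_option "$f" ListenAddress 192.168.1.10            # assumed LAN address
}

# Run as root with --apply to change the real file: back it up first, apply,
# and report success only if sshd accepts the new configuration.  Restart
# sshd afterwards from a session you keep open, and test a new login before
# closing it.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd "$cfg"
    sshd -t && echo "$cfg passes sshd -t; now restart sshd and test a new connection"
fi
```

Running it a second time changes nothing: each key ends up defined exactly once, which matters because sshd takes the first definition of a directive and ignores the rest, so a stray "Port 22" left above your new line would quietly keep the old port.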
Troubleshooting
How to test
1: If your changes do not seem to take effect, remember to restart sshd. Run sshd -t first to syntax-check the new configuration, and DO NOT CLOSE THE ACTIVE SSH CONNECTION in case something goes wrong: open a new connection to verify that login still works, undo any changes if necessary, or you may find that you have locked yourself out of the system remotely.
/etc/init.d/sshd restart
Personal summary: the point to watch in the article above is that, when the firewall is left at its default settings, knowing how to open the port you need is what matters.