CentOS 8: Change the SSH Port, Disable root Login, and Change the SSH Protocol

[root@centos8 ~]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)

1. Create a test sudo user and add it to the wheel group.
[root@centos8 ~]# useradd testuser
[root@centos8 ~]# passwd testuser
Changing password for user testuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@centos8 ~]# usermod -aG wheel testuser
[root@centos8 ~]# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser),10(wheel)

2. Change the SSH port, disable root login, and disable SSH protocol 1.
[root@centos8 ~]# vi /etc/ssh/sshd_config
Port 8888
PermitRootLogin no

# Protocol 2,1
Protocol 2

3. Add a custom-port SSH service to firewalld and reload.
[root@centos8 ~]# cp -av /usr/lib/firewalld/services/ssh.xml /usr/lib/firewalld/services/ssh-custom.xml
[root@centos8 ~]# vi /usr/lib/firewalld/services/ssh-custom.xml
port="8888"
[root@centos8 ~]# firewall-cmd --permanent --remove-service='ssh'
success
[root@centos8 ~]# firewall-cmd --permanent --add-service='ssh-custom'
success
[root@centos8 ~]# firewall-cmd --reload
success
[root@centos8 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh-custom
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4. Restart the SSH service and check that sshd is now listening on the new port 8888.
[root@centos8 ~]# netstat -plunt | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1299/sshd
[root@centos8 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-08-06 11:23:33 +04; 5h 46min ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1299 (sshd)
Tasks: 1 (limit: 17914)
Memory: 7.2M
CGroup: /system.slice/sshd.service
└─1299 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm>

Aug 06 11:23:32 centos8 systemd[1]: Starting OpenSSH server daemon...
Aug 06 11:23:33 centos8 sshd[1299]: Server listening on 0.0.0.0 port 22.
Aug 06 11:23:33 centos8 systemd[1]: Started OpenSSH server daemon.
Aug 06 11:24:20 centos8 sshd[8824]: Accepted password for root from 192.168.1.100 port 62079 ssh2
[root@centos8 ~]# systemctl restart sshd
[root@centos8 ~]# netstat -plunt | grep ssh
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 28513/sshd
[root@centos8 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-08-06 17:10:16 +04; 51s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 28513 (sshd)
Tasks: 1 (limit: 17914)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─28513 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gc>

Aug 06 17:10:16 centos8 systemd[1]: Starting OpenSSH server daemon...
Aug 06 17:10:16 centos8 sshd[28513]: Server listening on 0.0.0.0 port 8888.
Aug 06 17:10:16 centos8 systemd[1]: Started OpenSSH server daemon.


5. Test.
[testuser@centos8 ~]$ ip a | grep enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.1.102/24 brd 192.168.1.255 scope global noprefixroute enp0s3

[testuser@centos8 ~]$ ssh root@192.168.1.102 # Default port 22 no longer works.
ssh: connect to host 192.168.1.102 port 22: Connection refused

[testuser@centos8 ~]$ ssh root@192.168.1.102 -p 8888 # root login is now denied.
The authenticity of host '[192.168.1.102]:8888 ([192.168.1.102]:8888)' can't be established.
ECDSA key fingerprint is SHA256:R0pE89wn1wUodRxuGLkFjQMKnGDKUAVmlrjO6LLEtMc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.102]:8888' (ECDSA) to the list of known hosts.
root@192.168.1.102's password:
Permission denied, please try again.

[testuser@centos8 ~]$ ssh testuser@192.168.1.102 -p 8888 # A normal account can still log in.
testuser@192.168.1.102's password:
Last login: Thu Aug 6 17:17:50 2020 from 192.168.1.100

[testuser@centos8 ~]$ su
Password:
[root@centos8 testuser]#

[root@centos8 ~]# ssh -1 testuser@192.168.1.102 -p 8888 # Protocol 1 is no longer supported.
SSH protocol v.1 is no longer supported
[root@centos8 ~]# ssh -2 testuser@192.168.1.102 -p 8888 # Protocol 2 works.
The authenticity of host '[192.168.1.102]:8888 ([192.168.1.102]:8888)' can't be established.
ECDSA key fingerprint is SHA256:R0pE89wn1wUodRxuGLkFjQMKnGDKUAVmlrjO6LLEtMc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.102]:8888' (ECDSA) to the list of known hosts.
testuser@192.168.1.102's password:
Web console: https://centos8:9090/ or https://192.168.1.102:9090/

Last login: Thu Aug 6 17:19:09 2020 from 192.168.1.102
[testuser@centos8 ~]$
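As an added check (not part of the original post), the script below re-audits the three results the procedure above aims at: the effective sshd port and PermitRootLogin value as reported by `sshd -T`, the firewalld service list, and, when SELinux is enforcing, whether the new port carries the ssh_port_t label that sshd needs in order to bind it (the post does not cover this step; `semanage` comes from policycoreutils-python-utils). It assumes OpenSSH 8.x as shipped with CentOS 8, where SSH-1 code was removed entirely, so `Protocol 2` in sshd_config is accepted but has no effect and is not checked here.

```shell
#!/bin/sh
# Added audit script (not from the original post): re-checks the state the
# procedure above should leave behind. Assumes OpenSSH 8.x and semanage.
EXPECTED_PORT="${EXPECTED_PORT:-8888}"

# audit_sshd <output of `sshd -T`>: 0 when the effective port is the expected
# one and PermitRootLogin is "no" (sshd -T prints keywords in lowercase).
audit_sshd() {
    rc=0
    port=$(printf '%s\n' "$1" | awk '$1=="port"{print $2}')
    permit=$(printf '%s\n' "$1" | awk '$1=="permitrootlogin"{print $2}')
    if [ "$port" = "$EXPECTED_PORT" ]; then echo "OK   sshd port $port"
    else echo "FAIL sshd port is '$port', expected $EXPECTED_PORT"; rc=1; fi
    if [ "$permit" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${permit:-unset}'"; rc=1; fi
    return $rc
}

# audit_firewall <output of `firewall-cmd --list-services`>: 0 only when
# ssh-custom is allowed and the stock ssh service (port 22) is gone.
audit_firewall() {
    rc=0
    case " $1 " in *" ssh-custom "*) echo "OK   ssh-custom allowed" ;;
        *) echo "FAIL ssh-custom not in the active zone"; rc=1 ;; esac
    case " $1 " in *" ssh "*) echo "FAIL stock ssh service still allowed"; rc=1 ;;
        *) echo "OK   stock ssh service removed" ;; esac
    return $rc
}

# audit_selinux <output of `semanage port -l`>: with SELinux enforcing, sshd may
# only bind ports labelled ssh_port_t, so the new port must be on that line
# (added with: semanage port -a -t ssh_port_t -p tcp 8888).
audit_selinux() {
    ports=$(printf '%s\n' "$1" | awk '$1=="ssh_port_t" && $2=="tcp"' | tr -d ',')
    case " $ports " in *" $EXPECTED_PORT "*)
        echo "OK   port $EXPECTED_PORT labelled ssh_port_t"; return 0 ;; esac
    echo "FAIL port $EXPECTED_PORT not labelled ssh_port_t"; return 1
}

# Live run (needs root): ./ssh-audit.sh --run. Without --run the file only
# defines the functions, so it can be sourced or tested with canned output.
run_live() {
    rc=0
    audit_sshd "$(sshd -T 2>/dev/null)" || rc=1
    audit_firewall "$(firewall-cmd --list-services 2>/dev/null)" || rc=1
    [ "$(getenforce 2>/dev/null)" != "Enforcing" ] ||
        audit_selinux "$(semanage port -l 2>/dev/null)" || rc=1
    return $rc
}
if [ "${1:-}" = "--run" ]; then run_live; exit $?; fi
```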

posted on 2020-08-06 21:30 by 遠離塵世の方舟