[SSH Service]: Some security settings and supplementary experiments

SSH security and configuration

Reposted from http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/

        Given some of the code examples listed earlier, many system administrators worry about the security of certain ways SSH is used and of some of its features. Although the common SSH and remote-host security practices have been explained both verbally and in writing, the following is a series of procedures and settings that strengthen SSH security for remote host access:

  • Restrict the root account to console access only:
    # vi /etc/ssh/sshd_config
    PermitRootLogin no

  • Create a public/private key pair and protect the private key with a strong passphrase (never generate a key pair without a passphrase, or set up a passwordless, passphrase-less login):
    (Use a larger key size for more security)
    ssh-keygen -t rsa -b 4096

  • Configure TCP wrappers so that only selected remote hosts are allowed and unwanted hosts are denied:
    # vi /etc/hosts.deny
    ALL: 192.168.200.09		# IP Address of badguy

  • On workstations and laptops, stop the SSH service to disable the SSH server, then remove the ssh server package:
    # chkconfig sshd off 
    # yum erase openssh-server

  • Restrict SSH access by controlling which users may log in:
    # vi /etc/ssh/sshd_config 
    AllowUsers fsmythe bnice swilson
    DenyUsers jhacker joebadguy jripper

  • Use only SSH Protocol 2:
    # vi /etc/ssh/sshd_config
    Protocol 2

  • Do not allow idle sessions; configure the idle logout timeout interval:
    # vi /etc/ssh/sshd_config
    ClientAliveInterval 600		# (Set to 600 seconds = 10 minutes)
    ClientAliveCountMax 0

  • Disable host-based authentication:
    # vi /etc/ssh/sshd_config
    HostbasedAuthentication no

  • Disable users' .rhosts files:
    # vi /etc/ssh/sshd_config
    IgnoreRhosts yes

  • Configure the firewall to accept SSH connections only from known network segments:
    Update /etc/sysconfig/iptables (Redhat specific file) to accept connections only
    from 192.168.100.0/24 and 209.64.100.5/27, enter:
    
    -A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    -A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT

  • Restrict the interfaces on which SSH listens and binds:
    # vi /etc/ssh/sshd_config
    ListenAddress 192.168.100.17
    ListenAddress 209.64.100.15

  • Set a user policy that enforces strong passwords to defend against brute-force attacks, social engineering attempts, and dictionary attacks:
    # < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
    oP0FNAUt[

  • Use a chrooted SSHD to confine SFTP users to their own home directories:
    # vi /etc/ssh/sshd_config 
    ChrootDirectory /data01/home/%u
    X11Forwarding no
    AllowTcpForwarding no

  • Disable empty passwords:
    # vi /etc/ssh/sshd_config
    PermitEmptyPasswords no

  • Rate-limit the number of incoming connections to port 2022 within a given time window:
    Redhat iptables example (Update /etc/sysconfig/iptables):
    
    -A INPUT  -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    
    -A INPUT  -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

  • Configure iptables so that only three connection attempts on port 2022 are allowed within 30 seconds:
    Redhat iptables example (Update /etc/sysconfig/iptables):
    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
    
    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP

  • Use a log analyzer such as logcheck, loggrep, splunk, or logwatch to understand the logs better and to produce log reports. Also increase the logging verbosity within the SSH application itself:
    Installation of the logwatch package on Redhat Linux 
    # yum install logwatch

  • Increase SSH logging verbosity through configuration:
    # vi /etc/ssh/sshd_config
    LogLevel DEBUG

  • Always keep the SSH packages and the libraries they need up to date with patches:
    # yum update openssh-server openssh openssh-clients -y

  • To hide the OpenSSH version, obtain the SSH source code and recompile it. Then make the following updates:
    # vi /etc/ssh/sshd_config
    VerifyReverseMapping yes	# Turn on reverse name checking
    UsePrivilegeSeparation yes	# Turn on privilege separation
    StrictModes yes			# Prevent the use of insecure home directory
    				# and key file permissions
    AllowTcpForwarding no		# Turn off, if at all possible
    X11Forwarding no		# Turn off, if at all possible
    PasswordAuthentication no	# Specifies whether password authentication is
    				# allowed. The default is yes. Users must have
    				# another authentication method available.

  • Remove the rlogin and rsh binaries from the system and replace them with a symlink to SSH:
    # find /usr -name rsh
    /usr/bin/rsh
    # rm -f /usr/bin/rsh
    # ln -s /usr/bin/ssh /usr/bin/rsh
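The log-analyzer and LogLevel items above say what to look at in the sshd logs but not how to read them at scale. The following shell script is an added example, not part of the original article or of any of the tools it names: it tallies the standard OpenSSH "Failed password for ... from IP" and "Accepted METHOD for ... from IP" syslog messages per source address (the format of /var/log/secure on Red Hat or /var/log/auth.log on Debian) and flags addresses that exceed a failure threshold, alongside how many logins that address also succeeded at. The log lines it writes are constructed sample data (RFC 5737 documentation addresses plus the lyj2 hostname from this post), and the function names ssh_bruteforce_report and write_sample_log are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): count sshd authentication
# failures per source address in an auth log and flag the noisy ones.
# Assumed log format: the standard OpenSSH syslog messages
#   "... sshd[PID]: Failed password for [invalid user] USER from IP port N ssh2"
#   "... sshd[PID]: Accepted METHOD for USER from IP port N ssh2"

# Print "IP failed=N accepted=M" for each source address with at least
# THRESHOLD failed password attempts, sorted by address.
ssh_bruteforce_report() {   # ssh_bruteforce_report LOGFILE THRESHOLD
    awk -v thr="$2" '
        # the source address is the word that follows "from"
        function src(    i) {
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for/ { fails[src()]++ }
        /sshd\[[0-9]+\]: Accepted [a-z]+ for/  { ok[src()]++ }
        END {
            for (ip in fails)
                if (ip != "" && fails[ip] >= thr)
                    printf "%s failed=%d accepted=%d\n", ip, fails[ip], ok[ip] + 0
        }' "$1" | sort
}

# Write a constructed sample log to FILE: one address hammering root and
# non-existent accounts, one legitimate user who mistyped a password once
# before a successful key login, and one clean password login.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 25 17:01:02 lyj2 sshd[2201]: Failed password for root from 203.0.113.7 port 50100 ssh2
Jun 25 17:01:05 lyj2 sshd[2201]: Failed password for root from 203.0.113.7 port 50100 ssh2
Jun 25 17:01:09 lyj2 sshd[2203]: Invalid user admin from 203.0.113.7
Jun 25 17:01:09 lyj2 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50102 ssh2
Jun 25 17:01:12 lyj2 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 50104 ssh2
Jun 25 17:02:30 lyj2 sshd[2210]: Failed password for user_00 from 198.51.100.20 port 41000 ssh2
Jun 25 17:02:35 lyj2 sshd[2210]: Accepted publickey for user_00 from 198.51.100.20 port 41000 ssh2
Jun 25 17:03:00 lyj2 sshd[2212]: Accepted password for user_00 from 10.0.10.158 port 51234 ssh2
EOF
}

# Stand-alone use:
#   sh ssh_report.sh --demo                 run against the constructed sample
#   sh ssh_report.sh /var/log/secure 10     run against a real log, threshold 10
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    ssh_bruteforce_report "$tmp" 3
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    ssh_bruteforce_report "$1" "${2:-3}"
fi
```

With the sample log and a threshold of 3 the report contains a single line, 203.0.113.7 failed=4 accepted=0. The "accepted" column is the part worth a second look in practice: an address with many failures and then a success is a credential-guessing attempt that worked, which is a different incident from plain noise on the port.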

    SSH supports many different authentication methods and techniques that can be enabled or disabled. In the /etc/ssh/sshd_config file you make these changes by entering the keyword listed for the authentication method, followed by yes or no. Some common configuration changes:

# RSAAuthentication yes		
# PubkeyAuthentication yes		
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes

  The AllowedAuthentications and RequiredAuthentications settings in the sshd_config file determine which authentication methods and configurations are used; they apply only to SSH Protocol 2, and the syntax for supporting both password and public-key authentication is as follows:

# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password
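Editing sshd_config by hand, as the list and the authentication section above do, leaves two easy mistakes: adding a hardening line below an earlier, weaker line for the same keyword (sshd uses the first occurrence, so the new line is ignored), and placing a directive inside a Match block where it only applies to matched connections. The following shell script is an added example, not from the original article: it reads the global section of an sshd_config and compares a set of keywords against the values recommended above. The keywords are real OpenSSH directives; the expected-value table, the function names sshd_get, sshd_audit and write_sample_config, and the configuration file the script writes are this example's own constructed material.

```shell
#!/bin/sh
# Added example (not from the original article): audit the global section of
# an sshd_config against the hardening values recommended in the list above.

# Print the effective global value of KEYWORD in FILE.
# sshd takes the first occurrence of a keyword, so the first match wins;
# everything after the first "Match" line is conditional and is ignored here.
# Prints nothing if the keyword is not set. Only the whitespace-separated
# "Keyword value" form is handled, not "Keyword=value".
sshd_get() {   # sshd_get FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit FILE, printing one line per keyword. The return value is the number
# of keywords that are missing or differ from the expected value.
sshd_audit() {   # sshd_audit FILE
    file=$1
    failures=0
    # keyword=expected pairs, taken from the hardening list above
    for pair in PermitRootLogin=no Protocol=2 PermitEmptyPasswords=no \
                HostbasedAuthentication=no IgnoreRhosts=yes \
                X11Forwarding=no AllowTcpForwarding=no \
                PasswordAuthentication=no StrictModes=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_get "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL    $key = $got (expected $want)"
            failures=$((failures + 1))
        else
            echo "OK      $key = $got"
        fi
    done
    return "$failures"
}

# Write a constructed sample configuration to FILE with two deliberate
# problems: PermitRootLogin is "yes" and the later "no" line is ignored by
# sshd (first value wins), and PasswordAuthentication is only set inside a
# Match block, so it is not set globally at all.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
AllowTcpForwarding no
StrictModes yes
Match User backup
    PasswordAuthentication no
EOF
}

# Stand-alone use:
#   sh sshd_audit.sh --demo                  audit the constructed sample
#   sh sshd_audit.sh /etc/ssh/sshd_config    audit the live file
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    findings=0
    sshd_audit "$tmp" || findings=$?
    echo "findings: $findings"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```

On the sample file the audit reports two findings (PermitRootLogin = yes, PasswordAuthentication missing). Two caveats a practitioner should pair with this check. First, AllowedAuthentications and RequiredAuthentications are not OpenSSH keywords (they belong to the commercial SSH Tectia server); the OpenSSH equivalent, available since 6.2, is AuthenticationMethods, and `AuthenticationMethods publickey,password` requires both methods in sequence. Second, VerifyReverseMapping (replaced by UseDNS) and UsePrivilegeSeparation (now always on, option removed) are rejected by current OpenSSH releases, and any unknown keyword makes sshd refuse to start, so run `sshd -t` to validate the file before restarting the service.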


 Other / Supplementary

1. It is recommended to change the port number to one above 9000

[root@lyj1 ~]# ssh 10.0.80.10
ssh: connect to host 10.0.80.10 port 22: Connection refused

[root@lyj1 ~]# ssh -p 9001 10.0.80.10
The authenticity of host '[10.0.80.10]:9001 ([10.0.80.10]:9001)' can't be established.
RSA key fingerprint is 55:e5:85:f1:45:19:0b:a7:b7:c0:af:fe:f4:57:20:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.80.10]:9001' (RSA) to the list of known hosts.
root@10.0.80.10's password: 

  

2. Mutual trust experiment between server A and server B

    Experiment description:

  Server A: 10.0.10.158, with a regular user user_00

  Server B: 10.0.10.191, with a regular user user_00

  Goal: A and B can log in to each other over SSH without a password

[user_00@lyj1 .ssh]$ su - user_00   # switch to user user_00
[user_00@lyj1 .ssh]$ ssh-keygen     # generate the public and private keys
...... omitted ......
[user_00@lyj1 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub

[user_00@lyj1 .ssh]$ su - user_00
[user_00@lyj2 .ssh]$ ssh-keygen
...... omitted ......
[user_00@lyj2 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub

 

[user_00@lyj1 .ssh]$ cat -n authorized_keys  # copy B's public key into A's authorized_keys
     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKhaOwUKoYkIDMYsja8eJUoJd0rr6C6urPNBEl33d86mWfgt2Qq23krPmxScRMK3QRJV7J1UiWlumwq6PfWkLCU3POlL2goEmgqfeKwn9ZlCTgnB3cjNef/6TdgcOESksj2xsprShBjT5djWC82xQbmieNHK+MiMwtvz1ITm4ZeyVfZgRoIRe3Lm1eWaUuMmve0kU7qFOJNvDV0+YHJu+ntOvpz17NXLHhzzWbHk9Ulnbz5brBPwQ8xBdFt+DSLYZMFNj+EVatvAg0YE5kAMFL6iuA49sgsKL70WN3VaGU++25PdrcU+Bw9YbtgmXGBzcbhjcWf8HdK22QuPOS+3jw== user_00@lyj2

[user_00@lyj2 .ssh]$ cat -n authorized_keys  # copy A's public key into B's authorized_keys
     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwijcQXHMCIPupkTQm0q6S/BmKm9qL5yjxftCr2P0Ql+6+ZCL7Infv3DSL9qsRVkrOAgx0ADFA+qJ3vfN2EWux/yqRF6pjkQqFbW7CLu963O4ZmQjsVkzovWGen1rXI7yfZ342NPjmrGllqFFJxkQ210xztl/z0go1EZrN0GC2RQV/HLC7HQdgh9fzQXIdcJhfEga6WMh/uMCVZz/yWcaN0P9QcG8OGr7Px2rhz9hT51wtnHlavi+y32HVmoqqW1KYhY2r2GmKK+aE+YUakM5ghnoKl0lvSXNPn/S3IQx4gZg4oyLXz4u0R1cyOnAUBHg1zAIvy3ntw62tEIhoGDmbw== user_00@lyj1

[user_00@lyj2 .ssh]$ ll -d authorized_keys   # check the permissions (644) and owner/group (user_00) of authorized_keys
-rw-r--r--. 1 user_00 user_00 805 11月 26 09:52 authorized_keys

[user_00@lyj1 .ssh]$ ll -d authorized_keys 
-rw-r--r--. 1 user_00 user_00 805 11月 26 00:08 authorized_keys
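The final step above checks authorized_keys by eye with ll -d. The following shell function is an added example, not from the original post, that automates that check over all three paths sshd inspects when StrictModes is on (the default): the home directory, ~/.ssh and ~/.ssh/authorized_keys. Each must be owned by the user and must not be group- or world-writable; otherwise sshd logs "bad ownership or modes" and ignores the key, and the client falls back to a password prompt, which is the usual reason a "passwordless" setup like this one still asks for a password. The function name check_authorized_keys is this example's own, and the directory tree built in --demo mode is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a user's home,
# ~/.ssh and ~/.ssh/authorized_keys satisfy sshd's StrictModes rules.

# Check HOMEDIR for USER. Prints one line per path; the return value is the
# number of paths that are missing, wrongly owned, or group/world-writable.
# The mode string comes from "ls -ld" (portable across GNU and BSD ls):
# character 6 is the group write bit and character 9 the other write bit.
check_authorized_keys() {   # check_authorized_keys HOMEDIR USER
    home=$1
    user=$2
    problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            problems=$((problems + 1))
            continue
        fi
        mode=$(ls -ld "$path" | awk '{print $1}')
        owner=$(ls -ld "$path" | awk '{print $3}')
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$owner" != "$user" ]; then
            echo "FAIL $path owned by $owner, expected $user"
            problems=$((problems + 1))
        elif [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "FAIL $path is group- or world-writable ($mode)"
            problems=$((problems + 1))
        else
            echo "OK   $path ($mode $owner)"
        fi
    done
    return "$problems"
}

# Stand-alone use:
#   sh check_keys.sh --demo                       constructed good/bad tree
#   sh check_keys.sh /data01/home/user_00 user_00 check a real account
if [ "${1:-}" = "--demo" ]; then
    home=$(mktemp -d)                  # mktemp -d creates a mode 700 directory
    me=$(ls -ld "$home" | awk '{print $3}')
    mkdir "$home/.ssh" && chmod 700 "$home/.ssh"
    : > "$home/.ssh/authorized_keys" && chmod 644 "$home/.ssh/authorized_keys"
    echo "== correct permissions =="
    check_authorized_keys "$home" "$me" || true
    chmod 664 "$home/.ssh/authorized_keys"   # the classic mistake
    echo "== group-writable authorized_keys =="
    check_authorized_keys "$home" "$me" || true
    rm -rf "$home"
elif [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_authorized_keys "$1" "$2"
fi
```

In the demo the first pass reports no problems and the second reports exactly one, the group-writable authorized_keys. The same function, pointed at the real home directory (for example the /data01/home/%u layout used in the chroot item earlier, with %u replaced by the account name), is a quicker diagnosis than reading the sshd log when key-based login unexpectedly prompts for a password.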

Experiment results:

       

       

posted @ 2016-06-25 17:43  Jelly_lyj