[SSH service]: some security configurations and supplementary experiments
SSH security and configuration
Reposted from http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/
Given the code examples listed earlier, many system administrators worry about the security implications of how SSH is used and what it can do. Although the common SSH security and remote-host security methods have been explained both verbally and in writing, the following is a series of procedures and configurations that can be used to harden SSH security for remote host access:
- Restrict the root account to console access only:
  ```
  # vi /etc/ssh/sshd_config
  PermitRootLogin no
  ```
- Create a public/private key pair with a strong passphrase protecting the private key (never generate a key pair without a passphrase, or set up a passphrase-less key-based login):
  ```
  # ssh-keygen -t rsa -b 4096     (use a larger key size for stronger encryption)
  ```
- Configure TCP wrappers so that only selected remote hosts are allowed and unwanted hosts are rejected:
  ```
  # vi /etc/hosts.deny
  ALL: 192.168.200.09      # IP address of badguy
  ```
- On workstations or laptops, disable the SSH server and then remove the SSH server package:
  ```
  # chkconfig sshd off
  # yum erase openssh-server
  ```
- Restrict SSH access by controlling which users may log in:
  ```
  # vi /etc/ssh/sshd_config
  AllowUsers fsmythe bnice swilson
  DenyUsers jhacker joebadguy jripper
  ```
- Use only SSH Protocol 2:
  ```
  # vi /etc/ssh/sshd_config
  Protocol 2
  ```
- Do not support idle sessions; configure an idle logout timeout interval:
  ```
  # vi /etc/ssh/sshd_config
  ClientAliveInterval 600      # (set to 600 seconds = 10 minutes)
  ClientAliveCountMax 0
  ```
- Disable host-based authentication:
  ```
  # vi /etc/ssh/sshd_config
  HostbasedAuthentication no
  ```
- Disable users' .rhosts files:
  ```
  # vi /etc/ssh/sshd_config
  IgnoreRhosts yes
  ```
- Configure the firewall to accept SSH connections only from known network segments. Update /etc/sysconfig/iptables (a Red Hat-specific file) to accept connections only from 192.168.100.0/24 and 209.64.100.5/27:
  ```
  -A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
  -A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT
  ```
- Limit the interfaces SSH listens and binds to:
  ```
  # vi /etc/ssh/sshd_config
  ListenAddress 192.168.100.17
  ListenAddress 209.64.100.15
  ```
- Set a user policy that enforces strong passwords to defend against brute-force attacks, social engineering attempts and dictionary attacks:
  ```
  # < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
  oP0FNAUt[
  ```
- Use a chrooted SSHD to confine SFTP users to their own home directories:
  ```
  # vi /etc/ssh/sshd_config
  ChrootDirectory /data01/home/%u
  X11Forwarding no
  AllowTcpForwarding no
  ```
- Disable empty passwords:
  ```
  # vi /etc/ssh/sshd_config
  PermitEmptyPasswords no
  ```
- Rate-limit the number of incoming connections on port 2022 within a given time window. Red Hat iptables example (update /etc/sysconfig/iptables):
  ```
  -A INPUT -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
  -A INPUT -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
  -A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT
  ```
- Configure iptables so that only three connection attempts on port 2022 are allowed within 30 seconds. Red Hat iptables example (update /etc/sysconfig/iptables):
  ```
  -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
  -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP
  ```
- Use a log analyzer such as logcheck, loggrep, splunk or logwatch to understand the logs better and to build log reports. In addition, increase the logging verbosity inside the SSH application itself. Installing the logwatch package on Red Hat Linux:
  ```
  # yum install logwatch
  ```
- Increase SSH logging verbosity through configuration:
  ```
  # vi /etc/ssh/sshd_config
  LogLevel DEBUG
  ```
- Always keep the SSH packages and the libraries they need up to date with patches:
  ```
  # yum update openssh-server openssh openssh-clients -y
  ```
- Hiding the OpenSSH version requires obtaining the SSH source code and recompiling. Then apply the following updates:
  ```
  # vi /etc/ssh/sshd_config
  VerifyReverseMapping yes     # Turn on reverse name checking
  UsePrivilegeSeparation yes   # Turn on privilege separation
  StrictModes yes              # Prevent the use of insecure home directory
                               # and key file permissions
  AllowTcpForwarding no        # Turn off, if at all possible
  X11Forwarding no             # Turn off, if at all possible
  PasswordAuthentication no    # Specifies whether password authentication is
                               # allowed. The default is yes. Users must have
                               # another authentication method available.
  ```
- Remove the rlogin and rsh binaries from the system and replace them with a symlink to SSH:
  ```
  # find /usr -name rsh
  /usr/bin/rsh
  # rm -f /usr/bin/rsh
  # ln -s /usr/bin/ssh /usr/bin/rsh
  ```
SSH supports several different authentication methods and techniques that can be enabled or disabled. In the /etc/ssh/sshd_config file you make these configuration changes by entering the keyword listed for the authentication method, followed by yes or no. Some common configuration changes:
```
# RSAAuthentication yes
# PubkeyAuthentication yes
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes
```
The AllowedAuthentications and RequiredAuthentications keywords in the sshd_config file determine which authentication methods and configurations are used; they apply only to SSH Protocol 2, and the syntax for supporting password and public-key authentication is:
```
# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password
```
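The hardening list above and the authentication keywords in this section are all sshd_config directives, and the most common way they fail in practice is a typo, a stray duplicate, or a setting that lives only inside a Match block. As an added example (not part of the original article or the reposted IBM text), the following Python script parses an sshd_config file with the same rules sshd uses (case-insensitive keywords, `#` comments, `Keyword value` or `Keyword=value`, first value wins) and reports every directive that is unset or differs from the hardened value. The EXPECTED table, the SAMPLE configuration and the function names are my own assumptions, and the sample deliberately contains both failure modes.

```python
"""Audit an sshd_config against the hardened directives listed on this page.

Parsing rules mirrored from sshd: keywords are case-insensitive, '#' starts a
comment, 'Keyword value' and 'Keyword=value' are both accepted, and for each
keyword the FIRST value read wins, so a later duplicate does not override it.
Directives under a Match block are conditional and are collected separately.
"""
import re

# Hardened values drawn from the directives on this page (assumption: this is
# the set to enforce; adjust to your own policy).
EXPECTED = {
    "permitrootlogin": "no",
    "protocol": "2",
    "clientaliveinterval": "600",
    "clientalivecountmax": "0",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "strictmodes": "yes",
    "passwordauthentication": "no",
}

# keyword, then either '=' or whitespace, then the value
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_opts, match_opts): dicts of lowercase keyword -> first value."""
    global_opts, match_opts = {}, {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # not a 'Keyword value' line; sshd itself would reject it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        target = match_opts if in_match else global_opts
        target.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_opts, match_opts


def audit(text, expected=EXPECTED):
    """List (keyword, found_value_or_None, expected_value) for every directive
    that is unset in the global section or differs from the hardened value."""
    global_opts, _ = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = global_opts.get(key)
        if got is None or got.lower() != want.lower():
            findings.append((key, got, want))
    return findings


# Constructed sample configuration: it deliberately sets PermitRootLogin twice
# and puts AllowTcpForwarding only inside a Match block.
SAMPLE = """\
Port 2022
Protocol 2
PermitRootLogin yes
PermitRootLogin no        # ignored by sshd: the first value above wins
ClientAliveInterval 600
ClientAliveCountMax 0
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
X11Forwarding no
StrictModes yes
PasswordAuthentication no

Match User sftpuser
    ChrootDirectory /data01/home/%u
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, got, want in audit(SAMPLE):
        state = "not set globally" if got is None else f"set to {got!r}"
        print(f"{key}: {state}, expected {want!r}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`. A finding with `None` means the directive is absent and the compiled-in default applies, which is worth checking explicitly because defaults differ between OpenSSH releases.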
Other notes / supplements
1. It is recommended to change the port number to something above 9000
```
[root@lyj1 ~]# ssh 10.0.80.10
ssh: connect to host 10.0.80.10 port 22: Connection refused
[root@lyj1 ~]# ssh -p 9001 10.0.80.10
The authenticity of host '[10.0.80.10]:9001 ([10.0.80.10]:9001)' can't be established.
RSA key fingerprint is 55:e5:85:f1:45:19:0b:a7:b7:c0:af:fe:f4:57:20:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.80.10]:9001' (RSA) to the list of known hosts.
root@10.0.80.10's password:
```
2. Experiment: mutual trust between server A and server B
Experiment description:
Server A: 10.0.10.158, with an ordinary user user_00
Server B: 10.0.10.191, with an ordinary user user_00
Goal: password-less SSH login between A and B in both directions
```
[user_00@lyj1 .ssh]$ su - user_00          # switch to user user_00
[user_00@lyj1 .ssh]$ ssh-keygen            # generate the public and private key
......omitted......
[user_00@lyj1 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
[user_00@lyj1 .ssh]$ su - user_00
[user_00@lyj2 .ssh]$ ssh-keygen
......omitted......
[user_00@lyj2 .ssh]$ ls
authorized_keys  id_rsa  id_rsa.pub
```
```
[user_00@lyj1 .ssh]$ cat -n authorized_keys     # B's public key has been copied into A's authorized_keys
     1  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKhaOwUKoYkIDMYsja8eJUoJd0rr6C6urPNBEl33d86mWfgt2Qq23krPmxScRMK3QRJV7J1UiWlumwq6PfWkLCU3POlL2goEmgqfeKwn9ZlCTgnB3cjNef/6TdgcOESksj2xsprShBjT5djWC82xQbmieNHK+MiMwtvz1ITm4ZeyVfZgRoIRe3Lm1eWaUuMmve0kU7qFOJNvDV0+YHJu+ntOvpz17NXLHhzzWbHk9Ulnbz5brBPwQ8xBdFt+DSLYZMFNj+EVatvAg0YE5kAMFL6iuA49sgsKL70WN3VaGU++25PdrcU+Bw9YbtgmXGBzcbhjcWf8HdK22QuPOS+3jw== user_00@lyj2
[user_00@lyj2 .ssh]$ cat -n authorized_keys     # A's public key has been copied into B's authorized_keys
     1  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain
     2  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwijcQXHMCIPupkTQm0q6S/BmKm9qL5yjxftCr2P0Ql+6+ZCL7Infv3DSL9qsRVkrOAgx0ADFA+qJ3vfN2EWux/yqRF6pjkQqFbW7CLu963O4ZmQjsVkzovWGen1rXI7yfZ342NPjmrGllqFFJxkQ210xztl/z0go1EZrN0GC2RQV/HLC7HQdgh9fzQXIdcJhfEga6WMh/uMCVZz/yWcaN0P9QcG8OGr7Px2rhz9hT51wtnHlavi+y32HVmoqqW1KYhY2r2GmKK+aE+YUakM5ghnoKl0lvSXNPn/S3IQx4gZg4oyLXz4u0R1cyOnAUBHg1zAIvy3ntw62tEIhoGDmbw== user_00@lyj1
[user_00@lyj2 .ssh]$ ll -d authorized_keys      # check the authorized_keys file's permissions (644) and owner/group (user_00)
-rw-r--r--. 1 user_00 user_00 805 11月 26 09:52 authorized_keys
[user_00@lyj1 .ssh]$ ll -d authorized_keys
-rw-r--r--. 1 user_00 user_00 805 11月 26 00:08 authorized_keys
```
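The experiment above checks the authorized_keys permissions and ownership by eye with `ll -d`, because with StrictModes enabled sshd silently ignores the file when the home directory, ~/.ssh or authorized_keys is group- or world-writable or owned by someone else, and the "password-less" login then falls back to a password prompt. As an added example that is not part of the original post, this Python script performs the same StrictModes-style check in code and additionally parses every key line to confirm that the base64 blob really carries the declared key type, which catches a mangled paste. The toy RSA numbers, the temporary directory layout and the function names are constructed for the demo; the generated key lines are structurally valid but are not usable keys.

```python
"""Check a user's authorized_keys the way sshd does before trusting it:
StrictModes-style permission checks plus a structural parse of each key line."""
import base64
import os
import shutil
import stat
import struct
import tempfile

KNOWN_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """RFC 4251 'mpint' for a positive integer (extra zero byte if the high bit is set)."""
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_toy_rsa_key(comment):
    """Constructed ssh-rsa line in authorized_keys format. The exponent and
    modulus are toy numbers, NOT a usable key; the line only exercises the parser."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_key_line(line):
    """Return (key_type, comment) for one key line, None for blank/comment lines,
    and raise ValueError for a malformed line. A leading options field such as
    'no-pty' is skipped by scanning tokens until a known key type appears
    (quoted options containing spaces are not handled by this simple splitter)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KNOWN_TYPES:
            break
    else:
        raise ValueError("no recognised key type")
    if i + 1 >= len(tokens):
        raise ValueError("key data missing")
    key_type, b64 = tokens[i], tokens[i + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base64: {exc}")
    if not blob.startswith(_ssh_string(key_type.encode())):
        raise ValueError(f"blob does not carry declared type {key_type}")
    return key_type, " ".join(tokens[i + 2:])


def check_permissions(path, uid):
    """Mirror sshd StrictModes: owned by the user (or root) and not writable
    by group or others. Returns a list of problem strings."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in (0, uid):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
    return problems


def audit_authorized_keys(home, uid):
    """Return (parsed_keys, problems) for home/.ssh/authorized_keys."""
    ssh_dir = os.path.join(home, ".ssh")
    ak_path = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, ak_path):  # the three paths StrictModes inspects
        problems += check_permissions(path, uid)
    keys = []
    with open(ak_path) as fh:
        for lineno, line in enumerate(fh, 1):
            try:
                parsed = parse_key_line(line)
            except ValueError as exc:
                problems.append(f"{ak_path}:{lineno}: {exc}")
                continue
            if parsed is not None:
                keys.append(parsed)
    return keys, problems


def demo():
    """Build a constructed home directory, audit it with 0644 on the file, then
    loosen it to 0666 (which StrictModes rejects) and audit again."""
    home = tempfile.mkdtemp()  # created 0700 and owned by the current user
    try:
        uid = os.getuid()
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        ak_path = os.path.join(ssh_dir, "authorized_keys")
        with open(ak_path, "w") as fh:
            fh.write(make_toy_rsa_key("user_00@lyj2") + "\n")
            fh.write("no-pty " + make_toy_rsa_key("user_00@lyj1") + "\n")
            fh.write("ssh-rsa bm90LWEta2V5 broken@example\n")  # base64 of 'not-a-key'
        os.chmod(ak_path, 0o644)
        good = audit_authorized_keys(home, uid)
        os.chmod(ak_path, 0o666)
        bad = audit_authorized_keys(home, uid)
        return good, bad
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for label, (keys, problems) in zip(("0644", "0666"), demo()):
        print(f"authorized_keys mode {label}: {len(keys)} valid keys, problems: {problems}")
```

On a real host, call `audit_authorized_keys(os.path.expanduser("~user_00"), pwd.getpwnam("user_00").pw_uid)`; an empty problems list is what the `ll -d` check in the experiment is confirming by hand.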
Experiment results: