Introduction to the Linux basic service sshd
Posted by 白-胖-子
sshd is provided by OpenSSH
- SSH protocol: Secure Shell, a secure shell protocol.
- SSH is a security protocol built on top of the application and transport layers.
- The sshd service uses the SSH protocol for remote control of a host and for transferring files between computers.
- sshd encrypts the transport, which makes it far safer than telnet, which transfers files in cleartext.
sshd configuration file
/etc/ssh/sshd_config
- A line starting with '#' with no space between the '#' and the keyword (for example "#Port 22") shows the built-in default value, which is in effect.
- A line starting with '#' followed by a space is a pure comment.
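To make that comment convention concrete, here is an added example in bash (not code from the original post) that works out which value sshd will use for an option: an uncommented directive wins (sshd keeps the first occurrence of a keyword), otherwise a "#Keyword value" line with no space after the '#' documents the compiled-in default, and "# text" lines are ignored. The sshd_config fragment embedded in it is constructed for the demo, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: work out which value sshd will use for
# an option, following the comment convention above plus sshd's first-match rule.
# The sshd_config fragment below is constructed for the demo; function names are our own.
set -u

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Constructed sample sshd_config fragment (not a real host's file)
#Port 22
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#MaxAuthTries 6
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
#UseDNS no
Match User anoncvs
    PermitRootLogin no
EOF

# effective_sshd_option FILE KEYWORD -> prints the value in effect (first token only)
# 1. An uncommented directive wins; sshd keeps the first occurrence of a keyword.
# 2. Otherwise "#Keyword value" (no space after '#') documents the compiled-in default.
# 3. "# text" lines are pure comments. Anything after the first Match block is conditional,
#    so the scan stops there. Keywords are case-insensitive, as in sshd.
effective_sshd_option() {
    local file=$1 key=$2 val
    val=$(awk -v k="$key" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == tolower(k)          { print $2; exit }' "$file")
    if [ -z "$val" ]; then
        val=$(awk -v k="$key" '
            /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
            tolower($1) == ("#" tolower(k))    { print $2; exit }' "$file")
    fi
    printf '%s\n' "${val:-unset}"
}

# sshd_weak_settings FILE -> prints one line per setting the sections below advise changing
sshd_weak_settings() {
    local file=$1 v
    v=$(effective_sshd_option "$file" PermitRootLogin)
    [ "$v" = yes ] && echo "PermitRootLogin yes: direct root login is allowed"
    v=$(effective_sshd_option "$file" PasswordAuthentication)
    [ "$v" = yes ] && echo "PasswordAuthentication yes: password guessing is possible, prefer keys"
    v=$(effective_sshd_option "$file" PermitEmptyPasswords)
    [ "$v" = yes ] && echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"
    return 0
}

# Demo run against the constructed fragment
for k in Port PermitRootLogin PasswordAuthentication UseDNS Banner; do
    printf '%-24s %s\n' "$k" "$(effective_sshd_option "$SAMPLE_CFG" "$k")"
done
sshd_weak_settings "$SAMPLE_CFG"
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check; the resolver above is for reading a config file offline, for example one pulled from a backup. Directives after the first Match block apply only to matching connections, which is why the scan stops there.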
Tuning parameters
Port
- The default port is 22; on production hosts exposed to the Internet it should be changed
Port 22
- Use the -p option to connect to a port other than the default 22 [-p port]
ssh -p 1234 root@10.0.0.88
Listen address
- The default is every address on every network interface
- It can be changed to a specific IP
#ListenAddress 0.0.0.0
#ListenAddress ::
Login grace time
- The time allowed between entering the user name and entering the password
- The default is 2 minutes; it can be reduced
#LoginGraceTime 2m
Allow root login
- Production systems should forbid direct root login
- Debian-family distributions such as Ubuntu forbid root login by default
PermitRootLogin yes
Default authorized public key file
AuthorizedKeysFile .ssh/authorized_keys
Whether password authentication is allowed
- Once key authentication is set up, password login can be turned off to prevent brute-force attacks
PasswordAuthentication yes
Print the login message and the last-login record
- The last-login line helps spot signs of compromise (a login time or source address you do not recognise)
PrintMotd no
#PrintLastLog yes
[14:56:49 root@C8-88[ ~]#ssh 10.0.0.189
Last login: Sat Jul 3 22:00:12 2021 from 10.0.0.88
Use DNS reverse lookup
- If the login hangs for a long time after the password is entered, set this to no
#UseDNS no
Change the login message
- Create or edit the motd file
/etc/motd
- Add the content to be shown at login to the file
- Enable PrintMotd in the configuration file
sed -ri.bak 's/(PrintMotd )no/\1yes/' /etc/ssh/sshd_config
fail2ban to prevent brute forcing
- Monitors the system logs, matches log entries, and adds offending IPs to iptables
- Written in Python; install it as a Python package with the Python tooling
- Main configuration file: jail.conf
- Service file templates are in the files directory of the source package: fail2ban.service, redhat-initd
- To find the legacy init script, look for files whose content mentions chkconfig
grep chkconfig ./* -R --color
- Older versions use chkconfig to add the startup entry
chkconfig --add fail2ban
- Login log
Main files:
- jail [dʒeɪl]: prison
/etc/fail2ban/action.d   # action directory with default files: iptables, mail and other action configs
/etc/fail2ban/fail2ban.conf   # defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d   # filter directory with default files: the patterns matched against log content
/etc/fail2ban/jail.conf   # main configuration file, modular; sets which services get ban actions and the thresholds
Use case
- Ban a remote ssh user for 1 hour after three failures within 5 minutes
- Prevents repeated password guessing
- Edit [ssh-iptables]
- First enable the jail
enabled = true
- Specify the log
logpath = /var/log/secure
- To send mail, change the sendmail setting; sendmail must already be enabled on the system
- If the ssh server does not listen on port 22, the configuration file must be changed,
- and the iptables configuration must be changed as well
Check ban status
fail2ban-client status ssh-iptables
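The use case above (three failures in 5 minutes, 1 hour ban) as a complete jail file, written in bash as an added example that is not from the original post or the fail2ban project. Values in jail.local override jail.conf. The jail name "sshd" is the one current fail2ban releases ship (the post's [ssh-iptables] is the older name), and the port, thresholds and the admin network in ignoreip are parameters or constructed values.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the fail2ban project: generate a jail.local
# implementing the policy above (3 failures within 5 minutes -> ban for 1 hour) for the
# sshd jail, and read a setting back to check it. Port, thresholds and the admin network
# (10.0.0.0/24 is a constructed value) are parameters you set for your own site.
set -u

# write_sshd_jail DEST PORT MAXRETRY FINDTIME_SEC BANTIME_SEC
# On a real host DEST is /etc/fail2ban/jail.local; the demo below writes to a temp file.
write_sshd_jail() {
    local dest=$1 port=$2 maxretry=$3 findtime=$4 bantime=$5
    cat > "$dest" <<EOF
[DEFAULT]
# sources never banned: loopback plus the admin network (edit for your site)
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24
findtime = ${findtime}
bantime  = ${bantime}
maxretry = ${maxretry}

[sshd]
enabled   = true
port      = ${port}
logpath   = /var/log/secure
banaction = iptables-multiport
EOF
}

# jail_setting DEST KEY -> prints the value written for KEY (first occurrence)
jail_setting() {
    awk -F'=' -v k="$2" '$1 ~ ("^" k "[[:space:]]*$") { sub(/^[[:space:]]+/, "", $2); print $2; exit }' "$1"
}

# Demo: 3 failures within 300 s bans for 3600 s, written to a temporary file
DEMO_JAIL=$(mktemp)
write_sshd_jail "$DEMO_JAIL" 22 3 300 3600
cat "$DEMO_JAIL"
```

After copying the generated file to /etc/fail2ban/jail.local, run `fail2ban-client reload` and then `fail2ban-client status sshd`; the "Currently banned" line lists the addresses under ban. On Debian-family hosts the log is /var/log/auth.log rather than /var/log/secure; jail.conf's `%(sshd_log)s` variable picks the right file per distribution if you prefer not to hard-code it.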
Implement fail2ban-like protection with a shell script
- Use a cron job to scan the security log
- Add IPs that exceed the threshold to the system blacklist hosts.deny
#!/bin/bash
# Count failed logins per source IP in the security log and write "IP=COUNT" lines
mkdir -p /root/satools
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1;}' > /root/satools/black.txt
DEFINE='10'   # threshold: more than this many failures gets the IP denied
for i in `cat /root/satools/black.txt`;do
    IP=`echo $i | awk -F= '{print $1}'`
    NUM=`echo $i | awk -F= '{print $2}'`
    if [ $NUM -gt $DEFINE ];then
        # only append the IP if it is not already in hosts.deny
        grep -q "sshd:$IP" /etc/hosts.deny
        if [ $? -gt 0 ];then
            echo "sshd:$IP" >> /etc/hosts.deny
        fi
    fi
done
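The script above works on the live /var/log/secure and edits /etc/hosts.deny directly. As an added example (not the original post's script), the bash below separates counting from banning so the logic can be tried against constructed log lines: it takes the address after the word "from" rather than a fixed field position, so "Failed password for ..." and "Invalid user ... from ..." entries are both counted, and it refuses to append an address twice. The sample log lines, the threshold and the denylist path are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): count failed sshd logins per source
# address and add offenders above a threshold to a denylist file, once each.
# The log lines, threshold and denylist path below are constructed for the demo.
set -u

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul  3 22:01:01 C8-88 sshd[1201]: Failed password for root from 10.0.0.88 port 50012 ssh2
Jul  3 22:01:03 C8-88 sshd[1201]: Failed password for root from 10.0.0.88 port 50013 ssh2
Jul  3 22:01:05 C8-88 sshd[1203]: Failed password for invalid user admin from 10.0.0.88 port 50014 ssh2
Jul  3 22:01:07 C8-88 sshd[1205]: Invalid user test from 192.0.2.10 port 40001
Jul  3 22:01:09 C8-88 sshd[1207]: Accepted publickey for ops from 10.0.0.189 port 40002 ssh2
Jul  3 22:01:11 C8-88 sshd[1209]: Failed password for ops from 10.0.0.189 port 40003 ssh2
EOF

# failed_logins_by_ip LOGFILE -> "COUNT IP" per source address, most failures first.
# The address is the token after "from", not a fixed field number, so both
# "Failed password for ..." and "Invalid user ... from ..." lines are counted.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
             for (i = 1; i < NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# ban_over_threshold LOGFILE THRESHOLD DENYFILE -> appends "sshd: IP" for every address
# with more than THRESHOLD failures, skips addresses already listed, prints the ones added.
ban_over_threshold() {
    local log=$1 threshold=$2 deny=$3 n ip
    touch "$deny"
    failed_logins_by_ip "$log" | while read -r n ip; do
        [ "$n" -gt "$threshold" ] || continue
        grep -qxF "sshd: $ip" "$deny" && continue   # whole-line match: 10.0.0.8 != 10.0.0.88
        printf 'sshd: %s\n' "$ip" >> "$deny"
        printf '%s\n' "$ip"
    done
}

# Demo: threshold 2 on the constructed log, writing to a temporary denylist
DEMO_DENY=$(mktemp)
echo "failures per source:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "newly denied:"
ban_over_threshold "$SAMPLE_LOG" 2 "$DEMO_DENY"
```

Run `failed_logins_by_ip /var/log/secure` (or /var/log/auth.log on Debian-family hosts) to see the counts on a real machine. One caveat before wiring this into cron: OpenSSH on RHEL/CentOS 8 and later is built without tcp_wrappers, so sshd there does not consult /etc/hosts.deny at all; on those hosts feed the same list into a firewall rule (a firewalld rich rule or an nftables set) instead.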
Implement with denyhosts
- denyhosts from EPEL is a simple way to do this
The system's built-in PAM module provides protection
- The system itself provides the PAM module functionality
/etc/pam.d/sshd
- Add the allowed number of failed attempts and the lock time
- Add one rule below the first line
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
PAM module commands
- View a user's failed-login count
Manually unlock:
View the number of failed logins for a user:
pam_tally2 --user USERNAME
For example, view the failed logins of the work user:
pam_tally2 --user work
Clear the failed-login count for a user:
pam_tally2 --user USERNAME --reset
For example, clear the failed-login count of the work user:
pam_tally2 --user work --reset
Passwordless login from Xshell and similar clients
- Generate a key pair locally with Xshell or another client
- Put the generated public key into the .ssh directory of the corresponding user's home directory on the server (the authorized_keys file)
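The server-side half of those two steps as an added bash example (not code from the original post): it installs a client's public key into the user's authorized_keys with the permissions sshd's StrictModes requires (.ssh mode 700, authorized_keys mode 600, both owned by the user), which is the usual reason a freshly copied key is silently ignored, and it avoids adding the same key twice. The key string below is a constructed placeholder, not a real key, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): install a client's public key on the server
# side with the permissions sshd's StrictModes requires, without adding the same key twice.
# The key below is a constructed placeholder, not real key material.
set -u

# install_authorized_key HOMEDIR PUBKEY_LINE -> appends the key to HOMEDIR/.ssh/authorized_keys
# if absent; prints "added" or "already present"
install_authorized_key() {
    local key=$2 dir="$1/.ssh" file="$1/.ssh/authorized_keys" material
    mkdir -p "$dir" && chmod 700 "$dir"            # sshd refuses group/world-writable dirs
    touch "$file" && chmod 600 "$file"
    # compare on key type + key material only, so a different comment is not a new key
    material=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if grep -qF "$material" "$file"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$file"
        echo "added"
    fi
}

# authorized_key_count HOMEDIR -> number of key lines installed
authorized_key_count() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Demo in a temporary home directory; the second call is a no-op
DEMO_HOME=$(mktemp -d)
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALxxxxxxxxxxxxxxxxxxxxxxx user@laptop"   # constructed
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
echo "keys installed: $(authorized_key_count "$DEMO_HOME")"
```

From an OpenSSH client, `ssh-copy-id user@host` performs the same steps for you; the function shows what has to be true on the server side for a key pasted from Xshell to work. On a real host also check that the home directory itself is not group- or world-writable, since StrictModes rejects that too.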
==========================================================
Configuration file contents:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server