Hardening the SSH service
1. Configure basic security policies (no root login, no empty passwords)
2. Apply an allow-only policy to SSH access: any user not explicitly listed is refused login
3. Set up key-based login (private key passphrase) and passwordless login
4. After confirming that key-based authentication works, disable password authentication
Step one: configure basic security policies
1) Adjust the sshd service configuration and restart the service
[root@proxy ~]# vim /etc/ssh/sshd_config
.. ..
Protocol 2 //SSH protocol version
PermitRootLogin no //forbid the root user from logging in
PermitEmptyPasswords no //forbid logins by accounts with an empty password
UseDNS no //do not resolve client addresses
LoginGraceTime 1m //time limit for completing a login
MaxAuthTries 3 //maximum authentication attempts per connection
.. ..
[root@proxy ~]# systemctl restart sshd
2) Test the basic security policies
Try to log in over SSH as root; it fails:
[root@proxy ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
Set the password of the server user kate (create the account first if it does not exist) to empty and try to log in over SSH; this fails too:
[root@proxy ~]# passwd -d kate //clear the user's password
清除用戶的密碼 kate。
passwd: 操作成功
[root@proxy ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
Step two: apply an allow-only policy to SSH access, refusing any user not explicitly listed
1) Adjust the sshd service configuration by adding an AllowUsers policy that permits only the users zhangsan, tom and useradm, where useradm may log in only from the 192.168.4.0/24 network.
Note: if these users do not exist, create them and set their passwords beforehand.
[root@proxy ~]# vim /etc/ssh/sshd_config
.. ..
AllowUsers zhangsan tom useradm@192.168.4.0/24 //define the account whitelist
##DenyUsers USER1 USER2 //define an account blacklist
##DenyGroups GROUP1 GROUP2 //define a group blacklist
##AllowGroups GROUP1 GROUP2 //define a group whitelist
[root@proxy ~]# systemctl restart sshd
2) Verify the SSH access control: unauthorized users are refused login.
[root@proxy ~]# ssh [email protected] //an authorized user is allowed to log in
[email protected]'s password:
[useradm@proxy ~]$ exit
[root@proxy ~]# ssh [email protected] //an unauthorized user is refused login
[email protected]'s password:
Permission denied, please try again.
Step three: set up key-pair login (private key passphrase) and passwordless login
1) Prepare the client test environment
Create an SSH key pair for the root user on the client
Use ssh-keygen to create the key pair, leaving the private key passphrase empty (just press Enter):
[root@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): //press Enter to leave the passphrase empty
Enter same passphrase again: //press Enter again to confirm
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
63:6e:cf:45:f0:56:e2:89:6f:62:64:5a:5e:fd:68:d2
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . . . |
| = = |
| S = B . |
| o B = . o |
| + + = E .|
| . + + o |
| o |
+-----------------+
[root@client ~]$ ls -lh ~/.ssh/id_rsa* //confirm the key pair files
-rw-------. 1 root root 1.8K 8月 15 10:35 /root/.ssh/id_rsa
-rw-r--r--. 1 root root 403 8月 15 10:35 /root/.ssh/id_rsa.pub
2) Deploy the client root user's public key to the SSH server
Logged in to the client as root, use the ssh-copy-id command to deploy your own public key to the server:
[root@client ~]$ ssh-copy-id [email protected]
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
3) On the server, confirm the public key uploaded by the client's root user
By default it is placed in the ~/.ssh/authorized_keys file in the target user's home directory:
[root@proxy ~]# tail -2 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzz+5AiFMGQ7LfuiV7eBnOcmRO9JRTcqRoynGO2y5
RyFL+LxR1IpEbkNrUyIZDk5uaX1Y8rwsf+pa7UZ2NyqmUEvNSUo0hQyDGsU9SPyAdzRCCvDgwpOFhaHi/OFnT+zqjAqXH2M9fFYEVUU4PIVL8HT19zCQRVZ/q3acQA34UsQUR0PpLJAobsf1BLe2EDM8BsSHckDGsNoDT9vk+u3e83RaehBMuy1cVEN5sLAaIrIeyM8Q0WxQNlqknL908HRkTlTeKrRoHbMnOBFj8StwlnscKHlkrsKkhUf8A9WWz/vL4GDwGND5jdca3I2hdITAySjMdfL1HMHnMYOgMjPM0Q== [email protected]
4) Test SSH key-pair authentication from the client
From the client root user's environment, logging in to host 192.168.4.5 as the remote user root now succeeds without a password prompt (because the private key passphrase is empty):
[root@client ~]$ ssh root@192.168.4.5 //logs in directly with no interaction
Last login: Thu Aug 15 10:48:09 2013 from 192.168.4.100
Step four: after confirming that key-based authentication works, disable password authentication
1) Adjust the sshd service configuration, setting PasswordAuthentication to no
[root@proxy ~]# vim /etc/ssh/sshd_config
.. ..
PasswordAuthentication no //change this line from yes to no
[root@proxy ~]# systemctl restart sshd
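As an added example that is not part of the original tutorial, the POSIX shell script below audits an sshd_config for the settings applied in the four steps above. It reads the file the way sshd does, so it catches two mistakes that a plain grep misses: a duplicate directive appended later in the file (sshd keeps the first value it finds) and a directive that landed inside a Match block. The function names and the sample configuration are constructed for this example.

```shell
# Added example, not from the original tutorial: audit an sshd_config for the settings
# of steps one to four, reading it like sshd does: comments and blank lines are skipped,
# keywords are case-insensitive, the FIRST value given for a keyword wins, and lines
# after a "Match" directive are block-local. Assumes "Keyword value" syntax throughout.

# effective_value FILE KEYWORD: print the value sshd would apply globally
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }           # comment or blank line
        tolower($1) == "match" { in_match = 1; next }  # everything below is block-local
        in_match { next }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }   # first match wins
    ' "$1"
}

# check FILE KEYWORD PATTERN: pass when the effective value matches the shell pattern
check() {
    got=$(effective_value "$1" "$2")
    case $got in
        $3) echo "OK   $2 $got" ;;
        *)  echo "FAIL $2 is '${got:-unset}', wanted '$3'"; fails=$((fails + 1)) ;;
    esac
}

# audit_sshd_config FILE: one line per check, returns the number of failed checks
audit_sshd_config() {
    fails=0
    check "$1" Protocol 2
    check "$1" PermitRootLogin no
    check "$1" PermitEmptyPasswords no
    check "$1" MaxAuthTries '[1-3]'       # at most 3 attempts per connection
    check "$1" AllowUsers '?*'            # some whitelist must exist (step two)
    check "$1" PasswordAuthentication no  # step four
    return "$fails"
}

# Constructed sample: "PermitRootLogin no" was appended at the end but the earlier
# "yes" wins, and PasswordAuthentication only applies inside the Match block for tom.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers zhangsan tom useradm@192.168.4.0/24
Match User tom
    PasswordAuthentication yes
PermitRootLogin no
EOF
audit_sshd_config "$cfg" || echo "-> $? check(s) failed"; rm -f "$cfg"
```

On a live server, compare the result with the daemon's effective settings from sshd -T, which resolves the same first-match and Match rules itself.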