系統安裝完成後，默認安裝的 openssl 跟 openssh 版本較低，有安全隱患，於是對其進行升級以加固安全。首先升級 openssl（本文以 1.0.2g 爲例；注意 1.0.2 系列上游已停止維護，實際操作時應選擇仍在維護的版本，並優先考慮發行版自帶的安全更新——自行編譯的 openssl 不會替換系統既有程序所鏈接的 libssl），升級步驟如下：
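#!/bin/bash
# Build OpenSSL from source into /usr/local/ssl and point the `openssl` CLI and
# the headers at it.
#
# NOTE(review): this adds a *second* OpenSSL next to the distro one. Existing
# system binaries keep using the distro libssl (different soname), so this does
# not patch them; `yum update openssl` is the normal path for that. 1.0.2 is
# also end-of-life upstream — pick a supported release via OPENSSL_VER.
set -euo pipefail

OPENSSL_VER="${OPENSSL_VER:-1.0.2g}"
SRC_DIR="/data"
PREFIX="/usr/local/ssl"                 # ./config's default install prefix
BACKUP_DIR="${BACKUP_DIR:-/tmp/usr}"    # NB: /tmp is cleared on reboot; change if you want the rollback copy to survive
TARBALL="openssl-${OPENSSL_VER}.tar.gz"

yum install -y zlib zlib-devel
yum remove -y openssl-devel             # -y: the original prompted and hangs a non-interactive run

cd "$SRC_DIR"
# Fetch over HTTPS and verify the detached signature before building: an
# unverified tarball is a supply-chain hole in a "hardening" step. The OpenSSL
# release signing key must already be in the gpg keyring, or this fails closed.
wget "https://www.openssl.org/source/${TARBALL}"
wget "https://www.openssl.org/source/${TARBALL}.asc"
gpg --verify "${TARBALL}.asc" "$TARBALL"
tar zxf "$TARBALL"
cd "openssl-${OPENSSL_VER}"

./config shared zlib
make depend
make
make install

# Keep the distro's CLI and headers so the change can be rolled back.
mkdir -pv "$BACKUP_DIR"/{bin,include}
mv /usr/bin/openssl "$BACKUP_DIR/bin/"
mv /usr/include/openssl "$BACKUP_DIR/include/"
ln -sv "$PREFIX/bin/openssl" /usr/bin/openssl
ln -sv "$PREFIX/include/openssl/" /usr/include/openssl

# Register the new library directory once; the original appended a duplicate
# line on every run.
grep -qxF "$PREFIX/lib" /etc/ld.so.conf || echo "$PREFIX/lib" >> /etc/ld.so.conf
ldconfig -v | grep openssl || true      # informational only; grep finding nothing is not an error
openssl version -a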
升級 openssl 完成後再升級 openssh。由於後面會禁止 root 直接通過 SSH 登錄，必須先添加一個普通用戶並加入 wheel 組，否則升級完成後會把自己鎖在服務器外：
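# Create the unprivileged login account BEFORE root SSH login is disabled
# further down, or the upgrade locks you out.
#
# The original mixed two names (user "tide" vs. "test"), ran `usermod -G wheel
# test` against a user that did not exist, and `-G` would have *replaced* the
# supplementary group list anyway. One name is used throughout and -aG appends.
USER_NAME="${USER_NAME:-test}"

groupadd "$USER_NAME"
useradd -g "$USER_NAME" "$USER_NAME"
usermod -aG wheel "$USER_NAME"

# The random password material is printed to the terminal: treat this session
# (scrollback, terminal logging) as sensitive, and set the password through the
# interactive prompt rather than passing it on a command line.
echo "截取以下隨機數設置 ${USER_NAME} 用戶密碼,用於升級後登錄服務器"
openssl rand -base64 30
passwd "$USER_NAME"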
只允許 wheel 組的用戶通過 su 切換到 root，其他用戶即使輸入正確密碼也會提示 incorrect password。注意這只限制 su；sudo 權限由 /etc/sudoers 決定，單純加入 wheel 組並不會自動獲得 sudo。
vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid    ← 取消該行的註釋
下載安裝 openssh 7.2 版本。注意：從 OpenSSH 7.0 起 PermitRootLogin 的默認值是 prohibit-password，它只拒絕 root 用密碼登錄，root 仍然可以用密鑰登錄；要完全禁止 root 登錄，必須在 sshd_config 中顯式設置 PermitRootLogin no。
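# Build OpenSSH 7.2p2 against the OpenSSL installed above.
#
# Do this from a console, or keep a second already-open SSH session as a
# fallback: removing the distro package and restarting sshd from inside the
# only session is how people lock themselves out.
set -euo pipefail

OPENSSH_VER="${OPENSSH_VER:-7.2p2}"
SSL_DIR="/usr/local/ssl"
TARBALL="openssh-${OPENSSH_VER}.tar.gz"

cd /data
# Move the old config aside so `make install` lays down a clean 7.2 sshd_config.
# The old host keys are restored from this backup further down.
mv /etc/ssh /etc/ssh.bak
yum remove -y openssh
yum install -y pam-devel

# Fetch over HTTPS (the original used plain http) and verify the release
# signature before building. The OpenSSH release signing key must be imported
# into gpg first; otherwise this fails closed.
wget "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${TARBALL}"
wget "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${TARBALL}.asc"
gpg --verify "${TARBALL}.asc" "$TARBALL"
tar zxf "$TARBALL"
cd "openssh-${OPENSSH_VER}"

# The original had `make` fused onto the end of --with-md5-passwords, which
# breaks configure. --with-ssl-dir pins the build to the freshly built OpenSSL
# instead of whichever headers/libs configure happens to find first.
./configure --prefix=/usr --sysconfdir=/etc/ssh \
  --with-pam --with-zlib --with-md5-passwords \
  --with-ssl-dir="$SSL_DIR"
make

# Put the previous host keys back before install (install only generates keys
# that are missing) so clients' known_hosts entries stay valid. The original
# threw them away and every client got a host-key-changed warning. If the old
# keys are weak (e.g. 1024-bit DSA), skip this and accept the one-time warning.
mkdir -p /etc/ssh
shopt -s nullglob
for k in /etc/ssh.bak/ssh_host_*_key /etc/ssh.bak/ssh_host_*_key.pub; do
  cp -a "$k" /etc/ssh/
done
shopt -u nullglob

make install

# chkconfig needs /etc/rc.d/init.d/sshd; see the init script below if it is missing.
chkconfig --add sshd
chkconfig sshd --list
ssh -V
# From a remote session use start, not restart/reload — the original notes a
# restart/reload here can drop the connection you are working from.
service sshd start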
安裝過程中如果 sshd 服務啓動不了，可能是缺少 sshd 服務啓動腳本；可將下面的腳本保存爲 /etc/rc.d/init.d/sshd 並 chmod 755，再執行 chkconfig --add sshd。
#!/bin/bash
#
# sshd          Start/stop the OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# Red Hat init helpers (success/failure/killproc/status) used by the functions below.
. /etc/rc.d/init.d/functions

# Optional per-host settings; e.g. OPTIONS is passed through to sshd on start.
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

prog="sshd"
SSHD=/usr/sbin/sshd
# Declared for reference; none of the functions in this script read it.
PID_FILE=/var/run/sshd.pid
RETVAL=0
# Run `sshd -t` to validate sshd_config and the host keys before a restart, so a
# broken config is reported instead of leaving the daemon down.
# Sets RETVAL to sshd's exit status; prints a failure line when it is non-zero.
do_restart_sanity_check()
{
  $SSHD -t
  RETVAL=$?
  if test "$RETVAL" -ne 0; then
    failure $"Configuration file or keys are invalid"
    echo
  fi
}
# Start sshd. Generates any missing host keys first, relabels the public keys on
# SELinux hosts, then launches the daemon with $OPTIONS (from /etc/sysconfig/sshd).
# RETVAL ends up as the exit status of success/failure; the subsys lock file is
# only touched on success so condrestart/status see the right state.
start()
{
  # Creates keys only if they are absent.
  /usr/bin/ssh-keygen -A

  if [ -x /sbin/restorecon ]; then
    for keyname in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key ssh_host_ecdsa_key; do
      /sbin/restorecon /etc/ssh/$keyname.pub
    done
  fi

  echo -n $"Starting $prog:"
  $SSHD $OPTIONS && success || failure
  RETVAL=$?
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
  echo
}
# Stop sshd with SIGTERM via killproc. RETVAL is killproc's exit status; the
# subsys lock file is removed only when the stop succeeded.
stop()
{
  echo -n $"Stopping $prog:"
  if killproc $SSHD -TERM; then
    RETVAL=0
    rm -f /var/lock/subsys/sshd
  else
    RETVAL=$?
  fi
  echo
}
# Ask the running sshd to re-read its configuration by sending SIGHUP via
# killproc. RETVAL is killproc's exit status.
reload()
{
  local sig=-HUP
  echo -n $"Reloading $prog:"
  killproc $SSHD $sig
  RETVAL=$?
  echo
}
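# Dispatch on the action argument and exit with RETVAL.
#
# `restart` now validates the config first, as condrestart already did: the
# original stopped sshd and then tried to start it, so a typo in sshd_config
# took the daemon down and never brought it back — a lockout for anyone
# administering the box over SSH.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    do_restart_sanity_check
    if [ $RETVAL -eq 0 ] ; then
      stop
      start
    fi
    ;;
  reload)
    reload
    ;;
  condrestart)
    if [ -f /var/lock/subsys/sshd ] ; then
      do_restart_sanity_check
      if [ $RETVAL -eq 0 ] ; then
        stop
        # avoid race
        sleep 3
        start
      fi
    fi
    ;;
  status)
    status $SSHD
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
    RETVAL=1
    ;;
esac
exit $RETVAL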
接下來配置只能使用密鑰文件登錄
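# Run this AS THE LOGIN USER (test), not root: the key pair and authorized_keys
# must live in that user's ~/.ssh and be owned by them, or sshd (StrictModes)
# refuses the key. The original ran ssh-keygen with the default path and then
# `mv`'d id_rsa.pub in the current directory, which only works by accident.
umask 077
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Let ssh-keygen prompt for the passphrase. Passing it with -P (as the original
# did, with a literal value) leaves it in `ps` output and shell history.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

# Append rather than mv/overwrite, so any key already authorized is kept.
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys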
而後通過已建立的 SSH 會話（scp）把私鑰 id_rsa 下載到本地（可重命名爲 IP_user_id_rsa），安全保存，並隨即刪除服務器上的私鑰副本。更穩妥的做法是在客戶端本地生成密鑰對，只把公鑰上傳到服務器的 authorized_keys，私鑰從不離開客戶端。
接下來編輯sshd配置文件,取消註釋
vim /etc/ssh/sshd_config
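# SSH-2 public-key authentication. RSAAuthentication only governs the legacy
# SSH-1 protocol; it is harmless here and later sshd releases dropped it.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Root must not log in over SSH at all. The 7.x default is prohibit-password,
# which still lets root in with a key — set it explicitly.
PermitRootLogin no

# Run PAM account/session modules (the build above used --with-pam; the
# source-tree default is "no", which would skip them entirely).
UsePAM yes

# Disable password authentication. Enable this only after confirming that key
# login works, otherwise the only way back in is the console in the server room.
PasswordAuthentication no
# With UsePAM yes, keyboard-interactive can still prompt for the PAM password
# even when PasswordAuthentication is off; turn it off too or passwords still work.
ChallengeResponseAuthentication no
PermitEmptyPasswords no

# Only the key-holding admin account may log in; adjust if the account name differs.
AllowUsers test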
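# Validate the config, then restart sshd to apply it. A syntax error in
# sshd_config would otherwise stop the daemon and fail to start it again.
# Keep this session open and confirm a fresh key-based login succeeds in a
# second terminal before closing it.
/usr/sbin/sshd -t && service sshd restart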
以後登錄這臺主機就必須以 test 用戶使用私鑰（配合密碼短語）登錄，需要 root 權限時再通過 su 切換。
其他安全設置
- 限制登錄 IP。注意：從 OpenSSH 6.7 起，源碼版（portable）已移除 tcp_wrappers（libwrap）支持，因此自行編譯的 7.2p2 sshd 不會讀取 /etc/hosts.allow 和 /etc/hosts.deny，下面這兩個文件的設置對它並不生效。應改用 iptables 按源地址限制 22 端口，或在 sshd_config 中用 AllowUsers test@192.168.1.1 / Match Address 來限制。
vim /etc/hosts.deny
sshd:all
vim /etc/hosts.allow
sshd:192.168.1.1
- 在 /etc/profile 中添加：
登錄超時：用戶在線 5 分鐘無操作則斷開連接。這只對交互式 bash 登錄 shell 有效，用戶換用其他 shell 即可繞過，屬於衛生措施而非安全邊界。
# Idle interactive shells are closed after 300 s of no input. Readonly so a
# user cannot unset or raise it within the session; exported so child shells
# inherit it.
readonly TMOUT=300
export TMOUT
減少 history 命令記錄（注意：縮減或清空歷史會去掉事後排查入侵所依賴的命令記錄；多數加固基線反而要求保留歷史並加上時間戳 HISTTIMEFORMAT，這兩項請按自身需求取捨）
HISTSIZE=1000    # 將該值調小
每次退出時清理history
# NOTE(review): wiping history on logout destroys the command trail incident
# responders rely on; most hardening baselines keep history (append mode,
# HISTTIMEFORMAT) rather than clear it, and a hostile user can clear it anyway.
history -c
- 增強特殊文件權限
# Immutable bit as a guard against accidental edits only: root can clear it
# with `chattr -i`, and while it is set, tools that rewrite these files
# (passwd, useradd, usermod) fail — finish account changes before running this.
for f in /etc/passwd /etc/shadow /etc/ssh/sshd_config; do
  chattr +i "$f"
done
lsattr /etc/passwd /etc/shadow /etc/ssh/sshd_config
修改配置前需要先取消特殊權限：chattr -i filename
- 禁 ping
vim /etc/rc.d/rc.local
# Persisting this via rc.local works but runs last at boot; the conventional
# place is /etc/sysctl.conf (net.ipv4.icmp_echo_ignore_all = 1, then sysctl -p).
# Ignoring echo requests gives little security benefit and hides the host from
# legitimate monitoring — weigh that before enabling it.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
或者通過 iptables 規則限制（規則需用 service iptables save 持久化，否則重啓後失效；用 -A 追加的規則若排在已有的 ACCEPT 規則之後也不會生效）
禁止其他主機 ping 本機
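# Type 0 is echo-REPLY: dropping it on INPUT (as the original did) only broke
# this host's own outgoing pings, while everyone could still ping it. Incoming
# pings are echo-REQUEST (type 8). Note -A appends: an earlier ACCEPT for icmp
# would shadow this rule, and nothing here persists it across reboots.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP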
禁止本機 ping 其他主機
# Stop this host from pinging out: drop outgoing echo-request (ICMP type 8).
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP