How To Harden OpenSSH on Ubuntu 18.04

This article describes in detail how to harden OpenSSH on an Ubuntu 18.04 server, including disabling root login over SSH, limiting the number of authentication attempts, disabling password authentication and disabling X11 forwarding, to reduce the risk of the server being attacked. It also shows how to apply per-key restrictions through the authorized_keys file for further hardening. Together, these measures protect the OpenSSH server against unauthorized access.

The author selected the Electronic Frontier Foundation Inc to receive a donation as part of the Write for DOnations program.

Introduction

Linux servers are often administered remotely using SSH by connecting to an OpenSSH server, which is the default SSH server software used within Ubuntu, Debian, CentOS, FreeBSD, and most other Linux/BSD-based systems.

OpenSSH server is the server side of SSH, also known as SSH daemon or sshd. You can connect to an OpenSSH server using the OpenSSH client—the ssh command. You can learn more about the SSH client-server model in SSH Essentials: Working with SSH Servers, Clients, and Keys. Properly securing your OpenSSH server is very important, as it acts as the front door or entry into your server.

In this tutorial, you will harden your OpenSSH server by using different configuration options to ensure that remote access to your server is as secure as possible.

Prerequisites

To complete this tutorial, you will need:

Once you have this ready, log in to your server as your non-root user to begin.

Step 1 — General Hardening

In this first step, you will implement some initial hardening configurations to improve the overall security of your SSH server.

The exact hardening configuration that is most suitable for your own server depends heavily on your own threat model and risk threshold. However, the configuration you’ll use in this step is a general secure configuration that will suit the majority of servers.

Many of the hardening configurations for OpenSSH are implemented using the standard OpenSSH server configuration file, which is located at /etc/ssh/sshd_config. Before continuing with this tutorial, it is recommended to take a backup of your existing configuration file, so that you can restore it in the unlikely event that something goes wrong.

Take a backup of the file using the following command:

  • sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

This will save a backup copy of the file to /etc/ssh/sshd_config.bak.

Before editing your configuration file, you can review the options that are currently set. To do this, run the following command:

  • sudo sshd -T

This will run OpenSSH server in extended test mode, which will validate the full configuration file and print out the effective configuration values.

You can now open the configuration file using your favorite text editor to begin implementing the initial hardening measures:

  • sudo nano /etc/ssh/sshd_config

Note: The OpenSSH server configuration file includes many default options and configurations. Depending on your existing server configuration, some of the recommended hardening options may already have been set.

When editing your configuration file, some options may be commented out by default using a single hash character (#) at the start of the line. In order to edit these options, or have the commented option be recognized, you’ll need to uncomment them by removing the hash.

Firstly, disable logging in via SSH as the root user by setting the following option:

sshd_config
PermitRootLogin no

This is massively beneficial, as it will prevent a potential attacker from logging in directly as root. It also encourages good operational security practices, such as operating as a non-privileged user and using sudo to escalate privileges only when absolutely needed.

Next, you can limit the maximum number of authentication attempts for a particular login session by configuring the following:

sshd_config
MaxAuthTries 3

A standard value of 3 is acceptable for most setups, but you may wish to set this higher or lower depending on your own risk threshold.

If required, you can also set a reduced login grace period, which is the amount of time a user has to complete authentication after initially connecting to your SSH server:

sshd_config
LoginGraceTime 20

The configuration file specifies this value in seconds.

Setting this to a lower value helps to prevent certain denial-of-service attacks where multiple authentication sessions are kept open for a prolonged period of time.

If you have configured SSH keys for authentication, rather than using passwords, disable SSH password authentication to prevent leaked user passwords from allowing an attacker to log in:

sshd_config
PasswordAuthentication no

As a further hardening measure related to passwords, you may also wish to disable authentication with empty passwords. This will prevent logins if a user’s password is set to a blank or empty value:

sshd_config
PermitEmptyPasswords no

In the majority of use cases, SSH will be configured with public key authentication as the only in-use authentication method. However, OpenSSH server also supports many other authentication methods, some of which are enabled by default. If these are not required, you can disable them to further reduce the attack surface of your SSH server:

sshd_config
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

If you’d like to know more about some of the additional authentication methods available within SSH, you may wish to review these resources:

X11 forwarding allows for the display of remote graphical applications over an SSH connection, but this is rarely used in practice. It is recommended to disable it if it isn’t needed on your server:

sshd_config
X11Forwarding no

OpenSSH server allows connecting clients to pass custom environment variables, for example to set $PATH or to configure terminal settings. However, like X11 forwarding, these are not commonly used, so they can be disabled in most cases:

sshd_config
PermitUserEnvironment no

If you decide to configure this option, you should also make sure to comment out any references to AcceptEnv by adding a hash (#) to the beginning of the line.

Next, you can disable several miscellaneous options related to tunneling and forwarding if you won’t be using these on your server:

sshd_config
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

Finally, you can disable the verbose SSH banner that is enabled by default, as it shows various information about your system, such as the operating system version:

sshd_config
DebianBanner no

Note that this option most likely won’t already be present in the configuration file, so you may need to add it manually. Save and exit the file once you’re done.

Now validate the syntax of your new configuration by running sshd in test mode:

  • sudo sshd -t

If your configuration file has a valid syntax, there will be no output. In the event of a syntax error, there will be an output describing the issue.

Once you’re satisfied with your configuration file, you can reload sshd to apply the new settings:

  • sudo service sshd reload

In this step, you completed some general hardening of your OpenSSH server configuration file. Next, you’ll implement an IP address allowlist to further restrict who can log in to your server.
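To confirm that the Step 1 settings really are the effective ones, the following added shell script (not part of the original tutorial) compares the output of sudo sshd -T with the hardened target values from this step, one keyword per line exactly as sshd -T prints them. It assumes a GNU/Linux userland (sh and awk) and, so that it runs offline, is exercised against a constructed sample of sshd -T output rather than a live server.

```shell
#!/bin/sh
# Hardened targets from Step 1, written the way `sshd -T` reports them:
# one "keyword value" per line, keywords in lowercase.
EXPECTED_HARDENING='permitrootlogin no
maxauthtries 3
logingracetime 20
passwordauthentication no
permitemptypasswords no
challengeresponseauthentication no
kerberosauthentication no
gssapiauthentication no
x11forwarding no
permituserenvironment no
allowagentforwarding no
allowtcpforwarding no
permittunnel no
debianbanner no'

# Constructed sample of `sudo sshd -T` output from a partially hardened
# server (not captured from a real host); only the relevant keywords appear.
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin no
maxauthtries 6
logingracetime 120
passwordauthentication yes
permitemptypasswords no
challengeresponseauthentication no
kerberosauthentication no
gssapiauthentication no
x11forwarding yes
permituserenvironment no
allowagentforwarding yes
allowtcpforwarding yes
permittunnel no
debianbanner yes'

# audit_sshd_config TEXT
# TEXT is the output of `sudo sshd -T`. Prints one line per keyword whose
# effective value differs from the hardened target (or is not reported at
# all) and returns the number of such deviations, so 0 means compliant.
audit_sshd_config() {
    config=$1 bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %-33s want %s (not reported by sshd -T)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %-33s want %s, effective value is %s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_HARDENING
EOF
    return "$bad"
}

# On the server itself:  audit_sshd_config "$(sudo sshd -T)"
# Demo against the constructed sample; prints nothing and exits 0 once compliant.
audit_sshd_config "$SAMPLE_SSHD_T" || echo "$? deviation(s) from the Step 1 targets"
```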

Step 2 — Implementing an IP Address Allowlist

You can use IP address allowlists to limit the users who are authorized to log in to your server on a per-IP address basis. In this step, you will configure an IP allowlist for your OpenSSH server.

In many cases, you will only be logging on to your server from a small number of known, trusted IP addresses. For example, your home internet connection, a corporate VPN appliance, or a static jump box or bastion host in a data center.

By implementing an IP address allowlist, you can ensure that people will only be able to log in from one of the pre-approved IP addresses, greatly reducing the risk of a breach in the event that your private keys and/or passwords are leaked.

Note: Please take care in identifying the correct IP addresses to add to your allowlist, and ensure that these are not floating or dynamic addresses that may regularly change, for example as is often seen with consumer internet service providers.

You can identify the IP address that you’re currently connecting to your server with by using the w command:

  • w

This will output something similar to the following:

Output
 14:11:48 up 2 days, 12:25, 1 user,  load average: 0.00, 0.00, 0.00
USER          TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
your_username pts/0    203.0.113.1      12:24    1.00s  0.20s  0.00s w

Locate your user account in the list and take a note of the connecting IP address. Here we use the example IP of 203.0.113.1.

In order to begin implementing your IP address allowlist, open the OpenSSH server configuration file in your favorite text editor:

  • sudo nano /etc/ssh/sshd_config

You can implement IP address allowlists using the AllowUsers configuration directive, which restricts user authentications based on username and/or IP address.

Your own system setup and requirements will determine which specific configuration is the most appropriate. The following examples will help you to identify the most suitable one:

  • Restrict all users to a specific IP address:

    AllowUsers *@203.0.113.1

  • Restrict all users to a specific IP address range (using CIDR notation):

    AllowUsers *@203.0.113.0/24

  • Restrict all users to a specific IP address range (using wildcards):

    AllowUsers *@203.0.113.*

  • Restrict all users to multiple specific IP addresses and ranges:

    AllowUsers *@203.0.113.1 *@203.0.113.2 *@192.0.2.0/24 *@172.16.*.1

  • Disallow all users except for named users from specific IP addresses:

    AllowUsers sammy@203.0.113.1 alex@203.0.113.2

  • Restrict a specific user to a specific IP address, while continuing to allow all other users to log in without restrictions:

    Match User ashley
      AllowUsers ashley@203.0.113.1

Warning: Within an OpenSSH configuration file, all configurations under a Match block will only apply to connections that match the criteria, regardless of indentation or line breaks. This means that you must be careful and ensure that configurations intended to apply globally are not accidentally put within a Match block. It is recommended to put all Match blocks at the bottom/end of your configuration file to help avoid this.

Once you have finalized your configuration, add it to the bottom of your OpenSSH server configuration file:

sshd_config
AllowUsers *@203.0.113.1

Save and close the file, and then proceed to test your configuration syntax:

  • sudo sshd -t

If no errors are reported, you can reload OpenSSH server to apply your configuration:

  • sudo service sshd reload

In this step, you implemented an IP address allowlist on your OpenSSH server. Next, you will restrict the shell of a user to limit the commands that they are allowed to use.

Step 3 — Restricting the Shell of a User

In this step, you’ll look at the various options for restricting the shell of an SSH user.

In addition to providing remote shell access, SSH is also great for transferring files and other data, for example, via SFTP. However, you may not always want to grant full shell access to users when they only need to be able to carry out file transfers.

There are multiple configurations within OpenSSH server that you can use to restrict the shell environment of particular users. For instance, in this tutorial, we will use these to create SFTP-only users.

Firstly, you can use the /usr/sbin/nologin shell to disable interactive logins for certain user accounts, while still allowing non-interactive sessions to function, like file transfers, tunneling, and so on.

To create a new user with the nologin shell, use the following command:

  • sudo adduser --shell /usr/sbin/nologin alex

Alternatively, you can change the shell of an existing user to be nologin:

  • sudo usermod --shell /usr/sbin/nologin sammy

If you then attempt to interactively log in as one of these users, the request will be rejected:

  • sudo su alex

This will output something similar to the following message:

Output
This account is currently not available.

Despite the rejection message on interactive logins, other actions such as file transfers will still be allowed.

Next, you should combine your usage of the nologin shell with some additional configuration options to further restrict the relevant user accounts.

Begin by opening the OpenSSH server configuration file in your favorite text editor again:

  • sudo nano /etc/ssh/sshd_config

There are two configuration options that you can implement together to create a tightly restricted SFTP-only user account: ForceCommand internal-sftp and ChrootDirectory.

The ForceCommand option within OpenSSH server forces a user to execute a specific command upon login. This can be useful for certain machine-to-machine communications, or to forcefully launch a particular program.

However, in this case, the internal-sftp command is particularly useful. This is a special function of OpenSSH server that launches a basic in-place SFTP daemon that doesn’t require any supporting system files or configuration.

This should ideally be combined with the ChrootDirectory option, which will override/change the perceived root directory for a particular user, essentially restricting them to a specific directory on the system.

Add the following configuration section to your OpenSSH server configuration file for this:

sshd_config
Match User alex
  ForceCommand internal-sftp
  ChrootDirectory /home/alex/

Warning: As noted in Step 2, within an OpenSSH configuration file, all configurations under a Match block will only apply to connections that match the criteria, regardless of indentation or line breaks. This means that you must be careful and ensure that configurations intended to apply globally are not accidentally put within a Match block. It is recommended to put all Match blocks at the bottom/end of your configuration file to help avoid this.

Save and close your configuration file, and then test your configuration again:

  • sudo sshd -t

If there are no errors, you can then apply your configuration:

  • sudo service sshd reload

This has created a robust configuration for the alex user, where interactive logins are disabled, and all SFTP activity is restricted to the home directory of the user. From the perspective of the user, the root of the system, that is, /, is their home directory, and they will not be able to traverse up the file system to access other areas.
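One deployment caveat to check before reloading: sshd only honours ChrootDirectory when every component of the path (here /home and /home/alex) is a directory owned by root and not writable by group or others; otherwise the login is refused with a "bad ownership or modes for chroot directory" error in the auth log. The following added shell script (not from the original tutorial) checks a candidate chroot path against those rules; it assumes GNU stat, and the upload subdirectory it mentions for the user's own files is a suggestion, not something the tutorial configures.

```shell
#!/bin/sh
# Because the chroot directory itself must be root-owned and not writable by
# the user, the user needs a writable subdirectory (e.g. /home/alex/uploads,
# owned by alex) underneath it for actual file transfers.

# chroot_component_ok UID MODE PATH
# Pure check on one path component: UID is the numeric owner, MODE the octal
# permission string as printed by `stat -c %a` (e.g. 755, 2755, 1777).
# Prints the reason and returns 1 when sshd would refuse the chroot because
# of this component; returns 0 when the component is acceptable.
chroot_component_ok() {
    uid=$1 mode=$2 path=$3 ok=0
    if [ "$uid" -ne 0 ]; then
        printf '%s: owned by uid %s, must be owned by root\n' "$path" "$uid"
        ok=1
    fi
    perms=${mode#"${mode%??}"}   # last two octal digits: group and other
    grp=${perms%?}
    oth=${perms#?}
    if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        printf '%s: mode %s is group- or world-writable\n' "$path" "$mode"
        ok=1
    fi
    return "$ok"
}

# check_chroot_path DIR
# Walks every component of DIR (for /home/alex/: /home, then /home/alex) and
# applies the check above using GNU stat. Returns the number of offending
# components, so 0 means sshd will accept the directory as a chroot.
check_chroot_path() {
    dir=$1 bad=0 path=''
    old_ifs=$IFS; IFS=/; set -f
    set -- $dir            # split on "/"; empty fields are skipped below
    IFS=$old_ifs; set +f
    for comp; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ ! -d "$path" ]; then
            printf '%s: does not exist or is not a directory\n' "$path"
            bad=$((bad + 1)); break
        fi
        chroot_component_ok "$(stat -c %u "$path")" "$(stat -c %a "$path")" "$path" \
            || bad=$((bad + 1))
    done
    return "$bad"
}

# Demo: check the directory used in the Match block above.
check_chroot_path /home/alex || echo "$? component(s) would make sshd refuse this ChrootDirectory"
```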

You’ve implemented the nologin shell for a user and then created a configuration to restrict SFTP access to a specific directory.

Step 4 — Advanced Hardening

In this final step, you will implement various additional hardening measures to make access to your SSH server as secure as possible.

A lesser-known feature of OpenSSH server is the ability to impose restrictions on a per-key basis, that is, restrictions that apply only to specific public keys present in the .ssh/authorized_keys file. This is particularly useful for controlling access for machine-to-machine sessions, and it also gives non-sudo users the ability to control the restrictions for their own user account.

You can apply most of these restrictions at the system or user level too; however, it is still advantageous to implement them at the key level as well, to provide defense-in-depth and an additional failsafe in the event of accidental system-wide configuration errors.

Note: You can only implement these additional security configurations if you’re using SSH public-key authentication. If you’re only using password authentication, or have a more complex setup such as an SSH certificate authority, unfortunately these will not be usable.

Begin by opening your .ssh/authorized_keys file in your favorite text editor:

  • nano ~/.ssh/authorized_keys

Note: Since these configurations apply on a per-key basis, you’ll need to edit each individual key within each individual authorized_keys file that you want them to apply to, for all users on your system. Usually you will only need to edit one key/file, but this is worth considering if you have a complex multi-user system.

Once you’ve opened your authorized_keys file, you will see that each line contains an SSH public key, which will most likely begin with something like ssh-rsa AAAB.... Additional configuration options can be added to the beginning of the line, and these will only apply to successful authentications against that specific public key.

The following restriction options are available:

  • no-agent-forwarding: Disable SSH agent forwarding.

  • no-port-forwarding: Disable SSH port forwarding.

  • no-pty: Disable the ability to allocate a tty (i.e. start a shell).

  • no-user-rc: Prevent execution of the ~/.ssh/rc file.

  • no-X11-forwarding: Disable X11 display forwarding.

You can apply these to disable specific SSH features for specific keys. For example, to disable agent forwarding and X11 forwarding for a key, you would use the following configuration:

~/.ssh/authorized_keys
no-agent-forwarding,no-X11-forwarding ssh-rsa AAAB...

By default, these configurations work using an “allow by default, block by exception” methodology; however, it is also possible to use “block by default, allow by exception,” which is generally preferable for ensuring security.

You can do this by using the restrict option, which will implicitly deny all SSH features for the specific key, requiring them to be explicitly re-enabled only where absolutely needed. You can re-enable features using the same configuration options described earlier in this tutorial, but without the no- prefix.

For example, to disable all SSH features for a particular key, apart from X11 display forwarding, you can use the following configuration:

~/.ssh/authorized_keys
restrict,X11-forwarding ssh-rsa AAAB...

You may also wish to consider using the command option, which is very similar to the ForceCommand option described in Step 3. This doesn’t provide a direct benefit if you’re already using ForceCommand, but it is good defense-in-depth to have it in place, just in the unlikely event that your main OpenSSH server configuration file is overwritten, edited, and so on.

For example, to force users authenticating against a specific key to execute a specific command upon login, you can add the following configuration:

~/.ssh/authorized_keys
command="top" ssh-rsa AAAB...

Warning: The command configuration option acts purely as a defense-in-depth method, and should not be solely relied on to restrict the activities of an SSH user, as there are potentially ways to override or bypass it depending on your environment. Instead, you should use the configuration in tandem with the other controls described in this article.

Finally, to best use the per-key restrictions for the SFTP-only user that you created in Step 3, you can use the following configuration:

~/.ssh/authorized_keys
restrict,command="false" ssh-rsa AAAB...

The restrict option will disable all interactive access, and the command="false" option acts as a second line of defense in the event that the ForceCommand option or nologin shell were to fail.

Save and close the file to apply the configuration. This will take effect immediately for all new logins, so you don’t need to reload OpenSSH manually.
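As an added example that is not part of the original tutorial, the following shell script audits an authorized_keys file for the distinction drawn above between allow-by-default keys (no options, or only no-* exclusions) and block-by-default keys covered by restrict, and reports every key that is not under restrict. It assumes a POSIX sh with awk, and the key lines it runs over are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Constructed authorized_keys content (placeholder key blobs, not real keys).
SAMPLE_AUTHORIZED_KEYS='# constructed sample, not a real authorized_keys file
ssh-ed25519 AAAAEXAMPLEKEY1 laptop
no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAEXAMPLEKEY2 build-host
restrict,command="false" ssh-rsa AAAAEXAMPLEKEY3 alex-sftp
restrict,port-forwarding,command="rsync --server --daemon ." ssh-ed25519 AAAAEXAMPLEKEY4 backup'

# audit_authorized_keys TEXT
# Reports every key line: its line number, whether it is under "restrict"
# (block by default) or PERMISSIVE (allow by default, with or without no-*
# exclusions), and the option list as written. Returns the number of keys
# that are not covered by restrict, so 0 means every key is block-by-default.
audit_authorized_keys() {
    printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
        opts = ""
        # A line that does not start with a key type begins with the option
        # list. Options are comma separated, but a command="..." value may
        # contain spaces, so scan character by character honouring quotes.
        if ($0 !~ /^(ssh-|ecdsa-sha2-|sk-)/) {
            inq = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"") inq = !inq
                else if (c ~ /[[:space:]]/ && !inq) break
                opts = opts c
            }
        }
        # restrict is a bare flag: accept it only as a whole comma-delimited
        # token outside quoted values, so command="a,restrict,b" does not count.
        restricted = 0; inq = 0; token = ""
        for (i = 1; i <= length(opts) + 1; i++) {
            c = substr(opts, i, 1)
            if (c == "\"") inq = !inq
            if ((c == "," && !inq) || i > length(opts)) {
                if (token == "restrict") restricted = 1
                token = ""
            } else token = token c
        }
        if (!restricted) unrestricted++
        printf "line %d: %-10s options=[%s]\n", NR,
               (restricted ? "restrict" : "PERMISSIVE"), opts
    }
    END { exit unrestricted + 0 }'
}

# Demo; the exit status is the count of permissive keys, so it can gate a
# deployment step. On a server: audit_authorized_keys "$(cat ~/.ssh/authorized_keys)"
audit_authorized_keys "$SAMPLE_AUTHORIZED_KEYS" || echo "$? key(s) still allow by default"
```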

In this final step, you implemented some additional advanced hardening measures for OpenSSH server by using the custom options within your .ssh/authorized_keys file(s).

Conclusion

In this article, you reviewed your OpenSSH server configuration and implemented various hardening measures to help secure your server.

This will have reduced the overall attack surface of your server by disabling unused features and locking down the access of specific users.

You may wish to review the manual pages for OpenSSH server and its associated configuration file, to identify any potential further tweaks that you want to make.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04
