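SSH and server security in practice
Change the default SSH port
Disable root login
Disable password login; only trusted machines may log in, using public/private key pairs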
[root@localhost ~]# ls /root/.ssh/
authorized_keys chaoge1 id_rsa.pub
authorized_keys.bak id_rsa known_hosts
[root@localhost ~]# ssh-copy-id root@192.168.3.120
[root@localhost ~]# grep -Ev '^$|^[# ]' /etc/ssh/sshd_config
Port 22 --------------------------------------change the default SSH port
AddressFamily any
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes ----------------------------whether root may log in
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes --------------------whether password login is allowed (no = public/private key login only)
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
Restart the service after the configuration is complete
[root@localhost ~]# systemctl restart sshd
Check that the service is running normally
[root@localhost ~]# systemctl status sshd
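
The listing above still has all three settings at their weak values (Port 22, PermitRootLogin yes, PasswordAuthentication yes). The script below is an added example, not part of the original notes: it checks a config file against the three goals at the top of this page, plus the ChallengeResponseAuthentication/UsePAM pair from the same listing, which can keep a password prompt available. The function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: audits an sshd_config against this page's three goals.
# Limits: whitespace-separated "Keyword value" lines only; Include files
# are not followed; Match blocks are skipped (scan stops at the first Match).

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it sees for a keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: prints one line per finding, returns the count.
# Defaults below are upstream OpenSSH defaults (assumption; distros may differ).
audit_sshd_config() {
    n=0
    [ "$(effective_value "$1" Port 22)" = 22 ] &&
        { echo "Port: still the default 22"; n=$((n + 1)); }
    [ "$(effective_value "$1" PermitRootLogin prohibit-password)" != no ] &&
        { echo "PermitRootLogin: root can still log in"; n=$((n + 1)); }
    [ "$(effective_value "$1" PasswordAuthentication yes)" != no ] &&
        { echo "PasswordAuthentication: passwords still accepted"; n=$((n + 1)); }
    # Keyboard-interactive through PAM normally prompts for the account password,
    # so it has to be off as well for key-only login.
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" != no ] &&
        [ "$(effective_value "$1" UsePAM no)" = yes ] &&
        { echo "ChallengeResponseAuthentication: PAM password prompt still offered"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the security-relevant lines from the listing above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
audit_sshd_config "$sample"
echo "findings: $?"
rm -f "$sample"
```

After editing the real /etc/ssh/sshd_config, run sshd -t to check the syntax before systemctl restart sshd, and keep the current session open until a new key-based login has succeeded. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication.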