Adding a user
Logging in to the system remotely as root is not recommended; instead, create a local user and grant it administrator (sudo) privileges. The commands (the new user is named nuser):
useradd nuser
passwd nuser
chmod -v u+w /etc/sudoers
vim /etc/sudoers
Find the line root ALL=(ALL) ALL
and then add the line nuser ALL=(ALL) ALL
chmod -v u-w /etc/sudoers
Logging in with a key
- On the local machine, create a key pair with ssh-keygen
ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/XXX/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): ****
Enter same passphrase again:
Your identification has been saved in /Users/XXX/.ssh/id_rsa.
Your public key has been saved in /Users/XXX/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:********@****
The key's randomart image is:
+---[RSA 4096]----+
****
+----[SHA256]-----+
- On the server, create the .ssh directory for the new user
mkdir ~/.ssh
chmod 700 ~/.ssh
- Upload the public key from the local machine to the server
scp /Users/XXX/.ssh/id_rsa.pub nuser@xxx.xxx.xxx.xxx:~/.ssh/
- On the server, add the public key
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub
Once these steps are done, you can log in to the server from the local machine directly with the key.
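The steps above create ~/.ssh and authorized_keys but never state the permissions sshd requires: with StrictModes (the default) sshd refuses to use the key if the directory or authorized_keys is writable by group or others, or is owned by someone other than the login user, and the login then silently falls back to a password prompt (or fails outright once PasswordAuthentication is off). The following audit script is an added example, not part of the original post; it assumes GNU coreutils stat (with a BSD stat fallback) and checks a given ~/.ssh directory before you rely on key login.

```shell
# Added example: verify that a ~/.ssh directory satisfies sshd's StrictModes
# checks before key-only login is enforced. Assumes GNU stat (BSD fallback).

# Print the octal mode of a path.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owning user name of a path.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# writable_by_others MODE -> 0 if the octal MODE grants write to group or other.
# The setuid/setgid/sticky digit (e.g. the 2 in 2755) is ignored.
writable_by_others() {
    m=$1
    m=${m#${m%???}}          # keep the last three digits
    g=${m%?}; g=${g#?}       # group digit
    o=${m#??}                # other digit
    case "$g$o" in
        *[2367]*) return 0 ;;
    esac
    return 1
}

# audit_ssh_dir DIR USER -> 0 if DIR is usable for key login by USER,
# 1 otherwise; every problem found is printed on its own line.
audit_ssh_dir() {
    dir=$1; user=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    if writable_by_others "$(file_mode "$dir")"; then
        echo "$dir is group/world writable (use chmod 700)"; rc=1
    fi
    if [ "$(file_owner "$dir")" != "$user" ]; then
        echo "$dir is not owned by $user"; rc=1
    fi
    keys="$dir/authorized_keys"
    if [ ! -f "$keys" ]; then
        echo "missing $keys"; rc=1
    else
        if writable_by_others "$(file_mode "$keys")"; then
            echo "$keys is group/world writable (use chmod 600)"; rc=1
        fi
        if [ "$(file_owner "$keys")" != "$user" ]; then
            echo "$keys is not owned by $user"; rc=1
        fi
    fi
    # A private key that was scp'd by mistake instead of the .pub file is a
    # common slip; report it, but it does not by itself break key login.
    for k in id_rsa id_ed25519 id_ecdsa; do
        [ -f "$dir/$k" ] && echo "warning: private key $dir/$k present on the server"
    done
    return $rc
}

# Typical use on the server, as the new user:
#   audit_ssh_dir "$HOME/.ssh" "$(id -un)"
```

Run it as the user who will log in; a non-zero exit means sshd will ignore the key even though the public key is present in authorized_keys.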
SSH hardening
Edit the sshd_config file to harden the service. Specifically:
- change the default port
- restrict SSH logins to IPv4
- disable root login over SSH
- disable password login over SSH
vim /etc/ssh/sshd_config
Change the relevant settings to the following (port 2222 is used here; pick any uncommonly used port you prefer)
Port 2222
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
Do not restart the SSH service right after the change; otherwise, once the new configuration takes effect, the firewall will block the new port and you will no longer be able to log in.
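Before the eventual restart it is worth confirming that the four settings are actually in effect, because sshd_config has rules that a plain grep misses: for each keyword sshd uses the first value it finds, keywords are case-insensitive, a `Keyword=value` spelling is accepted, lines starting with `#` are comments (so the shipped `#PermitRootLogin prohibit-password` line does nothing), and anything after a `Match` line is conditional. The checker below is an added example and not part of the post; it only needs awk and does not follow `Include` directives, so run it against the file that actually carries the settings.

```shell
# Added example: audit an sshd_config for the four hardening settings before
# restarting sshd. Only awk is required; Include files are not followed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_value FILE KEYWORD -> prints the effective value of KEYWORD (first
# non-comment occurrence outside any Match block), or nothing if unset.
sshd_value() {
    awk -v key="$(lower "$2")" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next     # comment or blank line
            sub(/=/, " ", line)                     # accept Keyword=value form
            split(line, f, /[ \t]+/)
            k = tolower(f[1])
            if (k == "match") exit                  # conditional section starts
            if (k == key) { print f[2]; exit }      # first value wins
        }
    ' "$1"
}

# audit_sshd_config FILE EXPECTED_PORT -> 0 if Port, AddressFamily,
# PermitRootLogin and PasswordAuthentication are all hardened; each
# deviation is printed. Defaults when unset: Port 22, AddressFamily any,
# PasswordAuthentication yes; PermitRootLogin defaults vary by version and
# is only accepted as an explicit "no".
audit_sshd_config() {
    f=$1; want_port=$2; rc=0

    v=$(sshd_value "$f" Port)
    [ "${v:-22}" = "$want_port" ] || { echo "Port is ${v:-22 (default)}, expected $want_port"; rc=1; }

    v=$(lower "$(sshd_value "$f" AddressFamily)")
    [ "${v:-any}" = "inet" ] || { echo "AddressFamily is ${v:-any (default)}, expected inet"; rc=1; }

    v=$(lower "$(sshd_value "$f" PermitRootLogin)")
    [ "$v" = "no" ] || { echo "PermitRootLogin is ${v:-unset (default)}, expected no"; rc=1; }

    v=$(lower "$(sshd_value "$f" PasswordAuthentication)")
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication is ${v:-yes (default)}, expected no"; rc=1; }

    return $rc
}

# Typical use:  audit_sshd_config /etc/ssh/sshd_config 2222
```

On a live host, pair this with `sshd -t` (the daemon's own syntax check) so that a typo does not take the service down on restart.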
Firewall hardening
Check which ports the system has open
ss -tupln
Check the firewall rules
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="x.x.x.x1" port port="22" protocol="tcp" accept
rule family="ipv4" source address="x.x.x.x2" port port="22" protocol="tcp" accept
First, change the SSH port in the firewall to the port configured above.
Add the new rules
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x1" port port="2222" protocol="tcp" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x2" port port="2222" protocol="tcp" accept'
Remove unneeded rules
firewall-cmd --permanent --remove-service=dhcpv6-client
Block ping from other hosts
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" protocol value="icmp" drop'
Allow a specific range of IP addresses (here assumed to be x.x.x.x1 and x.x.x1.0/24) to ping
firewall-cmd --permanent --new-zone=XXXX
firewall-cmd --permanent --zone=XXXX --add-source='x.x.x.x1'
firewall-cmd --permanent --zone=XXXX --add-source='x.x.x1.0/24'
firewall-cmd --permanent --zone=XXXX --add-protocol=icmp
The firewall's default policy allows ICMP, so once the rules above are added, the specified IP address ranges can ping the server.
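The one thing that must be true before sshd is restarted is that the firewall already accepts the new port; afterwards, the old port 22 rules should be removed with the exact rule text firewall-cmd printed. The script below, an added example rather than anything from the post, parses saved `firewall-cmd --list-all` output for a zone and answers both questions. It checks the `ports:` line and accepting ipv4 rich rules; it does not resolve service names such as `ssh` to their ports, and the sample listing it writes is constructed (documentation addresses 192.0.2.x stand in for x.x.x.x1 and x.x.x.x2).

```shell
# Added example: inspect saved `firewall-cmd --list-all` output to confirm a
# TCP port is reachable and to list stale rich rules for the old port.

# write_sample_listing FILE -> writes a constructed listing (the post's zone
# after the 2222 rules and the ICMP drop rule were added) to FILE.
write_sample_listing() {
    cat > "$1" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: https
  ports: 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.0.2.10" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="192.0.2.11" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="192.0.2.10" port port="2222" protocol="tcp" accept
        rule family="ipv4" source address="192.0.2.11" port port="2222" protocol="tcp" accept
        rule family="ipv4" protocol value="icmp" drop
EOF
}

# port_open FILE PORT -> 0 if PORT/tcp is opened either on the "ports:" line
# or by an accepting rich rule; prints the source each match applies to.
port_open() {
    awk -v port="$2" '
        $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if ($i == port "/tcp") { print "any source (ports: line)"; found = 1 }
        }
        $1 == "rule" && / accept$/ && index($0, "port port=\"" port "\" protocol=\"tcp\"") {
            src = "any source"
            # extract the value of source address="..."
            if (match($0, /source address="[^"]+"/))
                src = substr($0, RSTART + 16, RLENGTH - 17)
            print src; found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# stale_rules FILE PORT -> prints every rich rule that still references
# PORT/tcp, in exactly the form --remove-rich-rule= expects.
stale_rules() {
    awk -v port="$2" '
        $1 == "rule" && index($0, "port port=\"" port "\" protocol=\"tcp\"") {
            sub(/^[ \t]+/, ""); print
        }
    ' "$1"
}

# Typical use on the server (run before restarting sshd, then after login):
#   firewall-cmd --list-all > /tmp/fw.txt
#   port_open /tmp/fw.txt 2222 || echo "do not restart sshd yet"
#   stale_rules /tmp/fw.txt 22   # feed each line to --remove-rich-rule=
```

Note that `--list-all` shows the runtime configuration; pass `--permanent` when saving the listing if you want to check what will survive `firewall-cmd --reload`.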
Wrapping up
The SSH configuration and firewall policy changes above only take effect after the relevant services are restarted.
systemctl restart firewalld
systemctl restart sshd.service
Then you can log in to the server from the local machine with the key over the new port
ssh nuser@10.10.10.32 -p 2222
Enter passphrase for key '/Users/xxx/.ssh/id_rsa':
Last login: Fri Mar 19 17:30:16 2021 from 10.10.10.3
[nuser@localhost ~]$
After logging in to the server, remove the old SSH rules
[nuser@localhost ~]$ su - root
[root@localhost ~]$ firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="x.x.x.x1" port port="22" protocol="tcp" accept'
[root@localhost ~]$ firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="x.x.x.x2" port port="22" protocol="tcp" accept'
[root@localhost ~]$ firewall-cmd --reload
All done!