Linux服务部署Centos7.9之配置SSH实现远程连接方法过程

Linux服务部署Centos7.9之安装Lixux系统后调优以及安全设置（二）

前言

CentOS7.9配置SSH实现远程连接方法过程、服务器的时间同步操作、

一、CentOS7.9配置SSH实现远程连接方法过程

为什么要更改ssh服务远程登录配置？因为黑客都知道Linux远程连接默认端口为22，管理员用户默认为root，采取默认配置会增大我们系统被黑客入侵成功的概率。

确认是否安装ssh
yum list installed | grep openssh-server
有输出内容，说明已安装；

安装SSH服务
yum install openssh-server
已安装的可以直接跳过。

编辑配置
vim /etc/ssh/sshd_config

Port 2222
PermitRootLogin no #是否允许root登录
PermitEmptyPasswords no #是否允许空密码登录
UseDNS yes #是否对远程主机名进行反向解析，关闭会提高连接的速度
GSSAPIAuthentication no #解决Linux之间使用ssh连接慢的问题

开启服务
sudo service sshd start

查看服务启动情况
ps -e | grep sshd

亲测有效，通过以上配置后,22端口被替换成2222，通过root用户远程连接不上，普通用户可以通过2222端口正常连接

二、CentOS7.9服务设置时间同步

1、设置时间同步

• 安装ntpdate工具

yum -y install ntp ntpdate

• 设置系统时间与网络同步

任选一个
ntpdate ntp1.aliyun.com
ntpdate ntp2.aliyun.com
ntpdate ntp3.aliyun.com
ntpdate ntp4.aliyun.com
ntpdate ntp5.aliyun.com
ntpdate ntp6.aliyun.com

• 将系统时间写入硬件时间

hwclock --systohc

2、查看和设置时区

• 查看时区

1）使用date命令查看Centos时区
date -R

2）查看系统的硬件时间，即BIOS时间
hwclock -r

• 修改时区

1)修改Centos的时区
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime -R

2）Centos系统修改BIOS硬件时间
hwclock -w

三、历史记录数以及登录超时环境变量设置

• 1、设置闲置账号超时时间

临时设置
export TMOUT=10 <==10秒提示超时

• 2、设置linux历史命令行记录数

临时设置
export HISTSIZE=10 <==设置
history <==查看历史命令,记录在~/.bash_history文件里

• 3、永久设置

[root@root ~]# echo “export HISTSIZE=10” >> /etc/profile
[root@root ~]# . /etc/profile

四、Linux服务器内核参数优化

vi /etc/sysctl.conf,添加如下配置：

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# # Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# # Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296




# TCP kernel paramater
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1

# socket buffer
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 20480
net.core.optmem_max = 81920


# TCP conn
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15

# tcp conn reuse
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1


net.ipv4.tcp_max_tw_buckets = 20000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_timestamps = 1 #?
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1

# keepalive conn
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_local_port_range = 10001    65000

# swap
vm.overcommit_memory = 0
vm.swappiness = 10

#net.ipv4.conf.eth1.rp_filter = 0
#net.ipv4.conf.lo.arp_ignore = 1
#net.ipv4.conf.lo.arp_announce = 2
#net.ipv4.conf.all.arp_ignore = 1
#net.ipv4.conf.all.arp_announce = 2

五、CentOS7.9的/tmp目录自动清理规则

在CentOS7下，系统使用systemd管理易变与临时文件，与之相关的系统服务有3个
systemd-tmpfiles-setup.service ：Create Volatile Files and Directories
systemd-tmpfiles-setup-dev.service：Create static device nodes in /dev
systemd-tmpfiles-clean.service ：Cleanup of Temporary Directories
相关配置在一下文件：
/etc/tmpfiles.d/.conf
/run/tmpfiles.d/.conf
/usr/lib/tmpfiles.d/*.conf

/tmp目录的清理规则主要取决于/usr/lib/tmpfiles.d/tmp.conf文件的设定，默认的配置内容为：

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Clear tmp directories separately, to make them easier to override
v /tmp 1777 root root 10d           #   清理/tmp下10天前的目录和文件
v /var/tmp 1777 root root 30d       #   清理/var/tmp下30天前的目录和文件

# Exclude namespace mountpoints created with PrivateTmp=yes
x /tmp/systemd-private-%b-*
X /tmp/systemd-private-%b-*/tmp
x /var/tmp/systemd-private-%b-*
X /var/tmp/systemd-private-%b-*/tmp

我们可以配置这个文件，比如你不想让系统自动清理/tmp下以tomcat开头的目录，那么增加下面这条内容到配置文件中即可：
x /tmp/tomcat.*

六、CentOS7.9禁止服务器被ping

生产环境中很少配置这个，如果ping不同可以通过这个排查问题。

• 1、通过防火墙

firewall-cmd --add-rich-rule=‘rule protocol value=icmp drop’ --permanent
firewall-cmd --complete-reload

• 2、

vi /etc/sysctl.conf
添加配置：net.ipv4.icmp_echo_ignore_all=1
sysctl -p <==配置生效命令

七、CentOS7.9升级具有典型漏洞的软件版本

yum install openssl openssh bash -y