At a customer's request, I needed to improve SSH login security. The methods I found were:
1. Set an account password and limit the number of password attempts, to prevent brute-force guessing
2. Because root has excessive privileges, forbid root login
3. Change the default SSH port 22 to another port
4. Use key-based login: add the public key to an account on the server, then authenticate and log in from the client with the private key
5. Add a user blacklist/whitelist so that only specified users can log in
6. Add an IP blacklist/whitelist so that only specified IP devices can log in
In the end I chose 1 and 3 to implement.
1. Setting a password is simple; after logging in, just run
passwd
2. Changing port 22: I assumed this would be simple too, since every online search says to change the config file
/etc/ssh/sshd_config
But I searched the entire filesystem and could not find an sshd_config file. I asked Forlinx customer support, who replied that their SSH is not OpenSSH but the more lightweight dropbear. After yet more searching I finally found the following config file
/etc/init.d/dropbear
#!/bin/sh
### BEGIN INIT INFO
# Provides:          sshd
# Required-Start:    $remote_fs $syslog $networking
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      1
# Short-Description: Dropbear Secure Shell server
### END INIT INFO
#
# Do not configure this file. Edit /etc/default/dropbear instead!
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/dropbear
NAME=dropbear
DESC="Dropbear SSH server"
PIDFILE=/var/run/dropbear.pid

DROPBEAR_PORT=22
DROPBEAR_EXTRA_ARGS=
NO_START=0

set -e

# Settings in /etc/default/dropbear override the defaults above
test ! -r /etc/default/dropbear || . /etc/default/dropbear
test "$NO_START" = "0" || exit 0
test -x "$DAEMON" || exit 0
test ! -h /var/service/dropbear || exit 0

# On a read-only root filesystem the host keys live under /var/lib instead
readonly_rootfs=0
for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
    case $flag in
        ro)
            readonly_rootfs=1
            ;;
    esac
done

if [ $readonly_rootfs = "1" ]; then
    mkdir -p /var/lib/dropbear
    DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
    DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
else
    DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
    DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
fi

test -z "$DROPBEAR_BANNER" || \
    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
test -n "$DROPBEAR_RSAKEY" || \
    DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
test -n "$DROPBEAR_DSSKEY" || \
    DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
test -n "$DROPBEAR_KEYTYPES" || \
    DROPBEAR_KEYTYPES="rsa"

# Generate any missing host keys (an empty key file is removed and regenerated)
gen_keys() {
    for t in $DROPBEAR_KEYTYPES; do
        case $t in
            rsa)
                if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then
                    rm $DROPBEAR_RSAKEY || true
                fi
                test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS
                ;;
            dsa)
                if [ -f "$DROPBEAR_DSSKEY" -a ! -s "$DROPBEAR_DSSKEY" ]; then
                    rm $DROPBEAR_DSSKEY || true
                fi
                test -f $DROPBEAR_DSSKEY || dropbearkey -t dss -f $DROPBEAR_DSSKEY $DROPBEAR_DSSKEY_ARGS
                ;;
        esac
    done
}

case "$1" in
    start)
        echo -n "Starting $DESC: "
        gen_keys
        KEY_ARGS=""
        test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
        test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
        start-stop-daemon -S -p $PIDFILE \
            -x "$DAEMON" -- $KEY_ARGS \
            -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon -K -x "$DAEMON" -p $PIDFILE
        echo "$NAME."
        ;;
    restart|force-reload)
        echo -n "Restarting $DESC: "
        start-stop-daemon -K -x "$DAEMON" -p $PIDFILE
        sleep 1
        KEY_ARGS=""
        test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
        test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
        start-stop-daemon -S -p $PIDFILE \
            -x "$DAEMON" -- $KEY_ARGS \
            -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS
        echo "$NAME."
        ;;
    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
To my delight I found DROPBEAR_PORT=22, and was about to change it when I saw the notice
Do not configure this file. Edit /etc/default/dropbear instead!
So I opened /etc/default/dropbear and found it contained only one line
DROPBEAR_EXTRA_ARGS="-B"
So I added
DROPBEAR_PORT=2222
I saved and rebooted, and it did not take effect.
I went back to /etc/init.d/dropbear and forcibly changed port 22 there; after a reboot it still had no effect.
Close to despair, I unexpectedly discovered that the system has a dropbear.service unit, disabled by default. Overjoyed, I ran
systemctl start dropbear
Now the port change to 2222 finally took effect, but it was lost again after a reboot. Enabling the unit produced an error:
root@ok5718-idk:~# systemctl enable dropbear
dropbear.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dropbear
System startup links for /etc/init.d/dropbear already exist.
With no alternative, I created myDropbear.sh to forcibly start the dropbear service on every boot
vi /opt/locationServer/myDropbear.sh
#!/bin/sh
systemctl start dropbear
and at the same time created a system service myDropbear.service
vi /etc/systemd/system/myDropbear.service
[Unit]
Description = myDropbear

[Service]
# The script exits as soon as it has issued `systemctl start dropbear`.
# A oneshot unit with RemainAfterExit stays "active" after that; with
# Type=simple and Restart=always systemd would keep re-running the script
# until it hits the start rate limit and marks the unit failed.
Type = oneshot
RemainAfterExit = yes
ExecStart = /opt/locationServer/myDropbear.sh

[Install]
WantedBy = multi-user.target
Finally, enable this service
systemctl enable myDropbear.service
Done. Port 22 can finally be closed and the custom port used instead.
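Because the port change above silently failed to apply several times, it is worth checking the result rather than trusting a reboot. The following POSIX sh check is an added example, not code from the original post or from dropbear; it assumes `ss` from iproute2 is on the board and that the port is configured through /etc/default/dropbear as the init script expects.

```shell
#!/bin/sh
# Added example: confirm that dropbear listens only on the intended port and
# that port 22 is closed. Assumes `ss -ltn` (iproute2) and the
# /etc/default/dropbear file sourced by /etc/init.d/dropbear.

# Print the distinct TCP ports in LISTEN state from `ss -ltn` output on stdin.
# Column 4 is "Local Address:Port"; the port is the text after the last colon,
# which also handles IPv6 forms such as "[::]:2222".
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the port set in a /etc/default/dropbear-style file, falling back to 22
# exactly as the init script does when DROPBEAR_PORT is unset. The file is
# parsed instead of sourced so that nothing in it gets executed.
configured_port() {
    port=$(sed -n 's/^DROPBEAR_PORT=\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$port" ] && echo "$port" || echo 22
}

# check_ports WANT < ss-output: succeed only if WANT is listening and 22 is not.
check_ports() {
    want=$1
    ports=$(listening_ports)
    rc=0
    echo "$ports" | grep -qx "$want" || { echo "FAIL: port $want is not listening" >&2; rc=1; }
    echo "$ports" | grep -qx 22 && { echo "FAIL: port 22 is still open" >&2; rc=1; }
    return $rc
}

# Constructed sample `ss -ltn` outputs (not captured from a real board):
# before the change only 22 is open, afterwards only 2222 (IPv4 and IPv6).
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      20     0.0.0.0:22        0.0.0.0:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      20     0.0.0.0:2222      0.0.0.0:*
LISTEN 0      20     [::]:2222         [::]:*'

# Stand-alone demo; on the board, pipe `ss -ltn` in instead of the sample.
if printf '%s\n' "$SS_AFTER" | check_ports 2222; then
    echo "OK: only port 2222 is listening"
fi
```

Run it after each reboot, e.g. `ss -ltn | check_ports "$(configured_port /etc/default/dropbear)"`, to confirm the configured port and the live listener agree.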