sshd hardening measures
User restrictions, allow/deny lists, changing the authentication method (password -> key pair), firewall
Basic sshd security configuration: /etc/ssh/sshd_config
Change the port and the listening address (the default port is 22). Note for CentOS/RHEL: with SELinux enforcing, sshd cannot bind a non-default port until that port is labelled (semanage port -a -t ssh_port_t -p tcp 2222), and firewalld must allow it (firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload). Run sshd -t to check the file for syntax errors before restarting, and keep the current session open until a login on the new port has been confirmed.
[root@server ~]# vim /etc/ssh/sshd_config
Port 2222 //change the port number
#AddressFamily any
ListenAddress 192.168.4.50 //listen only on this address
[root@server ~] # systemctl restart sshd.service
[root@client ~]# ssh 192.168.4.50 -p 2222
root@192.168.4.50's password:
Last login: Sat Dec 29 10:57:57 2018
Configure allow and deny lists. sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups: a user matching DenyUsers is refused no matter what the allow list says, and once AllowUsers is set, only users matching one of its patterns may log in (the same holds for the group directives). Patterns take the form user or user@host and accept the * and ? wildcards.
DenyUsers user1 user2 ...    DenyGroups group1 group2 ...
AllowUsers user1@host user2 ...    AllowGroups group1 group2 ...
The server is 192.168.4.50 (the test passwords set below are for the lab only)
[root@server ~]# useradd white
[root@server ~]# useradd black
[root@server ~]# useradd blue
[root@server ~]# echo 123456 | passwd --stdin white
[root@server ~]# echo 123456 | passwd --stdin black
[root@server ~]# echo 123456 | passwd --stdin blue
[root@server ~]# vim /etc/ssh/sshd_config
...
AllowUsers white root@192.168.4.254
[root@server ~]# systemctl restart sshd
Verify from the host 192.168.4.254
[root@client ~]# ssh white@192.168.4.50 -p 2222
white@192.168.4.50's password:
[white@server ~]$
[root@client ~]# ssh root@192.168.4.50 -p 2222
root@192.168.4.50's password:
Last login: Sat Dec 29 10:58:54 2018 from 192.168.4.254
[root@server ~]# ssh black@192.168.4.50 -p 2222
black@192.168.4.50's password:
Permission denied, please try again.
Verify the root user from 192.168.4.51
[root@client51 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.51 netmask 255.255.255.0 broadcast 192.168.4.255
[root@client51 ~]# ssh root@192.168.4.50 -p 2222
root@192.168.4.50's password:
Permission denied, please try again.
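The four logins tried above can be worked through without a second machine. The following shell function is an added example, not part of the original notes: it replays sshd's evaluation order for DenyUsers and AllowUsers (the group directives are left out) with the user@host pattern syntax, using the AllowUsers line configured on the server above. The user names, source addresses and the extra DenyUsers case are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): replay sshd's AllowUsers /
# DenyUsers decision for a user connecting from a host. sshd checks DenyUsers
# first (any match refuses the login), then AllowUsers (if it is set, the user
# must match one of its patterns). Patterns are "user" or "user@host", where
# both parts may use the * and ? wildcards from sshd_config(5) PATTERNS.
# DenyGroups/AllowGroups are not modelled here.
set -f   # the patterns are word-split below; never expand them against file names

# _match_user_pat USER HOST PATTERN -> 0 if the pattern matches the pair
_match_user_pat() {
    case $3 in
        *@*) upat=${3%%@*}; hpat=${3#*@} ;;   # "user@host" form
        *)   upat=$3;       hpat='*'    ;;   # bare "user": any source host
    esac
    # unquoted $upat / $hpat are used as glob patterns by case
    case $1 in $upat) ;; *) return 1 ;; esac
    case $2 in $hpat) return 0 ;; *) return 1 ;; esac
}

# sshd_user_allowed USER HOST "DenyUsers value" "AllowUsers value"
# Prints the reason and returns 0 (allowed) or 1 (refused), as sshd would.
sshd_user_allowed() {
    user=$1; host=$2; deny=$3; allow=$4
    for pat in $deny; do
        if _match_user_pat "$user" "$host" "$pat"; then
            echo "refused: $user from $host matches DenyUsers pattern '$pat'"
            return 1
        fi
    done
    if [ -n "$allow" ]; then
        for pat in $allow; do
            if _match_user_pat "$user" "$host" "$pat"; then
                echo "allowed: $user from $host matches AllowUsers pattern '$pat'"
                return 0
            fi
        done
        echo "refused: $user from $host matches no AllowUsers pattern"
        return 1
    fi
    echo "allowed: no AllowUsers restriction configured"
    return 0
}

# The AllowUsers line from the server above; DenyUsers is not set there.
ALLOW='white root@192.168.4.254'
DENY=''

# The logins tried in the notes, replayed (constructed inputs).
# "|| true" only keeps the demo running when the shell has -e set.
sshd_user_allowed white 192.168.4.254 "$DENY" "$ALLOW" || true   # allowed
sshd_user_allowed root  192.168.4.254 "$DENY" "$ALLOW" || true   # allowed
sshd_user_allowed black 192.168.4.254 "$DENY" "$ALLOW" || true   # refused
sshd_user_allowed root  192.168.4.51  "$DENY" "$ALLOW" || true   # refused
# A DenyUsers entry wins over an AllowUsers entry for the same user:
sshd_user_allowed white 192.168.4.254 'white' "$ALLOW" || true   # refused
```

The `set -f` matters in real scripts too: a pattern such as `*@192.168.4.*` that is word-split unquoted will otherwise be expanded against the files in the current directory.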
SSH key-pair authentication (the method used in production)
Configure the host machine (guo) so that it can connect to host 192.168.4.50 without a password
Create a key pair on the host machine and install the public key on host 50 (ssh-keygen defaults to RSA here; on current OpenSSH releases ssh-keygen -t ed25519 is the usual choice)
[root@guo ~]# ssh-keygen
...
The key's randomart image is:
+---[RSA 2048]----+
| ...+*ooo|
| o o =+o.=|
| + * o oo*o|
| o *.X . +oo|
| ..*.&So . |
| .EoB + o |
| ...o . |
| .. |
| .. |
+----[SHA256]-----+
[root@guo ~]# ls /root/.ssh/
id_rsa id_rsa.pub
[root@guo ~]# ssh-copy-id root@192.168.4.50
...
root@192.168.4.50's password:
Now try logging into the machine, with: "ssh 'root@192.168.4.50'"
and check to make sure that only the key(s) you wanted were added.
Connect to host 50; no password is required. (ssh-add only loads the key into a running ssh-agent; with a passphrase-less key in the default location ssh uses it directly, so this step is optional.)
[root@guo ~]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@guo ~]# ssh root@192.168.4.50
Last login: Sat Dec 29 14:34:08 2018 from 192.168.4.254
[root@server50 ~]#
Configure host 50 to accept only key-pair authentication. Also set ChallengeResponseAuthentication no (renamed KbdInteractiveAuthentication in newer OpenSSH releases), otherwise PAM can still prompt for a password through keyboard-interactive; PermitRootLogin prohibit-password limits root to key logins. Do this only after the key login above has been confirmed, and keep that session open while restarting.
[root@server50 ~]# vim /etc/ssh/sshd_config
#PermitEmptyPasswords no
PasswordAuthentication no
[root@server50 ~]# systemctl restart sshd
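Both edits to sshd_config on this page (the Port/ListenAddress change at the top and the PasswordAuthentication change just above) share one trap: sshd_config(5) uses the first uncommented occurrence of a keyword and silently ignores later duplicates, so appending PasswordAuthentication no below an existing yes changes nothing. The following shell script is an added example, not from the original notes; the config it builds is constructed for the demo, mirrors the settings shown above and contains one such stale duplicate on purpose.

```shell
#!/bin/sh
# Added example (not from the original notes): find the value sshd will
# actually use for a keyword. Per sshd_config(5) the FIRST uncommented
# occurrence of a keyword wins; later duplicates are ignored. Lines inside a
# Match block are conditional and are not considered by this check.
# The config below is constructed for the demo.

CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
#Port 22
Port 2222
#AddressFamily any
ListenAddress 192.168.4.50
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers white root@192.168.4.254
# appended later by an admin who expected it to take effect -- it does not:
PasswordAuthentication no
Match User white
    PasswordAuthentication no
EOF

# sshd_effective FILE KEYWORD -> prints the effective global value, or nothing
# if the keyword is absent (sshd's compiled-in default then applies).
# Keywords are case-insensitive; the "Keyword=value" spelling is not handled.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank
        tolower($1) == "match"               { exit }   # global section ends
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            print; exit                                        # first match wins
        }
    ' "$1"
}

# sshd_audit FILE -> one line per check; returns the number of failed checks
sshd_audit() {
    fails=0
    for want in "Port=2222" "PasswordAuthentication=no" "PermitRootLogin=prohibit-password"; do
        key=${want%%=*}; expect=${want#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$expect" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key effective='${got:-<default>}' expected='$expect'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

sshd_audit "$CONF"
echo "failed checks: $?"
```

On a live server the authoritative check is `sshd -T`, which prints the fully resolved configuration (add `-C user=white,host=client,addr=192.168.4.254` to see what a Match block yields for one connection); `sshd -t` validates the file before the restart.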
[root@guo ~]# ssh white@192.168.4.50 //the public key was installed only for root on host 50, so other users cannot log in with this key pair
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Copy the host machine's private key to 192.168.4.51 so that host 51 can also log in to host 50 remotely. (Sharing one private key between machines is discouraged: every copy widens the blast radius if one host is compromised, and the key cannot be revoked for one host alone. The cleaner approach is to run ssh-keygen on host 51 and add its own public key to host 50 with ssh-copy-id.)
[root@guo ~]# scp /root/.ssh/id_rsa root@192.168.4.51:/root/.ssh/
root@192.168.4.51's password:
id_rsa 100% 1675 3.3MB/s 00:00
[root@server51 ~]# cd /root/.ssh/
[root@server51 .ssh]# rm -rf id_rsa.pub //the id_rsa.pub already on host 51 belongs to a different key; ssh reads the .pub next to a private key to decide which key to offer, so remove it (or copy the matching id_rsa.pub as well)
[root@server51 .ssh]# ssh root@192.168.4.50
Last login: Sat Dec 29 14:40:23 2018 from 192.168.4.254
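After keys have been installed with ssh-copy-id or copied by hand as above, the ~/.ssh directory on each side is worth a quick audit: sshd's StrictModes (on by default) ignores authorized_keys when the file or the directory is group/world-writable, ssh refuses a private key that other users can read, and an authorized_keys entry without options such as from="..." is valid from any source address. The following shell script is an added example, not from the original notes; the directory it builds is constructed for the demo and the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a ~/.ssh directory.
# Checks: the directory and authorized_keys must not be group/world-writable
# (StrictModes), private keys must not be readable by others (ssh prints
# "UNPROTECTED PRIVATE KEY FILE" and ignores them), and authorized_keys
# entries without an options field are reported as unrestricted.

# perm_of FILE -> the ten-character mode string from ls, e.g. -rw-------
perm_of() { ls -ld "$1" | cut -c1-10; }

# group_or_world_writable MODE -> 0 if the w bit is set for group or other
group_or_world_writable() {
    case $1 in ?????w*|????????w*) return 0 ;; *) return 1 ;; esac
}
# group_or_world_readable MODE -> 0 if the r bit is set for group or other
group_or_world_readable() {
    case $1 in ????r*|???????r*) return 0 ;; *) return 1 ;; esac
}

# ssh_dir_audit DIR -> prints findings; returns the number of findings
ssh_dir_audit() {
    dir=$1; findings=0
    if group_or_world_writable "$(perm_of "$dir")"; then
        echo "FAIL $dir is group/world-writable; sshd (StrictModes) will ignore keys in it"
        findings=$((findings + 1))
    fi
    ak="$dir/authorized_keys"
    if [ -f "$ak" ]; then
        if group_or_world_writable "$(perm_of "$ak")"; then
            echo "FAIL $ak is group/world-writable; sshd (StrictModes) will reject it"
            findings=$((findings + 1))
        fi
        # entries without an options field start directly with the key type
        unrestricted=$(grep -Ec '^(ssh-|ecdsa-|sk-)' "$ak" || true)
        if [ "$unrestricted" -gt 0 ]; then
            echo "WARN $ak: $unrestricted key(s) without options (no from=, command=, ...)"
            findings=$((findings + 1))
        fi
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(head -n 1 "$f" 2>/dev/null) in
            "-----BEGIN "*"PRIVATE KEY-----")   # PEM or OpenSSH private key
                if group_or_world_readable "$(perm_of "$f")"; then
                    echo "FAIL private key $f is readable by others; ssh will refuse to use it"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then echo "OK   $dir"; fi
    return "$findings"
}

# Constructed ~/.ssh resembling host 51 after the copy above: a private key
# left world-readable, plus an authorized_keys with one restricted and one
# unrestricted entry. The base64 blobs are placeholders, not real keys.
DEMO=$(mktemp -d)
chmod 700 "$DEMO"
cat > "$DEMO/authorized_keys" <<'EOF'
from="192.168.4.0/24",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ops@guo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER root@guo
EOF
chmod 600 "$DEMO/authorized_keys"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END OPENSSH PRIVATE KEY-----' > "$DEMO/id_rsa"
chmod 644 "$DEMO/id_rsa"   # too open, as after a careless copy

ssh_dir_audit "$DEMO"
echo "findings: $?"
```

Run it as the account that owns the directory (for example `ssh_dir_audit ~/.ssh`); sshd additionally checks the home directory itself under StrictModes, which this script does not cover.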