Overview
In an enterprise, servers are commonly configured to accept root logins only from the jump host (bastion) IP. To achieve this, configure the server so that SSH accepts logins from one or a few specified IPs and refuses all others, and change the SSH port at the same time. There are two methods:
Method 1. Edit sshd_config
[root@baihu ~]# vim /etc/ssh/sshd_config
Add AllowUsers root@10.132.4.* (the jump host IP range). The user part must be the account name exactly as it appears in /etc/passwd; account names are case-sensitive, so Root@10.132.4.* would match no account and lock root out.
...
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#Port 22
Port 3903
AllowUsers root@10.132.4.*
#PermitRootLogin no
#AddressFamily any
#ListenAddress 0.0.0.0
...
Comment out Port 22 and replace it with the agreed port number, here 3903 (this is the SSH port change). On a system with SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so register the new port first, as the comment in the file itself says: semanage port -a -t ssh_port_t -p tcp 3903. Without it sshd fails to start after the restart. It is also worth running sshd -t to catch syntax errors before restarting.
重启服务:
[root@baihu ~]# systemctl restart sshd
The change takes effect: addresses outside the jump host range 10.132.4.* can no longer log in as root, and because AllowUsers is a whitelist, every account not listed is refused from everywhere, including from the jump host. Keep the current session open and confirm that a new connection to port 3903 from the jump host succeeds before you disconnect; if the configuration is wrong, that session is the only way back in.
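The following bash script is an added example and not part of the original post: it reads an sshd_config, reports the effective Port, and decides whether a given account from a given address passes AllowUsers, using the same * and ? wildcard matching that sshd applies to USER@HOST entries. The two config files it writes are constructed stand-ins for /etc/ssh/sshd_config; one of them reproduces the Root@ capitalisation so you can see that it locks root out, because account names are compared case-sensitively. The addresses 10.132.4.7 and 10.20.0.9 and the account admin are made-up sample inputs. Match blocks and CIDR host forms (10.132.4.0/24, which sshd also accepts) are not handled.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit an sshd_config for the
# settings this article changes, then answer "may <user> log in from <ip>?"
# by applying sshd's AllowUsers USER@HOST wildcard matching ourselves.
# Limitations: Match blocks are ignored and CIDR hosts (10.132.4.0/24) are
# not understood; only the * and ? wildcard form used in the article is.
set -eu

# sshd honours the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive). Print its value, or nothing if it is not set.
sshd_get() {  # sshd_get <config-file> <keyword>
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Effective listening port: 22 when no Port line is active.
effective_port() {  # effective_port <config-file>
    local p
    p=$(sshd_get "$1" Port)
    printf '%s\n' "${p:-22}"
}

# Glob match the way sshd does for wildcard patterns: * and ? are
# wildcards, everything else is literal and case-sensitive.
pattern_matches() {  # pattern_matches <pattern> <string>
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Decide whether AllowUsers lets <user> in from <address>.
# Exit status: 0 allowed, 1 refused by AllowUsers, 2 no AllowUsers at all
# (then there is no whitelist and every account may log in).
# Every uncommented AllowUsers line counts; sshd accumulates them.
allow_users_permits() {  # allow_users_permits <config-file> <user> <address>
    local -a entries
    local entry euser ehost
    set -f   # split the list on whitespace without glob-expanding the "*"
    # shellcheck disable=SC2207
    entries=( $(awk '$1 !~ /^#/ && tolower($1) == "allowusers" { $1 = ""; print }' "$1") )
    set +f
    [ "${#entries[@]}" -gt 0 ] || return 2
    for entry in "${entries[@]}"; do
        case "$entry" in
            *@*) euser=${entry%%@*}; ehost=${entry#*@} ;;
            *)   euser=$entry;        ehost='*' ;;      # bare USER: any host
        esac
        # "Root@..." never matches the account "root": names are case-sensitive
        pattern_matches "$euser" "$2" || continue
        pattern_matches "$ehost" "$3" && return 0
    done
    return 1
}

# --- demo on constructed stand-ins for /etc/ssh/sshd_config -------------
main() {
    local tmp cfg who rc
    tmp=$(mktemp -d)
    cat >"$tmp/as_written.conf" <<'EOF'
#Port 22
Port 3903
AllowUsers Root@10.132.4.*
EOF
    cat >"$tmp/fixed.conf" <<'EOF'
#Port 22
Port 3903
AllowUsers root@10.132.4.*
EOF
    printf 'effective port: %s\n' "$(effective_port "$tmp/fixed.conf")"
    # constructed sample logins: jump host, another subnet, a non-root account
    for cfg in as_written fixed; do
        for who in root@10.132.4.7 root@10.20.0.9 admin@10.132.4.7; do
            rc=0
            allow_users_permits "$tmp/$cfg.conf" "${who%@*}" "${who#*@}" || rc=$?
            printf '%-10s %-18s -> %s\n' "$cfg" "$who" \
                "$([ "$rc" -eq 0 ] && echo allowed || echo refused)"
        done
    done
    rm -rf "$tmp"
}
main "$@"
```

Run it against the real file with the functions alone, e.g. allow_users_permits /etc/ssh/sshd_config root 10.132.4.7, before restarting sshd; a status of 1 for root from the jump host means the restart would lock you out.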
Method 2. Edit hosts.*
Edit /etc/hosts.allow and add sshd:10.132.4.*:allow. This works only where sshd is built with tcp_wrappers (libwrap), which is the case on CentOS 6 and 7; RHEL/CentOS 8 and later dropped tcp_wrappers, so there these files are ignored and only Method 1 or a firewall rule restricts access. The trailing-dot prefix form 10.132.4. is the portable tcp_wrappers spelling of the same range.
[root@baihu ~]# vim /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:10.132.4.*:allow
Edit hosts.deny and add sshd:all:deny (all is the tcp_wrappers wildcard keyword, usually written ALL; the keyword match is case-insensitive, so either spelling works).
[root@baihu ~]# vim /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:all:deny
libwrap consults hosts.allow and hosts.deny on every incoming connection, so the change takes effect immediately without a restart; restarting sshd is harmless but not required:
[root@baihu ~]# systemctl restart sshd
The change takes effect: addresses outside the jump host range 10.132.4.* can no longer connect to sshd. Note that this method limits where connections may come from, not which account logs in; any user from the jump host range still gets through.
P.S.
After changing the port, open it on the firewall:
For CentOS 6.x (iptables service):
[root@baihu1 ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 3903 -j ACCEPT
[root@baihu1 ~]# service iptables save
iptables-save on its own only prints the running ruleset to standard output; it does not persist anything. service iptables save writes the rules to /etc/sysconfig/iptables so they survive a reboot.
Check that 3903 is now open:
[root@baihu1 ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target              prot opt source     destination
1    ACCEPT              tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:3903
2    ACCEPT              all  --  0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
3    ACCEPT              all  --  0.0.0.0/0  0.0.0.0/0
4    INPUT_direct        all  --  0.0.0.0/0  0.0.0.0/0
5    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0  0.0.0.0/0
6    INPUT_ZONES         all  --  0.0.0.0/0  0.0.0.0/0
7    DROP                all  --  0.0.0.0/0  0.0.0.0/0   ctstate INVALID
8    REJECT              all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
(The INPUT_direct, INPUT_ZONES_SOURCE and INPUT_ZONES chains in this output are created by firewalld, so this listing was taken on a firewalld host; on a CentOS 6 box running the iptables service you will see only plain INPUT rules. What matters is that the dpt:3903 ACCEPT rule sits at position 1, ahead of the final REJECT.)
For CentOS 7.x (firewalld):
[root@baihu ~]# firewall-cmd --zone=public --add-port=3903/tcp --permanent
success
[root@baihu ~]# firewall-cmd --reload
success
--permanent only writes the rule to the saved configuration; the running firewall does not change until --reload (or a second --add-port without --permanent) is issued.
This completes the hardening step. The two methods can be combined; Method 1 restricts both the source address and the account, while Method 2 restricts only the source address and applies to every user.