1. 安装
ubuntu9.04默认不安装ssh服务器端,需要自己安装:sudo apt-get install ssh
2. 设置开机启动
ubuntu好像默认也没安装图形界面开机系统服务管理工具,安装sysvconfig,设置ssh开机启动
3. 配置文件详解
#cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22 #开放端口
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0 #监听主机适配卡
Protocol 2 #默认协议
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key #version 2 使用的RSA私钥
HostKey /etc/ssh/ssh_host_dsa_key #version 2 使用的DSA私钥
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600 #重新创建Public key建立连接
ServerKeyBits 768 #Sever key的长度
# Logging
SyslogFacility AUTH #日志登录文件相关
LogLevel INFO
# Authentication:
LoginGraceTime 120 # - - 还不知道
PermitRootLogin yes #重要的,是否允许root登录
StrictModes yes #当host key改变sever不接受联机
RSAAuthentication yes #使用RSA认证
PubkeyAuthentication yes #允许使用Public Key针对version 2
#AuthorizedKeysFile %h/.ssh/authorized_keys #用于设置不需要密码用户登录
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes #不用.rhosts 认证
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no #不允许空密码登录
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no #允许任何密码认证,默认设置为no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes #应该是用密码认证
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes #X-Window相关设置
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60 #允许的未登录窗口数
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_* #语系变量设置
Subsystem sftp /usr/lib/openssh/sftp-server #sftp设置项目
UsePAM yes #用PAM管理认证
4. 安全设置
其实ssh的配置文件已经设置的很到位了,不建议随便修改,只是为了安全起见要修改几点:
1)取消root登录: PermitRootLogin no
2)不允许多个用户登录,把这几个用户加入同一个组,然后拒绝这个组: DenyGroups nossh
3)听鸟哥说ssh软件本身并不安全,所以我们最好还是不要设成开机启动了
1.更改ssh默认的端口:22
# vi /etc/ssh/ssh_config
#将Port注释去掉 Port 1433(端口号)
# vi /etc/ssh/sshd_config
#将Port注释去掉 Port 1433(端口号)
2.限制ssh用户登录次数(防止别人使用密码穷举)
# vi /etc/ssh/sshd_config
#将MaxAuthTries注释去掉 MaxAuthTries 2(登录次数)
3.限制登录用户
3.1 禁止root用户使用ssh登录
# vi /etc/ssh/sshd_config PermitRootLogin no(原本是yes)
3.2 只允许指定的用户登录
# vi /etc/ssh/sshd_config 在最后新增加一行: AllowUsers nbadv(指定的用户名)
3.3 只允许某个网段的用户登录
# vi /etc/hosts.deny
增加
sshd:ALL EXCEPT 192.168.1.0/255.255.255.0(只允许192.168.1.0的网段访问ssh)
4.使用防火墙
设置过滤端口
5.重启ssh服务
service sshd restart
或 service sshd stop
service sshd start