Because of network security concerns, the SSH service on CentOS 7 needs to be hardened. The detailed steps, and the reasoning behind them, are given below.
CentOS 7 installs and enables the system firewall by default, and the SSH service listens on port 22. If you change the listening port directly in the SSH configuration file, restarting sshd will not succeed and reports that the port cannot be bound, so to change the SSH port you must first change the system firewall configuration.
I. Changing the SSH login port
1. Add the new SSH listening port to the firewall
firewall-cmd --permanent --zone=public --add-port=3333/tcp #add port 3333 with protocol tcp to the public zone
firewall-cmd --reload #after adding the port, reload the configuration so it takes effect
2. Check that the port was added
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports: 3333/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
3. Change the listening port in the SSH configuration file to 3333
vim /etc/ssh/sshd_config
Find the line "port 22", replace it with "Port 3333", and remove the leading # so the directive takes effect.
Save and exit after making the change.
service sshd restart #restart the service so that it now listens on 3333
4. Scanning the host with nmap at this point shows that SSH on port 22 is closed:
PORT STATE SERVICE VERSION
22/tcp closed ssh
5. Handle the traffic to port 22 so that nmap cannot detect any information from it
firewall-cmd --permanent --zone=public --remove-port=22/tcp #remove the original port 22 from the firewall
firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=127.0.0.1 #redirect traffic arriving on port 22 to the loopback address 127.0.0.1
firewall-cmd --reload
6. Scanning again now shows no port information at all; the port change is complete.
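The port change from steps 1 to 6 as one script, added here as an example and not the post's own commands: it keeps the old port reachable until sshd is confirmed to be listening on the new one, and it adds the SELinux port label that CentOS 7 also requires before sshd can bind a non-default port. The script name, the function names and the "apply" argument are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: change the sshd port on
# CentOS 7 in an order that does not lock you out. Assumes firewalld,
# SELinux and systemd as on a default CentOS 7; harden_port needs root.
set -eu

# Rewrite the Port directive in an sshd_config-style file. Handles
# "Port 22", "#Port 22" and a file with no Port line (every Port line
# present is set to the new value).
set_sshd_port() {
    cfg="$1"; port="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -r -i "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Effective port of a config file: last active Port line, default 22.
get_sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# The full change. Keep the current SSH session open until a login on
# the new port has been verified from another terminal.
harden_port() {
    new="$1"
    firewall-cmd --permanent --zone=public --add-port="$new/tcp"
    firewall-cmd --reload
    # SELinux (enforcing by default) only lets sshd bind ports labelled
    # ssh_port_t; without the label sshd fails with a bind error.
    # semanage is in the policycoreutils-python package.
    semanage port -a -t ssh_port_t -p tcp "$new" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$new"
    set_sshd_port /etc/ssh/sshd_config "$new"
    sshd -t                   # syntax check before restarting the daemon
    systemctl restart sshd
    ss -tln | grep -q ":$new " || { echo "sshd not on $new" >&2; return 1; }
    # Only now drop 22. The zone listing in the post shows "services: ssh",
    # so the ssh service must go too, not just the 22/tcp port entry.
    firewall-cmd --permanent --zone=public --remove-port=22/tcp
    firewall-cmd --permanent --zone=public --remove-service=ssh
    firewall-cmd --permanent --zone=public \
        --add-forward-port=port=22:proto=tcp:toport=22:toaddr=127.0.0.1
    firewall-cmd --reload
}

# Usage: ./harden_ssh_port.sh apply 3333 (does nothing without "apply")
if [ "${1:-}" = "apply" ]; then harden_port "${2:-3333}"; fi
```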
II. Network-layer IP address restriction
Hiding the port alone cannot guarantee security; it is better to restrict by service plus IP address. This is done by editing /etc/hosts.allow: only IP addresses on the whitelist may reach this host's SSH service, and every other IP address is refused.
[root@localhost ~]# vim /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# allow 192.168.1.11 to reach this host's SSH service
sshd:192.168.1.11:allow
# allow 192.168.1.12 to reach this host's SSH service
sshd:192.168.1.12:allow
# deny everyone else by default
sshd:all:deny
III. Application-layer restriction by account plus IP
By configuring /etc/ssh/sshd_config you can apply richer restrictions than hosts.allow offers. hosts.allow restricts at the network layer; here the restriction is at the service layer, and the rule is IP plus account: a given source IP may log in only with a given account.
# 192.168.1.11 may log in as root
AllowUsers root@192.168.1.11
# 192.168.1.12 may log in only with the test account
AllowUsers test@192.168.1.12
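The two whitelists from sections II and III are only as strong as their agreement with each other: an IP that appears in AllowUsers but not in hosts.allow is dropped by tcp_wrappers before sshd ever evaluates the user@host pattern. The following script, an added example and not the post's own configuration, derives both files from one "account ip" list and checks that agreement; the list format, the sample entries and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: derive the hosts.allow rules
# (section II) and the sshd_config AllowUsers lines (section III) from one
# "account ip" list, and check that the two layers agree. The list format
# and function names are this example's own assumptions.
set -eu

# Constructed sample whitelist, one "account ip" pair per line.
WHITELIST='root 192.168.1.11
test 192.168.1.12'

# hosts.allow: each whitelisted IP may reach sshd, everything else is
# denied. Comments stay on their own lines: tcp_wrappers reads a trailing
# "#..." after the option field as the option's value and rejects the rule.
gen_hosts_allow() {
    printf '%s\n' "$1" | awk 'NF == 2 {print $2}' | sort -u | while read -r ip; do
        printf 'sshd:%s:allow\n' "$ip"
    done
    printf 'sshd:all:deny\n'
}

# sshd_config: one AllowUsers line per account, bound to its source IP.
# As soon as any AllowUsers line exists, every non-matching user is refused.
gen_allow_users() {
    printf '%s\n' "$1" | awk 'NF == 2 {print "AllowUsers " $1 "@" $2}'
}

# IPs named in the AllowUsers patterns of an sshd_config file, one per line.
allow_users_ips() {
    grep -E '^AllowUsers[[:space:]]' "$1" | sed -r 's/^AllowUsers[[:space:]]+//' |
        tr ' ' '\n' | awk -F@ 'NF == 2 {print $2}' | sort -u
}

# Every IP in AllowUsers must also be allowed in hosts.allow; otherwise
# tcp_wrappers drops the connection before sshd ever checks the user@host
# pattern. Prints each offender and returns 1 if any were found.
check_consistency() {
    allowed=$(grep -E '^sshd:[0-9.]+:allow' "$1" | cut -d: -f2)
    rc=0
    for ip in $(allow_users_ips "$2"); do
        printf '%s\n' "$allowed" | grep -qx "$ip" ||
            { echo "$ip is in AllowUsers but not in hosts.allow" >&2; rc=1; }
    done
    return "$rc"
}

gen_hosts_allow "$WHITELIST"
gen_allow_users "$WHITELIST"
```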
IV. Hardening summary
The hardening approach: first, leak as little information as possible and reveal neither the service type nor the operating system type. Step one, changing the port and redirecting traffic, makes external probing lose its aim. Next, in the operating system, whitelist at the network layer the IP addresses that may connect. Finally, pin each whitelisted IP to a specific login account. These three steps complete the hardening of the SSH service on CentOS 7.
Verify the hardening result with an nmap scan at any time; the result after hardening is shown below. The files involved are the SSH configuration file /etc/ssh/sshd_config and the operating system's network-layer IP restriction file /etc/hosts.allow; the tool used to test the result is nmap.
nmap -sS -v -A 192.168.1.1
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2017-05-11 21:58 CST
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 21:58, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.01s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 192.168.1.1 [1000 ports]
Completed SYN Stealth Scan at 21:58, 14.38s elapsed (1000 total ports)
Initiating Service scan at 21:58
Initiating OS detection (try #1) against 192.168.1.1
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.01s elapsed
NSE: Script scanning 192.168.1.1
Initiating NSE at 21:58
Completed NSE at 21:58, 0.01s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Nmap scan report for 192.168.1.1
Host is up (0.00064s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|firewall
Running: Asus embedded, Palo Alto embedded
OS CPE: cpe:/h:asus:rt-53n cpe:/h:paloalto:pa-500
OS details: Asus RT-53N WAP, Palo Alto PA-500 firewall #without hardening, nmap identifies the exact Linux version and services directly, exposing a great deal of information
Network Distance: 1 hop
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.86 ms 192.168.1.1
NSE: Script Post-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds
Raw packets sent: 2021 (90.330KB) | Rcvd: 35 (2.570KB)
-------------------- Below is the nmap scan result before hardening
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0) #shows the port, the service and the exact OpenSSH version directly
| ssh-hostkey:
| 2048 79:38:a3:18:ce:9d:a7:16:5c:bd:61:12:95:30:aa:6c (RSA)
|_ 256 2f:a7:3e:d8:fd:b1:2b:9a:af:03:38:44:73:f2:55:ad (ECDSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|WAP|load balancer|firewall
Running (JUST GUESSING): Linux 2.6.X (94%), Netgear Linux 2.6.X (93%), Linksys embedded (91%), Ubiquiti Linux 2.6.X (90%), F5 Networks embedded (87%), Palo Alto embedded (87%), F5 Networks TMOS 11.1.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:netgear:linux_kernel:2.6 cpe:/h:linksys:befw11s4 cpe:/o:ubiquiti:linux_kernel:2.6 cpe:/h:paloalto:pa-500 cpe:/o:f5:tmos:11.1
Aggressive OS guesses: Linux 2.6.32 (94%), Netgear ReadyNAS 3200 NAS device (Linux 2.6) (93%), Linksys BEFW11S4 WAP (91%), Linux 2.6.11 - 2.6.18 (90%), Ubiquiti WAP (Linux 2.6.32) (90%), F5 BIG-IP load balancer (87%), Palo Alto PA-500 firewall (87%), F5 3600 LTM load balancer (85%), Netgear WNDAP660 WAP (Linux 2.6.36) (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.245 days (since Thu May 11 08:42:05 2017)