SSH service security configuration


References:
http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/
http://www.foogazi.com/2006/11/29/modify-ssh-to-maximize-security/

The sshd configuration file is /etc/ssh/sshd_config.
Recommended settings:

  1. Run sshd on a non-standard port.
    Edit /etc/ssh/sshd_config and set the port (assuming you pick 12345; the stock file usually has a commented-out "#Port 22" line you can edit in place):
    Port 12345
    On the client, log in with ssh <server addr> -p 12345. If the host runs a firewall, allow the new port there too (and, on SELinux systems, add it to the ssh_port_t port type), or you will lock yourself out.
  2. Allow only SSH protocol 2 connections:
    Protocol 2
    Newer OpenSSH releases have removed protocol 1 entirely, so on those the line is harmless but unnecessary.
  3. Forbid root from logging in over SSH:
    PermitRootLogin no
  4. Forbid logins with an empty password:
    PermitEmptyPasswords no
  5. Limit the number of authentication attempts per connection:
    MaxAuthTries 3
    This counts attempts within one connection; an attacker can simply reconnect, so combine it with firewall rate limiting or a tool such as fail2ban if you want to throttle by source address.
  6. Allow only the users on an explicit list to log in:
    AllowUsers user1 user2
Once the edits are made, reload sshd so they take effect. Run sshd -t first to catch syntax errors, and keep the session you edited from open until you have confirmed that a new login on the new port works:
[root@jcwkyl ssh]# /etc/init.d/sshd reload
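To check that the six settings above are actually in force, the following script, added here as an example and not part of the original post, reads an sshd_config the way sshd does (keywords are case-insensitive, comment lines are skipped, the first occurrence of a keyword wins, and settings after a Match line apply only conditionally) and reports each recommendation as OK or FAIL. It assumes only POSIX sh, awk, tr and mktemp; the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# six recommendations above. Assumes only POSIX sh, awk, tr and mktemp.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: keywords are case-insensitive,
# lines starting with '#' are comments, the FIRST occurrence wins, and anything
# after a "Match" line applies only conditionally, so the scan stops there.
# (The "Keyword=value" spelling is not handled; use "Keyword value".)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# check_setting FILE KEYWORD WANT
# WANT is a literal value (compared case-insensitively) or one of the
# pseudo-values "set" (any value), "not22" (port moved off 22) and "max3"
# (MaxAuthTries of 3 or less). An absent keyword means sshd's compiled-in
# default applies, which is not what the page recommends, so it fails.
check_setting() {
    value=$(effective_value "$1" "$2")
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    case "$3" in
        set)   [ -n "$lower" ] ;;
        not22) [ -n "$lower" ] && [ "$lower" != "22" ] ;;
        max3)  case "$lower" in 1|2|3) true ;; *) false ;; esac ;;
        *)     [ "$lower" = "$3" ] ;;
    esac
}

# audit_sshd_config FILE
# Prints one OK/FAIL line per recommendation; returns 0 only if all pass.
audit_sshd_config() {
    rc=0
    for spec in Port:not22 Protocol:2 PermitRootLogin:no \
                PermitEmptyPasswords:no MaxAuthTries:max3 AllowUsers:set
    do
        key=${spec%%:*}; want=${spec#*:}
        value=$(effective_value "$1" "$key")
        if check_setting "$1" "$key" "$want"; then
            printf 'OK   %s=%s\n' "$key" "$value"
        else
            printf 'FAIL %s=%s (want %s)\n' "$key" "${value:-<unset>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Two constructed sample files (not any real host's configuration).
sample_dir=$(mktemp -d)
cat > "$sample_dir/weak.conf" <<'EOF'
# Stock-looking file: everything still commented out or at its default.
#Port 22
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
EOF
cat > "$sample_dir/hardened.conf" <<'EOF'
Port 12345
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers whb user2
# A later duplicate is ignored by sshd: the first PermitRootLogin above wins.
permitrootlogin yes
# Settings below the Match line apply only to matching connections.
Match Address 10.60.56.0/24
    PasswordAuthentication yes
EOF

echo "== weak.conf";     audit_sshd_config "$sample_dir/weak.conf"     || echo "=> needs hardening"
echo "== hardened.conf"; audit_sshd_config "$sample_dir/hardened.conf" && echo "=> all recommendations in force"
```

On a real host, run audit_sshd_config /etc/ssh/sshd_config; the audit deliberately stops at the first Match line, so anything you relax inside a Match block has to be reviewed by hand.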

Working directly as root is dangerous, and you cannot rely on users' self-discipline to avoid mistakes. Key-based authentication is recommended: it is both more secure and more convenient. The method for passwordless login from a Windows client with PuTTY was recorded at http://blog.csdn.net/jcwKyl/archive/2009/09/17/4562599.aspx; on Linux, the session below does it by hand. Note that the session generates the key pair on the server and copies the private key to the client, which is the reverse of the usual practice: generate the pair on the client, so the private key never leaves it, and transfer only the public key (ssh-copy-id automates exactly that). If you follow the transcript as written, delete id_rsa from the server afterwards.

Log in to the server:

[whb@jcwkyl ~]$ ssh whb@server
whb@server's password:
Last login: Thu Jan  7 19:17:28 2010 from jcwkyl.gridlab

Generate a public/private key pair. An empty passphrase means anyone who obtains the file can use the key; set one and let ssh-agent cache it, as the client step below does with ssh-add:

[whb@server ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/whb/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/whb/.ssh/id_rsa.
Your public key has been saved in /home/whb/.ssh/id_rsa.pub.
The key fingerprint is:
b5:fb:a1:9f:25:e1:48:80:70:06:b3:9b:29:3b:df:1f [email protected]

Rename the public key to authorized_keys and send the private key to the client. Two cautions: mv overwrites an existing authorized_keys, so append with cat id_rsa.pub >> authorized_keys if other keys are already installed, and when scp asks about the unknown host key, compare the fingerprint with one obtained out of band before answering yes:

[whb@server ~]$ cd .ssh/
[whb@server .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[whb@server .ssh]$ mv id_rsa.pub authorized_keys
[whb@server .ssh]$ scp id_rsa [email protected]:~whb/.ssh/serverkey
The authenticity of host '10.60.56.90 (10.60.56.90)' can't be established.
RSA key fingerprint is 19:51:4b:38:47:43:da:b9:e1:d0:53:75:95:07:ed:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.60.56.90' (RSA) to the list of known hosts.
[email protected]'s password:
id_rsa                                                            100% 1675     1.6KB/s   00:00

Log in from the client, after loading the key into ssh-agent with ssh-add:

[whb@jcwkyl ~]$ ssh-add .ssh/serverkey
Identity added: .ssh/serverkey (.ssh/serverkey)
[whb@jcwkyl ~]$ ssh whb@server
Last login: Thu Jan 14 21:50:03 2010 from jcwkyl.gridlab

Despite the word "certificate" in the original term, what this sets up is ordinary SSH public-key authentication, not a PKI: the server keeps the client's public key in authorized_keys, and at login the client proves possession of the matching private key by signing a challenge that the server verifies against that key. No certificate authority is involved; OpenSSH's separate certificate feature, in which a CA key signs user and host keys, is not what is used here. Also note that sshd with StrictModes (the default) silently ignores authorized_keys if it, ~/.ssh or the home directory is writable by group or others, which is the usual reason key login "does not work".
