
Introduction to the Linux base service sshd

  • SSH protocol: Secure Shell, a secure shell protocol.
  • SSH is a security protocol built on top of the application and transport layers.
  • The sshd service uses the SSH protocol for remote control and for transferring files between computers.
  • sshd encrypts its traffic, which makes it far safer than telnet, which transfers data in plaintext.

sshd configuration file

/etc/ssh/sshd_config

  • A line starting with # with no space between the # and the parameter shows a default value that is in effect.
  • A line starting with # followed by a space is a pure comment.

Tuning parameters

Port

  • The default port is 22; it should be changed on internet-facing production hosts
    Port 22
  • Use the -p option to connect to a port other than the default 22 [-p port]
    ssh -p 1234 [email protected]

Listen address

  • The default is every address on every interface
  • Can be changed to a specific IP
    #ListenAddress 0.0.0.0
    #ListenAddress ::

Login grace time

  • The time allowed between entering the username and entering the password
  • The default is 2 minutes; it can be reduced
    #LoginGraceTime 2m

Permit root login

  • Production systems should forbid direct root login
  • Debian-family distributions such as Ubuntu forbid root login by default
    PermitRootLogin yes

Default authorized public key file

AuthorizedKeysFile .ssh/authorized_keys

Whether password authentication is allowed

  • Once key authentication is set up, password login can be disabled to prevent brute-force attacks
    PasswordAuthentication yes

Print the login message and the last-login record

  • Helps spot signs of a compromise (an unexpected last-login time or source address)
    PrintMotd no
    #PrintLastLog yes
    [14:56:49 root@c8-88[ ~]#ssh 10.0.0.189
    Last login: Sat Jul  3 22:00:12 2021 from 10.0.0.88

DNS reverse lookup

  • If the session hangs after the password and takes a long time to reach the shell, set this to no
    #UseDNS no
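The tuning parameters above are usually applied by hand-editing sshd_config. The following is an added example, not part of the original notes, that applies them to a copy of the file while respecting the file's own conventions described earlier ("#Directive value" with no space is a commented-out default, "# text" is a comment). It relies on two facts about sshd_config: directive names are case-insensitive, and for each keyword sshd uses the first value it obtains, so the first matching line (commented default or live) is rewritten and any later live duplicate is commented out to avoid ambiguity. The helper names are my own; only POSIX awk and coreutils are needed.

```shell
#!/bin/bash
# Added example, not part of the original notes. Edit tuning directives in a
# COPY of sshd_config; validate with `sshd -t -f COPY` before installing it.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[[:space:]]*#?/, "", line)        # "#Key" (no space) still names the key
            split(line, f, /[[:space:]]+/)          # "# Key" leaves f[1] empty: pure comment
            if (tolower(f[1]) == lkey) {
                if (!done) { print key, value; done = 1 }   # first occurrence wins in sshd
                else if ($0 ~ /^[[:space:]]*#/) { print }    # another commented copy: keep
                else { print "#" $0 }                        # later live duplicate: neutralise
                next
            }
            print
        }
        END { if (!done) print key, value }         # key absent: append it
    ' "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the file mode and owner
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd would use (first live occurrence)
get_sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == lkey { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [PORT]: the settings discussed in the tuning section
harden_sshd_config() {
    local file=$1 port=${2:-22}
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no   # only once key login is verified
    set_sshd_option "$file" LoginGraceTime 30
    set_sshd_option "$file" UseDNS no
}

# Typical use as root: harden a copy, validate it, then install and reload.
#   copy=$(mktemp); cp /etc/ssh/sshd_config "$copy"
#   harden_sshd_config "$copy" 2222
#   sshd -t -f "$copy" && cp -p "$copy" /etc/ssh/sshd_config && systemctl reload sshd
```

Keep an existing session open while reloading: if the new port or the disabled password login locks you out, the open session is the way back in. On SELinux systems the new port also has to be registered (`semanage port -a -t ssh_port_t -p tcp PORT`, as the comment at the top of the shipped file says).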

Change the login message

  • Create or edit the motd file
    /etc/motd
  • Add the content to be shown at login to that file
  • Enable PrintMotd in the configuration file
    sed -ri.bak 's/^(PrintMotd )no/\1yes/I' /etc/ssh/sshd_config

fail2ban against brute-force attacks

  • Monitors the system logs, matches log entries, and adds abusive IPs to iptables
  • Written in Python; install its Python packages with Python
  • Main configuration file: jail.conf
  • Template service files are in the files directory of the source package: fail2ban.service, redhat-initd
  • Find the old-style init script: its contents contain chkconfig keywords
    grep chkconfig ./* -r --color
  • Older versions add the service with chkconfig
    chkconfig --add fail2ban
  • Login log

Description of the main files:

  • jail [dʒeɪl]: prison
    /etc/fail2ban/action.d        # actions directory, with default files: iptables, mail and other action configs
    /etc/fail2ban/fail2ban.conf   # defines fail2ban's log level, log location and socket file location
    /etc/fail2ban/filter.d        # filters directory, with default files: patterns that match key log content
    /etc/fail2ban/jail.conf       # main, modular configuration file: which services get ban actions and the thresholds

Example use case

  • Ban a remote SSH user for 1 hour after three failures within 5 minutes
  • Prevents repeated password guessing
  • Edit the [ssh-iptables] section
  • First enable the jail
    enabled = true
  • Specify the log
    logpath = /var/log/secure
  • To send mail, change the sendmail action; sendmail must already be enabled on the system
  • If the SSH server is not on port 22, the configuration file must be changed,
  • and the iptables configuration must be changed too

Check ban status

fail2ban-client status ssh-iptables

Implementing fail2ban's function with a shell script

  • Check the security log from a scheduled task
  • Add IPs above the threshold to the system blacklist hosts.deny
#!/bin/bash
# Count failed SSH logins per source IP. In the line
# "Failed password for [invalid user] NAME from IP port N ssh2" the IP is always field NF-3.
mkdir -p /root/satools
awk '/Failed password/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/satools/black.txt
define='10'   # threshold: more failures than this bans the IP
for i in $(cat /root/satools/black.txt); do
    ip=$(echo "$i" | awk -F= '{print $1}')
    num=$(echo "$i" | awk -F= '{print $2}')
    if [ "$num" -gt "$define" ]; then
        # append only if the IP is not already listed
        if ! grep -qF "$ip" /etc/hosts.deny; then
            echo "sshd:$ip" >> /etc/hosts.deny
        fi
    fi
done
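The script above reads /var/log/secure directly, so it can only be tried as root on a real host. The following is an added example, not the notes' own script, that exercises the same detection logic over constructed /var/log/secure-style lines, including the "invalid user" variant, so the field arithmetic and the threshold can be checked offline. The log lines, hostnames, addresses and function names are constructed and my own. One caveat on the blacklist itself: upstream OpenSSH dropped tcp_wrappers support in 6.7 and CentOS/RHEL 8 (the c8 host in these notes) no longer ship it, so on such systems sshd ignores /etc/hosts.deny and the same offender list should feed an iptables, nftables or firewalld rule instead, which is what fail2ban does.

```shell
#!/bin/bash
# Added example, not the notes' own script: the cron script's detection logic
# over constructed log lines. Sample data and function names are constructed.

# Constructed sample of what sshd writes to /var/log/secure on CentOS/RHEL.
SAMPLE_LOG='Jul  3 22:00:01 c8-88 sshd[1201]: Failed password for root from 10.0.0.88 port 50001 ssh2
Jul  3 22:00:02 c8-88 sshd[1203]: Failed password for invalid user admin from 10.0.0.88 port 50002 ssh2
Jul  3 22:00:03 c8-88 sshd[1205]: Failed password for root from 10.0.0.88 port 50003 ssh2
Jul  3 22:00:04 c8-88 sshd[1207]: Failed password for root from 10.0.0.189 port 50004 ssh2
Jul  3 22:00:05 c8-88 sshd[1209]: Accepted publickey for work from 10.0.0.189 port 50005 ssh2: ED25519 SHA256:constructed
Jul  3 22:00:06 c8-88 sshd[1211]: Failed password for invalid user test from 10.0.0.88 port 50006 ssh2'

# count_failed_logins < log: prints "COUNT IP" per source, most frequent first.
# In "Failed password for [invalid user] NAME from IP port N ssh2" the IP is
# always field NF-3, so the "invalid user" variant needs no special case.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD < log: IPs with more than THRESHOLD failures, one per line.
offenders() {
    count_failed_logins | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# ban_ip DENYFILE IP: add "sshd: IP" to a hosts.deny-style file, once.
ban_ip() {
    local deny=$1 ip=$2
    grep -qF "sshd: $ip" "$deny" 2>/dev/null || echo "sshd: $ip" >> "$deny"
}

# apply_bans DENYFILE THRESHOLD < log: ban every offender found in the log.
apply_bans() {
    local deny=$1 threshold=$2 ip
    offenders "$threshold" | while read -r ip; do
        ban_ip "$deny" "$ip"
    done
}

# Stand-alone run: `bash this.sh --demo` reports the counts and the offenders
# in the constructed sample; in production replace SAMPLE_LOG with /var/log/secure.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
    printf '%s\n' "$SAMPLE_LOG" | offenders 3
fi
```

Running the demo lists 10.0.0.88 with four failures and 10.0.0.189 with one; with a threshold of 3 only 10.0.0.88 is reported, and the "Accepted publickey" line is ignored because the pattern anchors on sshd's "Failed password for" message.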

Using denyhosts

  • denyhosts from EPEL is a simple ready-made implementation

Protection with the system's built-in PAM module

  • The system's own PAM module provides this protection
    /etc/pam.d/sshd
  • Add the allowed number of failed attempts and the lock time
  • Add one rule below the first line
    auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200

PAM module commands

  • View a user's login attempts
    Manual unlock:
    View a user's failed login count:
    pam_tally2 --user
    For example, view the failed login count of user work:
    pam_tally2 --user work
    Clear a user's failed login count:
    pam_tally2 --user --reset
    For example, clear the failed login count of user work:
    pam_tally2 --user work --reset

Passwordless login from clients such as Xshell

  • Generate the key pair locally with Xshell or another client
  • Place the generated public key in the .ssh directory of the corresponding user's home directory on the server
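Copying the public key into ~/.ssh is the step where key login most often fails silently: sshd's StrictModes check (default yes) ignores authorized_keys if the home directory, .ssh or the file itself is writable by others. The following is an added example, not from the original notes, that installs a client-generated public key into the file named by AuthorizedKeysFile above with the required modes and without adding the same key twice. The function names are my own, and the key line in the check is a constructed placeholder, not a real key.

```shell
#!/bin/bash
# Added example, not from the original notes: install a client's public key into
# ~/.ssh/authorized_keys the way sshd's StrictModes expects. Names are my own.

# install_authorized_key HOME_DIR "KEYTYPE BASE64 [COMMENT]"
install_authorized_key() {
    local home=$1 pubkey=$2
    local sshdir="$home/.ssh" authfile="$home/.ssh/authorized_keys" keyid

    # Accept only well-formed key lines of the types current OpenSSH servers use.
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "unrecognised key line: ${pubkey%% *}" >&2; return 1 ;;
    esac

    # StrictModes rejects keys if ~, ~/.ssh or authorized_keys are writable by
    # others, so set the modes explicitly instead of trusting the umask.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Duplicate check on type + key material only: a different comment is the same key.
    keyid=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
}

# check_key_perms HOME_DIR: prints "ok" when the layout satisfies StrictModes,
# otherwise the problem (GNU stat is assumed).
check_key_perms() {
    local home=$1
    [ "$(stat -c %a "$home/.ssh")" = "700" ] || { echo ".ssh must be mode 700"; return 1; }
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] || { echo "authorized_keys must be mode 600"; return 1; }
    echo ok
}

# Typical use on the server after copying the client's .pub file over (user "work"
# as in the notes); the chown matters when root installs the key for another user:
#   install_authorized_key /home/work "$(cat id_ed25519.pub)" && chown -R work:work /home/work/.ssh
```

If login still prompts for a password afterwards, run `sshd -T | grep -i authorizedkeysfile` on the server to confirm the path sshd actually reads, and check the home directory's own mode, which the function does not change.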

==========================================================
Configuration file contents:

#	$openbsd: sshd_config,v 1.103 2018/04/09 20:41:22 tj exp $
# this is the sshd server system-wide configuration file.  see
# sshd_config(5) for more information.
# this sshd was compiled with path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# the strategy used for options in the default sshd_config shipped with
# openssh is to specify options with their default value where
# possible, but leave them commented.  uncommented options override the
# default value.
# if you want to change the port on a selinux system, you have to tell
# selinux about this change.
# semanage port -a -t ssh_port_t -p tcp #portnumber
#
#port 22
#addressfamily any
#listenaddress 0.0.0.0
#listenaddress ::
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
# ciphers and keying
#rekeylimit default none
# system-wide crypto policy:
# this system is following system-wide crypto policy. the changes to
# ciphers, macs, kexalgoritms and gssapikexalgorithsm will not have any
# effect here. they will be overridden by command-line options passed on
# the server start up.
# to opt out, uncomment a line with redefinition of  crypto_policy=
# variable in  /etc/sysconfig/sshd  to overwrite the policy.
# for more information, see manual page for update-crypto-policies(8).
# logging
#syslogfacility auth
syslogfacility authpriv
#loglevel info
# authentication:
#logingracetime 2m
permitrootlogin yes
#strictmodes yes
#maxauthtries 6
#maxsessions 10
#pubkeyauthentication yes
# the default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
authorizedkeysfile	.ssh/authorized_keys
#authorizedprincipalsfile none
#authorizedkeyscommand none
#authorizedkeyscommanduser nobody
# for this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#hostbasedauthentication no
# change to yes if you don't trust ~/.ssh/known_hosts for
# hostbasedauthentication
#ignoreuserknownhosts no
# don't read the user's ~/.rhosts and ~/.shosts files
#ignorerhosts yes
# to disable tunneled clear text passwords, change to no here!
#passwordauthentication yes
#permitemptypasswords no
passwordauthentication yes
# change to no to disable s/key passwords
#challengeresponseauthentication yes
challengeresponseauthentication no
# kerberos options
#kerberosauthentication no
#kerberosorlocalpasswd yes
#kerberosticketcleanup yes
#kerberosgetafstoken no
#kerberosusekuserok yes
# gssapi options
gssapiauthentication yes
gssapicleanupcredentials no
#gssapistrictacceptorcheck yes
#gssapikeyexchange no
#gssapienablek5users no
# set this to 'yes' to enable pam authentication, account processing,
# and session processing. if this is enabled, pam authentication will
# be allowed through the challengeresponseauthentication and
# passwordauthentication.  depending on your pam configuration,
# pam authentication via challengeresponseauthentication may bypass
# the setting of "permitrootlogin without-password".
# if you just want the pam account and session checks to run without
# pam authentication, then enable this but set passwordauthentication
# and challengeresponseauthentication to 'no'.
# warning: 'usepam no' is not supported in fedora and may cause several
# problems.
usepam yes
#allowagentforwarding yes
#allowtcpforwarding yes
#gatewayports no
x11forwarding yes
#x11displayoffset 10
#x11uselocalhost yes
#permittty yes
# it is recommended to use pam_motd in /etc/pam.d/sshd instead of printmotd,
# as it is more configurable and versatile than the built-in version.
printmotd no
#printlastlog yes
#tcpkeepalive yes
#permituserenvironment no
#compression delayed
#clientaliveinterval 0
#clientalivecountmax 3
#usedns no
#pidfile /var/run/sshd.pid
#maxstartups 10:30:100
#permittunnel no
#chrootdirectory none
#versionaddendum none
# no default banner path
#banner none
# accept locale-related environment variables
acceptenv lang lc_ctype lc_numeric lc_time lc_collate lc_monetary lc_messages
acceptenv lc_paper lc_name lc_address lc_telephone lc_measurement
acceptenv lc_identification lc_all language
acceptenv xmodifiers
# override default of no subsystems
subsystem	sftp	/usr/libexec/openssh/sftp-server
# example of overriding settings on a per-user basis
#match user anoncvs
#	x11forwarding no
#	allowtcpforwarding no
#	permittty no
#	forcecommand cvs server