I. Preface

I probably do not need to say much about the benefits of ssh. In short, the old rpc commands and telnet can all be replaced by ssh. Some common uses:

- Remote login
    ssh user@remote.machine
- Remote command execution
    ssh user@remote.machine 'command ...'
- Remote copy
    scp user@remote.machine:/remote/path /local/path
    scp /local/path user@remote.machine:/remote/path
- X forwarding
    ssh -X user@remote.machine xcommand ...
- Tunnel / port forwarding
    ssh -L 1234:remote.machine:4321 user@remote.machine
    ssh -R 1234:local.machine:4321 user@remote.machine
    ssh -L 1234:other.machine:4321 user@remote.machine

I will not go into the detailed usage here; readers can study that on their own. What I want to cover is a set of security techniques for the ssh service, so that everyone can use it with a little more peace of mind.

II. Implementation (RedHat 9 is used as the example)

1) Forbid root login

    # vi /etc/ssh/sshd_config
    PermitRootLogin no

2) Disable password login and force RSA authentication (assuming the ssh account is user1)

    # vi /etc/ssh/sshd_config
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    # service sshd restart
    # su - user1
    $ mkdir ~/.ssh 2>/dev/null
    $ chmod 700 ~/.ssh
    $ touch ~/.ssh/authorized_keys
    $ chmod 644 ~/.ssh/authorized_keys

--------------------------------------------------
Switch to the client side:

    $ ssh-keygen -t rsa
(press enter three times to finish; no passphrase is needed, unless you will be using ssh-agent.)
    $ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
(For a Windows client, puttygen.exe can generate the public key; copy it to the server and edit it so that its contents become a single line.)

---------------------------------------------------
Back on the server side:

    $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
    $ rm ~/id_rsa.pub
    $ exit

3) Restrict the su / sudo list:

    # vi /etc/pam.d/su
    auth required /lib/security/$ISA/pam_wheel.so use_uid
    # visudo
    %wheel ALL=(ALL) ALL
    # gpasswd -a user1 wheel

4) Restrict the list of ssh users

    # vi /etc/pam.d/sshd
    auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
    # echo user1 >> /etc/ssh_users

5) Block ssh connections and manage the allow list through the web instead

    # iptables -I INPUT -p tcp --dport 22 -j DROP
    # mkdir /var/www/html/ssh_open
    # cat > /var/www/html/ssh_open/.htaccess <<END
    AuthName "ssh_open"
    AuthUserFile /var/www/html/ssh_open/.htpasswd
    AuthType basic
    require valid-user
    END
    # htpasswd -c /var/www/html/ssh_open/.htpasswd user1

(It is best to also set up SSL, or better still to allow https connections only; I skip the SSL setup here and leave it to the reader.)
(If you need to control the connection source, add Allow/Deny entries as well; also left to the reader.)

The heredoc delimiter is quoted ('END') so that the shell does not expand the PHP variables while writing the file:

    # cat > /var/www/html/ssh_open/ssh_open.php <<'END'
    <?
    //Set dir path for ip list
    $dir_path=".";
    //Set filename for ip list
    $ip_list="ssh_open.txt";
    //Get client ip
    $user_ip=$_SERVER['REMOTE_ADDR'];
    //allow specifying ip if needed
    if (@$_GET['myip']) {
        $user_ip=$_GET['myip'];
    }
    //checking IP format
    if ($user_ip==long2ip(ip2long($user_ip))) {
        //Put client ip to a file
        if(@!($file = fopen("$dir_path/$ip_list","w+"))) {
            echo "Permission denied!!<br>";
            echo "Pls Check your rights to dir $dir_path or file $ip_list";
        } else {
            fputs($file,"$user_ip");
            fclose($file);
            echo "client ip($user_ip) has put into $dir_path/$ip_list";
        }
    } else {
        echo "Invalid IP format!!<br>ssh_open.txt was not changed.";
    }
    ?>
    END
    # touch /var/www/html/ssh_open/ssh_open.txt
    # chmod 640 /var/www/html/ssh_open/*
    # chgrp apache /var/www/html/ssh_open/*
    # chmod g+w /var/www/html/ssh_open/ssh_open.txt
    # chmod o+t /var/www/html/ssh_open
    # service httpd restart
    # mkdir /etc/iptables
    # cat > /etc/iptables/sshopen.sh <<'END'
    #!/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
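As an added example that is not part of the original post, here is a validated version of the step sshopen.sh has to perform: take the address that ssh_open.php wrote into ssh_open.txt and turn it into a single-host ACCEPT rule. The file path and the rule shape are assumptions; the point is that the file contents are checked strictly before they go anywhere near a root-run firewall command.

```shell
#!/bin/sh
# Added example (not from the original post): read the address written by
# ssh_open.php and build the iptables rule that admits only that host to
# port 22. The file content is validated first, so whatever an authenticated
# web user manages to write into the file cannot end up inside the command.
# Assumed (hypothetical) details: the file path passed in and the rule shape.

# is_ipv4 ADDRESS: succeed only for a dotted-quad IPv4 address with
# four octets of 1-3 digits, no leading zeros, each in the range 0-255.
is_ipv4() {
  ip=$1
  # Reject empty input, any character other than digits and dots,
  # and leading, trailing or doubled dots (empty octets).
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  rest=$ip count=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    [ ${#octet} -le 3 ] || return 1
    case "$octet" in 0?*) return 1 ;; esac   # "01" style octets are rejected
    [ "$octet" -le 255 ] || return 1
    case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
    count=$((count + 1))
  done
  [ "$count" -eq 4 ]
}

# ssh_open_rule FILE: read the single address written by ssh_open.php and
# print the iptables rule that opens port 22 for that host only. Printing
# instead of executing keeps the example safe to run anywhere; the real
# script would run the command it prints.
ssh_open_rule() {
  ip=$(head -n 1 "$1" | tr -d '[:space:]')
  if is_ipv4 "$ip"; then
    echo "iptables -I INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    return 0
  fi
  echo "refusing to open port 22: invalid address in $1" >&2
  return 1
}
```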
Some security tips for SSH on Linux    2006-09-21 22:02:00
Original link: http://blog.pfan.cn/sovf/18630.html