sshd服务
SSH协议:安全外壳协议。Secure Shell的缩写。SSH 为建立在应用层和传输层基础上的安全协议
作用:sshd服务使用SSH协议可以用来进行远程控制, 或在计算机之间传送文件,相比较之前用telnet方式来传输文件要安全很多,因为telnet使用明文传输,是加密传输。
sshd服务管理
- 开启、关闭、重启等操作
# sshd重启、关闭、启动、查看状态、开机启动
systemctl restart/stop/start/status/enable sshd
# 查看是否开机启动
systemctl list-unit-files | grep sshd
- 连接远程主机
# 使用ssh连接远程主机
ssh root@ip
- 配置文件
/etc/ssh/sshd_config
sshd服务默认监听的端口,建议修改为其他端口
Port 22
#AddressFamily any
表示侦听所有地址
ListenAddress 0.0.0.0
#ListenAddress ::
SSH 协议版本
Protocol 2
秘钥文件
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
sshd服务日志存放在: /var/log/secure,为什么sshd配置文件中没有指定日志,但日志却存放在/var/log/secure ? 查看/etc/rsyslog.conf
当有人使用 SSH 登入系统的时候,SSH 会记录信息,这个信息要记录的类型为AUTHPRIV
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
登录记录的等级!INFO级别以上
#LogLevel INFO
# Authentication:
当使用者连上 SSH server 之后,会出现输入密码的画面,在该画面中,在多久时间内没有成功连上 SSH server 就强迫断线!若无单位则默认时间为秒
#LoginGraceTime 2m
是否允许 root 登入!预设是允许的,但是建议设定成 no !
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
密码验证当然是需要的!所以这里写 yes,也可以设置为no
#PasswordAuthentication yes
这个项目在是否允许以空的密码登入!当然不许!
#PermitEmptyPasswords no
PasswordAuthentication yes
省略......
登入后是否显示出一些信息呢?例如上次登入的时间、地点等等,预设是 yes , 打印出 /etc/motd这个文档的内容
#PrintMotd yes
显示上次登入的信息!预设也是 yes
#PrintLastLog yes
省略.....
sshd服务防止暴力破解
- 配置安全的sshd服务
1.密码足够复杂
2.修改默认端口
3.不允许root账户直接登陆,添加普通账号,授予root的权限(是否可以禁止root身份登陆,不行,因为有些程序需要root省份登陆并运行)
4.不允许密码登陆,只能通过认证的秘钥来登陆系统
[root@centos7-1 ~]# ssh-keygen
Generating public/private rsa key pair.
# 提示输入密匙文件的保存路径,直接回车默认/root/.ssh/id_rsa
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
# 提示输入私钥保护口令,可以不输
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
# 私钥
Your identification has been saved in /root/.ssh/id_rsa.
# 公钥
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:HshMRdH9ughZsJYOJrXNdjUNDU6BRZXtCrTc062P5AE root@centos7-1
The key's randomart image is:
+---[RSA 2048]----+
| .+o =BB.o |
| ... oo= + .|
| ..+ + +.= o.|
| .++.B o E + +|
| o+=S+ + + |
| .+. . = |
| .. . + + |
| . . o .|
| |
+----[SHA256]-----+
[root@centos7-1 ~]# cd /root/.ssh/
[root@centos7-1 .ssh]# ls
id_rsa id_rsa.pu
# 使用ssh-copy-id命令发布公钥到服务端
[root@centos7-1 .ssh]# ssh-copy-id -i 192.168.5.131
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.5.131's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.5.131'"
and check to make sure that only the key(s) you wanted were added.
# 服务器端(192.168.5.131)会多出一个authorized_keys文件
[root@centos7-base ~]# ll /root/.ssh/
总用量 4
-rw-------. 1 root root 396 10月 14 11:43 authorized_keys
# 这个时候远程服务器端无需密码直接登陆
ssh root@192.168.5.131
- 通过开源的防护软件
网站被别人暴力破解sshd服务,虽然没有成功,但是由于破解的时候,会不断的认证用户,会导致系统负载过高,从而增加了系统资源的额外开销,导致服务器响应速度变慢。
我们可以使用fail2ban来监控日至系统,然后匹配日志的错误信息执行相应的屏蔽动作,而且还可以发送e-mail通过系统管理员。
fail2ban官网
安装
# 1.解压安装包
tar -zxvf fail2ban-0.8.14.tar.gz
cd cd fail2ban-0.8.14
# 2.安装
python setup.py install
注: 查看目录下的README.md, 里面有安装步骤
Required:
- [Python >= 2.4](http://www.python.org)
Optional:
- [pyinotify >= 0.8.3](https://github.com/seb-m/pyinotify)
- Linux >= 2.6.13
- [gamin >= 0.0.21](http://www.gnome.org/~veillard/gamin)
To install, just do:
tar xvfj fail2ban-0.8.12.tar.bz2
cd fail2ban-0.8.12
python setup.py install
相关文件目录
/etc/fail2ban/
├── action.d # 动作文件夹,内含默认文件。iptables以及mail等动作配置
├── fail2ban.conf #定义了fai2ban日志级别、日志位置及sock文件位置
├── fail2ban.d
├── filter.d #条件文件夹,内含默认文件。过滤日志关键内容设置
├── jail.conf #主要配置文件,模块化。主要设置启用ban动作的服务及动作阀值
└── jail.d # 监狱
生成服务启动脚本
cp files/redhat-initd /etc/rc.d/init.d/fail2ban
chkconfig --add fail2ban #开机自动启动
注:
怎么可以知道哪个文件是启动脚本文件?
启动脚本里都包含chkconfig字段
grep chkconfig ./* -R --color
配置
# /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true # 开启
filter = sshd #过滤规则filter的名字,对应filter.d目录下的sshd.conf
# 如果端口不是22需要修改port=端口号
# dest=发送邮件(前提电脑安装了sendmail服务并启动了)
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=779212786@qq.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
# 日志文件路径
logpath = /var/log/secure
# 3次密码校验失败
maxretry = 3
# 300秒内
findtime = 300
# 禁止用户300秒内再次访问主机
bantime = 300
启动
systemctl start fail2ban
多一条规则
[root@centos7-1 fail2ban]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
查看fail2ban拦截情况
[root@centos7-1 fail2ban]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
[root@centos7-1 fail2ban]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 3
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 1
清空拦截信息
[root@centos7-1 fail2ban]# > /var/log/secure
[root@centos7-1 fail2ban]# systemctl restart fail2ban.service
[root@centos7-1 fail2ban]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
网友评论