vi /etc/ssh/sshd_config
Port 2222
PasswordAuthentication no
Restart the service
Note the permissions on authorized_keys for key-based (passwordless) sshd login:
only the owning user may read and write it; other users must not be able to write it
-rw-r--r-- 644
fail2ban
Open port 22
firewall-cmd --zone=public --add-port=22/tcp --permanent
Reload the configuration
firewall-cmd --reload
List the opened ports
firewall-cmd --zone=public --list-ports
Combining fail2ban with the firewalld ipset action
The built-in CentOS repositories do not include fail2ban, so install the EPEL repository first
yum -y install epel-release
Install fail2ban
yum -y install fail2ban
vi /etc/fail2ban/jail.local
[DEFAULT]
# never ban these addresses
ignoreip = 127.0.0.1/8
# -1 = permanent ban (fail2ban 0.9+)
bantime = -1
# ban after maxretry failures within findtime seconds
findtime = 120
maxretry = 1
# ban through a firewalld ipset instead of plain iptables rules
banaction = firewallcmd-ipset
# ban, then mail a report with whois output and the matching log lines
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
port = 22
# bantime=0 here is the ipset entry timeout: 0 means entries never expire, matching bantime = -1 above
action = %(banaction)s[name=%(__name__)s, bantime=0, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
logpath = /var/log/secure
The action line has to be written out explicitly; the ipset rule is specific to firewalld and is only supported from fail2ban 0.9 on.
bantime=-1 means a permanent ban
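An added POSIX sh audit script (not part of the original notes) that checks the settings above in one place: the sshd_config directives, the authorized_keys mode bits, and whether the port in the jail.local [sshd] section agrees with the port sshd actually listens on (the notes set Port 2222 but leave the jail on 22, which the last check flags). All file names and contents produced by make_samples are constructed test data, not real system files.

```shell
# Value of the first effective KEYWORD in an sshd_config (sshd takes the
# first occurrence; commented lines are skipped, keyword case is ignored).
sshd_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Value of KEY inside [SECTION] of a fail2ban jail file (first occurrence).
jail_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == ("[" s "]")); next }
        in_s && match($0, "^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Fails unless PasswordAuthentication is "no" and Port is set and not 22.
audit_sshd_config() {
    rc=0
    [ "$(sshd_get "$1" PasswordAuthentication)" = no ] \
        || { echo "$1: PasswordAuthentication is not 'no'" >&2; rc=1; }
    p=$(sshd_get "$1" Port)
    { [ -n "$p" ] && [ "$p" != 22 ]; } \
        || { echo "$1: Port is unset or still 22" >&2; rc=1; }
    return $rc
}

# Fails if group or others may write the file (mode string positions 6 and 9).
audit_authorized_keys() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????-??-?) return 0 ;;
        *) echo "$1: group/other writable ($mode)" >&2; return 1 ;;
    esac
}

# Fails when the jail's port does not match the port sshd actually listens on.
audit_jail_port() {  # audit_jail_port SSHD_CONFIG JAIL_LOCAL
    sp=$(sshd_get "$1" Port); jp=$(jail_get "$2" sshd port)
    [ "${sp:-22}" = "$jp" ] && return 0
    echo "$2: [sshd] port=$jp but sshd listens on ${sp:-22}" >&2; return 1
}
# Constructed sample files (not real system files); prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'Port 2222\nPasswordAuthentication no\n' > "$d/sshd_config.good"
    printf '#Port 2222\nPasswordAuthentication yes\n' > "$d/sshd_config.bad"
    printf '[DEFAULT]\nbantime = -1\n[sshd]\nenabled = true\nport = 22\n' > "$d/jail.local"
    : > "$d/ak.good"; chmod 644 "$d/ak.good"
    : > "$d/ak.bad";  chmod 666 "$d/ak.bad"
    echo "$d"
}
```

Run the audit functions against the real files (/etc/ssh/sshd_config, ~/.ssh/authorized_keys, /etc/fail2ban/jail.local) after editing; a non-zero exit with a message on stderr points at the setting that still needs fixing.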