SSH的一些安全小技巧.doc

SSH的一些安全小技巧前言关于 ssh 的好处, 相信不用我多说了吧? 簡而言之, 之前的 rpc command 于 telnet 都全可用 ssh 代替. 比方如下的這些常見功能:- 远程登录 ssh userremote.machine- 远程执行 ssh userremote.machine command .- 远程复制 scp userremote.machine:/remote/path /local/path scp /local/path userremote.machine:/remote/path- X forward ssh -X userremote.machine xcommand .- Tunnel / Portforward ssh -L 1234:remote.machine:4321 userremote.machine ssh -R 1234:local.machine:4321 userremote.machine ssh -L 1234:other.machine:4321 userremote.machine至於详细的用法, 我這就不說了. 请读者自行研究吧.我这里要说的, 是针对 ssh 服务为大家介绍一些安全技巧, 希望大家用得更安心些实例(以 RedHat 9 为例)轉往 client 端:$ ssh-keygen -t rsa+ 按三下 enter 完成不需設密碼，除非您會用 ssh-agent .$ scp /.ssh/id_rsa.pub user1server.machine:id_rsa.pub+ 若是 windows client, 可用 puttygen.exe 產生 public key, 然後複制到 server 端後修改之, 使其內容成為單一一行.+ 如果 server 端已經禁止密碼登入, 那請用其它放法復製 publick key.登入 server 端:1) 禁止 root 登錄# vi /etc/ssh/sshd_configPermitRootLogin no2) 廢除密碼登錄, 強迫使用 RSA 驗證(假設 ssh 帳戶為 user1 )# vi /etc/ssh/sshd_configRSAAuthentication yesPubkeyAuthentication yesAuthorizedKeysFile .ssh/authorized_keysPasswordAuthentication no# service sshd restart# su - user1$ mkdir /.ssh 2/dev/null$ chmod 700 /.ssh$ touch /.ssh/authorized_keys$ chmod 644 /.ssh/authorized_keys$ cat /id_rsa.pub /.ssh/authorized_keys$ rm /id_rsa.pub$ exit3) 限制 su / sudo 名單:# vi /etc/pam.d/suauth required /lib/security/$ISA/pam_wheel.so use_uid# visudo%wheel ALL=(ALL) ALL# gpasswd -a user1 wheel4) 限制 ssh 使用者名單# vi /etc/pam.d/sshdauth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail# echo user1 /etc/ssh_users5) 封鎖 ssh 連線並改用 web 控管清單# iptables -I INPUT -p tcp -dport 22 -j DROP# mkdir /var/www/html/ssh_open# cat /var/www/html/ssh_open/.htaccess /var/www/html/ssh_open/ssh_open.php END?/Set dir path for ip list$dir_path=.;/Set filename for ip list$ip_list=ssh_open.txt;/Get client ip$user_ip=$_SERVERREMOTE_ADDR;/allow specifying ip if neededif ($_GETmyip) $user_ip=$_GETmyip;/checking IP formatif ($user_ip#long2ip(ip2long($user_ip) /Put client ip to a fileif(!($file = fopen($dir_path/$ip_list,w+) echo Permission denied!; echo Pls Check your rights to dir $dir_path or file $ip_list;else fputs($file,$user_ip); fclose($file); echo client ip($user_ip) has put into $dir_path/$ip_list; else echo Invalid IP format!ssh_open.txt was not changed.;?.END# touch /var/www/html/ssh_open/ssh_open.txt# chmod 640 /var/www/html/ssh_open/*# chgrp apache /var/www/html/ssh_open/*# chmod g+w /var/www/html/ssh_open/ssh_open.txt# chmod o+t /var/www/html/ssh_open# service httpd restart# mkdir /etc/iptables# cat /etc/iptables/sshopen.sh $list_file exit 0# do nothing while list is empty -s $list_file | exit 1# deny connection if host dosnt math to listhost_ip=$(grep myssh from= $auth_log | tail -1 | awk -F= print $NF)list_ip=$(cat $list_file)if -n $host_ip -a $host_ip != $list_ip ; then echo -e $trusted_ip/ /n | grep -q $host_ip | /sbin/iptables-save | grep -q INPUT -s $host_IP -j DROP$ | /sbin/iptables -I INPUT -s $host_ip -j DROP echo $host_ip $bad_list echo $host_ip is blocked by $0 on $(date) | mail -s block ip $mail_to exit 2fi# add ruleiptables -A $chain_name -p tcp -dport 22 -s $( $list_file) -j ACCEPT & echo ssh opened to $( /etc/services# cat /etc/xinetd.d/sshopen /etc/cron.d/sshopen /etc/iptables/sshblock.sh $PERM_LIST doneEND# chmod +x /etc/firewall/sshblock.sh# cat /etc/hosts.allow ENDsshd: ALL: spawn ( /etc/firewall/sshblock.sh )& : ALLOWEND這樣, 那些亂 try SSH 的家夥, 頂多能試 5 次(LIMIT 可調整), 然後就給 BLOCK 掉了. 此外, 在 PERM_LIST 的 ip, 也可提供給 iptables 的初始 script , 來個永久性封閉: for i in $( /etc/xinetd.d/finger /etc/hosts.allow ENDin.fingerd: ALL : spawn ( echo -e nWAR