一, 前言
关于 ssh 的好处, 相信不用我多说了吧?
简而言之, 之前的 rpc command 与 telnet 都全可用 ssh 代替.
比方如下的这些常见功能:
- 远程登录
ssh [email protected]
- 远程执行
ssh [email protected] ’command ...’
- 远程粗?
scp [email protected]:/remote/path /local/path
scp /local/path [email protected]:/remote/path
- X forward
ssh -X [email protected]
xcommand ...
- Tunnel / Portforward
ssh -L 1234:remote.machine:4321 [email protected]
ssh -R 1234:local.machine:4321 [email protected]
ssh -L 1234:other.machine:4321 [email protected]
至于详细的用法, 我这就不说了. 请读者自行研究吧.
我这里要说的, 是针对 ssh 服务为大家介绍一些安全技巧, 希望大家用得更安心些.
二, 实作
(实作以 RedHat 9 为范例)
- 禁止 root 登录
vi /etc/ssh/sshd_config
PermitRootLogin no
- 废除密码登录, 强迫使用 RSA 验证(假设 ssh 账户为 user1 )
vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
service sshd restart
su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
--------------------------------------------------
转往 client 端:
$ ssh-keygen -t rsa
(按三下 enter 完成﹔不需设密码,除非您会用 ssh-agent 。)
$ scp ~/.ssh/id_rsa.pub [email protected]:id_rsa.pub
(若是 windows client, 可用 puttygen.exe 产生 public key,
然后复制到 server 端后修改之, 使其内容成为单一一行.)
---------------------------------------------------
回到 server 端:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit
- 限制 su / sudo 名单:
vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
visudo
%wheel ALL=(ALL) ALL
gpasswd -a user1 wheel
- 限制 ssh 使用者名单
vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
echo user1 >> /etc/ssh_users
- 封锁 ssh 联机并改用 web 控管清单
iptables -I INPUT -p tcp --dport 22 -j DROP
mkdir /var/www/html/ssh_open
cat > /var/www/html/ssh_open/.htaccess <
1<end "ssh_open"="" #="" (如需控制联机来源,="" (最好还将="" -c="" .htpasswd="" allow="" authname="" authtype="" authuserfile="" basic="" cat="" deny="" end="" html="" htpasswd="" https="" require="" ssh_open="" ssl="" user1="" valid-user="" var="" www="" 也请读者自补.)="" 我这里略过="" 或只限="" 联机更佳,="" 设定,="" 设起来,="" 请读者自补.)="" 那请再补="" 项目,=""> /var/www/html/ssh_open/ssh_open.php <<end "permission="" $dir_path="." $ip_list="ssh_open.txt" $user_ip="$_GET[’myip’];" ($user_ip="long2ip(ip2long($user_ip)))" (@$_get[’myip’])="" ;="" <?="" a="" allow="" checking="" client="" denied!!<br="" dir="" echo="" file="" filename="" for="" format="" get="" if="" if(@!($file='fopen("$dir_path/$ip_list","w+")))' ip="" list="" needed="" path="" put="" set="" specifying="" to="" {="" }="">";
2echo "Pls Check your rights to dir $dir_path or file $ip_list";
3}
4else
5{
6fputs($file,"$user_ip");
7fclose($file);
8echo "client ip($user_ip) has put into $dir_path/$ip_list";
9}
10} else {
11echo "Invalid IP format!!<br/>ssh_open.txt was not changed.";
12}
13?>
14END
15# touch /var/www/html/ssh_open/ssh_open.txt
16# chmod 640 /var/www/html/ssh_open/*
17# chgrp apache /var/www/html/ssh_open/*
18# chmod g+w /var/www/html/ssh_open/ssh_open.txt
19# chmod o+t /var/www/html/ssh_open
20# service httpd restart
21# mkdir /etc/iptables
22# cat > /etc/iptables/sshopen.sh <<END
23#!/bin/bash
24
25PATH=/sbin:/bin:/usr/sbin:/usr/bin
26
27本新闻共 2 页,当前在第 1 页 1 2</end></end>