一, 前言

关于 ssh 的好处, 相信不用我多说了吧?
简而言之, 之前的 rpc command 与 telnet 都全可用 ssh 代替.
比方如下的这些常见功能:
- 远程登录
ssh [email protected]
- 远程执行
ssh [email protected] ’command ...’
- 远程粗?
scp [email protected]:/remote/path /local/path
scp /local/path [email protected]:/remote/path
- X forward
ssh -X [email protected]
xcommand ...
- Tunnel / Portforward
ssh -L 1234:remote.machine:4321 [email protected]
ssh -R 1234:local.machine:4321 [email protected]
ssh -L 1234:other.machine:4321 [email protected]

至于详细的用法, 我这就不说了. 请读者自行研究吧.
我这里要说的, 是针对 ssh 服务为大家介绍一些安全技巧, 希望大家用得更安心些.

二, 实作

(实作以 RedHat 9 为范例)

1. 禁止 root 登录

vi /etc/ssh/sshd_config

PermitRootLogin no

2. 废除密码登录, 强迫使用 RSA 验证(假设 ssh 账户为 user1 )

vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

service sshd restart

su - user1

$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys

--------------------------------------------------
转往 client 端:
$ ssh-keygen -t rsa
(按三下 enter 完成﹔不需设密码，除非您会用 ssh-agent 。)
$ scp ~/.ssh/id_rsa.pub [email protected]:id_rsa.pub
(若是 windows client, 可用 puttygen.exe 产生 public key,
然后复制到 server 端后修改之, 使其内容成为单一一行.)
---------------------------------------------------

回到 server 端:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit

3. 限制 su / sudo 名单:

vi /etc/pam.d/su

auth required /lib/security/$ISA/pam_wheel.so use_uid

visudo

%wheel ALL=(ALL) ALL

gpasswd -a user1 wheel

4. 限制 ssh 使用者名单

vi /etc/pam.d/sshd

auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail

echo user1 >> /etc/ssh_users

5. 封锁 ssh 联机并改用 web 控管清单

iptables -I INPUT -p tcp --dport 22 -j DROP

mkdir /var/www/html/ssh_open

cat > /var/www/html/ssh_open/.htaccess <

 1<end "ssh_open"="" #="" (如需控制联机来源,="" (最好还将="" -c="" .htpasswd="" allow="" authname="" authtype="" authuserfile="" basic="" cat="" deny="" end="" html="" htpasswd="" https="" require="" ssh_open="" ssl="" user1="" valid-user="" var="" www="" 也请读者自补.)="" 我这里略过="" 或只限="" 联机更佳,="" 设定,="" 设起来,="" 请读者自补.)="" 那请再补="" 项目,=""> /var/www/html/ssh_open/ssh_open.php &lt;<end "permission="" $dir_path="." $ip_list="ssh_open.txt" $user_ip="$_GET[’myip’];" ($user_ip="long2ip(ip2long($user_ip)))" (@$_get[’myip’])="" ;="" <?="" a="" allow="" checking="" client="" denied!!<br="" dir="" echo="" file="" filename="" for="" format="" get="" if="" if(@!($file='fopen("$dir_path/$ip_list","w+")))' ip="" list="" needed="" path="" put="" set="" specifying="" to="" {="" }="">";   
 2echo "Pls Check your rights to dir $dir_path or file $ip_list";   
 3}   
 4else   
 5{   
 6fputs($file,"$user_ip");   
 7fclose($file);   
 8echo "client ip($user_ip) has put into $dir_path/$ip_list";   
 9}   
10} else {   
11echo "Invalid IP format!!<br/>ssh_open.txt was not changed.";   
12}   
13?&gt;   
14END   
15# touch /var/www/html/ssh_open/ssh_open.txt   
16# chmod 640 /var/www/html/ssh_open/*   
17# chgrp apache /var/www/html/ssh_open/*   
18# chmod g+w /var/www/html/ssh_open/ssh_open.txt   
19# chmod o+t /var/www/html/ssh_open   
20# service httpd restart   
21# mkdir /etc/iptables   
22# cat &gt; /etc/iptables/sshopen.sh &lt;&lt;END   
23#!/bin/bash   
24  
25PATH=/sbin:/bin:/usr/sbin:/usr/bin 
26
27本新闻共  2  页,当前在第  1  页  1  2</end></end>