Some Security Tips for SSH

Source: Internet  Published by: Financial Credit Basic Database  Editor: Programmer Blog Network  Time: 2024/05/20 04:47

I. Introduction

I probably don't need to say much about the benefits of ssh, do I?

In short, everything the old rpc commands and telnet were used for can be replaced by ssh.

For example, these common functions:

- Remote login

ssh user@remote.machine

- Remote execution

ssh user@remote.machine 'command ...'

- Remote copy

scp user@remote.machine:/remote/path /local/path

scp /local/path user@remote.machine:/remote/path

- X forwarding

ssh -X user@remote.machine

xcommand ...

- Tunnel / port forwarding

ssh -L 1234:remote.machine:4321 user@remote.machine

ssh -R 1234:local.machine:4321 user@remote.machine

ssh -L 1234:other.machine:4321 user@remote.machine

I won't go into the details of their usage here; readers can explore them on their own. What I want to cover is a set of security tips for the ssh service, so that everyone can use it with a little more peace of mind.

II. Implementation (using RedHat 9 as the example)

--------------------------------------------------

On the client side:

$ ssh-keygen -t rsa

* Press Enter three times to finish; no passphrase is needed unless you will be using ssh-agent.

$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub

* For a Windows client, generate the public key with puttygen.exe, copy it to the server, and then edit it so that its content is a single line.

* If the server already disallows password logins, copy the public key by some other means.

--------------------------------------------------

On the server side:

1) Disable root login

# vi /etc/ssh/sshd_config

PermitRootLogin no

2) Drop password login and force RSA authentication (assuming the ssh account is user1)

# vi /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

# service sshd restart

# su - user1

$ mkdir ~/.ssh 2>/dev/null

$ chmod 700 ~/.ssh

$ touch ~/.ssh/authorized_keys

$ chmod 644 ~/.ssh/authorized_keys

$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

$ rm ~/id_rsa.pub

$ exit
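Steps 1) and 2) are easy to get subtly wrong: a commented-out directive does nothing, sshd honours only the first occurrence of a keyword, and appending the same id_rsa.pub twice leaves duplicate keys behind. The following POSIX shell script is an added example, not code from the original post: it audits an sshd_config for PermitRootLogin, PasswordAuthentication and PubkeyAuthentication (RSAAuthentication is left out because it only ever governed the SSH-1 protocol and no longer exists in current OpenSSH), and it installs a public key into a user's authorized_keys with the same 700/644 permissions used above, skipping keys that are already present. The function names, the config path and the home directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not code from the original post): audit an sshd_config for
# the settings from steps 1) and 2), and install a public key into a user's
# authorized_keys with the permissions used above. Both take paths as
# parameters so they can be tried on a throwaway directory first.

# Print the effective value of a directive. sshd honours the FIRST
# occurrence of a keyword and ignores commented lines, so we do the same.
sshd_directive() {
    # $1 = sshd_config path, $2 = directive name (keywords are case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report one directive; return 1 if it is missing or has the wrong value.
check_directive() {
    # $1 = sshd_config path, $2 = directive, $3 = required value
    val=$(sshd_directive "$1" "$2")
    if [ -z "$val" ]; then
        echo "FAIL $2 not set (sshd default applies)"
        return 1
    elif [ "$val" != "$3" ]; then
        echo "FAIL $2 is '$val', want '$3'"
        return 1
    fi
    echo "OK   $2 $val"
}

# Check the three directives the post relies on; succeed only if all pass.
audit_sshd_config() {
    rc=0
    check_directive "$1" PermitRootLogin no        || rc=1
    check_directive "$1" PasswordAuthentication no || rc=1
    check_directive "$1" PubkeyAuthentication yes  || rc=1
    return $rc
}

# Create ~/.ssh (700) and authorized_keys (644) under the given home
# directory and append each key line from the public-key file, skipping
# keys that are already present so the file does not grow on re-runs.
install_authorized_key() {
    # $1 = home directory, $2 = public key file (e.g. the copied id_rsa.pub)
    home=$1; pub=$2; ak=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$ak" && chmod 644 "$ak"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$ak" || printf '%s\n' "$line" >> "$ak"
    done < "$pub"
}

# Usage when run directly: sh sshd_check.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run the audit after editing sshd_config and before restarting sshd; a FAIL line tells you which directive is missing or shadowed by an earlier one. The key installer can replace the manual mkdir/chmod/cat sequence above and is safe to run repeatedly.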

3) Restrict the su / sudo list:

# vi /etc/pam.d/su

auth required /lib/security/$ISA/pam_wheel.so use_uid

# visudo

%wheel ALL=(ALL) ALL

# gpasswd -a user1 wheel

4) Restrict the list of ssh users

# vi /etc/pam.d/sshd

auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail

# echo user1 >> /etc/ssh_users

5) Block ssh connections and manage the allow list through the web instead

# iptables -I INPUT -p tcp --dport 22 -j DROP

# mkdir /var/www/html/ssh_open

# cat > /var/www/html/ssh_open/.htaccess <<END
AuthName "ssh_open"
AuthUserFile /var/www/html/ssh_open/.htpasswd
AuthType basic
require valid-user
END

# htpasswd -c /var/www/html/ssh_open/.htpasswd user1

(It is best to also set up SSL, or better still to allow only https connections; I skip the SSL setup here, readers please fill it in.)

(If you need to control the connection source, add Allow/Deny entries as well; readers please fill that in too.)

# cat > /var/www/html/ssh_open/ssh_open.php <<'END'
<?php
//Set dir path for ip list
$dir_path=".";

//Set filename for ip list
$ip_list="ssh_open.txt";

//Get client ip
$user_ip=$_SERVER['REMOTE_ADDR'];

//allow specifying ip if needed
if (@$_GET['myip']) {
    $user_ip=$_GET['myip'];
}

//checking IP format
if ($user_ip==long2ip(ip2long($user_ip))) {
    //Put client ip to a file
    if(@!($file = fopen("$dir_path/$ip_list","w+"))) {
        echo "Permission denied!!<br>";
        echo "Pls Check your rights to dir $dir_path or file $ip_list";
    } else {
        fputs($file,"$user_ip");
        fclose($file);
        echo "client ip($user_ip) has put into $dir_path/$ip_list";
    }
} else {
    echo "Invalid IP format!!<br>ssh_open.txt was not changed.";
}
?>
END

# touch /var/www/html/ssh_open/ssh_open.txt

# chmod 640 /var/www/html/ssh_open/*

# chgrp apache /var/www/html/ssh_open/*

# chmod g+w /var/www/html/ssh_open/ssh_open.txt

# chmod o+t /var/www/html/ssh_open

# service httpd restart

# mkdir /etc/iptables

# cat > /etc/iptables/sshopen.sh <<'END'
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

list_dir=/var/www/html/ssh_open
list_file=$list_dir/allow_ssh.txt
bad_list=$list_dir/bad_ip.txt
auth_log=$list_dir/xinetd.log
trusted_ip="127.0.0.1 4.3.2.1"
chain_name=ssh_rules
mail_to=root

# clear chain if exists, or create chain.
iptables -L -n | /bin/grep -q "^Chain $chain_name" && {
    iptables -F $chain_name
    true
} || {
    iptables -N $chain_name
    ipt
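The sshopen.sh script is cut off in the source at this point. As an added example, not the post's own script, here is a complete POSIX shell version of the same idea: read the allow-list file that ssh_open.php writes, keep only entries that are well-formed IPv4 addresses (the shell counterpart of the long2ip(ip2long()) check in the PHP), and emit the iptables commands for a dedicated chain that is inserted ahead of the DROP rule from step 5. The list file, chain name and always-allowed addresses are parameters; the function and variable names are this example's own. The commands are printed rather than executed, so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not the post's own sshopen.sh (which is cut off above).
# Turns the allow-list written by ssh_open.php into iptables commands for a
# dedicated chain, keeping only well-formed IPv4 entries. Commands are
# printed, not run, so they can be reviewed before being applied as root.

# Return 0 only for a dotted quad with four octets in 0-255.
# The first case rejects anything that is not digits and dots, which also
# keeps shell glob characters away from the word splitting below.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o; do
            [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Print the iptables commands for chain $2 from allow-list $1; $3 holds
# space-separated addresses that are always allowed (the post's trusted_ip).
# Rejected entries go to stderr. Packets that match nothing in the chain
# return to INPUT and hit the DROP rule added in step 5.
build_ssh_rules() {
    list=$1; chain=$2; trusted=$3
    # Create the chain, or flush it if it already exists (-N fails then).
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    for ip in $trusted; do
        echo "iptables -A $chain -s $ip -p tcp --dport 22 -j ACCEPT"
    done
    while IFS= read -r entry || [ -n "$entry" ]; do
        ip=$(printf '%s' "$entry" | tr -d '[:space:]')   # tolerate stray whitespace
        [ -n "$ip" ] || continue
        if valid_ipv4 "$ip"; then
            echo "iptables -A $chain -s $ip -p tcp --dport 22 -j ACCEPT"
        else
            echo "rejected invalid entry: $entry" >&2
        fi
    done < "$list"
    # Remove any earlier jump so re-runs do not stack duplicates, then
    # insert the jump at the top of INPUT, ahead of the blanket DROP.
    echo "iptables -D INPUT -p tcp --dport 22 -j $chain 2>/dev/null"
    echo "iptables -I INPUT -p tcp --dport 22 -j $chain"
}

# Usage when run directly:
#   sh build_ssh_rules.sh /var/www/html/ssh_open/ssh_open.txt ssh_rules "127.0.0.1 4.3.2.1" | sh
if [ "$#" -ge 2 ]; then
    build_ssh_rules "$1" "$2" "${3:-127.0.0.1}"
fi
```

Make sure the list file name matches what ssh_open.php writes (ssh_open.txt above); the visible part of sshopen.sh names allow_ssh.txt, so the two have to be reconciled. Run the generator from cron or from the web script's trigger, check its stderr for rejected lines, and only then apply the printed commands.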