Linux SSH port hardening (server setup series)

I installed CentOS 7 on an old DELL machine of mine as my everyday development server. Even on a home LAN we still need to pay attention to security, just as with a production server: changing the commonly used ports can greatly reduce the risk of malicious brute-force attacks, because once the service no longer sits on its well-known port, generic brute-force requests are simply rejected and ignored by the server. For more, see (wwww.omob.cc)

Changing the SSH port

# First open the target SSH port in the firewall
[root@thinkcent network-scripts]# firewall-cmd --zone=public --add-port=123/tcp --permanent
success
# Reload the firewall
[root@thinkcent network-scripts]# firewall-cmd --reload
success
# Edit the sshd configuration file
[root@thinkcent network-scripts]# vi /etc/ssh/sshd_config

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
# Change the port here
Port 123
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#LoginGraceTime 2m
# Recommended: change this too, to forbid root logins over SSH and allow only normal users
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# Restart SSH, but it fails
[root@thinkcent network-scripts]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
# Check the cause: it is an SELinux restriction. I do not recommend disabling SELinux; instead we just update the SELinux policy
[root@thinkcent network-scripts]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sat 2018-07-14 14:45:29 CST; 18s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 19159 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
 Main PID: 19159 (code=exited, status=255)

Jul 14 14:45:29 thinkcent systemd[1]: Failed to start OpenSSH server daemon.
Jul 14 14:45:29 thinkcent systemd[1]: Unit sshd.service entered failed state.
Jul 14 14:45:29 thinkcent systemd[1]: sshd.service failed.
# Install semanage
[root@thinkcent network-scripts]# yum -y install policycoreutils-python
# Allow port 123 in SELinux
[root@thinkcent network-scripts]# semanage port -a -t ssh_port_t -p tcp 123
# Check the result
[root@thinkcent network-scripts]# semanage port -l | grep ssh
ssh_port_t                     tcp      123, 22
# Restart SSH again; this time it succeeds
[root@thinkcent network-scripts]# systemctl restart sshd.service
# Port 123 is now being listened on
[root@thinkcent thinktik]# netstat -lnp|grep 123
tcp        0      0 0.0.0.0:123              0.0.0.0:*               LISTEN      19302/sshd          
tcp6       0      0 :::123                  :::*                    LISTEN      19302/sshd          
unix  2      [ ACC ]     STREAM     LISTENING     22728    1686/master          private/verify
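The restart above failed because the firewall, SELinux and sshd_config were not all in agreement about the new port. The script below is an added example (not the author's code) that performs that consistency check before sshd is restarted: it reads the sshd_config text plus the output of `semanage port -l` and `firewall-cmd --zone=public --list-ports` and reports which step is still missing. The sample outputs are constructed; on a real host they would come from the real commands.

```shell
# Pre-flight check for an SSH port change on CentOS 7 with firewalld + SELinux.
# Added example, not from the original post. Inputs are plain text: sshd_config
# contents, `semanage port -l` output, `firewall-cmd --list-ports` output.

# Print the active Port directive from sshd_config text (commented lines ignored; default 22).
sshd_config_port() {
    p=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2; exit }')
    printf '%s\n' "${p:-22}"
}

# Succeed if `semanage port -l` labels $1/tcp as ssh_port_t (single ports or ranges like 1024-65535).
selinux_allows_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == port) found = 1
                else if (split($i, r, "-") == 2 && r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Succeed if "$1/tcp" appears in `firewall-cmd --list-ports` output.
firewall_allows_port() {
    for entry in $2; do
        [ "$entry" = "$1/tcp" ] && return 0
    done
    return 1
}

# Run both checks for the port sshd would actually use; print the missing command on failure.
ssh_port_preflight() {
    port=$(sshd_config_port "$1")
    rc=0
    selinux_allows_port "$port" "$2" || {
        echo "SELinux does not allow $port/tcp: semanage port -a -t ssh_port_t -p tcp $port"; rc=1; }
    firewall_allows_port "$port" "$3" || {
        echo "firewalld does not open $port/tcp: firewall-cmd --zone=public --add-port=$port/tcp --permanent"; rc=1; }
    return $rc
}

# Constructed samples: the config from the post, SELinux before/after semanage, firewalld after --reload.
SSHD_CONFIG='#Port 22
Port 123
PermitRootLogin no'
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      123, 22'
FIREWALL_PORTS='123/tcp'

ssh_port_preflight "$SSHD_CONFIG" "$SEMANAGE_BEFORE" "$FIREWALL_PORTS" || echo "-> restart would fail, as in the post"
ssh_port_preflight "$SSHD_CONFIG" "$SEMANAGE_AFTER" "$FIREWALL_PORTS" && echo "-> safe to run: sshd -t && systemctl restart sshd"
```

Keep the existing SSH session open until a login on the new port has been verified, so a mistake in any of the three places cannot lock you out.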


Reposted from blog.csdn.net/thinktik/article/details/81044859