SSH login hardening on CentOS 7

Copyright notice: this is the blogger's original article; reproduction without the blogger's permission is not allowed. https://blog.csdn.net/firehadoop/article/details/71703093

    Because of network security concerns, the ssh service on CentOS 7 needs to be hardened. The detailed steps and the reasoning behind them are given below.

    CentOS 7 installs and enables the advanced system firewall (firewalld) by default, and the ssh service listens on port 22 by default. If you change the listening port directly in the ssh configuration file, restarting sshd does not succeed: the service reports that it cannot bind the port. So, to change the ssh port, the system firewall configuration has to be changed first.


I. Changing the ssh login port

    1. Add the new ssh listening port on the firewall

        firewall-cmd --permanent --zone=public --add-port=3333/tcp  # add port 3333, protocol tcp, to the public zone

        firewall-cmd --reload   # reload the configuration so the new rule takes effect

    2. Check that the port was added

        firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 3333/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 


    3. Change the listening port in the ssh configuration file to 3333

        vim /etc/ssh/sshd_config

        Find the line "#Port 22", change it to "Port 3333" and remove the leading "#".

        Save and exit when the change is done.

        service sshd restart   # restart the service so that it now listens on 3333

    4. Scanning the host with nmap now shows that ssh on port 22 is closed

        PORT   STATE  SERVICE VERSION
        22/tcp closed ssh

    5. Handle the traffic to port 22 so that nmap cannot detect anything

        firewall-cmd --permanent --zone=public --remove-port=22/tcp     # remove the original port 22 from the firewall

        firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=127.0.0.1  # redirect traffic arriving on 22/tcp to the host's own loopback 127.0.0.1; the probe gets no reply, so the port shows as filtered instead of closed

        firewall-cmd --reload   # reload so both changes take effect

    6. Scanning again now shows no port information at all; the port change is complete.
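The six steps above as one script, added here as an example and not part of the original post. It assumes the same layout as the post (firewalld with the public zone, sshd_config at /etc/ssh/sshd_config, new port 3333) and adds two checks the post does not show: a `semanage port` call so that sshd is allowed to bind the new port when SELinux is enforcing, which on CentOS 7 is the usual cause of the "cannot bind" error after a port change, and `sshd -t` to validate the file before restarting. It also removes the `ssh` service entry rather than only running `--remove-port=22/tcp`, because the `--list-all` output in step 2 shows port 22 was opened through that service entry. The function names (`sshd_set_port`, `sshd_get_port`, `apply`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): section I as one script.
# Assumptions: firewalld with the "public" zone, sshd_config at
# /etc/ssh/sshd_config, new port 3333, and possibly SELinux enforcing.
set -eu

NEW_PORT="${NEW_PORT:-3333}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Step 3 as a function: rewrite the first "Port N" or "#Port N" line of a
# sshd_config-style file, drop any other Port lines, or append one if absent.
sshd_set_port() {
    f="$1"; port="$2"
    awk -v port="$port" '
        /^[[:space:]]*#?[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Effective port of a sshd_config-style file (22 when no Port line is set).
sshd_get_port() {
    p=$(sed -nE 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]+([0-9]+).*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# Steps 1, 2, 3 and 5 on the live system; run as root.
apply() {
    firewall-cmd --permanent --zone=public --add-port="$NEW_PORT/tcp"
    firewall-cmd --reload
    # step 2: stop here if the port did not land in the zone
    firewall-cmd --zone=public --list-ports | grep -qwF "$NEW_PORT/tcp"

    # added: SELinux only lets sshd bind ports labelled ssh_port_t
    if command -v semanage >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        semanage port -a -t ssh_port_t -p tcp "$NEW_PORT" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$NEW_PORT"
    fi

    sshd_set_port "$SSHD_CONFIG" "$NEW_PORT"
    sshd -t -f "$SSHD_CONFIG"          # added: refuse to restart on a broken file
    systemctl restart sshd

    # 22 was opened by the "ssh" service entry (see list-all above), so remove
    # that entry too; then sink anything still arriving on 22/tcp into loopback.
    firewall-cmd --permanent --zone=public --remove-service=ssh
    firewall-cmd --permanent --zone=public --remove-port=22/tcp || true
    firewall-cmd --permanent --zone=public \
        --add-forward-port=port=22:proto=tcp:toport=22:toaddr=127.0.0.1
    firewall-cmd --reload
}

# Act only when invoked as "apply"; otherwise the file just defines functions.
case "${1:-}" in
    apply) apply ;;
esac
```

Run it as root with `sh harden_ssh_port.sh apply`; without the argument the file only defines the functions, so it can be sourced to try `sshd_set_port` on a copy of sshd_config first. On CentOS 7, `semanage` comes from the policycoreutils-python package.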

II. Network-layer IP address restriction

    Hiding the port cannot guarantee security on its own; it is best to restrict by service plus IP address. This is done by editing /etc/hosts.allow with rules that allow only whitelisted IP addresses to reach this host's ssh service and refuse every other address:

    [root@localhost ~]# vim  /etc/hosts.allow 
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
# allow 192.168.1.11 to reach this host's ssh service
sshd:192.168.1.11:allow
# allow 192.168.1.12 to reach this host's ssh service
sshd:192.168.1.12:allow
# refuse everyone else by default (hosts.allow only treats lines that start
# with "#" as comments, so comments go on their own lines)
sshd:all:deny


III. Application-layer restriction on account + IP

    Configuring /etc/ssh/sshd_config allows richer restrictions than hosts.allow: hosts.allow restricts at the network layer, while here the restriction is at the service layer, with rules of the form IP + account, so that a given source IP may log in only with the specified account.

# 192.168.1.11 may log in as root
AllowUsers root@192.168.1.11
# 192.168.1.12 may log in only as test
AllowUsers test@192.168.1.12
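To see how the layers in sections II and III combine, here is a small checker, added as an example and not part of the original post, that answers "would user U connecting from address A be let in?" against a hosts.allow file and a sshd_config file. It is a simplified model of the real matching (exact addresses, trailing-dot network prefixes such as 192.168.1., the ALL wildcard, and shell-style user@host patterns for AllowUsers); the sample files are constructed to mirror the post's rules, and the function names (`wrappers_verdict`, `allowusers_verdict`, `ssh_access`) are this example's own. A second constructed file with the `sshd:all:deny` rule placed first shows why rule order matters: tcp_wrappers stops at the first matching rule.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of the two
# access layers configured in sections II and III. All sample files below are
# constructed for the demonstration.
set -eu

# Layer 1, network: tcp_wrappers reads hosts.allow top to bottom and stops at
# the first rule whose daemon list covers sshd and whose client list matches
# the peer address; a trailing ":deny" option turns that rule into a refusal.
# Modelled: exact addresses, trailing-dot prefixes (192.168.1.) and ALL. No
# matching rule counts as "allow" (the real library would also read hosts.deny).
wrappers_verdict() {
    file="$1"; ip="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t' | tr 'A-Z' 'a-z')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' \t' | tr 'A-Z' 'a-z')
        option=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' \t' | tr 'A-Z' 'a-z')
        case ",$daemons," in *,sshd,*|*,all,*) ;; *) continue ;; esac
        matched=0
        oldifs=$IFS; IFS=,
        for client in $clients; do
            case "$client" in
                all)   matched=1 ;;
                *.)    case "$ip" in "$client"*) matched=1 ;; esac ;;
                "$ip") matched=1 ;;
            esac
        done
        IFS=$oldifs
        if [ "$matched" = 1 ]; then
            case "$option" in deny) echo deny ;; *) echo allow ;; esac
            return 0
        fi
    done < "$file"
    echo allow
}

# Layer 2, application: once AllowUsers appears in sshd_config, a login passes
# only if the user matches a bare pattern, or user and peer match a user@host
# pattern (sshd tries host name and address; only the address is used here).
allowusers_verdict() {
    file="$1"; user="$2"; ip="$3"
    patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$file")
    [ -n "$patterns" ] || { echo allow; return 0; }
    for pat in $patterns; do
        case "$pat" in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
            *)   upat=$pat; hpat='*' ;;
        esac
        [ -n "$upat" ] && [ -n "$hpat" ] || continue
        # unquoted expansions in a case pattern keep * and ? as wildcards
        case "$user" in
            $upat) case "$ip" in $hpat) echo allow; return 0 ;; esac ;;
        esac
    done
    echo deny
}

# A connection must clear both layers; tcp_wrappers decides before sshd has
# even read a user name, so a network-layer refusal is reported first.
ssh_access() {
    hosts_allow="$1"; sshd_config="$2"; user="$3"; ip="$4"
    [ "$(wrappers_verdict "$hosts_allow" "$ip")" = allow ] || { echo "deny (hosts.allow)"; return 0; }
    [ "$(allowusers_verdict "$sshd_config" "$user" "$ip")" = allow ] || { echo "deny (AllowUsers)"; return 0; }
    echo allow
}

# Constructed sample files mirroring the post's rules.
HOSTS_ALLOW_SAMPLE=$(mktemp)
cat > "$HOSTS_ALLOW_SAMPLE" <<'EOF'
# two workstations may reach sshd, everyone else is refused
sshd:192.168.1.11:allow
sshd:192.168.1.12:allow
sshd:all:deny
EOF
SSHD_CONFIG_SAMPLE=$(mktemp)
cat > "$SSHD_CONFIG_SAMPLE" <<'EOF'
Port 3333
AllowUsers root@192.168.1.11
AllowUsers test@192.168.1.12
EOF
# Same rules with the catch-all deny first: first match wins, so this variant
# locks everyone out, a common mistake when editing hosts.allow.
HOSTS_ALLOW_MISORDERED=$(mktemp)
cat > "$HOSTS_ALLOW_MISORDERED" <<'EOF'
sshd:all:deny
sshd:192.168.1.11:allow
EOF

for probe in root@192.168.1.11 test@192.168.1.11 test@192.168.1.12 root@192.168.1.13; do
    printf '%-20s %s\n' "$probe" "$(ssh_access "$HOSTS_ALLOW_SAMPLE" "$SSHD_CONFIG_SAMPLE" "${probe%%@*}" "${probe#*@}")"
done
```

Run with `sh access_check.sh`; it prints the verdict for a few user@address probes. The order of the checks matters: a host outside the whitelist is refused at the network layer before sshd ever sees a user name, and a whitelisted host can still be refused by AllowUsers when it presents the wrong account.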

IV. Hardening summary

    The hardening approach: first, leak as little information as possible, revealing neither the service type nor the operating system type; the first step, changing the port and redirecting the traffic, leaves external probing with nothing to aim at. Then, at the network layer of the operating system, whitelist the IP addresses that may connect. Finally, pin each whitelisted address to a specific login account. These three steps complete the hardening of the ssh service on CentOS 7.

    The effect of the hardening should be confirmed at any time by scanning with nmap; below is the result after hardening. All operations involve the ssh configuration file /etc/ssh/sshd_config and the operating system's network-layer IP restriction file /etc/hosts.allow; the tool used to test the hardening is nmap.


nmap -sS -v -A 192.168.1.1


Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2017-05-11 21:58 CST
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 21:58, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.01s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 192.168.1.1 [1000 ports]
Completed SYN Stealth Scan at 21:58, 14.38s elapsed (1000 total ports)
Initiating Service scan at 21:58
Initiating OS detection (try #1) against 192.168.1.1
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.01s elapsed
NSE: Script scanning 192.168.1.1
Initiating NSE at 21:58
Completed NSE at 21:58, 0.01s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Nmap scan report for 192.168.1.1
Host is up (0.00064s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|firewall
Running: Asus embedded, Palo Alto embedded
OS CPE: cpe:/h:asus:rt-53n cpe:/h:paloalto:pa-500
OS details: Asus RT-53N WAP, Palo Alto PA-500 firewall  # without hardening, the exact Linux version and service would be identified directly, exposing a great deal of information

Network Distance: 1 hop


TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.86 ms 192.168.1.1


NSE: Script Post-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds
           Raw packets sent: 2021 (90.330KB) | Rcvd: 35 (2.570KB)



-------------------- Below is the nmap scan result before hardening

22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)               # shows the port, the service and the exact OpenSSH version directly
| ssh-hostkey: 
|   2048 79:38:a3:18:ce:9d:a7:16:5c:bd:61:12:95:30:aa:6c (RSA)
|_  256 2f:a7:3e:d8:fd:b1:2b:9a:af:03:38:44:73:f2:55:ad (ECDSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|WAP|load balancer|firewall
Running (JUST GUESSING): Linux 2.6.X (94%), Netgear Linux 2.6.X (93%), Linksys embedded (91%), Ubiquiti Linux 2.6.X (90%), F5 Networks embedded (87%), Palo Alto embedded (87%), F5 Networks TMOS 11.1.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:netgear:linux_kernel:2.6 cpe:/h:linksys:befw11s4 cpe:/o:ubiquiti:linux_kernel:2.6 cpe:/h:paloalto:pa-500 cpe:/o:f5:tmos:11.1
Aggressive OS guesses: Linux 2.6.32 (94%), Netgear ReadyNAS 3200 NAS device (Linux 2.6) (93%), Linksys BEFW11S4 WAP (91%), Linux 2.6.11 - 2.6.18 (90%), Ubiquiti WAP (Linux 2.6.32) (90%), F5 BIG-IP load balancer (87%), Palo Alto PA-500 firewall (87%), F5 3600 LTM load balancer (85%), Netgear WNDAP660 WAP (Linux 2.6.36) (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.245 days (since Thu May 11 08:42:05 2017)

