ssh服务安全配置

               

<!--@page { size: 8.5in 11in; margin: 0.79in }P { margin-bottom: 0.08in }-->

参考：
http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/
http://www.foogazi.com/2006/11/29/modify-ssh-to-maximize-security/

ssh的配置文件位于/etc/ssh/sshd_config
推荐配置：

1. 使sshd服务运行在非标准端口上设置方法：编辑/etc/ssh/sshd_config文件，添加一行内容为(假定设置监听端口是12345)：port 12345
   在客户端，用ssh <server addr> -p 12345登录服务器。
2. 只允许ssh v2的连接protocol 2
3. 禁止root用户通过ssh登录PermitRootLogin no
4. 禁止用户使用空密码登录PermitEmptyPasswords no
5. 限制登录失败后的重试次数MaxAuthTries 3
6. 只允许在列表中指定的用户登录AllowUsers user1 user2

设置完成以后，运行命令使之生效：
[root@jcwkyl ssh]# /etc/init.d/sshd reload

直接使用root操作是很危险的事情，不能依靠用户的自律来保证无失。推荐使用证书认证的方式，既安全，又方便。在windows客户端中使用putty进行免密码登录的方法在http://blog.csdn.net/jcwKyl/archive/2009/09/17/4562599.aspx记录过，在linux下:

登录到服务器：

[whb@jcwkyl ~]$ ssh whb@server
whb@server's password:
Last login: Thu Jan  7 19:17:28 2010 from jcwkyl.gridlab

生成一对公/私密钥：

[whb@server ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/whb/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/whb/.ssh/id_rsa.
Your public key has been saved in /home/whb/.ssh/id_rsa.pub.
The key fingerprint is:
b5:fb:a1:9f:25:e1:48:80:70:06:b3:9b:29:3b:df:1f [email protected]

公钥改名为authorized_keys，把私钥传送给客户端：

[whb@server ~]$ cd .ssh/
[whb@server .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[whb@server .ssh]$ mv id_rsa.pub authorized_keys
[whb@server .ssh]$ scp id_rsa [email protected]:~whb/.ssh/serverkey
The authenticity of host '10.60.56.90 (10.60.56.90)' can't be established.
RSA key fingerprint is 19:51:4b:38:47:43:da:b9:e1:d0:53:75:95:07:ed:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.60.56.90' (RSA) to the list of known hosts.
[email protected]'s password:
id_rsa                                                            100% 1675     1.6KB/s   00:00

客户端登录：

[whb@jcwkyl ~]$ ssh-add .ssh/serverkey
Identity added: .ssh/serverkey (.ssh/serverkey)
[whb@jcwkyl ~]$ ssh whb@server
Last login: Thu Jan 14 21:50:03 2010 from jcwkyl.gridlab

证书认证的原理就是PKI的认证过程。

           

再分享一下我老师大神的人工智能教程吧。零基础！通俗易懂！风趣幽默！还带黄段子！希望你也加入到我们人工智能的队伍中来！https://blog.csdn.net/jiangjunshow