Introduction to the Linux base service sshd

2025-11-14 09:41:05 admin

sshd is provided by OpenSSH.

SSH protocol: Secure Shell, a secure shell protocol. SSH is a security protocol built on top of the application and transport layers. The sshd service uses the SSH protocol for remote control or for transferring files between computers. Because sshd encrypts the transport, it is far safer than telnet, which transfers everything in plaintext.

sshd configuration file

/etc/ssh/sshd_config

A line that starts with # and has no space before the parameter shows the built-in default value, which is in effect; a line that starts with # followed by a space is a pure comment.

Tuning parameters

Port

The default port is 22; it should be changed on production hosts exposed to the Internet.

Port 22

To connect to a port other than the default 22, specify it with the -p option [-p port]:

ssh -p 1234 root@10.0.0.88

Listen address

The default is every address on every interface; it can be changed to a specific IP.

#ListenAddress 0.0.0.0

#ListenAddress ::

Login grace time

The time allowed between entering the username and typing the password defaults to 2 minutes; it can be reduced.

#LoginGraceTime 2m

Permit root login

Production systems should forbid direct root login. Debian-family distributions such as Ubuntu forbid root login by default.

PermitRootLogin yes

Default authorized public key file

AuthorizedKeysFile .ssh/authorized_keys

Whether password authentication is allowed

Once key authentication is set up, password login can be disabled to prevent brute-force attacks.

PasswordAuthentication yes

Print the login banner (MOTD) and the last login record

The last-login line helps reveal signs of compromise (an unexpected time or source address).

PrintMotd no

#PrintLastLog yes

[14:56:49 root@C8-88[ ~]#ssh 10.0.0.189

Last login: Sat Jul 3 22:00:12 2021 from 10.0.0.88

Use DNS reverse resolution

If the login hangs for a long time after the password is entered, set this option to no.

#UseDNS no
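As an added example (not from the original post), the following Python script applies the "#Keyword value is the built-in default" convention from above to an sshd_config excerpt and flags the tuning parameters discussed in this section that are still at their weak defaults. The sample configuration text and the checklist of expected values are constructed for the demonstration.

```python
import re

# Constructed sshd_config excerpt for the demonstration; not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#LoginGraceTime 2m
PermitRootLogin yes
PasswordAuthentication yes
#UseDNS no
"""

# '#Keyword value' (no space after #) or 'Keyword value'; '# text' is a comment.
LINE_RE = re.compile(r"^(#?)([A-Za-z][A-Za-z0-9]*)\s+(.+)$")

def parse_sshd_config(text):
    """Return {keyword: (value, origin)}, origin being 'default' for a commented
    default and 'set' for an explicit line. An explicit setting overrides a commented
    default; for duplicate explicit settings sshd keeps the first (Match blocks and
    repeatable keywords such as HostKey are not modelled here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("# "):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        hash_, key, value = m.groups()
        key, origin = key.lower(), ("default" if hash_ else "set")
        if key in settings and (settings[key][1] == "set" or origin == "default"):
            continue
        settings[key] = (value.strip(), origin)
    return settings

# Expected values for an Internet-facing host, taken from the tuning advice above.
CHECKS = [
    ("port", lambda v: v != "22", "Port is still the default 22"),
    ("permitrootlogin", lambda v: v.lower() == "no", "root may log in directly"),
    ("passwordauthentication", lambda v: v.lower() == "no", "password login still enabled"),
    ("logingracetime", lambda v: v != "2m", "LoginGraceTime is still the default 2m"),
]

def audit(settings):
    """Return (keyword, effective value, origin, message) for each failed check."""
    findings = []
    for key, ok, message in CHECKS:
        if key in settings and not ok(settings[key][0]):
            findings.append((key,) + settings[key] + (message,))
    return findings
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a real host to see which of these parameters still need attention.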

Changing the login message

Create or modify the motd file

Add the text to be shown at login to /etc/motd, then enable PrintMotd in the configuration file:

sed -ri.bak 's/(PrintMotd )no/\1yes/' /etc/ssh/sshd_config

fail2ban to prevent brute-force attacks

fail2ban monitors the system logs, matches log entries, and adds offending IPs to iptables. It is written in Python and is installed as a Python package. The main configuration file is jail.conf. Template service files are in the files directory of the source package: fail2ban.service and redhat-initd. To find the legacy init script, search for a file whose content mentions chkconfig:

grep chkconfig ./* -R --color

Older versions use chkconfig to add the startup entry:

chkconfig --add fail2ban

Login log

Main related files:

jail [dʒeɪl]: prison

/etc/fail2ban/action.d # action directory with default files; configures actions such as iptables and mail

/etc/fail2ban/fail2ban.conf # defines fail2ban's log level, log location and socket file location

/etc/fail2ban/filter.d # filter directory with default files; settings for matching the key log content

/etc/fail2ban/jail.conf # main configuration file, modular; sets which services have ban actions enabled and the action thresholds

Example use case

Ban a remote SSH source for 1 hour after three failures within 5 minutes, to stop repeated password guessing. Edit the [ssh-iptables] section: first enable the jail

enabled = true

then specify the log

logpath = /var/log/secure

To send mail, change the sendmail action; sendmail must already be enabled on the system. If the SSH server is not on port 22, the configuration file has to be changed, and the iptables action configuration as well.

Check the ban status

fail2ban-client status ssh-iptables

Implementing fail2ban-like functionality with a shell script

Use a cron job to scan the security log and add IPs that exceed the threshold to the system blacklist hosts.deny.

#!/bin/bash
# Count failed login attempts per source IP in the secure log (field NF-3 is the
# client address in "Failed password for ... from IP port N ssh2" lines) and write
# IP=count pairs to a work file.
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/satools/black.txt

DEFINE='10'   # threshold: more than this many failures gets the IP blacklisted

for i in $(cat /root/satools/black.txt); do
    IP=$(echo "$i" | awk -F= '{print $1}')
    NUM=$(echo "$i" | awk -F= '{print $2}')
    if [ "$NUM" -gt "$DEFINE" ]; then
        # Only append the entry if this exact IP is not already listed.
        if ! grep -qF "sshd:$IP" /etc/hosts.deny; then
            echo "sshd:$IP" >> /etc/hosts.deny
        fi
    fi
done
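As an added example serving both the [ssh-iptables] case above and the shell script just shown (it is not part of the original post, nor fail2ban's own code), this Python script applies the same maxretry/findtime/bantime rule to constructed /var/log/secure lines and renders the result as hosts.deny entries; unlike the shell script, it counts failures inside a time window rather than over the whole log, so a slow scanner spreading three attempts over 30 minutes is not banned. The log lines, host name C8-189 and the year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt (classic syslog format, which omits the year).
SAMPLE_SECURE_LOG = """\
Jul  3 22:00:01 C8-189 sshd[1201]: Failed password for root from 10.0.0.66 port 50211 ssh2
Jul  3 22:00:30 C8-189 sshd[1203]: Failed password for invalid user admin from 10.0.0.66 port 50212 ssh2
Jul  3 22:01:10 C8-189 sshd[1205]: Accepted publickey for root from 10.0.0.88 port 41022 ssh2
Jul  3 22:03:15 C8-189 sshd[1207]: Failed password for root from 10.0.0.66 port 50213 ssh2
Jul  3 22:10:00 C8-189 sshd[1210]: Failed password for root from 10.0.0.77 port 50300 ssh2
Jul  3 22:20:00 C8-189 sshd[1212]: Failed password for root from 10.0.0.77 port 50301 ssh2
Jul  3 22:30:00 C8-189 sshd[1214]: Failed password for root from 10.0.0.77 port 50302 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def find_bans(log_text, maxretry=3, findtime=300, bantime=3600, year=2021):
    """Return {ip: time of ban} for each source that reached `maxretry` failed
    passwords inside a `findtime`-second window (fail2ban's counting rule).
    Syslog lines carry no year, so the caller supplies it."""
    recent = defaultdict(deque)   # per-IP failure timestamps still inside the window
    banned_until = {}
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        ip = m.group("ip")
        if ts < banned_until.get(ip, ts):
            continue                  # still banned: nothing new to decide
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()               # drop failures older than the window
        if len(q) >= maxretry:
            bans[ip] = ts
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans

def hosts_deny_lines(bans):
    """Render bans in the sshd:IP form the shell script above writes to /etc/hosts.deny."""
    return ["sshd:%s" % ip for ip in sorted(bans)]
```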

Using denyhosts

denyhosts from EPEL is a simple implementation of the same idea.

Protection with the system's built-in PAM module

The system itself provides this protection through the PAM module.

In /etc/pam.d/sshd, set the number of failed attempts and the lock time by adding a rule below the first line:

auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200

PAM module commands

View a user's login failure count, or manually unlock a user (pam_tally2 is used because the rule above loads pam_tally2.so):

View the failed login count of a given user:

pam_tally2 --user

For example, view the failed login count of user work:

pam_tally2 --user work

Clear the failed login count of a given user:

pam_tally2 --user --reset

For example, clear the failed login count of user work:

pam_tally2 --user work --reset

Passwordless login to the server from clients such as Xshell

Generate a key pair locally with a client such as Xshell, then place the generated public key in the .ssh directory of the corresponding user's home directory on the server.

==========================================================

Configuration file contents:

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options override the

# default value.

# If you want to change the port on a SELinux system, you have to tell

# SELinux about this change.

# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#

#Port 22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying

#RekeyLimit default none

# System-wide Crypto policy:

# This system is following system-wide crypto policy. The changes to

# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any

# effect here. They will be overridden by command-line options passed on

# the server start up.

# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=

# variable in /etc/sysconfig/sshd to overwrite the policy.

# For more information, see manual page for update-crypto-policies(8).

# Logging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

# but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none

#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

PasswordAuthentication yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

#KerberosUseKuserok yes

# GSSAPI options

GSSAPIAuthentication yes

GSSAPICleanupCredentials no

#GSSAPIStrictAcceptorCheck yes

#GSSAPIKeyExchange no

#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication. Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

# WARNING: 'UsePAM no' is not supported in Fedora and may cause several

# problems.

UsePAM yes

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,

# as it is more configurable and versatile than the built-in version.

PrintMotd no

#PrintLastLog yes

#TCPKeepAlive yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS no

#PidFile /var/run/sshd.pid

#MaxStartups 10:30:100

#PermitTunnel no

#ChrootDirectory none

#VersionAddendum none

# no default banner path

#Banner none

# Accept locale-related environment variables

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

# override default of no subsystems

Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

# X11Forwarding no

# AllowTcpForwarding no

# PermitTTY no

# ForceCommand cvs server
