SSH 的一些安全小技巧
----------------------------------------------------
一, 前言
關於 ssh 的好處, 相信不用我多說了吧?
簡而言之, 之前的 rpc command 與 telnet 都全可用 ssh 代替.
比方如下的這些常見功能:
- 遠端登錄
ssh user@remote.machine
- 遠端執行
ssh user@remote.machine ';command ...';
- 遠端複制
scp user@remote.machine:/remote/path /local/path
scp /local/path user@remote.machine:/remote/path
- X forward
ssh -X user@remote.machine
xcommand ...
- Tunnel / Portforward
ssh -L 1234:remote.machine:4321 user@remote.machine
ssh -R 1234:local.machine:4321 user@remote.machine
ssh -L 1234:other.machine:4321 user@remote.machine
至於詳細的用法, 我這就不說了. 請讀者自行研究吧.
我這裡要說的, 是針對 ssh 服務為大家介紹一些安全技巧, 希望大家用得更安心些.
二, 實作
(實作以 RedHat 9 為範例)
1) 禁止 root 登錄
# vi /etc/ssh/sshd_config
PermitRootLogin no
2) 廢除密碼登錄, 強迫使用 RSA 驗證(假設 ssh 帳戶為 user1 )
# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# service sshd restart
# su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
--------------------------------------------------
轉往 client 端:
$ ssh-keygen -t rsa
(按三下 enter 完成﹔不需設密碼,除非您會用 ssh-agent 。)
$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
(若是 windows client, 可用 puttygen.exe 產生 public key,
然後複制到 server 端後修改之, 使其內容成為單一一行.)
---------------------------------------------------
回到 server 端:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit
3) 限制 su / sudo 名單:
# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL=(ALL) ALL
# gpasswd -a user1 wheel
4) 限制 ssh 使用者名單
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo user1 >> /etc/ssh_users
5) 封鎖 ssh 連線並改用 web 控管清單
# iptables -I INPUT -p tcp --dport 22 -j DROP
# mkdir /var/www/html/ssh_open
# cat > /var/www/html/ssh_open/.htaccess < /var/www/html/ssh_open/ssh_open.php <";
echo "Pls Check your rights to dir $dir_path or file $ip_list";
}
else
{
fputs($file,"$user_ip");
fclose($file);
echo "client ip($user_ip) has put into $dir_path/$ip_list";
}
} else {
echo "Invalid IP format!!
ssh_open.txt was not changed.";
}
?>
END
# touch /var/www/html/ssh_open/ssh_open.txt
# chmod 640 /var/www/html/ssh_open/*
# chgrp apache /var/www/html/ssh_open/*
# chmod g+w /var/www/html/ssh_open/ssh_open.txt
# chmod o+t /var/www/html/ssh_open
# service httpd restart
# mkdir /etc/iptables
# cat > /etc/iptables/sshopen.sh <> /etc/services
# cat > /etc/xinetd.d/sshopen < /etc/cron.d/sshopen < /etc/iptables/sshblock.sh <> $PERM_LIST
}
done
END
# chmod +x /etc/firewall/sshblock.sh
# cat >> /etc/hosts.allow < /etc/xinetd.d/finger <> /etc/hosts.allow < |
