# How to secure SSH
## IP

You should restrict which IP addresses may reach the SSH port; since every VPS provider configures this differently, no example is given here.

It is also best to change the SSH port:

```txt
Port PORT_YOU_WANT
```

After the change, log in by specifying the port with `ssh -p PORT`.
## Public key

```shell
ssh-keygen -t rsa -b 4096 -f vps-ssh
```

Enter a passphrase when prompted; this produces two different keys. The private key must never be shared anywhere or with anyone. The second file, ending in `.pub`, is the public key.

Write the public key into `~/.ssh/authorized_keys` on the VPS; this file's permissions should be 600.

After that, log in by specifying the private key with `ssh -i PRIVATE_KEY`.
## Fail2ban

### Installation

```shell
sudo apt install fail2ban
```

### Configuration

In the Fail2ban configuration file, add:

```txt
[sshd]
enabled = true
bantime = 4w
maxretry = 3
# enable the sshd jail: at most three login attempts; after three failures, block connection attempts for 4 weeks
```
Then configure the SSH daemon in `/etc/ssh/sshd_config`:

| Setting | Description |
|---|---|
| `LogLevel VERBOSE` | Gives the verbosity level used when logging messages from the SSH daemon. |
| `PermitRootLogin no` | Disallow root login. |
| `MaxAuthTries 3` | Maximum of three authentication attempts per connection. |
| `MaxSessions 5` | Maximum number of open shell, login or subsystem (e.g. SFTP) sessions permitted per network connection. |
| `HostbasedAuthentication no` | Whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication (host-based authentication) is allowed. |
| `PermitEmptyPasswords no` | When password authentication is allowed, whether the server allows login to accounts with empty password strings. |
| `ChallengeResponseAuthentication yes` | Whether challenge-response authentication is allowed. |
| `UsePAM yes` | Whether PAM modules should be used for authentication. |
| `X11Forwarding no` | Whether X11 forwarding is permitted. |
| `PrintMotd no` | Whether the SSH daemon should print /etc/motd when a user logs in interactively. |
| `ClientAliveInterval 600` | Sets a timeout interval in seconds after which, if no data has been received from the client, the SSH daemon sends a message through the encrypted channel to request a response from the client. |
| `ClientAliveCountMax 0` | Sets the number of client alive messages which may be sent without the SSH daemon receiving any messages back from the client. |
| `AllowUsers USERNAME` | This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. |
| `Protocol 2` | Use the newer, more secure protocol. |
| `AuthenticationMethods publickey,keyboard-interactive` | The authentication methods that must be successfully completed for a user to be granted access. |
| `PasswordAuthentication no` | Whether password authentication is allowed. |
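As an added example (not from the original post), the following POSIX shell function checks an sshd_config file against the table above and reports every directive that is missing or set to a different value; the sample config it runs on at the end is constructed for demonstration.

```shell
# Added example (not from the original post): audit an sshd_config file against
# the hardening table above. Values are compared case-insensitively.
EXPECTED='LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no
PrintMotd no
ClientAliveInterval 600
ClientAliveCountMax 0
Protocol 2
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no'
# check_sshd_config FILE prints one MISSING/MISMATCH line per problem; its exit
# status is the problem count, so 0 means the table is fully applied.
check_sshd_config() {
  printf '%s\n' "$EXPECTED" | awk -v cfg="$1" '
    BEGIN {
      # sshd semantics: comments stripped, keys case-insensitive, first occurrence
      # of a directive wins, and Match blocks (conditional directives) are skipped.
      while ((getline line < cfg) > 0) {
        sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") continue
        n = split(line, f, /[ \t]+/); key = tolower(f[1])
        if (key == "match") break
        val = f[2]; for (i = 3; i <= n; i++) val = val " " f[i]
        if (!(key in have)) have[key] = val
      }
      close(cfg)
    }
    {
      key = tolower($1)
      if (!(key in have)) { printf "MISSING  %s (want %s)\n", $1, $2; bad++ }
      else if (tolower(have[key]) != tolower($2)) { printf "MISMATCH %s = %s (want %s)\n", $1, have[key], $2; bad++ }
    }
    END { exit bad + 0 }'
}
# Constructed sample resembling a stock distribution config, for demonstration.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample, not a real host' 'Port 22' \
  'PermitRootLogin yes' 'PasswordAuthentication yes' 'UsePAM yes' > "$SAMPLE"
check_sshd_config "$SAMPLE" || echo "$? hardening problem(s) found"
rm -f "$SAMPLE"
```

A MISSING line only means the directive is not set explicitly, so the compiled-in default applies; to audit effective values instead, save the output of `sudo sshd -T` to a file and run the function on it, since that output lists every directive in lowercase with its effective value.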
## Two-step authentication

There are many two-step authentication tools; this walkthrough uses Google Authenticator as the demonstration.

### Installation

```shell
sudo apt install libpam-google-authenticator
```

### Run

```shell
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/......
[ ---- QR Code ---- ]
Your new secret key is: ***************
Enter code from app (-1 to skip):
Enter code from app (-1 to skip): <Google-Auth Code>
Code confirmed
Your emergency scratch codes are:
21323478
43822347
60232018
73234726
45456791
Do you want me to update your "/home/cry0l1t3/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the
window from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4
minutes between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
```

The QR code and the key appear in the terminal; scan the code or enter the key in Google Authenticator. Once done, the app shows a six-digit OTP (One-Time Password); enter it in the terminal. At the end, emergency scratch codes (backup codes) are generated; store them safely, as they are what you use if you lose your smartphone.

### Configuration

PAM configuration:

```txt
#@include common-auth
auth required pam_google_authenticator.so
auth required pam_permit.so
```

sshd_config:

```txt
AuthenticationMethods publickey,keyboard-interactive
```

Restart the SSH service:

```shell
sudo service ssh restart
```