Secure Shell, better known as SSH, is a protocol developed for connecting to IT systems remotely and securely. SSH follows the familiar client-server architecture. In this post we look at the security-related configuration options of the SSH daemon service, sshd. The tutorial on the client-side ssh configuration can be found in the following link.


SSH Server Configuration File

sshd usually runs as a service or daemon. When the service starts, it reads its configuration file, located at /etc/ssh/sshd_config; most Linux distributions use this file as the startup configuration. Root privileges are needed to modify it.


$ head /etc/ssh/sshd_config
(Screenshot: Server Configuration File)

SSH Server Configuration File Comments

Some rules deserve a comment explaining them. Comments are lines beginning with #; they have no effect on the SSH configuration.


# This is just a comment.

Restart SSH Service To Apply Configuration Changes

After the ssh configuration file is changed, the ssh service or daemon must be restarted for the new configuration to take effect. There are different ways to restart the ssh service, but the most portable way to restart the ssh daemon is the systemctl command shown below.


$ sudo systemctl restart sshd

Stop SSH Service

If ssh is not used and we have direct access to the system, stopping the ssh service is the more secure choice. We stop the ssh service with the systemctl command.


$ sudo systemctl stop sshd

Check SSH Service Status

After changing the configuration we restart the ssh service, but how can we be sure it is working? There are different ways, but the most appropriate is to ask systemctl for the status of the service. This command also shows the latest log lines of the service, which can give hints about configuration errors and similar problems.


$ sudo systemctl status sshd
(Screenshot: Check SSH Service Status)

Specify SSH Protocol Version

SSH has two protocol versions. As expected, version 1 is the old and insecure one. It was abandoned long ago, but some ssh configurations may still have it enabled. The following line enables only version 2.


Protocol 2

Allowed Users

By default, every user created on the system can log in remotely. Giving all users the opportunity to log in remotely is not good security practice. We can limit login to specified users as shown below. In this example, only the user ismail is allowed to log in remotely with ssh.


AllowUsers ismail

Denied Users

Another way to limit users' logins is to name the user accounts that are not permitted to log in remotely with ssh. All users other than the specified ones keep remote access. In this example, we deny remote access to the user root. Denying access to root is good security practice.


DenyUsers root

Specify the IP Address and Interface the SSH Service Listens On

By default, when the ssh service starts it listens on all interfaces and IP addresses. This can create security problems if the system has more than one network interface and some of them face an insecure side. We can restrict the address the ssh service listens on; the ssh service will then not accept connections arriving on other interfaces.


ListenAddress 10.0.0.20

Configure Session Timeout

Once a connection is established it stays open forever unless it is closed explicitly. This is not desirable for resource usage or security. We should define a timeout so that the session is closed after a period of inactivity. ClientAliveInterval sets how often, in seconds, sshd sends an alive request through the encrypted channel to an otherwise idle client; a client that fails to answer ClientAliveCountMax consecutive requests (default 3) is disconnected. In this example, we set the interval to 120 seconds.


ClientAliveInterval 120

Disable SSH Root Login

One of the best practices is disabling remote login for the root account. If there are other well-known, highly privileged accounts, these must be disabled too.


PermitRootLogin no

Configure SSH Login Banner

When systems are accessed remotely with ssh, presenting a warning about the system is a good way to deter some attacks. Even though this is not a technical measure for protecting against or preventing attacks, it may deter the attacker psychologically.


Banner takes the path of a text file that is sent to the client before authentication; the message itself lives in that file, not on the Banner line. With the file /etc/issue.net (a conventional location for this purpose) containing

This system is monitored and logged in real time. In the case of attacks the legal actions will be taken against attacker.

the directive is:

Banner /etc/issue.net

Configure or Change SSH Port Number

By default, ssh uses TCP port 22. Most users and attackers assume this default and target TCP port 22. If there is no operational cost, changing the ssh server port is the best way. In the example we use port 1234 as the ssh daemon port.


Port 1234

Disable SSH Password Authentication

Password authentication is a simple method for users to authenticate themselves. But it is also simpler for attackers to crack than other methods. Users generally prefer simple, easy-to-remember passwords, which makes attackers' work easy. We can disable password-based authentication.


PasswordAuthentication no

But users must already have public key-based authentication set up in order to keep using the SSH server. More information about how to set up public key-based authentication can be found in the following link.


http://www.poftut.com/how-to-setup-ssh-keys/



Only Public Key Based Authentication

Public key authentication is enabled by default, but enabling it explicitly makes the configuration more reliable.


PubkeyAuthentication yes

Disable Empty SSH Passwords

Another great risk for the ssh daemon is empty passwords. Modern Linux distributions generally prohibit empty passwords, but disabling them in sshd as well makes sure of it.


PermitEmptyPasswords no

Enable Strict (Forced Security) Mode

StrictModes makes sshd check some conditions before the ssh server starts: ownership and permission checks of the ssh keys and configuration files are performed before the ssh daemon starts. If one of them fails, the ssh server daemon does not start. Strict mode is enabled by default but is often turned off by system administrators. For security reasons, it should be enabled.


StrictModes yes

Disable X11 Forwarding

One of the best features of ssh is forwarding X11 over remote connections. This is very useful for some system administrators and users, but it can open security holes in the system. If X11 forwarding is not needed, disable it.


X11Forwarding no
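The directives from "Allowed Users" down to "Disable X11 Forwarding" are easy to add but easy to get wrong, because sshd applies only the first occurrence of each keyword in sshd_config, so a hardening line appended at the end of a file that already sets the keyword earlier is silently ignored. The following POSIX sh script is an added example written for this post, not code from the original article or from the OpenSSH project: it reads the global section of an sshd_config file (it stops at the first Match block), resolves each keyword by the first-occurrence rule, and compares the hardening directives discussed above with their expected values. The function names, the sample configuration and the fallback defaults for unset keywords (taken from the sshd_config manual as this example understands it) are all this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file against
# the hardening directives discussed above. Needs only POSIX sh and awk.

# Print the effective value of a keyword from an sshd_config file.
# sshd applies the FIRST occurrence of a keyword, so a hardening line appended
# to the end of the file is silently ignored when an earlier line already sets
# it. Keywords are case-insensitive; only the global section is read.
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # skip comments and blank lines
        tolower($1) == "match" { exit }                # stop at the first Match block
        tolower($1) == key { print $2; exit }          # first occurrence wins
    ' "$1"
}

# Compare one keyword with the expected hardened value. An unset keyword falls
# back to $4, the OpenSSH default for that keyword (assumed from the manual).
# Diagnostics go to stderr; the return code is 0 for PASS and 1 for FAIL.
sshd_check() {
    file=$1; key=$2; want=$3; default=$4
    got=$(sshd_get "$file" "$key")
    [ -n "$got" ] || got=$default
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
        echo "PASS $key = $got" >&2
        return 0
    fi
    echo "FAIL $key = $got (expected $want)" >&2
    return 1
}

# Run every check and print the number of failing directives to stdout.
sshd_audit() {
    file=$1; fails=0
    sshd_check "$file" PermitRootLogin        no  prohibit-password || fails=$((fails + 1))
    sshd_check "$file" PasswordAuthentication no  yes               || fails=$((fails + 1))
    sshd_check "$file" PubkeyAuthentication   yes yes               || fails=$((fails + 1))
    sshd_check "$file" PermitEmptyPasswords   no  no                || fails=$((fails + 1))
    sshd_check "$file" StrictModes            yes yes               || fails=$((fails + 1))
    sshd_check "$file" X11Forwarding          no  no                || fails=$((fails + 1))
    echo "$fails"
}

# Constructed sample sshd_config (not taken from any real host). The second
# PermitRootLogin line shows the first-occurrence rule: it never takes effect.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample configuration
Port 1234
ListenAddress 10.0.0.20
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
ClientAliveInterval 120
# added later by an administrator, but ignored because of the line above
PermitRootLogin no
EOF
}

# Stand-alone run: write the sample, audit it, report the failure count (1 here,
# because the first PermitRootLogin line is "yes").
tmp=$(mktemp)
write_sample_config "$tmp"
printf 'failing directives: %s\n' "$(sshd_audit "$tmp")"
rm -f "$tmp"
```

On a real host, point sshd_audit at /etc/ssh/sshd_config for a quick review, but treat the daemon itself as the authority: sudo sshd -T prints the effective configuration after all parsing, including Match blocks, and sudo sshd -t validates the file so that a typo is caught before systemctl restart rather than after it has locked you out (note that on Debian-based systems the systemd unit is named ssh rather than sshd).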

Update SSH Server and Client Software

Now the last, but one of the most important, rules for keeping ssh servers and daemons secure: keeping the software updated is a remarkably effective way to make ssh more secure.


Ubuntu, Debian, Mint:

$ sudo apt install --only-upgrade openssh-server openssh-client

Fedora, Kali, CentOS:

$ sudo yum update openssh-server openssh-clients

Translated from: https://www.poftut.com/linux-sshd-server-configuration-security-options-examples/
