{"id":736,"date":"2014-11-02T16:20:08","date_gmt":"2014-11-02T08:20:08","guid":{"rendered":"http:\/\/ufqi.com\/blog\/?p=736"},"modified":"2014-11-02T16:22:50","modified_gmt":"2014-11-02T08:22:50","slug":"%e8%bd%ac%ef%bc%9aopenssh-%e6%9c%8d%e5%8a%a1%e5%99%a8%e7%9a%84-20-%e4%b8%aa%e6%9c%80%e4%bd%b3%e5%ae%9e%e8%b7%b5","status":"publish","type":"post","link":"https:\/\/ufqi.com\/blog\/%e8%bd%ac%ef%bc%9aopenssh-%e6%9c%8d%e5%8a%a1%e5%99%a8%e7%9a%84-20-%e4%b8%aa%e6%9c%80%e4%bd%b3%e5%ae%9e%e8%b7%b5\/","title":{"rendered":"OpenSSH \u670d\u52a1\u5668\u7684 20 \u4e2a\u6700\u4f73\u5b9e\u8df5\uff08\u8f6c\uff09"},"content":{"rendered":"<p>\u539f\u6587\uff1a<a href=\"http:\/\/labs.people.com.cn\/url4p\/index.php?sid=26486&amp;act=query&amp;shortkey=32Tg\" target=\"_blank\">-R\/32Tg<\/a><\/p>\n<p>OpenSSH \u662f SSH \u534f\u8bae\u7684\u5f00\u6e90\u5b9e\u73b0\u3002 OpenSSH \u53ef\u8fdb\u884c\u8fdc\u7a0b\u767b\u5f55\u3001\u5907\u4efd\u3001\u901a\u8fc7 scp \u6216 sftp \u8fdb\u884c\u8fdc\u7a0b\u6587\u4ef6\u4f20\u8f93\u7b49\u7b49\u3002 SSH \u6700\u5b8c\u7f8e\u7684\u786e\u4fdd\u4e24\u4e2a\u7f51\u7edc\u548c\u7cfb\u7edf\u4e4b\u95f4\u4ea4\u6362\u6570\u636e\u7684\u673a\u5bc6\u6027\u548c\u5b8c\u6574\u6027\u3002\u5176\u4e3b\u8981\u7684\u4f18\u70b9\u662f\u901a\u8fc7\u4f7f\u7528\u516c\u5171\u5bc6\u94a5\u52a0\u5bc6\u8fdb\u884c\u670d\u52a1\u5668\u8eab\u4efd\u9a8c\u8bc1\u3002\u7136\u800c\uff0c\u4e0d\u65f6\u6709\u4f20\u95fb\u5173\u4e8e OpenSSH \u96f6\u65e5\u6f0f\u6d1e\u3002\u8fd9\u91cc\u6211\u4eec\u5217\u51fa\u4e00\u4e9b\u91cd\u8981\u7684\u4e8b\u60c5\uff0c\u4f60\u9700\u8981\u4f5c\u51fa\u8c03\u6574\u6765\u63d0\u9ad8 OpenSSH \u670d\u52a1\u5668\u7684\u5b89\u5168\u6027\u3002<\/p>\n<h2>\u9ed8\u8ba4\u914d\u7f6e\u6587\u4ef6\u548c\u7aef\u53e3<\/h2>\n<ul>\n<li><strong>\/etc\/ssh\/sshd_config\u00a0<\/strong>&#8211; OpenSSH \u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6<\/li>\n<li><strong>\/etc\/ssh\/ssh_config<\/strong>\u00a0&#8211; OpenSSH \u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6<\/li>\n<li><strong>~\/.ssh\/<\/strong>\u00a0&#8211; \u7528\u6237\u72ec\u7acb\u7684 ssh \u914d\u7f6e\u76ee\u5f55<\/li>\n<li><strong>~\/.ssh\/authorized_keys<\/strong>\u00a0or\u00a0<strong>~\/.ssh\/authorized_keys<\/strong>\u00a0&#8211; \u516c\u94a5 (RSA or DSA)<\/li>\n<li><strong>\/etc\/nologin<\/strong>\u00a0&#8211; \u5982\u679c\u8be5\u6587\u4ef6\u5b58\u5728\uff0c\u5219\u53ea\u5141\u8bb8 root \u5e10\u53f7\u767b\u5f55<\/li>\n<li><strong>\/etc\/hosts.allow<\/strong>\u00a0and\u00a0<strong>\/etc\/hosts.deny<\/strong>\u00a0: \u8bbf\u95ee\u63a7\u5236\u5b9a\u4e49<\/li>\n<li><strong>SSH \u9ed8\u8ba4\u7aef\u53e3\u00a0<\/strong>: TCP 22<\/li>\n<\/ul>\n<div><a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-unix-bsd-openssh-server-best-practices.html\/ssh-session\" rel=\"nofollow\"><img loading=\"lazy\" title=\"SSH Session in Action\" alt=\"SSH Session in Action\" src=\"http:\/\/static.oschina.net\/uploads\/img\/201210\/24111359_0tEZ.png\" width=\"590\" height=\"365\" \/><\/a>\u8fde\u63a5\u4e2d\u7684 SSH \u4f1a\u8bdd<\/div>\n<h2>#1: \u7981\u7528 OpenSSH \u670d\u52a1<\/h2>\n<p>\u4e00\u4e9b\u5de5\u4f5c\u7ad9\u6216\u8005\u662f\u7b14\u8bb0\u672c\u662f\u65e0\u9700 OpenSSH \u670d\u52a1\u7684\uff0c\u4f60\u4e0d\u9700\u8981\u63d0\u4f9b\u8fdc\u7a0b\u767b\u5f55\u548c\u6587\u4ef6\u4f20\u8f93\uff0c\u90a3\u4e48\u5c31\u7981\u7528 SSHD \u670d\u52a1\u5427\u3002CentOS\/RHEL\/Fedora Linux \u7528\u6237\u53ef\u901a\u8fc7 yum \u547d\u4ee4\u6765\u7981\u7528\u5e76\u5220\u9664 openssh-server \u670d\u52a1\uff1a<\/p>\n<div>\n<div id=\"highlighter_488214\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<\/td>\n<td>\n<div>\n<div><code># chkconfig sshd off<\/code><\/div>\n<div><code># yum erase openssh-server<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Debian \/ Ubuntu Linux \u7528\u6237\u53ef\u901a\u8fc7 apt-get \u547d\u4ee4\u6765\u5904\u7406\uff1a<\/p>\n<div>\n<div id=\"highlighter_210099\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code># apt-get remove openssh-server<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4f60\u8fd8\u9700\u8981\u66f4\u65b0 iptables \u811a\u672c\u6765\u79fb\u9664 ssh \u4f8b\u5916\u89c4\u5219\uff0c\u5728 CentOS \/ RHEL \/ Fedora \u4e0b\u53ef\u7f16\u8f91 \/etc\/sysconfig\/iptables \u548c \/etc\/sysconfig\/ip6tables. \u641e\u5b9a\u540e\u91cd\u542f iptables \u670d\u52a1\u5373\u53ef\uff1a<\/p>\n<div>\n<div id=\"highlighter_261756\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<\/td>\n<td>\n<div>\n<div><code># service iptables restart<\/code><\/div>\n<div><code># service ip6tables restart&lt;code&gt;&lt;\/code&gt;<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#2: \u53ea\u4f7f\u7528 SSH Protocol 2<\/h2>\n<p>SSH \u534f\u8bae\u7248\u672c 1 \u6709\u5f88\u591a\u6f0f\u6d1e\u548c\u5b89\u5168\u95ee\u9898\uff0c\u5e94\u8be5\u907f\u514d\u4f7f\u7528 SSH-1\uff0c\u53ef\u901a\u8fc7\u5728 sshd_config \u6587\u4ef6\u4e2d\u914d\u7f6e\u5982\u4e0b\u4fe1\u606f\u6765\u542f\u7528 SSH-2\uff1a<\/p>\n<div>\n<div id=\"highlighter_2947\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>Protocol 2<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#3: \u9650\u5236\u7528\u6237\u8bbf\u95ee SSH<\/h2>\n<p>\u9ed8\u8ba4\u6240\u6709\u7cfb\u7edf\u7528\u6237\u90fd\u53ef\u4ee5\u901a\u8fc7 SSH \u767b\u5f55\uff0c\u53ea\u9700\u8981\u7528\u5bc6\u7801\u6216\u8005\u516c\u94a5\u5373\u53ef\u3002\u6709\u65f6\u5019\u4f60\u521b\u5efa\u67d0\u4e2a\u7528\u6237\u53ea\u662f\u4e3a\u4e86\u4f7f\u7528\u90ae\u4ef6\u6216\u8005\u662f FTP\uff0c\u4f46\u662f\u8fd9\u4e9b\u7528\u6237\u4e5f\u53ef\u4ee5\u901a\u8fc7 ssh \u767b\u5f55\uff0c\u767b\u5f55\u540e\u5c31\u53ef\u4ee5\u8bbf\u95ee\u5f88\u591a\u7684\u7cfb\u7edf\u5de5\u5177\uff0c\u5305\u62ec\u7f16\u8bd1\u5668\u548c\u811a\u672c\u8bed\u8a00\uff0c\u53ef\u6253\u5f00\u7f51\u7edc\u7aef\u53e3\u4ee5\u53ca\u505a\u5f88\u591a\u5176\u4ed6\u7684\u4e8b\u60c5\u3002\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7 sshd_config \u6587\u4ef6\u4e2d\u7684 AllowUsers \u548c DenyUsers \u6765\u8bbe\u7f6e\u53ef\u8bbf\u95ee SSH \u670d\u52a1\u7684\u7528\u6237\u540d\u5355\u3002<\/p>\n<p>\u4e0b\u9762\u914d\u7f6e\u53ea\u5141\u8bb8 root, vivek \u548c jerry \u4e09\u4e2a\u5e10\u53f7\u4f7f\u7528 SSH \u670d\u52a1<\/p>\n<div>\n<div id=\"highlighter_885996\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>AllowUsers root vivek jerry<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4f60\u4e5f\u53ef\u4ee5\u8bbe\u7f6e\u54ea\u4e9b\u7528\u6237\u4e0d\u80fd\u8bbf\u95ee SSH\uff1a<\/p>\n<div>\n<div id=\"highlighter_628986\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>DenyUsers saroj anjali foo<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4f60\u4e5f\u53ef\u4ee5\u00a0<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html\" rel=\"nofollow\">\u914d\u7f6e Linux PAM<\/a>\u00a0\u6765\u5141\u8bb8\u6216\u8005\u62d2\u7edd\u901a\u8fc7 sshd \u670d\u52a1\u5668\u767b\u5f55\uff0c\u4f60\u4e5f\u53ef\u4ee5\u5bf9\u4e00\u4e2a\u5206\u7ec4\u8fdb\u884c\u8bbe\u7f6e\u662f\u5426\u53ef\u4ee5\u8bbf\u95ee ssh \uff08<a href=\"http:\/\/www.cyberciti.biz\/tips\/openssh-deny-or-restrict-access-to-users-and-groups.html\" target=\"_blank\" rel=\"nofollow\">\u8be6\u60c5<\/a>\uff09<\/p>\n<h2>#4: \u914d\u7f6e\u7a7a\u95f2\u767b\u51fa\u7684\u8d85\u65f6\u95f4\u9694<\/h2>\n<p>\u7528\u6237\u901a\u8fc7 ssh \u767b\u5f55\u5230\u670d\u52a1\u5668\u540e\uff0c\u5982\u679c\u957f\u65f6\u95f4\u6ca1\u6709\u4efb\u4f55\u52a8\u4f5c\u7684\u8bdd\uff0c\u53ef\u901a\u8fc7\u8bbe\u7f6e\u7a7a\u95f2\u8d85\u65f6\u65f6\u95f4\u6765\u8ba9\u767b\u5f55\u7684\u7528\u6237\u81ea\u52a8\u767b\u51fa\uff0c\u4ee5\u907f\u514d\u4e00\u4e9b\u4e0d\u5fc5\u8981\u7684 ssh \u4f1a\u8bdd\u8fde\u63a5\u3002\u6253\u5f00 sshd_config \u6587\u4ef6\u67e5\u770b\u5e76\u7f16\u8f91\u5982\u4e0b\u914d\u7f6e\uff1a<\/p>\n<div>\n<div id=\"highlighter_645057\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<\/td>\n<td>\n<div>\n<div><code>ClientAliveInterval 300 <\/code><\/div>\n<div><code>ClientAliveCountMax 0<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u8fd9\u91cc\u6211\u4eec\u8bbe\u7f6e\u4e86 300 \u79d2\uff085\u5206\u949f\uff09\uff0c\u4e00\u65e6\u7528\u6237\u5728 5 \u5206\u949f\u5185\u6ca1\u6709\u52a8\u4f5c\u5219\u4f1a\u81ea\u52a8\u88ab\u8e22\u51fa\u3002\u8bf7\u770b\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-login-bash-shell-force-time-outs\/\" rel=\"nofollow\">\u5982\u4f55\u81ea\u52a8\u767b\u51fa BASH \/ TCSH \/ SSH\u00a0<\/a>\u00a0\u4ee5\u4e86\u89e3\u66f4\u591a\u65e0\u6d3b\u52a8\u72b6\u6001\u81ea\u52a8\u767b\u51fa\u7684\u8be6\u60c5\u3002<\/p>\n<h2>#5: \u7981\u7528 .rhosts \u6587\u4ef6<\/h2>\n<p>\u4e0d\u8bfb\u53d6\u7528\u6237\u547d\u4ee4\u4e0b\u7684 ~\/.rhosts \u548c ~\/.shosts \u6587\u4ef6\uff0c\u53ea\u9700\u5728 sshd_config\u00a0 \u4e2d\u4f7f\u7528\u5982\u4e0b\u8bbe\u7f6e\uff1a<\/p>\n<div>\n<div id=\"highlighter_174921\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>IgnoreRhosts <\/code><code>yes<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>SSH \u53ef\u6a21\u62df\u8fc7\u65f6\u7684 rsh \u547d\u4ee4\u7684\u884c\u4e3a\uff0c\u9700\u8981\u7981\u7528\u901a\u8fc7 RSH \u7684\u975e\u5b89\u5168\u767b\u5f55\u3002<\/p>\n<h2>#6: \u7981\u7528\u57fa\u4e8e\u4e3b\u673a\u7684\u8ba4\u8bc1<\/h2>\n<p>\u5728 sshd_config \u4e2d\u4f7f\u7528\u5982\u4e0b\u914d\u7f6e\uff1a<\/p>\n<div>\n<div id=\"highlighter_337679\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>HostbasedAuthentication no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#7: \u7981\u6b62 root \u5e10\u53f7\u901a\u8fc7 SSH \u767b\u5f55<\/h2>\n<p>\u6ca1\u5fc5\u8981\u8ba9 root \u5e10\u53f7\u53ef\u901a\u8fc7 ssh \u767b\u5f55\uff0c\u53ef\u901a\u8fc7\u6b63\u5e38\u7528\u6237\u767b\u5f55\u540e\u7136\u540e\u6267\u884c su \u6216\u8005 sudo \u6765\u6267\u884c root \u6743\u9650\u7684\u64cd\u4f5c\uff0c\u53ef\u5728 sshd_config \u4e2d\u4f7f\u7528\u5982\u4e0b\u914d\u7f6e\u6765\u7981\u7528 root \u5e10\u53f7\u767b\u5f55\uff1a<\/p>\n<div>\n<div id=\"highlighter_420626\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>PermitRootLogin no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u5173\u4e8e\u8fd9\u4e2a\u95ee\u9898\uff0cBob \u7ed9\u51fa\u4e86\u5f88\u68d2\u7684<a href=\"http:\/\/archives.neohapsis.com\/archives\/openbsd\/2005-03\/2878.html\" target=\"_blank\" rel=\"nofollow\">\u8bf4\u660e<\/a>\uff1a<\/p>\n<blockquote><p>Saying &#8220;don&#8217;t login as root&#8221; is h******t. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You&#8217;d get your password spoofed but not root&#8217;s pw. Gimme a break. this is 2005 &#8211; We have ssh, used properly it&#8217;s secure. used improperly none of this 1989 will make a damn bit of difference. -Bob<\/p><\/blockquote>\n<h2>#8: \u542f\u7528\u8b66\u544a\u7684 Banner<\/h2>\n<p>\u53ef\u4ee5\u5728 sshd_config \u4e2d\u901a\u8fc7\u5982\u4e0b\u914d\u7f6e\u6765\u542f\u7528\u901a\u8fc7 ssh \u767b\u5f55\u540e\u7684\u8b66\u544a\u4fe1\u606f\uff1a<\/p>\n<div>\n<div id=\"highlighter_152476\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>Banner <\/code><code>\/etc\/issue<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4e0b\u9762\u662f \/etc\/issue \u6587\u4ef6\u7684\u793a\u4f8b\u5185\u5bb9\uff1a<\/p>\n<pre>----------------------------------------------------------------------------------------------\r\n\u6b22\u8fce\u8bbf\u95ee oschina \u670d\u52a1\u5668\uff0c\u8bf7\u4e0d\u8981\u4e71\u6765\uff01\uff01\uff01\r\n----------------------------------------------------------------------------------------------<\/pre>\n<h2>#8: \u9632\u706b\u5899\u5904\u7406 SSH \u7aef\u53e3 # 22<\/h2>\n<p>\u4f60\u9700\u8981\u5728\u9632\u706b\u5899\u89c4\u5219\u4e2d\u6253\u5f00 22 \u7aef\u53e3\uff0c\u9664\u975e\u4f60\u7684\u670d\u52a1\u5668\u53ea\u5141\u8bb8\u901a\u8fc7\u5c40\u57df\u7f51\u8bbf\u95ee\uff1a<\/p>\n<h3>Netfilter (Iptables) \u914d\u7f6e<\/h3>\n<p>\u7f16\u8f91 \/etc\/sysconfig\/iptables (\u7ea2\u5e3d\u7cfb\u5217 Linux) \u4ee5\u5141\u8bb8\u6765\u81ea 192.168.1.0\/24 \u548c 202.54.1.5\/29 \u4e24\u4e2a\u7f51\u6bb5\u7684\u8fde\u63a5\uff1a<\/p>\n<div>\n<div id=\"highlighter_125217\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<\/td>\n<td>\n<div>\n<div><code>-A RH-Firewall-1-INPUT -s 192.168.1.0<\/code><code>\/24<\/code> <code>-m state --state NEW -p tcp --dport 22 -j ACCEPT<\/code><\/div>\n<div><code>-A RH-Firewall-1-INPUT -s 202.54.1.5<\/code><code>\/29<\/code> <code>-m state --state NEW -p tcp --dport 22 -j ACCEPT<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u5982\u679c\u4f60\u7684\u7cfb\u7edf\u542f\u7528\u4e86 IPv6 \uff0c\u7f16\u8f91 \/etc\/sysconfig\/ip6tables (Redhat and friends specific file):<\/p>\n<div>\n<div id=\"highlighter_71054\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>-A RH-Firewall-1-INPUT -s ipv6network::<\/code><code>\/ipv6mask<\/code> <code>-m tcp -p tcp --dport 22 -j ACCEPT<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u7528\u5b9e\u9645\u7684 IPv6 \u8303\u56f4\u66ff\u6362\u5176\u4e2d\u7684 ipv6network::\/ipv6mask<\/p>\n<h3>*BSD PF \u9632\u706b\u5899\u914d\u7f6e<\/h3>\n<p>\u5982\u679c\u4f60\u4f7f\u7528\u4e86 PF \u9632\u706b\u5899\uff0c\u53ef\u66f4\u65b0 \/etc\/pf.conf \u914d\u7f6e\u5982\u4e0b\uff1a<\/p>\n<div>\n<div id=\"highlighter_238785\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>pass <\/code><code>in<\/code> <code>on $ext_if inet proto tcp from {192.168.1.0<\/code><code>\/24<\/code><code>, 202.54.1.5<\/code><code>\/29<\/code><code>} to $ssh_server_ip port <\/code><code>ssh<\/code> <code>flags S<\/code><code>\/SA<\/code> <code>synproxy state<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#9: \u4fee\u6539 SSH \u7aef\u53e3\u548c\u9650\u5236 IP \u7ed1\u5b9a<\/h2>\n<p>\u9ed8\u8ba4 SSH \u7ed1\u5b9a\u5230\u6240\u6709\u7f51\u5361\u7684\u6240\u6709 IP\uff0c\u7aef\u53e3\u53f7\u662f 22\uff0c\u5efa\u8bae\u53ea\u7ed1\u5b9a\u5230\u9700\u8981\u7684\u7f51\u5361 IP \uff0c\u5e76\u4fee\u6539\u9ed8\u8ba4\u7684\u7aef\u53e3\u3002\u53ef\u901a\u8fc7 ssh_config \u914d\u7f6e\u6587\u4ef6\u4e2d\u4f7f\u7528\u5982\u4e0b\u914d\u7f6e\u4fe1\u606f\u5c06\u7aef\u53e3\u4fee\u6539\u4e3a 300\uff1a<\/p>\n<div>\n<div id=\"highlighter_55463\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<\/td>\n<td>\n<div>\n<div><code>Port 300 <\/code><\/div>\n<div><code>ListenAddress 192.168.1.5 <\/code><\/div>\n<div><code>ListenAddress 202.54.1.5<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u8fd8\u6709\u4e00\u4e2a\u66f4\u597d\u7684\u65b9\u6cd5\u662f\u4f7f\u7528\u79ef\u6781\u4e3b\u52a8\u7684\u811a\u672c\uff0c\u8bf8\u5982 fail2ban \u6216\u8005\u662f denyhosts<\/p>\n<h2>#10: \u4f7f\u7528\u5f3a\u7684 SSH \u5bc6\u7801<\/h2>\n<p>\u4f7f\u7528\u5f3a\u800c\u590d\u6742\u7684\u5bc6\u7801\u662f\u591a\u4e48\u91cd\u8981\u7684\u4e00\u4ef6\u4e8b\u3002\u86ee\u529b\u653b\u51fb\u4e4b\u6240\u4ee5\u6709\u6548,\u662f\u56e0\u4e3a\u4f60\u4f7f\u7528\u57fa\u4e8e\u5b57\u5178\u7684\u5bc6\u7801\u3002\u4f60\u53ef\u4ee5\u5f3a\u5236\u8981\u6c42\u7528\u6237\u4e0d\u80fd\u4f7f\u7528\u57fa\u4e8e\u5b57\u5178\u7684\u5bc6\u7801\uff0c\u5e76\u901a\u8fc7\u4f7f\u7528\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/unix-linux-password-cracking-john-the-ripper\/\" rel=\"nofollow\">john the ripper tool<\/a>\u00a0\u6765\u627e\u51fa\u5df2\u6709\u7684\u5f31\u5bc6\u7801\uff0c\u4e0b\u9762\u662f\u4e00\u4e2a\u968f\u673a\u5bc6\u7801\u751f\u6210\u5668\u7684\u793a\u4f8b\uff1a(\u653e\u5728\u4f60\u7684 ~\/.bashrc):<\/p>\n<div>\n<div id=\"highlighter_312459\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<div>5<\/div>\n<\/td>\n<td>\n<div>\n<div><code>genpasswd() {<\/code><\/div>\n<div><code>\u00a0\u00a0\u00a0\u00a0<\/code><code>local<\/code> <code>l=$1<\/code><\/div>\n<div><code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code>[ <\/code><code>\"$l\"<\/code> <code>== <\/code><code>\"\"<\/code> <code>] &amp;&amp; l=20<\/code><\/div>\n<div><code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code>tr<\/code> <code>-<\/code><code>dc<\/code> <code>A-Za-z0-9_ &lt; <\/code><code>\/dev\/urandom<\/code> <code>| <\/code><code>head<\/code> <code>-c ${l} | <\/code><code>xargs<\/code><\/div>\n<div><code>}<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u8fd0\u884c\uff1a\u00a0<code>genpasswd 16<\/code><br \/>\n\u8f93\u51fa\uff1auw8CnDVMwC6vOKgW<\/p>\n<h2>#11: \u4f7f\u7528\u57fa\u4e8e\u516c\u94a5\u7684\u8ba4\u8bc1<\/h2>\n<p>\u4f7f\u7528\u516c\/\u79c1\u94a5\u914d\u5bf9\uff0c\u5e76\u5bf9\u79c1\u94a5\u63d0\u4f9b\u5bc6\u7801\u4fdd\u62a4\uff0c\u8be6\u60c5\u8bf7\u770b\u4f7f\u7528\u57fa\u4e8e\u00a0<a href=\"http:\/\/www.cyberciti.biz\/tips\/ssh-public-key-based-authentication-how-to.html\" rel=\"nofollow\">RSA<\/a>\u00a0\u548c\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/ssh-password-less-login-with-dsa-publickey-authentication\/\" rel=\"nofollow\">DSA key<\/a>\u00a0\u7684\u8ba4\u8bc1\u3002\u7edd\u5bf9\u4e0d\u8981\u4f7f\u7528\u5bc6\u7801\u77ed\u8bed\u514d\u8d39\u5bc6\u94a5(\u5bc6\u7801\u952e\u66f4\u5c11)\u767b\u5f55\u3002<\/p>\n<h2>#12: \u4f7f\u7528 Keychain \u8ba4\u8bc1<\/h2>\n<p>keychain \u662f\u4e00\u4e2a\u7279\u522b\u7684 bash \u811a\u672c\uff0c\u7528\u4e8e\u65b9\u4fbf\u7075\u6d3b\u7684\u751f\u6210\u57fa\u4e8e\u5bc6\u94a5\u8ba4\u8bc1\uff0c\u63d0\u4f9b\u591a\u79cd\u5b89\u5168\u63aa\u65bd\uff0c\u8be6\u60c5\u8bf7\u770b<a href=\"http:\/\/www.cyberciti.biz\/faq\/ssh-passwordless-login-with-keychain-for-scripts\/\" rel=\"nofollow\">keychain software<\/a>.<\/p>\n<h2>#13: Chroot SSHD (\u5c06\u7528\u6237\u9501\u5b9a\u5728\u4ed6\u7684\u4e3b\u76ee\u5f55\u4e0b)<\/h2>\n<p>\u9ed8\u8ba4\u7528\u6237\u5141\u8bb8\u6d4f\u89c8\u670d\u52a1\u5668\u4e0a\u7684\u76ee\u5f55\uff0c\u5982 \/etc\u3001\/bin \u7b49\uff0c\u6211\u4eec\u53ef\u4f7f\u7528 chroot \u6216\u8005\u662f\u00a0<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-linux-install-configure-rssh-shell.html\" rel=\"nofollow\">special tools such as rssh<\/a>\u6765\u4fdd\u62a4 ssh\u3002\u800c OpenSSH 4.8p1 \u548c 4.9p1 \u8ba9\u4f60\u4e0d\u518d\u4f9d\u8d56\u7b2c\u4e09\u65b9\u7684\u5de5\u5177\uff08\u5982rssh\u548c\u7ec4\u5408 chroot\uff09\u6765\u5c06\u7528\u6237\u9501\u5b9a\u5728\u4ed6\u7684\u4e3b\u76ee\u5f55\u4e0b\uff0c\u8be6\u60c5\u8bf7\u770b\u00a0<a href=\"http:\/\/www.debian-administration.org\/articles\/590\" target=\"_blank\" rel=\"nofollow\">blog post<\/a>\u00a0\u5173\u4e8e\u5982\u4f55\u4f7f\u7528 ChrootDirectory \u6307\u4ee4\u3002<\/p>\n<h2>#14: \u4f7f\u7528 TCP Wrappers<\/h2>\n<p>TCP Wrapper \u662f\u4e00\u4e2a\u57fa\u4e8e\u4e3b\u673a\u5730\u5740\u7684\u7f51\u7edc ACL \u7cfb\u7edf\uff0c\u7528\u6765\u8fc7\u6ee4\u7f51\u7edc\u5730\u5740\u8bbf\u95ee\u4e92\u8054\u7f51\u3002OpenSSH \u652f\u6301 TCP Wrappers\u3002\u53ea\u9700\u8981\u66f4\u65b0\u4f60\u7684 \/etc\/hosts.allow \u6587\u4ef6\u53ea\u5141\u8bb8\u901a\u8fc7 192.168.1.2 172.16.23.12 \u8bbf\u95ee sshd:<\/p>\n<div>\n<div id=\"highlighter_491489\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>sshd : 192.168.1.2 172.16.23.12<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u8be6\u60c5\u8bf7\u770b\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/tcp-wrappers-hosts-allow-deny-tutorial\/\" rel=\"nofollow\">FAQ about setting and using TCP wrappers<\/a><\/p>\n<h2>#15: \u7981\u7528\u7a7a\u5bc6\u7801<\/h2>\n<p>\u4f60\u5e94\u8be5\u7981\u6b62\u5e10\u53f7\u4f7f\u7528\u7a7a\u5bc6\u7801\u8fdb\u884c\u8fdc\u7a0b\u767b\u5f55\uff0c\u5728 sshd_config \u4f7f\u7528\u5982\u4e0b\u914d\u7f6e\u5373\u53ef\uff1a<\/p>\n<div>\n<div id=\"highlighter_3407\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>PermitEmptyPasswords no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#16: \u963b\u6b62 SSH \u7834\u89e3 (\u86ee\u529b\u7834\u89e3\u653b\u51fb)<\/h2>\n<p>\u86ee\u529b\u7834\u89e3\u662f\u4e00\u79cd\u8bd5\u56fe\u901a\u8fc7\u5927\u91cf\u4f7f\u7528\u5355\u4e00\u6216\u5206\u5e03\u5f0f\u8ba1\u7b97\u673a\u7f51\u7edc\u6765\u6218\u80dc\u4e00\u4e2a\u52a0\u5bc6\u65b9\u6848\u3002\u4e3a\u4e86\u963b\u6b62\u8fd9\u79cd\u65b9\u6cd5\uff0c\u53ef\u7ed3\u5408\u4f7f\u7528\u5982\u4e0b\u8f6f\u4ef6\uff1a<\/p>\n<ul>\n<li><a href=\"http:\/\/www.oschina.net\/p\/denyhosts\" rel=\"nofollow\">DenyHosts<\/a>\u00a0\u662fPython\u8bed\u8a00\u5199\u7684\u4e00\u4e2a\u7a0b\u5e8f\uff0c\u5b83\u4f1a\u5206\u6790SSHD\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u5f53\u53d1\u73b0\u91cd\u590d\u7684\u653b\u51fb\u65f6\u5c31\u4f1a\u8bb0\u5f55IP\u5230\/etc\/hosts.deny\u6587 \u4ef6\uff0c\u4ece\u800c\u8fbe\u5230\u81ea\u52a8\u5c4f\u853dIP\u7684\u529f\u80fd\u3002<\/li>\n<li>\u89e3\u91ca\u5982\u4f55\u5728 RHEL\u3001Fedora \u548c CentOS \u7cfb\u7edf\u4e0b\u5b89\u88c5\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-linux-block-ssh-dictionary-brute-force-attacks\/\" rel=\"nofollow\">DenyHosts<\/a><\/li>\n<li><a href=\"http:\/\/www.oschina.net\/p\/fail2ban\" target=\"_blank\" rel=\"nofollow\">Fail2ban<\/a>\u00a0\u662f\u4e00\u4e2a IP \u81ea\u52a8\u5c4f\u853d\u5de5\u5177<\/li>\n<li><a href=\"http:\/\/sshguard.sourceforge.net\/\" target=\"_blank\" rel=\"nofollow\">security\/sshguard-pf<\/a>\u00a0\u5728 pf \u4e2d\u9632\u6b62\u66b4\u529b\u7834\u89e3<\/li>\n<li><a href=\"http:\/\/sshguard.sourceforge.net\/\" target=\"_blank\" rel=\"nofollow\">security\/sshguard-ipfw<\/a>\u00a0\u5728 ipfw \u4e2d\u9632\u6b62\u66b4\u529b\u7834\u89e3<\/li>\n<li><a href=\"http:\/\/sshguard.sourceforge.net\/\" target=\"_blank\" rel=\"nofollow\">security\/sshguard-ipfilter<\/a>\u00a0\u5728 ipfilter \u4e2d\u9632\u6b62\u66b4\u529b\u7834\u89e3<\/li>\n<li><a href=\"http:\/\/www.bsdconsulting.no\/tools\/\" target=\"_blank\" rel=\"nofollow\">security\/sshblock<\/a>\u00a0block abusive SSH login attempts.<\/li>\n<li><a href=\"http:\/\/anp.ath.cx\/sshit\/\" target=\"_blank\" rel=\"nofollow\">security\/sshit<\/a>\u00a0checks for SSH\/FTP bruteforce and blocks given IPs.<\/li>\n<li><a href=\"http:\/\/www.aczoom.com\/cms\/blockhosts\/\" target=\"_blank\" rel=\"nofollow\">BlockHosts<\/a>\u00a0Automatic blocking of abusive IP hosts.<\/li>\n<li><a href=\"http:\/\/blinkeye.ch\/dokuwiki\/doku.php\/projects\/blacklist\" target=\"_blank\" rel=\"nofollow\">Blacklist<\/a>\u00a0Get rid of those bruteforce attempts.<\/li>\n<li><a href=\"http:\/\/www.rfxn.com\/projects\/brute-force-detection\/\" target=\"_blank\" rel=\"nofollow\">Brute Force Detection<\/a>\u00a0A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.<\/li>\n<li><a href=\"https:\/\/savannah.nongnu.org\/projects\/ipqbdb\/\" target=\"_blank\" rel=\"nofollow\">IPQ BDB filter<\/a>\u00a0May be considered as a fail2ban lite.<\/li>\n<\/ul>\n<h2>#17: \u9650\u5236 22 \u7aef\u53e3\u8fde\u63a5\u7684\u901f\u7387<\/h2>\n<p>netfilter \u548c pf \u90fd\u63d0\u4f9b\u4e86\u8fde\u63a5\u901f\u7387\u9650\u5236\u9009\u9879<\/p>\n<h3>Iptables \u793a\u4f8b<\/h3>\n<p>\u4e0b\u9762\u914d\u7f6e\u7981\u6b62\u5728\u4e00\u5206\u949f\u5185 22 \u7aef\u53e3\u8d85\u8fc7 5 \u4e2a\u8fde\u63a5\uff1a<\/p>\n<div>\n<div id=\"highlighter_314768\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<div>5<\/div>\n<\/td>\n<td>\n<div>\n<div><code>#!\/bin\/bash<\/code><\/div>\n<div><code>inet_if=eth1<\/code><\/div>\n<div><code>ssh_port=22<\/code><\/div>\n<div><code>$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent\u00a0 --<\/code><code>set<\/code><\/div>\n<div><code>$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent\u00a0 --update --seconds 60 --hitcount 5 -j DROP<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u53e6\u5916\u7684\u914d\u7f6e\u9009\u9879\uff1a<\/p>\n<div>\n<div id=\"highlighter_579377\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<div>5<\/div>\n<\/td>\n<td>\n<div>\n<div><code>$IPT -A INPUT\u00a0 -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3<\/code><code>\/min<\/code> <code>--limit-burst 3 -j ACCEPT<\/code><\/div>\n<div><code>$IPT -A INPUT\u00a0 -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT<\/code><\/div>\n<div><code>$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT<\/code><\/div>\n<div><code># another one line example<\/code><\/div>\n<div><code># $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5\/minute --limit-burst 5-j ACCEPT<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u66f4\u591a\u7684\u914d\u7f6e\u8be6\u60c5\u8bf7\u770b iptables \u7684 man \u9875\u3002<\/p>\n<h3>*BSD PF \u793a\u4f8b<\/h3>\n<p>\u4ee5\u4e0b\u5c06\u9650\u5236\u7684\u6700\u5927\u8fde\u63a5\u6570\u523020,\u6bcf\u4e2a\u6e90\u901f\u7387\u9650\u5236\u8fde\u63a5\u6570,\u5728\u4e00\u4e2a5\u79d2\u7684\u8de8\u5ea615\u3002\u5982\u679c\u6709\u4eba\u6253\u7834\u6211\u4eec\u7684\u89c4\u5219\u5c06\u5b83\u4eec\u6dfb\u52a0\u5230\u6211\u4eec\u7684\u963b\u6b62\u7684ip\u8868\u548c\u963b\u6b62\u4ed6\u4eec\u505a\u4efb\u4f55\u8fdb\u4e00\u6b65\u7684\u8fde\u63a5\u3002<\/p>\n<div>\n<div id=\"highlighter_29446\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<\/td>\n<td>\n<div>\n<div><code>sshd_server_ip=<\/code><code>\"202.54.1.5\"<\/code><\/div>\n<div><code>table &lt;abusive_ips&gt; persist<\/code><\/div>\n<div><code>block <\/code><code>in<\/code> <code>quick from &lt;abusive_ips&gt;<\/code><\/div>\n<div><code>pass <\/code><code>in<\/code> <code>on $ext_if proto tcp to $sshd_server_ip port <\/code><code>ssh<\/code> <code>flags S<\/code><code>\/SA<\/code> <code>keep state (max-src-conn 20, max-src-conn-rate 15<\/code><code>\/5<\/code><code>, overload &lt;abusive_ips&gt; flush)<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#18: \u4f7f\u7528\u7aef\u53e3\u78b0\u649e\u6280\u672f(Port Knocking)<\/h2>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Port_knocking\" target=\"_blank\" rel=\"nofollow\">\u7aef\u53e3\u78b0\u649e\u6280\u672f<\/a>\u00a0\u662f\u4e00\u4e2a\u65b9\u6cd5\u7684\u5916\u90e8\u5f00\u653e\u7aef\u53e3\u9632\u706b\u5899\u901a\u8fc7\u751f\u6210\u4e00\u4e2a\u8fde\u63a5\u8bf7\u6c42\u5728\u4e00\u7ec4\u9884\u5148\u6307\u5b9a\u5173\u95ed\u7aef\u53e3\u3002\u4e00\u65e6\u4e00\u4e2a\u6b63\u786e\u7684\u987a\u5e8f\u8fde\u63a5\u5c1d\u8bd5\u63a5\u6536,\u9632\u706b\u5899\u89c4\u5219\u662f\u52a8\u6001\u4fee\u6539\u4e3a\u5141\u8bb8\u4e3b\u673a\u5c06\u8fde\u63a5\u5c1d\u8bd5\u8fde\u63a5\u5728\u7279\u5b9a\u7aef\u53e3(s)\u3002<\/p>\n<p>\u4f7f\u7528 iptables \u914d\u7f6e\u7aef\u53e3\u78b0\u649e\u7684\u793a\u4f8b\uff1a<\/p>\n<div>\n<div id=\"highlighter_12757\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<div>5<\/div>\n<div>6<\/div>\n<div>7<\/div>\n<div>8<\/div>\n<div>9<\/div>\n<div>10<\/div>\n<div>11<\/div>\n<div>12<\/div>\n<div>13<\/div>\n<div>14<\/div>\n<div>15<\/div>\n<div>16<\/div>\n<\/td>\n<td>\n<div>\n<div><code>$IPT -N stage1<\/code><\/div>\n<div><code>$IPT -A stage1 -m recent --remove --name knock<\/code><\/div>\n<div><code>$IPT -A stage1 -p tcp --dport 3456 -m recent --<\/code><code>set<\/code> <code>--name knock2<\/code><\/div>\n<div><code>\u00a0<\/code><\/div>\n<div><code>$IPT -N stage2<\/code><\/div>\n<div><code>$IPT -A stage2 -m recent --remove --name knock2<\/code><\/div>\n<div><code>$IPT -A stage2 -p tcp --dport 2345 -m recent --<\/code><code>set<\/code> <code>--name heaven<\/code><\/div>\n<div><code>\u00a0<\/code><\/div>\n<div><code>$IPT -N door<\/code><\/div>\n<div><code>$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2<\/code><\/div>\n<div><code>$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1<\/code><\/div>\n<div><code>$IPT -A door -p tcp --dport 1234 -m recent --<\/code><code>set<\/code> <code>--name knock<\/code><\/div>\n<div><code>\u00a0<\/code><\/div>\n<div><code>$IPT -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT<\/code><\/div>\n<div><code>$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT<\/code><\/div>\n<div><code>$IPT -A INPUT -p tcp --syn -j doo<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4e24\u4e2a\u8f6f\u4ef6\uff1a<\/p>\n<ul>\n<li><a href=\"http:\/\/www.cipherdyne.org\/fwknop\/\" target=\"_blank\" rel=\"nofollow\">fwknop<\/a>\u00a0\u662f\u4e00\u4e2a\u7ed3\u5408\u7aef\u53e3\u78b0\u649e\u548c\u88ab\u52a8\u64cd\u4f5c\u7cfb\u7edf\u8bc6\u522b\u6280\u672f\u7684\u5b9e\u73b0<\/li>\n<li><a href=\"http:\/\/www.debian-administration.org\/articles\/268\" target=\"_blank\" rel=\"nofollow\">Multiple-port knocking<\/a>\u00a0\u4ec5\u9650\u4e8e Netfilter\/IPtables \u7684\u5b9e\u73b0<\/li>\n<\/ul>\n<h2>#19: \u4f7f\u7528\u65e5\u5fd7\u5206\u6790\u5668<\/h2>\n<p>\u53ef\u901a\u8fc7\u00a0<a href=\"http:\/\/nixcraft.com\/linux-software\/477-howto-linux-monitor-logfiles.html\" rel=\"nofollow\">logwatch<\/a>\u00a0or\u00a0<a href=\"http:\/\/logcheck.org\/\" target=\"_blank\" rel=\"nofollow\">logcheck<\/a>\u00a0\u6765\u9605\u8bfb\u65e5\u5fd7\uff0c\u8fd9\u4e9b\u5de5\u5177\u53ef\u4ee5\u8ba9\u4f60\u8f7b\u677e\u7684\u6d4f\u89c8\u65e5\u5fd7\u3002\u901a\u8fc7\u6307\u5b9a\u65f6\u95f4\u6765\u7ed9\u51fa\u65e5\u5fd7\u7684\u62a5\u544a\u3002\u9996\u5148\u8981\u786e\u4fdd\u5728 sshd_config \u4e2d\u5c06\u65e5\u5fd7\u7ea7\u522b LogLevel \u8bbe\u7f6e\u4e3a INFO \u6216\u8005 DEBUG\uff1a<\/p>\n<div>\n<div id=\"highlighter_104964\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code>LogLevel INFO<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>#20: \u5bf9 OpenSSH \u548c\u64cd\u4f5c\u7cfb\u7edf\u6253\u8865\u4e01<\/h2>\n<p>\u63a8\u8350\u4f60\u4f7f\u7528\u8bf8\u5982\u00a0<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-centos-fedora-linux-yum-command-howto\/\" rel=\"nofollow\">yum<\/a>,\u00a0<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-debian-package-management-cheat-sheet.html\" rel=\"nofollow\">apt-get<\/a>,\u00a0<a href=\"http:\/\/www.cyberciti.biz\/tips\/howto-keep-freebsd-system-upto-date.html\" rel=\"nofollow\">freebsd-update<\/a>\u00a0\u5de5\u5177\u6765\u4fdd\u6301\u7cfb\u7edf\u7684\u5373\u65f6\u83b7\u53d6\u6700\u65b0\u7684\u5b89\u5168\u8865\u4e01\u3002<\/p>\n<h2>\u5176\u4ed6\u9009\u9879<\/h2>\n<p>\u4e3a\u4e86\u9690\u85cf openssh \u7248\u672c\uff0c\u4f60\u53ef\u66f4\u65b0\u6e90\u7801\u7136\u540e\u518d\u6b21\u7f16\u8bd1 openssh \uff0c\u5e76\u786e\u4fdd\u5728 sshd_config \u4e2d\u4f7f\u7528\u5982\u4e0b\u914d\u7f6e\uff1a<\/p>\n<div>\n<div id=\"highlighter_754026\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<div>2<\/div>\n<div>3<\/div>\n<div>4<\/div>\n<div>5<\/div>\n<div>6<\/div>\n<div>7<\/div>\n<div>8<\/div>\n<div>9<\/div>\n<div>10<\/div>\n<div>11<\/div>\n<\/td>\n<td>\n<div>\n<div><code>#\u00a0 Turn on privilege separation<\/code><\/div>\n<div><code>UsePrivilegeSeparation <\/code><code>yes<\/code><\/div>\n<div><code># Prevent the use of insecure home directory and key file permissions<\/code><\/div>\n<div><code>StrictModes <\/code><code>yes<\/code><\/div>\n<div><code># Turn on\u00a0 reverse name checking<\/code><\/div>\n<div><code>VerifyReverseMapping <\/code><code>yes<\/code><\/div>\n<div><code># Do you need port forwarding?<\/code><\/div>\n<div><code>AllowTcpForwarding no<\/code><\/div>\n<div><code>X11Forwarding no<\/code><\/div>\n<div><code>#\u00a0 Specifies whether password authentication is allowed.\u00a0 The default is yes.<\/code><\/div>\n<div><code>PasswordAuthentication no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u5728\u91cd\u542f openssh-server \u4e4b\u524d\u5148\u7528\u5982\u4e0b\u547d\u4ee4\u9a8c\u8bc1\u914d\u7f6e\u662f\u5426\u6b63\u786e\uff1a<\/p>\n<div>\n<div id=\"highlighter_109937\">\n<div><a href=\"http:\/\/www.oschina.net\/question\/12_76000#\">?<\/a><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>1<\/div>\n<\/td>\n<td>\n<div>\n<div><code># \/usr\/sbin\/sshd -t<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>\u4f7f\u7528\u00a0<a href=\"http:\/\/www.linuxjournal.com\/article\/8957\" target=\"_blank\" rel=\"nofollow\">two-factor<\/a>\u00a0\u6216\u8005\u00a0<a href=\"https:\/\/calomel.org\/openssh.html\" target=\"_blank\" rel=\"nofollow\">three-factor (or more)<\/a>\u00a0\u8ba4\u8bc1\u6765\u52a0\u5f3a OpenSSH \u7684\u5b89\u5168\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u539f\u6587\uff1a-R\/32Tg OpenSSH \u662f SSH \u534f\u8bae\u7684\u5f00\u6e90\u5b9e\u73b0\u3002 OpenSS &hellip; <a href=\"https:\/\/ufqi.com\/blog\/%e8%bd%ac%ef%bc%9aopenssh-%e6%9c%8d%e5%8a%a1%e5%99%a8%e7%9a%84-20-%e4%b8%aa%e6%9c%80%e4%bd%b3%e5%ae%9e%e8%b7%b5\/\">\u7ee7\u7eed\u9605\u8bfb <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,2],"tags":[44],"_links":{"self":[{"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/posts\/736"}],"collection":[{"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/comments?post=736"}],"version-history":[{"count":4,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/posts\/736\/revisions"}],"predecessor-version":[{"id":739,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/posts\/736\/revisions\/739"}],"wp:attachment":[{"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/media?parent=736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/categories?post=736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ufqi.com\/blog\/wp-json\/wp\/v2\/tags?post=736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}