Webmaster Handbook (1): Server Security, SSH Login
青果君

I recently picked up a small VPS from 雨云: 2 cores, 4 GB RAM, at a discounted price of 21.5 yuan, much cheaper than an overseas ECS from Alibaba Cloud. A small provider's engineering cannot match the big vendors, though, and security is somewhat weaker, so it is well worth hardening the box yourself rather than getting compromised and turned into a bot. This article goes through the login security configuration I applied on a Linux server. If you would like to try 雨云 yourself, enter my promo code MTg5MDE3 for a 50% off coupon on the first month 😋

Enable the firewall

Surprisingly, no firewall is installed by default, and the port restrictions in the web panel did not seem to take effect either. So I had to install a firewall myself. We open only ports 80 and 443, which the website needs, and block access to every other port.

But without 22, how do we log in via SSH? No need to worry: besides port rules, the firewall also has service rules. Run firewall-cmd --list-services and you will see that the ssh service is already allowed. (If your firewall has no ssh service configured, then in theory port 22 is open by default; if neither is the case, add it yourself.)

Installation

apt-get install firewalld

Configuration

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

Related commands

# List the whole zone configuration, ports included
firewall-cmd --permanent --list-all

# Query whether a port is open
firewall-cmd --permanent --query-port=443/tcp

# Add a port
firewall-cmd --permanent --add-port=443/tcp

# Remove a port
firewall-cmd --permanent --remove-port=443/tcp

# List all allowed services
firewall-cmd --list-services

# Reload the firewall
firewall-cmd --reload

SSH login security

Change the default port 22

The vast majority of machines listen on port 22 by default, so they are easy to find by scanning and to attack through unknown vulnerabilities. It is therefore best to change the default port 22 to some other random port number.

Changing the SSH port carries real risk: it can lock the administrator out. Unless you are absolutely confident, do not change it directly; add a new port instead. Once you have confirmed that you can log in on the new port, remove the default port 22.

  1. Edit the SSH server configuration with vim /etc/ssh/sshd_config and search for Port; the default port 22 entry is commented out. Uncomment it and change it to another port, e.g. Port 12322 (or add a new line).

  2. Edit the firewalld ssh service definition with vim /usr/lib/firewalld/services/ssh.xml and change port="22" to a safer port such as port="12322" (or add a new line). Then reload the firewall: firewall-cmd --reload

  3. Restart the SSH service

systemctl restart sshd
systemctl status sshd
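As an added example (not code from the post), the three steps above collected into shell functions that stage the change in a lock-out-safe order: the new port is listed next to 22 rather than replacing it, the sshd configuration is validated before the restart, and the firewalld service override is written under /etc/firewalld/services, which takes precedence over /usr/lib/firewalld and is not overwritten on package upgrades. The port 12322 and the function names are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): the port change above, staged in a
# lock-out-safe order. Port 12322 and the function names are assumed values.
set -eu

# Add "Port <port>" to an sshd_config without dropping 22. Lines are prepended,
# not appended, because Port is not allowed inside a Match block. Once any Port
# line exists sshd stops listening on the implicit 22, so 22 is written explicitly.
add_ssh_port() {
  cfg="$1"; port="$2"
  grep -qE "^Port[[:space:]]+${port}\$" "$cfg" && return 0   # already present
  {
    grep -qE '^Port[[:space:]]+22$' "$cfg" || printf 'Port 22\n'
    printf 'Port %s\n' "$port"
    cat "$cfg"
  } > "$cfg.new"
  cat "$cfg.new" > "$cfg"   # keeps the original file's mode and owner
  rm -f "$cfg.new"
}

# Number of active Port directives (sanity check before restarting sshd)
count_ports() { grep -cE '^Port[[:space:]]+[0-9]+$' "$1" || true; }

# firewalld service definition allowing both 22 and the new port. A copy under
# /etc/firewalld/services overrides /usr/lib/firewalld and survives upgrades.
write_ssh_service() {
  out="$1"; port="$2"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell on ports 22 and ${port} (local override)</description>
  <port protocol="tcp" port="22"/>
  <port protocol="tcp" port="${port}"/>
</service>
EOF
}

# Run as root: apply_ssh_port_change 12322. Keep this session open and log in via
# the new port from a second terminal; only then remove "Port 22" from both files.
apply_ssh_port_change() {
  port="${1:-12322}"
  add_ssh_port /etc/ssh/sshd_config "$port"
  sshd -t                                          # reject a broken config early
  write_ssh_service /etc/firewalld/services/ssh.xml "$port"
  firewall-cmd --reload
  systemctl restart sshd
  ss -tln | grep -qE ":${port} " || echo "WARNING: sshd is not listening on ${port}"
}
```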

Configure login attempt limits with faillock

Attempt limiting means that after too many wrong passwords, the account is locked for a period of time; during that period even the correct password will not log in. This prevents the login password from being brute-forced.

Note that this configuration is risky and can lock the administrator out. Until you have confirmed it is correct, do not close your window or log out. Instead, use a new window to test that you can still log in to the server normally, and that wrong passwords do lock the account.

Note that faillock is a module introduced in newer Linux versions; on older versions, login lockout relies on pam_tally. Before making changes, confirm what your server uses (for example, check whether the faillock command is available).

Edit the following two files directly; no service restart is needed, the changes take effect immediately.

vim /etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account required pam_faillock.so

vim /etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth required pam_faillock.so preauth audit silent even_deny_root deny=3 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth [default=die] pam_faillock.so authfail audit even_deny_root deny=3 unlock_time=900
auth sufficient pam_faillock.so authsucc audit even_deny_root deny=3 unlock_time=900
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

# Check the login lockout status
faillock

# Reset the login lockout
faillock --reset

Disable SSH login for regular accounts

  • Method 1:

Run passwd -l the_user on the command line

  • Method 2:

Some accounts are used only to deploy the server's own services and never need remote login. Disabling SSH login for these accounts further improves security.

  1. Edit the configuration file with vim /etc/ssh/sshd_config and add a new line at the end: DenyUsers the_user
  2. Then restart sshd: systemctl restart sshd

