(Service stage)
1. Edit sshd_config: change the listening port, set the login grace time (how long sshd waits for a password before the unauthenticated connection expires), refuse remote root login, refuse empty passwords, and, once key login works, disable password login. The directives are Port, LoginGraceTime, PermitRootLogin, PermitEmptyPasswords and PasswordAuthentication. Validate with `sshd -t` before restarting, and keep the current session open until a fresh login on the new port succeeds. On CentOS 7 a non-default port also needs SELinux and firewall changes (`semanage port -a -t ssh_port_t -p tcp 66`, from policycoreutils-python, and `firewall-cmd --permanent --add-port=66/tcp && firewall-cmd --reload`), otherwise sshd cannot bind the port or clients cannot reach it.
[root@zzp124 ~]# vim /etc/ssh/sshd_config
[root@zzp124 ~]# systemctl restart sshd.service
[root@zzp124 ~]# lsof -i :22 #nothing listens on 22 any more
[root@zzp124 ~]# lsof -i :66 #sshd now listens on 66; lsof prints the /etc/services name for port 66 (sql*net), not the daemon name
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 3476 root 3u IPv4 39248 0t0 TCP *:sql*net (LISTEN)
sshd 3476 root 4u IPv6 39250 0t0 TCP *:sql*net (LISTEN)
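To check these five directives without reading the file by eye, here is an added example (my own code, not part of the original notes): it parses an sshd_config the way sshd does (first value of a keyword wins, keywords are case-insensitive, anything after a Match line is conditional), reports what differs from the step-1 hardening, and writes a hardened copy. Port 66 is taken from the lsof output above; LoginGraceTime 30 and the SAMPLE config are assumptions constructed for the example.

```python
"""Audit an sshd_config against the step-1 hardening and emit a hardened copy.

Added example; not part of the original notes. It only edits text, so run it
on a copy, then `sshd -t -f <copy>` and install the result yourself.
"""
import re

# Directives from step 1 and the values this page's hardening expects.
# Port 66 comes from the lsof output above; LoginGraceTime 30 is an assumed value.
DESIRED = {
    "Port": "66",
    "LoginGraceTime": "30",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "PasswordAuthentication": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd_config.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def _directive(raw):
    """Return (keyword_lowercase, value) for an active line, else None."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    m = _DIRECTIVE.match(line)
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def parse_effective(text):
    """Effective global values: sshd uses the FIRST occurrence of a keyword.

    Parsing stops at the first Match block, because everything after it is
    conditional and must not be mistaken for a global setting.
    """
    effective = {}
    for raw in text.splitlines():
        d = _directive(raw)
        if d is None:
            continue
        key, value = d
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text, desired=DESIRED):
    """List every desired directive that is missing or has another value."""
    effective = parse_effective(text)
    findings = []
    for key, want in desired.items():
        have = effective.get(key.lower())
        if have is None:
            findings.append(f"{key}: not set, sshd default applies; want {want}")
        elif have.lower() != want.lower():
            findings.append(f"{key}: is {have}; want {want}")
    return findings


def harden(text, desired=DESIRED):
    """Rewrite the first active occurrence of each desired directive, comment
    out later duplicates (sshd ignores them anyway, but they mislead readers),
    and insert missing directives before the first Match block."""
    wanted = {k.lower(): f"{k} {v}" for k, v in desired.items()}
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        d = _directive(raw)
        if d is not None and match_at is None:
            key = d[0]
            if key == "match":
                match_at = len(out)          # index the Match line will occupy
            elif key in wanted:
                if key in seen:
                    out.append("#" + raw)    # shadowed duplicate
                    continue
                seen.add(key)
                out.append(wanted[key])
                continue
        out.append(raw)
    missing = [line for key, line in wanted.items() if key not in seen]
    if match_at is None:
        out.extend(missing)
    else:
        out[match_at:match_at] = missing     # globals must precede any Match
    return "\n".join(out) + "\n"


# Constructed sample: a stock-looking file with the weak CentOS defaults.
SAMPLE = """\
# sshd_config constructed for this example
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WEAK:", finding)
    print(harden(SAMPLE))
```

Run it on a copy of /etc/ssh/sshd_config and validate the output with `sshd -t -f <copy>` before replacing the real file. Set PasswordAuthentication no only after key login (item 4 in section 7) works from a second session, or you lock yourself out.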
2. Enable at boot
systemctl enable sshd #start sshd automatically at boot
3. The host's private key file (the server's identity; keep it root-owned with mode 0600 and never copy it off the machine; the matching .pub file is what clients pin in known_hosts)
[root@zzp124 ~]# head -3 /etc/ssh/ssh_host_rsa_key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAo3lCTvgoQXzO55VtFM5KhL6ylvfF8LIAldml144G7pnDm7oX
Myt55ScUbvZLKv6nYVkBnD+JqXhUyvZB/zUzKUA8hUMdq/48brRjXY0wwRgerfyM
4. Where login events are logged
[root@zzp124 ~]# head -3 /var/log/secure #the authpriv facility: every service that authenticates logs here, so the polkitd lines below are normal; use grep sshd /var/log/secure for ssh logins
Nov 9 00:00:21 localhost polkitd[700]: Loading rules from directory /etc/polkit-1/rules.d
Nov 9 00:00:21 localhost polkitd[700]: Loading rules from directory /usr/share/polkit-1/rules.d
Nov 9 00:00:22 localhost polkitd[700]: Finished loading, compiling and executing 8 rules
5. Set a login banner: point the Banner directive in sshd_config at a text file such as /etc/issue.net. It is shown before authentication, whereas /etc/motd is shown only after a successful login.
6. Control which remote hosts may reach this machine (TCP wrappers; each line is "daemon: client list", e.g. sshd: 192.168.1.0/24)
[root@zzp124 ~]# vim /etc/hosts.allow #allowed IPs; this file is consulted first and a match here wins, so an address listed in both files is allowed
[root@zzp124 ~]# vim /etc/hosts.deny #denied IPs (sshd: ALL here with the allow list above gives a whitelist)
This only works where sshd is linked against libwrap (CentOS 6 and 7); RHEL 8 and later dropped TCP wrappers entirely, so use firewall rules there.
7. Protecting the ssh service against brute force
The thing to watch is how many times one IP hits the service within a given window.
How the attacker works: ip + port + username + password ------> access; each item that can be guessed or scanned for cheaply makes the remaining ones easier.
How to defend:
1) Use complex passwords
e.g. company part + department part + personal part, so that no single leaked piece is enough
2) Move the port off 22 (this only removes the noise from mass scanners; a targeted attacker finds the new port with one scan, so it is not a security boundary on its own)
3) Deny root login (PermitRootLogin no) and give an ordinary user root rights through sudo, so the attacker also has to guess a username and every root action has an audit trail
4) Use key-based login (and then set PasswordAuthentication no, so passwords cannot be guessed at all)
1. Generate a key pair on the client (ssh-keygen with no options gives RSA 2048 here; prefer ssh-keygen -t ed25519 where both sides support it, and set a passphrase so a stolen private key is not immediately usable)
[root@zzp124 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:gDbZ6yf6716NYr4bwd/UcauiBzHDR0JYQWY8rnX2rIE root@zzp124.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| *B. |
| + .o+ . |
| = o o + . .|
| . . + B + . o.|
| . S O + .. |
| . . E * o. |
| o = =.=. |
| . = +.o. |
| ...+B+. |
+----[SHA256]-----+
[root@zzp124 ~]#
2. Key files
[root@zzp124 ~]# ls /root/.ssh/
id_rsa id_rsa.pub known_hosts #id_rsa is the private key (mode 0600, never leaves this host); id_rsa.pub is the public key; known_hosts pins the host keys of servers already visited
[root@zzp124 ~]#
3. Send the public key to the server. ssh-copy-id appends it to ~/.ssh/authorized_keys for the target user (creating ~/.ssh if needed). The first connection shows the server's host-key fingerprint: compare it with the fingerprint taken on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before answering yes, otherwise a man-in-the-middle could capture the password typed next.
[root@zzp124 ~]# ssh-copy-id 192.168.1.122
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.122 (192.168.1.122)' can't be established.
ECDSA key fingerprint is SHA256:tnotguaisxbbvdHKiRU+VGV4+4abyPqUToiVbYWu/G8.
ECDSA key fingerprint is MD5:35:11:93:2f:bb:fd:b4:9d:db:4c:6d:13:f2:48:a1:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.122's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.1.122'"
and check to make sure that only the key(s) you wanted were added.
[root@zzp124 ~]# ssh 192.168.1.122 #no password prompt any more; only once this works should PasswordAuthentication be set to no on the server
Last login: Thu Nov 17 22:07:20 2022
[root@zzp122 ~]#
5) Use the fail2ban tool
fail2ban tails the system log /var/log/secure, matches failed-login lines with a regex (the filter), and when one IP fails too often within a time window it calls the firewall to block that IP and optionally sends a mail.
I. Installing fail2ban on CentOS 7
1. Install the EPEL repository (fail2ban is not in the base repos)
[root@zzp124 ~]# yum install epel-release -y
[root@zzp124 ~]# ls /etc/yum.repos.d/
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo epel-testing.repo
CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo epel.repo rehat.repo
[root@zzp124 ~]#
2. Install fail2ban
[root@zzp124 ~]# yum install -y fail2ban
3. Configure fail2ban. The jail below was appended at the end of jail.conf, after the stock [traefik-auth] entry, which is why that entry's last lines appear first in the editor. fail2ban's own documentation says not to edit jail.conf (yum overwrites it on upgrade); put the same block in /etc/fail2ban/jail.local, which is read after jail.conf and overrides it. Two things to check before enabling it: port=ssh in the iptables action resolves to 22 via /etc/services, so with sshd moved to 66 in step 1 it must be port=66 or the ban rule will not cover the real port; and sendmail-whois needs a working sendmail plus the whois command, so drop that line if they are not installed. The continuation line of a multi-line action must be indented.
[root@zzp124 ~]# vim /etc/fail2ban/jail.conf
# see `filter.d/traefik-auth.conf` for details and service example.
port = http,https
logpath = /var/log/traefik/access.log
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH,port=ssh,protocol=tcp]
         sendmail-whois[name=SSH,dest=root,sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 3600
Parameter reference:
[DEFAULT] #global settings, inherited by every jail
ignoreip = 127.0.0.1/8 #IPs or networks that are never banned whatever they do (add your own management hosts here)
bantime = 600 #how long a ban lasts, in seconds
findtime = 500 #window, in seconds, within which maxretry failures trigger a ban
maxretry = 3 #failures allowed inside findtime
backend = auto #how log files are watched (auto picks pyinotify, gamin or polling, whichever is available)
[ssh-iptables]
#per-jail settings; where bantime, findtime or maxretry are set both here and in [DEFAULT], the jail's values win
enabled = false #whether this jail is active (true/false); change it to true
filter = sshd #name of the filter, i.e. filter.d/sshd.conf, which holds the failregex patterns matched against the log
action = iptables[name=SSH, port=ssh, protocol=tcp] #what to do on a ban; the parameters go to action.d/iptables.conf
         sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] #mail recipient for ban notifications
logpath = /var/log/secure #the log file to watch; this must be the file sshd actually logs to (the stock example lists logpath = /var/log/sshd.log, which does not exist on CentOS)
#3 failed password attempts within 5 minutes bans the client IP for 1 hour:
bantime = 3600 #ban the client IP for 1 hour
findtime = 300 #count failures over a 5-minute window
maxretry = 3 #3 failed authentications
4. Restart fail2ban and enable it at boot
[root@zzp124 ~]# systemctl restart fail2ban.service
[root@zzp124 ~]# systemctl enable fail2ban.service
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
5. Test: after three failed logins from a client, the jail reports it as banned. The banned address here is the lab host from the key-copy step, so lift the ban when done with fail2ban-client set ssh-iptables unbanip 192.168.1.122 (and note that if firewalld is in use, a firewall-cmd --reload discards the chain fail2ban inserted directly with iptables, so restart fail2ban afterwards or use the firewallcmd-* actions).
[root@zzp124 yum.repos.d]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
[root@zzp124 yum.repos.d]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.122
[root@zzp124 yum.repos.d]#
II. Installing fail2ban on CentOS 6 (built from source here)
1. Download the tarball from the project site
Site: www.fail2ban.org/
2. Upload the tarball and unpack it
[root@zzp ~]# tar -xvf fail2ban-0.9.4.tar.gz
[root@zzp ~]# ls
Centos_repo.back fail2ban-0.9.4 fail2ban-0.9.4.tar.gz
3. Install fail2ban (setup.py install puts the fail2ban package, the fail2ban-client and fail2ban-server commands and the /etc/fail2ban configuration tree in place)
[root@zzp fail2ban-0.9.4]# ls
bin DEVELOP fail2ban-testcases-all-python3 MANIFEST setup.cfg
ChangeLog doc files MANIFEST.in setup.py
config fail2ban FILTERS README.md THANKS
CONTRIBUTING.md fail2ban-2to3 kill-server README.Solaris TODO
COPYING fail2ban-testcases-all man RELEASE Vagrantfile
[root@zzp fail2ban-0.9.4]# python setup.py install #install (the 0.9 series runs on the Python 2.6 shipped with CentOS 6)
running install
running build
running build_py
Main configuration files
[root@zzp fail2ban-0.9.4]# ll /etc/fail2ban/
total 68
drwxr-xr-x. 2 root root 4096 Nov 18 10:11 action.d #actions: how to block (iptables etc.) and how to notify (mail); referenced by jails
-rw-rw-r--. 1 root root 2328 Mar 8 2016 fail2ban.conf #the daemon's own settings: log level, log target, socket and pid file locations
drwxr-xr-x. 2 root root 4096 Nov 18 10:11 fail2ban.d #drop-in overrides for fail2ban.conf
drwxr-xr-x. 3 root root 4096 Nov 18 10:11 filter.d #filters: the failregex patterns matched against each log
-rw-rw-r--. 1 root root 20839 Mar 8 2016 jail.conf #jail definitions, the main file: which log, which filter, which action, and the thresholds; over the threshold means banned
drwxr-xr-x. 2 root root 4096 Nov 18 10:11 jail.d #drop-in jail overrides
-rw-rw-r--. 1 root root 2361 Mar 8 2016 paths-common.conf #log path variables (sshd_log etc.) shared by all platforms
-rw-rw-r--. 1 root root 642 Mar 8 2016 paths-debian.conf
-rw-rw-r--. 1 root root 1059 Mar 8 2016 paths-fedora.conf
-rw-rw-r--. 1 root root 1174 Mar 8 2016 paths-freebsd.conf
-rw-rw-r--. 1 root root 659 Mar 8 2016 paths-opensuse.conf
-rw-rw-r--. 1 root root 290 Mar 8 2016 paths-osx.conf
4. Edit the jail file (the same block as on CentOS 7; the same caveats apply: prefer jail.local, indent the continuation line of the action, and change port=ssh if sshd does not listen on 22 on this host)
[root@zzp fail2ban]# vim /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH,port=ssh,protocol=tcp]
         sendmail-whois[name=SSH,dest=root,sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 3600
5. Add the init script
[root@zzp ~]# cd /root/fail2ban-0.9.4 #back into the unpacked source tree
[root@zzp fail2ban-0.9.4]# ls
bin COPYING fail2ban-testcases-all man RELEASE Vagrantfile
build DEVELOP fail2ban-testcases-all-python3 MANIFEST setup.cfg
ChangeLog doc files MANIFEST.in setup.py
config fail2ban FILTERS README.md THANKS
CONTRIBUTING.md fail2ban-2to3 kill-server README.Solaris TODO
[root@zzp fail2ban-0.9.4]# cp files/redhat-initd /etc/init.d/fail2ban #add the SysV init script; chkconfig --add fail2ban && chkconfig fail2ban on then starts it at boot
6. Restart iptables, then restart fail2ban. The order matters: restarting iptables flushes every rule, including the chain fail2ban inserted, so fail2ban has to be restarted afterwards to recreate it.
[root@zzp ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@zzp ~]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
7. Test: check that the bans are in place
[root@zzp ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
[root@zzp ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 0
| |- Total failed: 7
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 192.168.1.124 192.168.224.7