Installing SSH on Fedora and recommended configuration
Make sure openssh is already installed on your server.
An SSH server must be installed; if it is not, run the following commands:
yum install openssh-server
/etc/init.d/sshd start
Overview
Most of the configuration below lives in /etc/ssh/sshd_config; address-based access control is configured in /etc/hosts.allow and /etc/hosts.deny.
Steps
The following steps are all applied on the SSH server; they are a sensible way of blocking malicious attacks.
1. Change the default port;
2. Disable the insecure protocol 1 and allow only protocol 2;
3. Disable root login;
4. Reduce the number of failed login attempts;
5. Reduce the number of simultaneous logins;
6. Reduce the time allowed for a login;
7. Install DenyHosts;
8. Allow only certain users or groups to log in;
9. Allow only certain IPs to connect;
10. Allow only key-based login;
11. Bind the SSH server to one network interface.
Details
1: A large share of attacks come from zombie machines probing port 22. Changing the default port reduces these attacks. Edit /etc/ssh/sshd_config and change Port 22 to Port 2222:
#Port 22
Port 2222
2: SSH has two protocol versions; protocol 1 is insecure and protocol 2 is more secure, so edit /etc/ssh/sshd_config to allow only protocol 2:
#Protocol 2,1
Protocol 2
3: There is no reason for anyone to log in as root, so disable it; log in as a normal user and then use su to gain root privileges. Edit sshd_config:
#PermitRootLogin yes
PermitRootLogin no
If you need remote backups that require root to log in remotely, you can allow root only with an ssh key, so that no password is ever entered. Do the following:
PermitRootLogin forced-commands-only
4: Reduce the number of failed login attempts from the default of 6 to 2; edit sshd_config
AllowGroups sshusers
9: Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY for the allow list to be effective. Edit /etc/hosts.deny and add the following line:
sshd: ALL
Next add to /etc/hosts.allow the networks you wish to allow. For example, to allow all 253 hosts on the class C network "192.168.1.*", all 16 million hosts on the class A network "10.0.0.0", and the lonely IP 24.42.69.101, you would add the following to /etc/hosts.allow:
sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101
You may also allow/deny connections via a firewall, but to maintain sanity it is best to stick to one method or the other.
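The "deny first, then allow" rule above is easy to get backwards, because the TCP wrappers library consults hosts.allow first, then hosts.deny, and allows anything that matches neither file. The following added example (not from the original page) re-implements that evaluation order for the sshd rules shown above so the effect of omitting `sshd: ALL` from hosts.deny can be seen on constructed inputs. It handles the IPv4 client forms used on this page (ALL, net/mask, a single address, and the trailing-dot prefix form such as `192.168.1.`); IPv6 and hostname patterns are out of scope.

```python
"""Evaluate hosts.allow / hosts.deny rules for sshd the way tcpd does.

Added example, not part of the original page.  Rule texts below are
constructed from the page's own example and are not from a real host.
IPv4 only: patterns are split on ':' so IPv6 literals are not supported.
"""
import ipaddress

# Constructed: the exact allow list from the page.
HOSTS_ALLOW = """\
sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101
"""

# Constructed: the default-deny line the page says must come first.
HOSTS_DENY = "sshd: ALL\n"


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] from a wrappers file.

    A line is 'daemon_list : client_list [: option]'; comments and blank
    lines are skipped, and list items may be comma- or space-separated.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    """Match one client pattern against an IPv4Address."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                       # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                # tcpd prefix form, e.g. 192.168.1.
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def _rule_matches(rule, daemon, ip):
    daemons, clients = rule
    daemon_ok = any(d.upper() == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(_client_matches(c, ip) for c in clients)


def is_allowed(daemon, client_ip, allow_text, deny_text):
    """tcpd order: a hosts.allow match wins, then a hosts.deny match
    refuses, and a client matching neither file is ALLOWED."""
    ip = ipaddress.ip_address(client_ip)
    if any(_rule_matches(r, daemon, ip) for r in parse_access_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, ip) for r in parse_access_file(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for addr in ("192.168.1.77", "10.200.3.4", "24.42.69.101", "24.42.69.102"):
        with_deny = is_allowed("sshd", addr, HOSTS_ALLOW, HOSTS_DENY)
        without_deny = is_allowed("sshd", addr, HOSTS_ALLOW, "")
        print(f"{addr:15s} deny-first: {with_deny!s:5s}  no hosts.deny: {without_deny}")
```

With the deny line in place, 24.42.69.102 is refused; with hosts.deny empty the same address is accepted, because the allow list never turns into a restriction on its own. Note also that `sshd: ALL` only covers sshd, so other wrapped daemons keep their default-allow behaviour unless listed too.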
10: To remove the possibility of anybody ever guessing a user's password, disable password authentication completely and require public/private key pairs instead. While much more secure than passwords, a user's private key can still be compromised, especially if it is not protected by a passphrase. To disable password logins, add the following to sshd_config:
PasswordAuthentication no
11: By default, the ssh server listens for connections on ALL interfaces (0.0.0.0). If an ssh server is only to be accessible internally, bind it to a LAN IP. For example, edit sshd_config:
ListenAddress 192.168.1.10
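Most of the items above are single directives in sshd_config, and the usual way they fail is not a typo but an ordering mistake: sshd takes the first value it finds for each keyword (Port and ListenAddress excepted, which accumulate), so a hardening line appended below an earlier default is silently ignored. The following added example (not from the original page or the OpenSSH project) parses the global section of an sshd_config text with those rules and checks it against items 1, 2, 3, 4, 8, 10 and 11. The two config texts are constructed samples, and the MaxAuthTries directive is an assumption for item 4, which the page describes but does not name.

```python
"""Audit the global section of an sshd_config against the hardening items above.

Added example, not from the original page.  The config texts below are
constructed samples and are not copied from any real host.
"""
import re

# Constructed sample: an admin appended hardening lines at the bottom of a
# default-style file but left the original directives in place above them.
SAMPLE_CONFIG = """\
# default-style sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ListenAddress 0.0.0.0
MaxAuthTries 6

# --- hardening appended later ---
Port 2222
PasswordAuthentication no
AllowGroups sshusers
"""

# Constructed sample of a file that applies every item consistently.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
MaxAuthTries 2
AllowGroups sshusers
PasswordAuthentication no
ListenAddress 192.168.1.10
"""

# Port and ListenAddress may be repeated (sshd listens on each of them);
# every other keyword takes its FIRST occurrence and later ones are ignored.
MULTI_VALUED = {"port", "listenaddress"}


def parse_sshd_config(text):
    """Return {keyword_lower: value or [values]} for the global section.

    Parsing stops at the first Match block, whose directives apply only
    conditionally and would need per-client evaluation.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in MULTI_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)   # first occurrence wins
    return settings


def _host_part(listen_address):
    """Strip an optional :port from a ListenAddress value (IPv4 or [IPv6])."""
    if listen_address.startswith("["):
        return listen_address[1:listen_address.index("]")]
    if listen_address.count(":") == 1:       # IPv4 host:port
        return listen_address.rsplit(":", 1)[0]
    return listen_address


def audit(settings):
    """Map each hardening item to (ok, detail).  An absent directive counts
    as not hardened, so a default-looking file fails every check."""
    ports = settings.get("port", ["22"])
    proto = settings.get("protocol", "")
    root = settings.get("permitrootlogin", "").lower()
    tries = settings.get("maxauthtries", "")   # assumed directive for item 4
    restrict = "allowgroups" in settings or "allowusers" in settings
    pw = settings.get("passwordauthentication", "").lower()
    addrs = settings.get("listenaddress", ["0.0.0.0"])
    return {
        "1 change default port": ("22" not in ports, "Port " + ",".join(ports)),
        "2 protocol 2 only": (proto.replace(" ", "") == "2", "Protocol " + proto),
        "3 no root login": (root in ("no", "forced-commands-only"), "PermitRootLogin " + root),
        "4 few login attempts": (tries.isdigit() and int(tries) <= 2, "MaxAuthTries " + tries),
        "8 restrict users/groups": (restrict, "AllowGroups/AllowUsers " + ("present" if restrict else "absent")),
        "10 keys only": (pw == "no", "PasswordAuthentication " + pw),
        "11 bind to one interface": (all(_host_part(a) not in ("0.0.0.0", "::") for a in addrs),
                                     "ListenAddress " + ",".join(addrs)),
    }


def report(text):
    """Print one verdict line per item and return how many items passed."""
    findings = audit(parse_sshd_config(text))
    for item, (ok, detail) in findings.items():
        print(f"[{'OK ' if ok else 'BAD'}] {item:26s} {detail}")
    return sum(ok for ok, _ in findings.values())


if __name__ == "__main__":
    report(SAMPLE_CONFIG)     # 1 of 7: the appended lines did not take effect
    report(HARDENED_CONFIG)   # 7 of 7
```

Run against the first sample, only item 8 passes: the appended `PasswordAuthentication no` loses to the earlier `yes`, and the appended `Port 2222` adds a second listening port rather than replacing 22. Running `sshd -t` before the restart in the Troubleshooting section catches syntax errors but not this kind of ordering problem, which is why an explicit check of the effective values is worthwhile.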
Troubleshooting
How to test
1: If your changes don't seem to be working, remember to restart the sshd server, but DO NOT CLOSE THE ACTIVE SSH CONNECTION in case something goes wrong; attempt to make a new connection first, and undo any changes if necessary, or you may find that you've remotely locked yourself out of the system.
/etc/init.d/sshd restart