码迷,mamicode.com
首页 > 其他好文 > 详细

sshd安全性能优化

时间:2016-09-13 20:56:10      阅读:256      评论:0      收藏:0      [点我收藏+]

标签:

  • sshd服务是远程登录服务,默认端口为22,对于其优化一是为了增加服务器的安全,避免暴力破解;二是为了加快速度连接,减少不必要的带宽的浪费。
     
  • sshd服务的配置文件为/etc/ssh/sshd_config,内容默认如下:
  1. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
  3. # This is the sshd server system-wide configuration file.  See
  4. # sshd_config(5) for more information.
  6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
  8. # The strategy used for options in the default sshd_config shipped with
  9. # OpenSSH is to specify options with their default value where
  10. # possible, but leave them commented.  Uncommented options change a
  11. # default value.
  13. #Port 22    修改一下默认端口,增强安全性。比如6688等。
  14. #AddressFamily any
  15. #ListenAddress 0.0.0.0    修改一下监听端口,默认是监听所有的IP,这样安全性不是很高,我们可以让它监听内网的Ip,这样即使有人知道系统用户的密码也无法连接进来。
  16. #ListenAddress ::
  18. # Disable legacy (protocol version 1) support in the server for new
  19. # installations. In future the default will change to require explicit
  20. # activation of protocol 1
  21. Protocol 2
  23. # HostKey for protocol version 1
  24. #HostKey /etc/ssh/ssh_host_key
  25. # HostKeys for protocol version 2
  26. #HostKey /etc/ssh/ssh_host_rsa_key
  27. #HostKey /etc/ssh/ssh_host_dsa_key
  29. # Lifetime and size of ephemeral version 1 server key
  30. #KeyRegenerationInterval 1h
  31. #ServerKeyBits 1024
  33. # Logging
  34. # obsoletes QuietMode and FascistLogging
  35. #SyslogFacility AUTH
  36. SyslogFacility AUTHPRIV
  37. #LogLevel INFO
  39. # Authentication:
  41. #LoginGraceTime 2m
  42. #PermitRootLogin yes    将其改为no,不让root用户远程登录。
  43. #StrictModes yes
  44. #MaxAuthTries 6
  45. #MaxSessions 10
  47. #RSAAuthentication yes
  48. #PubkeyAuthentication yes
  49. #AuthorizedKeysFile     .ssh/authorized_keys
  50. #AuthorizedKeysCommand none
  51. #AuthorizedKeysCommandRunAs nobody
  53. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  54. #RhostsRSAAuthentication no
  55. # similar for protocol version 2
  56. #HostbasedAuthentication no
  57. # Change to yes if you don‘t trust ~/.ssh/known_hosts for
  58. # RhostsRSAAuthentication and HostbasedAuthentication
  59. #IgnoreUserKnownHosts no
  60. # Don‘t read the user‘s ~/.rhosts and ~/.shosts files
  61. #IgnoreRhosts yes
  63. # To disable tunneled clear text passwords, change to no here!
  64. #PasswordAuthentication yes
  65. #PermitEmptyPasswords no
  66. PasswordAuthentication yes
  68. # Change to no to disable s/key passwords
  69. #ChallengeResponseAuthentication yes
  70. ChallengeResponseAuthentication no
  72. # Kerberos options
  73. #KerberosAuthentication no
  74. #KerberosOrLocalPasswd yes
  75. #KerberosTicketCleanup yes
  76. #KerberosGetAFSToken no
  77. #KerberosUseKuserok yes
  79. # GSSAPI options
  80. #GSSAPIAuthentication no
  81. GSSAPIAuthentication yes   将这个值改为no ,加快连接速度。
  82. #GSSAPICleanupCredentials yes
  83. GSSAPICleanupCredentials yes
  84. #GSSAPIStrictAcceptorCheck yes
  85. #GSSAPIKeyExchange no
  87. # Set this to ‘yes‘ to enable PAM authentication, account processing,
  88. # and session processing. If this is enabled, PAM authentication will
  89. # be allowed through the ChallengeResponseAuthentication and
  90. # PasswordAuthentication.  Depending on your PAM configuration,
  91. # PAM authentication via ChallengeResponseAuthentication may bypass
  92. # the setting of "PermitRootLogin without-password".
  93. # If you just want the PAM account and session checks to run without
  94. # PAM authentication, then enable this but set PasswordAuthentication
  95. # and ChallengeResponseAuthentication to ‘no‘.
  96. #UsePAM no
  97. UsePAM yes
  99. # Accept locale-related environment variables
  100. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  101. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  102. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  103. AcceptEnv XMODIFIERS
  105. #AllowAgentForwarding yes
  106. #AllowTcpForwarding yes
  107. #GatewayPorts no
  108. #X11Forwarding no
  109. X11Forwarding yes
  110. #X11DisplayOffset 10
  111. #X11UseLocalhost yes
  112. #PrintMotd yes
  113. #PrintLastLog yes
  114. #TCPKeepAlive yes
  115. #UseLogin no
  116. #UsePrivilegeSeparation yes
  117. #PermitUserEnvironment no
  118. #Compression delayed
  119. #ClientAliveInterval 0
  120. #ClientAliveCountMax 3
  121. #ShowPatchLevel no  
  122. #UseDNS yes                 将yes改为no,不适用dns,我们本来就是用ip访问的。
  123. #PidFile /var/run/sshd.pid
  124. #MaxStartups 10:30:100
  125. #PermitTunnel no
  126. #ChrootDirectory none
  128. # no default banner path
  129. #Banner none
  131. # override default of no subsystems
  132. Subsystem       sftp    /usr/libexec/openssh/sftp-server
  134. # Example of overriding settings on a per-user basis
  135. #Match User anoncvs
  136. #       X11Forwarding no
  137. #       AllowTcpForwarding no
  138. #       ForceCommand cvs server
 
总结:修改5个地方
1,默认端口           Port 52113
2,不使用dns解析  UseDNS no
3,不让root用户直接登录  PermitRootlogin no 
4,GSSAPI验证改为no GSSAPIAuthentication no
5, 监听端口ip 改为内网的Ip。

sshd安全性能优化

标签:

原文地址:http://www.cnblogs.com/lin1/p/5869659.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!