首页 > 代码库 > sshd安全性能优化

sshd安全性能优化

2024-08-13 06:24:57   223人阅读

  • sshd服务是远程登录服务,默认端口为22,对于其优化一是为了增加服务器的安全,避免暴力破解;二是为了加快速度连接,减少不必要的带宽的浪费。
     
  • sshd服务的配置文件为/etc/ssh/sshd_config,内容默认如下:
  1. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
  3. # This is the sshd server system-wide configuration file.  See
  4. # sshd_config(5) for more information.
  6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
  8. # The strategy used for options in the default sshd_config shipped with
  9. # OpenSSH is to specify options with their default value where
  10. # possible, but leave them commented.  Uncommented options change a
  11. # default value.
  13. #Port 22    修改一下默认端口,增强安全性。比如6688等。
  14. #AddressFamily any
  15. #ListenAddress 0.0.0.0    修改一下监听端口,默认是监听所有的IP,这样安全性不是很高,我们可以让它监听内网的Ip,这样即使有人知道系统用户的密码也无法连接进来。
  16. #ListenAddress ::
  18. # Disable legacy (protocol version 1) support in the server for new
  19. # installations. In future the default will change to require explicit
  20. # activation of protocol 1
  21. Protocol 2
  23. # HostKey for protocol version 1
  24. #HostKey /etc/ssh/ssh_host_key
  25. # HostKeys for protocol version 2
  26. #HostKey /etc/ssh/ssh_host_rsa_key
  27. #HostKey /etc/ssh/ssh_host_dsa_key
  29. # Lifetime and size of ephemeral version 1 server key
  30. #KeyRegenerationInterval 1h
  31. #ServerKeyBits 1024
  33. # Logging
  34. # obsoletes QuietMode and FascistLogging
  35. #SyslogFacility AUTH
  36. SyslogFacility AUTHPRIV
  37. #LogLevel INFO
  39. # Authentication:
  41. #LoginGraceTime 2m
  42. #PermitRootLogin yes    将其改为no,不让root用户远程登录。
  43. #StrictModes yes
  44. #MaxAuthTries 6
  45. #MaxSessions 10
  47. #RSAAuthentication yes
  48. #PubkeyAuthentication yes
  49. #AuthorizedKeysFile     .ssh/authorized_keys
  50. #AuthorizedKeysCommand none
  51. #AuthorizedKeysCommandRunAs nobody
  53. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  54. #RhostsRSAAuthentication no
  55. # similar for protocol version 2
  56. #HostbasedAuthentication no
  57. # Change to yes if you don‘t trust ~/.ssh/known_hosts for
  58. # RhostsRSAAuthentication and HostbasedAuthentication
  59. #IgnoreUserKnownHosts no
  60. # Don‘t read the user‘s ~/.rhosts and ~/.shosts files
  61. #IgnoreRhosts yes
  63. # To disable tunneled clear text passwords, change to no here!
  64. #PasswordAuthentication yes
  65. #PermitEmptyPasswords no
  66. PasswordAuthentication yes
  68. # Change to no to disable s/key passwords
  69. #ChallengeResponseAuthentication yes
  70. ChallengeResponseAuthentication no
  72. # Kerberos options
  73. #KerberosAuthentication no
  74. #KerberosOrLocalPasswd yes
  75. #KerberosTicketCleanup yes
  76. #KerberosGetAFSToken no
  77. #KerberosUseKuserok yes
  79. # GSSAPI options
  80. #GSSAPIAuthentication no
  81. GSSAPIAuthentication yes   将这个值改为no ,加快连接速度。
  82. #GSSAPICleanupCredentials yes
  83. GSSAPICleanupCredentials yes
  84. #GSSAPIStrictAcceptorCheck yes
  85. #GSSAPIKeyExchange no
  87. # Set this to ‘yes‘ to enable PAM authentication, account processing,
  88. # and session processing. If this is enabled, PAM authentication will
  89. # be allowed through the ChallengeResponseAuthentication and
  90. # PasswordAuthentication.  Depending on your PAM configuration,
  91. # PAM authentication via ChallengeResponseAuthentication may bypass
  92. # the setting of "PermitRootLogin without-password".
  93. # If you just want the PAM account and session checks to run without
  94. # PAM authentication, then enable this but set PasswordAuthentication
  95. # and ChallengeResponseAuthentication to ‘no‘.
  96. #UsePAM no
  97. UsePAM yes
  99. # Accept locale-related environment variables
  100. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  101. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  102. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  103. AcceptEnv XMODIFIERS
  105. #AllowAgentForwarding yes
  106. #AllowTcpForwarding yes
  107. #GatewayPorts no
  108. #X11Forwarding no
  109. X11Forwarding yes
  110. #X11DisplayOffset 10
  111. #X11UseLocalhost yes
  112. #PrintMotd yes
  113. #PrintLastLog yes
  114. #TCPKeepAlive yes
  115. #UseLogin no
  116. #UsePrivilegeSeparation yes
  117. #PermitUserEnvironment no
  118. #Compression delayed
  119. #ClientAliveInterval 0
  120. #ClientAliveCountMax 3
  121. #ShowPatchLevel no  
  122. #UseDNS yes                 将yes改为no,不适用dns,我们本来就是用ip访问的。
  123. #PidFile /var/run/sshd.pid
  124. #MaxStartups 10:30:100
  125. #PermitTunnel no
  126. #ChrootDirectory none
  128. # no default banner path
  129. #Banner none
  131. # override default of no subsystems
  132. Subsystem       sftp    /usr/libexec/openssh/sftp-server
  134. # Example of overriding settings on a per-user basis
  135. #Match User anoncvs
  136. #       X11Forwarding no
  137. #       AllowTcpForwarding no
  138. #       ForceCommand cvs server
 
总结:修改5个地方
1,默认端口           Port 52113
2,不使用dns解析  UseDNS no
3,不让root用户直接登录  PermitRootlogin no 
4,GSSAPI验证改为no GSSAPIAuthentication no
5, 监听端口ip 改为内网的Ip。

sshd安全性能优化


联系
我们