
Server security guidelines, server guidelines

SSH login authentication: public key plus Google Authenticator

Server-side configuration file (sshd_config)

Port 3208
Protocol 2
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
# Whether to destroy the user's cached credentials automatically after logout
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
UseDNS no
ClientAliveInterval 60
Subsystem       sftp    /usr/libexec/openssh/sftp-server
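
As an added example (not part of the original tutorial), the following POSIX shell helper reads an sshd_config and reports any of the hardening directives above whose effective value differs from the server-side file shown. The expected-values list and the file path are assumptions; sshd honours the first uncommented occurrence of a keyword, so the helper does the same, and Match blocks are deliberately not interpreted.

```shell
#!/bin/sh
# Added audit helper, not code from the tutorial. It reads an sshd_config
# and reports hardening directives whose effective value differs from the
# tutorial's server-side file. Assumes a Linux userland with awk.

# Directives we expect, one "Keyword value" pair per line (assumed list;
# PasswordAuthentication and ChallengeResponseAuthentication are left out
# because the Google Authenticator step later changes them).
EXPECTED_DIRECTIVES='Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
GSSAPIAuthentication no
X11Forwarding no
UseDNS no'

# get_directive FILE KEYWORD
#   Prints the effective value of KEYWORD. sshd uses the FIRST uncommented
#   occurrence of a keyword, so later duplicates are ignored here as well.
#   Keywords are case-insensitive. Match blocks are not interpreted.
get_directive() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && NF >= 2 && !seen && tolower($1) == tolower(key) {
            print $2; seen = 1
        }' "$1"
}

# audit_sshd_config FILE
#   Prints one line per deviation from EXPECTED_DIRECTIVES.
#   Returns 0 when the file matches, 1 when anything deviates.
audit_sshd_config() {
    file=$1
    rc=0
    # A here-document keeps the loop in the current shell so rc survives it
    # (a pipe into "while" would run the loop in a subshell).
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(get_directive "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' \
                "$file" "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED_DIRECTIVES
EOF
    return $rc
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against /etc/ssh/sshd_config after editing and again after any package upgrade; a non-zero exit means a directive drifted from the baseline.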


Client-side configuration file (also an sshd_config, for the client machine's own sshd)

Port 3208
Protocol 2
ListenAddress ip
SyslogFacility AUTHPRIV
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
UseDNS no
ClientAliveInterval 60
Subsystem       sftp    /usr/libexec/openssh/sftp-server


1. Generate the public and private key pair

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/client/.ssh/id_rsa): # just press Enter here
Created directory '/home/client/.ssh'.
Enter passphrase (empty for no passphrase): # just press Enter here
Enter same passphrase again: # just press Enter here
Your identification has been saved in /home/client/.ssh/id_rsa.
Your public key has been saved in /home/client/.ssh/id_rsa.pub.


2. Append the public key file to ~/.ssh/authorized_keys in the user's home directory on the server; the .ssh directory's permissions must be 0700
cat id_rsa.pub >> authorized_keys
chmod 600 authorized_keys


3. Passwordless login between the server and the client

scp ./id_rsa.pub sweet@<server-address>:/home/sweet/.ssh/authorized_keys
# Note: the permissions on the target machine's authorized_keys should be -rw-r--r--; if they are not, run chmod 644 authorized_keys to change them
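
Steps 2 and 3 above install the key by hand, and the scp form replaces whatever authorized_keys already holds on the target. As an added example (not the tutorial's own code), the shell function below does the same installation on the target account idempotently: it creates ~/.ssh with mode 0700, appends the key only if it is not already present, and leaves authorized_keys at 0600. sshd with the default StrictModes ignores the file when .ssh or authorized_keys is writable by group or others, which is why both 0600 (step 2) and 0644 (the note in step 3) work. The home directory and key file paths are parameters; the sample key in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the tutorial: install an OpenSSH public key into
# HOME_DIR/.ssh/authorized_keys with the permissions sshd requires, without
# duplicating an entry that is already there. Assumes a Linux userland.

# install_authorized_key HOME_DIR PUBKEY_FILE
#   Prints "added" or "already present" and returns 0; returns 1 when the
#   file does not look like a single-line OpenSSH public key.
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only the key types we expect; anything else is rejected.
    key=$(head -n 1 "$pubkey_file" 2>/dev/null)
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # .ssh must be 0700 and authorized_keys must not be writable by others,
    # or sshd (StrictModes yes, the default) silently ignores the key.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare on key type and base64 blob only, so a different trailing
    # comment ("user@host") does not produce a duplicate entry.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
    echo "added"
}

# file_mode PATH -> octal permission bits, e.g. 700 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on the server, as the target user:
#   install_authorized_key "$HOME" /tmp/id_rsa.pub
```

Copy the .pub file to the server with scp into a scratch location (not directly onto authorized_keys) and run the function there; running it twice is harmless.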


Google Authenticator

Installing the Google Authenticator PAM module
1. Install the EPEL repository
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
2. Install git and the QR-code tool
yum install -y git qrencode
3. Install the development tool packages
yum groupinstall -y "Development Tools" pam-devel
4. Install google-authenticator
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
sh bootstrap.sh
./configure && make && make install
cp -v /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
5. Generate a counter-based authentication token (so clock errors can be ignored)
google-authenticator   # answer the prompts n, y, y, y in that order
6. Change the SSH and PAM settings
## Edit PAM
vi /etc/pam.d/sshd
auth required pam_google_authenticator.so
## Edit the SSH configuration (/etc/ssh/sshd_config)
ChallengeResponseAuthentication yes
UsePAM yes
service sshd restart
This switches SSH's authentication method to keyboard-interactive.
Note: write down the emergency scratch codes at this point so that you cannot be locked out if verification breaks; you can also download the SSH public key to keep as a backup login method.
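
The note above is the important one: once `service sshd restart` runs with a misconfigured PAM stack, nobody can log in. As an added example (not part of the tutorial), the following shell pre-flight check verifies, before the restart, everything step 6 depends on: the auth line in the PAM file, the module file on disk, the two sshd_config directives, and that the account's ~/.google_authenticator exists and still contains emergency scratch codes. All paths are parameters so it can be run against copies; in production pass /etc/pam.d/sshd, /etc/ssh/sshd_config, /lib64/security/pam_google_authenticator.so and the user's home directory. The layout of ~/.google_authenticator assumed here is the one the tool writes: the secret on the first line, option lines beginning with a double quote, then one 8-digit scratch code per line.

```shell
#!/bin/sh
# Added pre-flight check, not code from the tutorial. Run it before
# restarting sshd after enabling pam_google_authenticator, so a typo in
# PAM or sshd_config cannot lock every account out.

# effective_value FILE KEYWORD -> first uncommented value (sshd uses the first)
effective_value() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && NF >= 2 && !seen && tolower($1) == tolower(key) {
            print $2; seen = 1
        }' "$1"
}

# mfa_preflight PAM_FILE SSHD_CONFIG MODULE_PATH HOME_DIR
#   Prints one line per failed check; returns 1 if any check failed.
mfa_preflight() {
    pam_file=$1; sshd_cfg=$2; module=$3; home_dir=$4
    rc=0

    # The PAM line step 6 adds to /etc/pam.d/sshd.
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file" \
        || { echo "PAM: auth line missing in $pam_file"; rc=1; }

    # A "required" module that PAM cannot load fails closed: nobody logs in.
    [ -f "$module" ] \
        || { echo "PAM: module $module not found"; rc=1; }

    # Both sshd_config directives step 6 requires.
    [ "$(effective_value "$sshd_cfg" ChallengeResponseAuthentication)" = "yes" ] \
        || { echo "sshd: ChallengeResponseAuthentication must be yes in $sshd_cfg"; rc=1; }
    [ "$(effective_value "$sshd_cfg" UsePAM)" = "yes" ] \
        || { echo "sshd: UsePAM must be yes in $sshd_cfg"; rc=1; }

    # The per-user secret file and its remaining emergency scratch codes.
    secret="$home_dir/.google_authenticator"
    if [ ! -f "$secret" ]; then
        echo "user: $secret missing (run google-authenticator first)"; rc=1
    else
        n=$(grep -Ec '^[0-9]{8}$' "$secret" || true)
        [ "$n" -gt 0 ] \
            || { echo "user: no emergency scratch codes left in $secret"; rc=1; }
    fi
    return $rc
}

# Usage (as root, before "service sshd restart"):
#   mfa_preflight /etc/pam.d/sshd /etc/ssh/sshd_config \
#       /lib64/security/pam_google_authenticator.so /home/sweet && sshd -t
```

Only when the function and `sshd -t` both succeed should sshd be restarted, and do it from a session you keep open so a second session can be tested before the first one is closed.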

