歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux綜合 >> Linux資訊 >> 更多Linux

安全增強措施用Openssh構建安全網絡

  實施步驟:   在每台服務器上   1. 安裝軟件包:   openssh-3.4pl-sol7-sparc-local   openssl-0.96d-sol7-sparc-local   zlib-1.1.4-sol7-sparc-local   prngd-0.0.25-sol7-sparc-local   egd-0.8-sol7-sparc-local     2. 安裝prngd和sshd的啟動腳本   ::::::::::::::   S98prngd   ::::::::::::::   #!/bin/sh     pid=`/usr/bin/ps -e /usr/bin/grep prngd /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`   case $1 in   'start')   /usr/local/sbin/prngd /var/spool/prngd/pool   ;;   'stop')   if [ "${pid}" != "" ]   then   /usr/bin/kill ${pid}   fi   ;;   *)   echo "usage: /etc/init.d/prngd {startstop}"   ;;   esac     ::::::::::::::   S98sshd   ::::::::::::::   #!/bin/sh     pid=`/usr/bin/ps -e /usr/bin/grep sshd /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`   case $1 in   'start')   /usr/local/sbin/sshd   ;;   'stop')   if [ "${pid}" != "" ]   then   /usr/bin/kill ${pid}   fi   ;;   *)   echo "usage: /etc/init.d/sshd {startstop}"   ;;   esac     3. 用prngd生成偽隨機初始種子數   cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed   mkdir /var/spool/prngd   /etc/rc2.d/S98prngd start   檢查prngd工作是否正常: /usr/local/bin/egc.pl /var/spool/prngd/pool get   顯示如: 9151 bits of entropy in pool     4. 增加sshd用戶   mkdir /var/empty   chown root /var/empty   chgrp sys /var/empty   chmod 755 /var/empty   groupadd sshd   useradd –g sshd –c ‘sshd privsep’ –d /var/empty –s /bin/false sshd     5. 修改tcpd的控制文件/etc/hosts.allow和/etc/hosts.deny   ALL:n.n.n.n #登錄主機IP     6. 在server端創建主機密鑰對   ssh-keygen –t rsa1 –f /usr/local/etc/ssh_host_key –N “”   ssh-keygen –t dsa –f /usr/local/etc/ssh_host_dsa_key –N “”   ssh-keygen –t rsa –f /usr/local/etc/ssh_host_rsa_key –N “”     啟動sshd:   /etc/rc2.d/S98sshd start     7. 關閉原telnet和FTP服務   修改/etc/inetd.conf 文件,kill –HUP <inetd pid>關閉telnet和ftp服務   8. 在客戶端做以下測試   UNIX客戶端:   Ssh [-l username] [-p port] <hostname> //如果用-v參數,進入調試狀態,這是一個很好的幫助工具(取代telnet)   Sftp [-l username] [-p port] <hostname>(取代ftp)     WINDOWS:客戶端   Securecrt 3.4.5 //在session的配置中,authentication使用passWord方式   Securefx2.0.3     以上為默認安裝情況,即SSH的密碼驗證。   為了保證唯一的一台登錄服務器的安全,又不至於在修改sshd配置後重啟進程帶來無法登錄管理的問題,繼續使用telnet和ftp服務,結合采用SSHD的密鑰驗證方式,並且在/etc/hosts.allow文件中做以下設置:   ################# internal network ######################   ALL:n.n.n.n #operator1   ALL:n.n.n.n #operator2   ################## out network ###########################   sshd: ALL #RSA auth   這樣,管理員在公司的固定IP地址仍舊可以很方便地登錄到主機上操作,而如果在家中或外出出差,由於IP地址是非固定的,可以通過sshd的密鑰驗證來進行登錄。     服務器配置如下:   /usr/local/etc/sshd_config:   # $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus EXP $     # This is the sshd server system-wide configuration file. See   # sshd_config(5) for more information.     # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin     # The strategy used for options in the default sshd_config shipped with   # OpenSSH is to specify options with their default value where   # possible, but leave them commented. Uncommented options change a   # default value.     #Port 22   #Protocol 2,1   #ListenAddress 0.0.0.0   #ListenAddress ::     # HostKey for protocol version 1   HostKey /usr/local/etc/ssh_host_key   # HostKeys for protocol version 2   HostKey /usr/local/etc/ssh_host_rsa_key   HostKey /usr/local/etc/ssh_host_dsa_key     # Lifetime and size of ephemeral version 1 server key   KeyRegenerationInterval 3600   ServerKeyBits 768     # Logging   #obsoletes QuietMode and FascistLogging   SyslogFacility AUTH   LogLevel INFO     # Authentication:     #LoginGraceTime 600   #PermitRootLogin yes   #StrictModes yes     RSAAuthentication yes   PubkeyAuthentication yes   AuthorizedKeysFile .ssh/authorized_keys     # rhosts authentication should not be used   #RhostsAuthentication no   # Don't read the user's ~/.rhosts and ~/.shosts files   #IgnoreRhosts yes   # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts   #RhostsRSAAuthentication no   # similar for protocol version 2   #HostbasedAuthentication no   # Change to yes if you don't trust ~/.ssh/known_hosts for   # RhostsRSAAuthentication and HostbasedAuthentication   #IgnoreUserKnownHosts no     # To disable tunneled clear text passwords, change to no here!   PasswordAuthentication yes   PermitEmptyPasswords no     # Change to no to disable s/key passwords   #ChallengeResponseAuthentication yes     # Kerberos options   #KerberosAuthentication no   #KerberosOrLocalPasswd yes   #KerberosTicketCleanup yes     #AFSTokenPassing no     # Kerberos TGT Passing only works with the AFS kaserver   #KerberosTgtPassing no     # Set this to 'yes' to enable PAM keyboard-interactive authentication   # Warning: enabling this may bypass the setting of 'PasswordAuthentication'   #PAMAuthenticationViaKbdInt yes     #X11Forwarding no   #X11DisplayOffset 10   #X11UseLocalhost yes   #PrintMotd yes   #PrintLastLog yes   #KeepAlive yes   #UseLogin no   UsePrivilegeSeparation yes   Compression yes     #MaxStartups 10   # no default banner path   #Banner /some/path   #VerifyReverseMapping no     # override default of no subsystems   Subsystem sftp /usr/local/libexec/sftp-server     這裡關閉了SSH的密碼驗證方式,采用RSA的密鑰驗證方法,用戶需要首先在服務器上用ssh-keygen –t rsa在自己的主目錄下.ssh目錄裡自動生成密鑰對,id_rsa(私鑰)和id_rsa.pub(公鑰),然後手工將id_rsa.pub拷貝成autohrized_keys文件.並將id_rsa和id_rsa..pub文件傳至客戶端保存好,同時刪除服務器端的id_rsa和id_rsa.pub文件。     客戶端測試:如果是UNIX客戶端,將id_rsa和id_rsa.pub放在用戶主目錄的.ssh子目錄下, 用ssh和sftp可以進行測試;如果是WINDOWS系統的客戶端,可以通過SECURECRT指定authencation為publickey方式,並且在properties中的session settings中選用use identity file,指定具體的id_rsa的文件位置,即可登錄。這樣,只有擁有密鑰對的用戶才可以登錄。當然,得保護好自己的鑰匙不可洩露,為安全起見,服務器需要定時改變每個用戶的密鑰。     通過以上對intranet內部服務器的安全配置,實現了安全性和方便性的整合。




Copyright © Linux教程網 All Rights Reserved