如果你對安全問題還有猶豫,抱有“我這個小站沒人理”的想法,那麼打開 /var/log/secure 看看有多少 IP 多少次企圖登錄你的服務器?
剛開通的一個 VPS 還來不及用,過幾天打開 /var/log/secure 一看,發現 n 個 IP 訪問了 n 次。一個 IP 地址為 213.115.115.113 的機器1天內2600多次猜測用戶名/密碼企圖登錄。
這是 log 文件片段:
復制代碼代碼如下:
Jun 28 13:49:23 blog sshd[3462]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:24 blog sshd[3695]: Invalid user radu from 213.115.115.113
Jun 28 13:49:24 blog sshd[3703]: input_userauth_request: invalid user radu
Jun 28 13:49:24 blog sshd[3695]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:24 blog sshd[3695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:26 blog sshd[3695]: Failed password for invalid user radu from 213.115.115.113 port 51310 ssh2
Jun 28 13:49:26 blog sshd[3703]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:27 blog sshd[3910]: Invalid user raducu from 213.115.115.113
Jun 28 13:49:27 blog sshd[3921]: input_userauth_request: invalid user raducu
Jun 28 13:49:27 blog sshd[3910]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:27 blog sshd[3910]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:30 blog sshd[3910]: Failed password for invalid user raducu from 213.115.115.113 port 52740 ssh2
Jun 28 13:49:30 blog sshd[3921]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:31 blog sshd[5280]: Invalid user raul from 213.115.115.113
Jun 28 13:49:31 blog sshd[5293]: input_userauth_request: invalid user raul
Jun 28 13:49:31 blog sshd[5280]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:31 blog sshd[5280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:33 blog sshd[5280]: Failed password for invalid user raul from 213.115.115.113 port 54742 ssh2
Jun 28 13:49:34 blog sshd[5293]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:35 blog sshd[5540]: Invalid user robert from 213.115.115.113
Jun 28 13:49:35 blog sshd[5570]: input_userauth_request: invalid user robert
Jun 28 13:49:35 blog sshd[5540]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:35 blog sshd[5540]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:37 blog sshd[5540]: Failed password for invalid user robert from 213.115.115.113 port 56483 ssh2
所以安全問題不可小觑。有2種方式可以增加 root 登錄 VPS 時的安全性,這2種方式綁在一起用最好,如果怕麻煩的話至少要用其中的1種。
禁止 root 直接登錄 sshd
登錄VPS時必須用一個普通帳號登錄,然後 su 成 root。可以修改 /etc/ssh/sshd_config 來禁止 root 直接登錄:
PermitRootLogin no
啟用 SSH Keys 登錄
這種方法雖然不允許 root 用輸入密碼的方式直接登錄 ssh,但是可以通過使用一對 ssh public/private key 來登錄。配置步驟如下:
1、在客戶端運行下面的命令,創建一對 public/private key:
ssh-keygen -t dsa
按照提示,上面的命令會創建2個文件:id_dsa 和 id_dsa.pub,前一個是 private key,後一個是 public key。創建key的時候會提示輸入 passphrase,相當於密碼一樣的東西,用來保護 private key不被濫用。
2、保護好生成的 private key,不要讓外界訪問到。
3、在你要訪問的服務器上創建一個 /root/.ssh/authorized_keys 文件,把生成的 publice key(id_dsa.pub)的內容 copy+paste 到 authorized_keys 裡,注意小心完整的 copy,不要有空格/空行。
4、禁止 root 用輸入密碼的方式直接登錄 sshd,修改 /etc/ssh/sshd_config,加上/修改這一行:
PermitRootLogin without-password
重啟 sshd
/etc/init.d/sshd restart