Implementation steps (on each server)
1. Install the packages:
openssh-3.4pl-sol7-sparc-local
openssl-0.96d-sol7-sparc-local
zlib-1.1.4-sol7-sparc-local
prngd-0.0.25-sol7-sparc-local
egd-0.8-sol7-sparc-local
2. Install the start-up scripts for prngd and sshd
::::::::::::::
S98prngd
::::::::::::::
#!/bin/sh
# PID of the running prngd, taken from the ps -e listing (empty if not running)
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        # entropy pool socket that sshd/openssl read through the EGD interface
        /usr/local/sbin/prngd /var/spool/prngd/pool
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/prngd {start|stop}"
        ;;
esac
::::::::::::::
S98sshd
::::::::::::::
#!/bin/sh
# PIDs of every process named sshd: the listener and any per-session children,
# so "stop" also ends active sessions
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
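Added example, not from the original page, showing how the stop branch of the scripts above selects its target. The grep-on-ps pipeline returns every PID whose command name contains the pattern; for sshd that is the listener plus each per-connection child (two per session with UsePrivilegeSeparation), so "stop" also drops the administrator's own session. The second function reads only the master PID from sshd's PidFile; the /var/run/sshd.pid path is this example's assumption about the build. The ps output below is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not the page's script): compare the two ways of finding
# the daemon PID that an init script could use.

# Constructed sample of `ps -e` output; not captured from a real host.
SAMPLE_PS='  PID TTY      TIME CMD
    1 ?        0:00 init
  188 ?        0:00 prngd
  201 ?        0:00 sshd
  412 ?        0:00 sshd
  413 pts/1    0:00 ksh'

# pids_by_name NAME: the page's pipeline, reading ps output on stdin.
# Every line whose CMD contains NAME yields a PID, so "sshd" returns the
# listener (201) and the per-session child (412) alike.
pids_by_name() {
  grep "$1" | sed -e 's/^ *//' -e 's/ .*//'
}

# pid_from_pidfile FILE: only the master daemon's PID, as written by sshd
# to its PidFile (assumed default /var/run/sshd.pid for this build).
# Returns 1 when the file is missing or holds no number.
pid_from_pidfile() {
  [ -r "$1" ] || return 1
  _pid=$(sed -n '1p' "$1" | tr -cd '0-9')
  [ -n "$_pid" ] || return 1
  echo "$_pid"
}

# Demonstration with the constructed listing
echo "all sshd PIDs: $(printf '%s\n' "$SAMPLE_PS" | pids_by_name sshd | tr '\n' ' ')"
```

Signalling the PID from the PidFile stops new connections while leaving established sessions alive, which is the behaviour wanted when sshd is restarted over an ssh session.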
3. Generate the pseudo-random initial seed for prngd
cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed
mkdir /var/spool/prngd
/etc/rc2.d/S98prngd start
Check that prngd is working: /usr/local/bin/egc.pl /var/spool/prngd/pool get
It should print something like: 9151 bits of entropy in pool
4. Add the sshd user (for privilege separation)
mkdir /var/empty
chown root /var/empty
chgrp sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
5. Edit the tcpd control files /etc/hosts.allow and /etc/hosts.deny
ALL:n.n.n.n #IP of the login host
6. Create the host key pairs on the server
ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
Start sshd:
/etc/rc2.d/S98sshd start
7. Disable the original telnet and ftp services: edit /etc/inetd.conf, then run kill -HUP <inetd pid> so that inetd stops serving telnet and ftp.
8. Test from the clients
UNIX clients:
ssh [-l username] [-p port] <hostname>    (replaces telnet; the -v option turns on debugging output, a very useful aid)
sftp [-oPort=port] [username@]<hostname>    (replaces ftp; sftp has no -l or -p options, the user is given as user@host and the port through -o Port=)
Windows clients:
SecureCRT 3.4.5    (in the session configuration, set authentication to password)
SecureFX 2.0.3
The above is the default installation, i.e. SSH password authentication.
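Added example for step 7 above, not the page's own script: a sed-based helper that comments out the telnet and ftp entries in an inetd.conf-format file and lists the services that remain enabled, so the edit can be verified before inetd is sent a HUP. The inetd.conf excerpt is constructed in Solaris format and not copied from a real host; the functions edit whichever path they are given, so try them on a copy first.

```shell
#!/bin/sh
# Added example (not the page's script): disable telnet/ftp in an
# inetd.conf-style file and list what is still enabled.

# Constructed inetd.conf excerpt in Solaris format (not from a real host)
SAMPLE_INETD='# Internet services
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd'

# disable_inetd_service FILE NAME: comment out the entry whose first field is NAME
disable_inetd_service() {
  _tmp="$1.tmp.$$"
  sed -e "s/^\($2[[:space:]]\)/#\1/" "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# enabled_services FILE: first field of every line that is not blank or a comment
enabled_services() {
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/[[:space:]].*//' "$1"
}

# Demonstration on a scratch copy of the constructed file
demo=$(mktemp)
printf '%s\n' "$SAMPLE_INETD" > "$demo"
echo "before: $(enabled_services "$demo" | tr '\n' ' ')"
disable_inetd_service "$demo" telnet
disable_inetd_service "$demo" ftp
echo "after:  $(enabled_services "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

Running enabled_services against the real file after the HUP is a quick way to confirm nothing clear-text was left behind besides the services deliberately kept.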
To secure the single login server without the risk of losing administrative access when sshd is reconfigured and its process restarted, keep the telnet and ftp services, combine them with sshd key authentication, and configure /etc/hosts.allow as follows:
################# internal network ######################
ALL:n.n.n.n #operator1
ALL:n.n.n.n #operator2
################## out network ###########################
sshd: ALL #RSA auth
This way administrators can still log in conveniently from the company's fixed IP addresses, while from home or on a business trip, where the IP address is not fixed, they log in through sshd key authentication.
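Added example, not from the original page: a simplified model of how tcp_wrappers evaluates hosts.allow and then hosts.deny, used to check the split policy above (internal operators reach every service, the outside reaches only sshd). Two points the page does not spell out are built in as assumptions: hosts.deny is taken to contain "ALL: ALL", because without it tcp_wrappers permits anything hosts.allow does not mention; and sshd only consults these files if it was built with libwrap support. Only exact IPs and the ALL wildcard are modelled (no netmasks, hostnames or EXCEPT clauses), and the IPs are constructed stand-ins for the page's n.n.n.n placeholders.

```shell
#!/bin/sh
# Added example (not the page's code): evaluate the hosts.allow/hosts.deny
# policy for a (daemon, client) pair the way tcp_wrappers does.

# Constructed rule sets; the IPs replace the page's n.n.n.n placeholders.
ALLOW_RULES='################# internal network ######################
ALL: 10.1.1.5        # operator1
ALL: 10.1.1.6        # operator2
################## out network ###########################
sshd: ALL            # RSA auth'
# Assumption: the page does not show hosts.deny, so deny everything else.
DENY_RULES='ALL: ALL'

# field_matches LIST ITEM: 0 if ITEM, or the ALL wildcard, is in the list
field_matches() {
  for _e in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$_e" = "ALL" ] && return 0
    [ "$_e" = "$2" ] && return 0
  done
  return 1
}

# rules_match RULES DAEMON CLIENT: 0 if any "daemons : clients" line matches
rules_match() {
  printf '%s\n' "$1" | sed -e 's/#.*//' | while IFS= read -r _line; do
    case "$_line" in *:*) ;; *) continue ;; esac
    _d=${_line%%:*}
    _c=${_line#*:}
    if field_matches "$_d" "$2" && field_matches "$_c" "$3"; then
      echo match
      break
    fi
  done | grep match > /dev/null
}

# tcpd_decision DAEMON CLIENT ALLOW DENY: prints allow or deny
tcpd_decision() {
  if rules_match "$3" "$1" "$2"; then
    echo allow          # first match in hosts.allow wins
  elif rules_match "$4" "$1" "$2"; then
    echo deny           # otherwise the first match in hosts.deny refuses
  else
    echo allow          # no match anywhere: tcp_wrappers default is permit
  fi
}

# Demonstration with the constructed rules
for who in "in.telnetd 10.1.1.5" "in.telnetd 192.0.2.9" "sshd 192.0.2.9"; do
  set -- $who
  echo "$1 from $2: $(tcpd_decision "$1" "$2" "$ALLOW_RULES" "$DENY_RULES")"
done
```

Passing an empty string as the deny rules shows the failure mode: with no "ALL: ALL" in hosts.deny, telnet from an outside address is permitted even though hosts.allow only lists sshd for it.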
Server configuration, /usr/local/etc/sshd_config:
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
Here SSH password authentication is disabled and RSA key authentication is used instead. Each user first runs ssh-keygen -t rsa on the server, which generates the key pair id_rsa (private key) and id_rsa.pub (public key) in the .ssh directory under the home directory; then copy id_rsa.pub to the file authorized_keys by hand, transfer id_rsa and id_rsa.pub to the client and keep them safe, and delete id_rsa and id_rsa.pub from the server.
Client test: on a UNIX client, place id_rsa and id_rsa.pub in the .ssh subdirectory of the user's home directory and test with ssh and sftp; on a Windows client, set authentication to publickey in SecureCRT and, under session settings in properties, choose "use identity file" and point it at the id_rsa file, then log in. This way only users who hold the key pair can log in. Naturally each user must protect their own key from disclosure, and for safety the server should change every user's key at regular intervals.
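Added example, not the page's code: the authorized_keys installation described above, done with the permissions that sshd's StrictModes check (left at its default of yes in the configuration) requires, together with a check that mirrors that rule. sshd refuses a key when the home directory, .ssh or authorized_keys is group- or world-writable, which is the usual reason a freshly copied key "does not work"; ownership is also checked by sshd but is omitted here. The public key line is a constructed placeholder, not a real key, and the scratch directory stands in for a user's home.

```shell
#!/bin/sh
# Added example (not the page's code): install a public key the way the
# text describes and verify the permissions sshd's StrictModes expects.

# Constructed placeholder key line; not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexampleConstructedKeyNotReal= operator1@workstation'

# install_authorized_key HOMEDIR PUBKEY_LINE
# Creates HOMEDIR/.ssh (0700) and appends the key to authorized_keys (0600),
# skipping it if the identical line is already present.
install_authorized_key() {
  _ssh="$1/.ssh"
  mkdir -p "$_ssh" && chmod 700 "$_ssh" || return 1
  _ak="$_ssh/authorized_keys"
  touch "$_ak" && chmod 600 "$_ak" || return 1
  grep -F -x -e "$2" "$_ak" > /dev/null 2>&1 && return 0
  printf '%s\n' "$2" >> "$_ak"
}

# not_writable_by_others PATH: 0 unless group or other has write permission
# (reads the mode string from ls -ld, which is the same on any UNIX)
not_writable_by_others() {
  [ -e "$1" ] || return 1
  _perm=$(ls -ld "$1" | cut -c1-10)
  case "$_perm" in
    ?????w????|????????w?) return 1 ;;
  esac
  return 0
}

# strictmodes_ok HOMEDIR: the StrictModes rule for home, .ssh and authorized_keys
strictmodes_ok() {
  not_writable_by_others "$1" || return 1
  not_writable_by_others "$1/.ssh" || return 1
  [ -f "$1/.ssh/authorized_keys" ] || return 1
  not_writable_by_others "$1/.ssh/authorized_keys"
}

# Demonstration in a scratch directory standing in for a user's home
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
if strictmodes_ok "$demo_home"; then
  echo "permissions acceptable to sshd"
else
  echo "sshd would ignore this authorized_keys file"
fi
rm -rf "$demo_home"
```

After the key is installed, the private key id_rsa is removed from the server as the text says, so the server holds only the public half.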
With the above security configuration of the intranet servers, security and convenience are combined.