转载请注明出处
SSH优化
部分配置说明
# Default port; the "修改SSH端口" section below changes it (e.g. to 2021)
Port 22
# Time allowed to finish authenticating before an unauthenticated connection is dropped
LoginGraceTime 2m
# Do not reverse-resolve the client IP to a hostname. This speeds up login; it also
# means hostname-based restrictions (from="host" in authorized_keys) cannot rely on DNS
UseDNS no
# Maximum authentication attempts per connection. Per sshd_config(5), once failures
# reach half this value (6/2 = 3) the additional failures are logged; the connection
# is dropped when the full limit is reached
MaxAuthTries 6
# Maximum sessions (shell/login/subsystem) multiplexed over one network connection.
# NOTE(review): the original comment described the limit on unauthenticated
# connections, which is MaxStartups, not MaxSessions
MaxSessions 5
# GSSAPI authentication; disabling it skips the GSSAPI negotiation and speeds up login
GSSAPIAuthentication no
# Key file path, relative to the user's home directory.
# NOTE(review): OpenSSH's default is .ssh/authorized_keys; "ssh/authorized_keys"
# (no leading dot) resolves to ~/ssh/authorized_keys. Confirm this is intended and
# that a key is in place before password login is disabled below, or the host
# becomes unreachable
AuthorizedKeysFile ssh/authorized_keys
# Log in with keys
PubkeyAuthentication yes
# Disable password login. All three lines are needed: keyboard-interactive
# (ChallengeResponse) and PAM could otherwise still prompt for a password.
# NOTE(review): this guide targets a yum/firewalld (RHEL-family) host, whose stock
# sshd_config warns that "UsePAM no" is unsupported there — verify account/session
# handling still works after the change
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# Disable root login
PermitRootLogin no
修改SSH端口
修改端口虽然不能很好地提高SSH的安全性,但是聊胜于无;如果使用密钥登录的话,可以忽略这一步
# Change "Port" in the config file to the port you want
# e.g. 2021
nano /etc/ssh/sshd_config
修改端口号后记得在防火墙开启该端口
# Enable the firewall service at boot
systemctl enable firewalld
# Start the firewall now
systemctl start firewalld
# Allow port 2021 (the new SSH port). --permanent only writes the saved
# configuration; the --reload below is what makes it active.
# Leave the existing ssh service rule (port 22, allowed by default in the
# public zone) in place until a login on 2021 is confirmed, then remove it
firewall-cmd --zone=public --add-port=2021/tcp --permanent
# Reload the firewall
firewall-cmd --reload
# List the allowed ports
firewall-cmd --list-ports
SELinux(补充)
检查系统是否开启SELinux
# If "SELinux status" shows enabled, SELinux is on
# (also check "Current mode": only enforcing actually blocks the new port)
/usr/sbin/sestatus -v
如果系统开启了SELinux,我们还需要在SELinux中加入新的SSH端口
# Add port 2021 to the SELinux ssh_port_t type (otherwise sshd is denied the
# bind when SELinux is enforcing). If the port is already assigned to another
# type, "semanage port -a" fails; use "semanage port -m" to change it instead
semanage port -a -t ssh_port_t -p tcp 2021
# Check the result: ssh_port_t should now list 2021 alongside 22
semanage port -l | grep ssh
如果提示找不到semanage命令
# Find which package provides semanage
yum provides /usr/sbin/semanage
# It is usually policycoreutils-python-utils; install it
yum install policycoreutils-python-utils
# Confirm semanage is available
semanage --help
重启SSH
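# Validate the configuration before restarting: a syntax error would otherwise
# leave sshd down and the host unreachable. Keep the current session open
# until a fresh login on the new port succeeds
sshd -t
# Restart
systemctl restart sshd.service
# Check the SSH listening port
ss -tnlp | grep ssh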
修改 sysctl.conf 来提高安全性
备份原文件是一个好的习惯
# Back up the original. Note that mv leaves /etc/sysctl.conf absent until nano
# writes it, so the editor opens an empty file; use "cp -a" instead if you want
# to edit a copy of the original
mv /etc/sysctl.conf /etc/sysctl.conf.bak
nano /etc/sysctl.conf
sysctl部分参数参考
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
# Throughput tuning, not hardening: fq qdisc plus the BBR congestion
# controller (needs a kernel that ships tcp_bbr, 4.9+)
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Do not answer ICMP echo sent to broadcast addresses (amplification attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1
# Log spoofed, source-routed and redirect packets ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable reverse-path filtering. 1 is strict mode and can drop legitimate
# traffic on hosts with asymmetric routing; 2 is loose mode
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not let ICMP redirects alter the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Do not act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Enable exec-shield.
# NOTE(review): kernel.exec-shield is a legacy Red Hat-specific key that current
# kernels do not expose; "sysctl -p" reports "cannot stat" for it. Confirm it
# exists on this kernel or drop the line
kernel.exec-shield = 1
# ASLR: 1 randomizes stack, mmap and VDSO only; 2 (the default on current
# kernels) also randomizes the heap (brk). Prefer 2 unless a program needs
# the old layout
kernel.randomize_va_space = 1
# IPv6 settings: ignore router solicitation/advertisement-driven autoconfig.
# NOTE(review): only the "default" template is set here, so interfaces that
# already exist keep their current values; the IPv4 section above sets both
# "all" and "default"
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
# 0 disables Duplicate Address Detection probes entirely
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Tuning for load-balancer use (performance, not hardening)
# Raise the system-wide file descriptor limit
fs.file-max = 65535
# Allow more PIDs (less PID wrap-around); may break programs that assume the
# old 32768 maximum
kernel.pid_max = 65536
# Widen the local (ephemeral) port range.
# NOTE(review): this range contains the SSH port 2021 chosen earlier in this
# guide; a listening port inside the ephemeral range can be reserved with
# net.ipv4.ip_local_reserved_ports so outgoing connections never occupy it
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP buffer sizes: min, default, max bytes
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Raise the ceilings Linux may auto-tune the TCP buffers up to
# (min, default and max usable bytes)
# The max should be at least 4MB; raise it further for very high-BDP paths
# TCP window and related
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
更新 sysctl 文件后需要使之生效
# Apply the settings. "sysctl -p" with no argument loads only /etc/sysctl.conf;
# use "sysctl --system" to also load the sysctl.d directories named in the file
# header. Check the output for errors: a key the kernel does not expose (see the
# kernel.exec-shield note) is reported there
sysctl -p