Linux服务器安全登录设置
在日常运维工作中,对加固服务器的安全设置是一个机器重要的环境。比较推荐的做法是:
1)严格限制ssh登陆(参考:Linux系统下的ssh使用(依据个人经验总结)):
修改ssh默认监听端口
禁用root登陆,单独设置用于ssh登陆的账号或组;
禁用密码登陆,采用证书登陆;
ListenAddress绑定本机内网ip,即只能ssh连接本机的内网ip进行登陆;
2)对登陆的ip做白名单限制(iptables、/etc/hosts.allow、/etc/hosts.deny)
3)可以专门找两台机器作为堡垒机,其他机器做白名单后只能通过堡垒机登陆,将机房服务器的登陆进去的口子收紧;
另外,将上面限制ssh的做法用在堡垒机上,并且最好设置登陆后的二次验证环境(Google-Authenticator身份验证)
4)严格的sudo权限控制(参考:linux系统下的权限知识梳理)
5)使用chattr命令锁定服务器上重要信息文件,如/etc/passwd、/etc/group、/etc/shadow、/etc/sudoers、/etc/sysconfig/iptables、/var/spool/cron/root等
6)禁ping(echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all)
今天这里主要说下服务器安全登陆的白名单设置,通过下面两种方法:
1)iptables对ssh端口做限制;
2)/etc/hosts.allow和/etc/hosts.deny限制;这两个文件是控制远程访问设置的,通过他可以允许或者拒绝某个ip或者ip段的客户访问linux的某项服务。
如果当iptables、hosts.allow和hosts.deny三者都设置时或设置出现冲突时,遵循的优先级是hosts.allow > hosts.deny >iptables
下面来看一下几个限制本地服务器登陆的设置:
1)iptables和hosts.allow设置一致,hosts.deny不设置。如果出现冲突,以hosts.allow设置为主。
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
# //切记:这里的192.168.1.*网段设置不能改为192.168.1.0/24;多个ip之间用逗号隔开
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow //最后的allow可以省略
[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
如上的设置,133.110.186.139虽然没有出现在iptables的白名单设置里,但是出现在hosts.allow设置里,那么它是允许登陆本地服务器的;
也就是说hosts.allow里设置的ip都可以登陆本地服务器,hosts.allow里没有设置而iptables里设置的ip不能登陆本地服务器;
所以,只要hosts.allow里设置了,iptables其实就没有必要再对ssh进行限制了;
2)hosts.allow不设置,iptables和hosts.deny设置(二者出现冲突,以hosts.deny为主)
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:133.110.186.130:deny //最后的deny可以省略
以上虽然133.110.186.130在iptables里设置了,但是在hosts.deny里也设置了,这时要遵循hosts.deny的设置,即133.110.186.130这个ip不能登陆本地服务器;
也就是说上面只有192.168.1.0网段和114.165.77.144能登陆本地服务器;
3)当iptables、hosts.allow、hosts.deny三者都设置时,遵循的hosts.allow!
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow //最后的allow可以省略
[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:all:deny //最后的deny可以省略
上面设置之后,只有hosts.allow里面设置的192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139这些ip能登陆本地服务器
4)还有一种设置,hosts.deny不动,在hosts.allow里面设置deny
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow //最后的allow可以省略
sshd:all:deny //这个本来是在hosts.deny里的设置,也可以放在这,表示出了上面的ip之外都被限制登陆了。
[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
最新文章
- Linux远程服务器上安装SVN
- ubuntu selinux
- Sublime Text 解决中文乱码
- 结对编程--基于android平台的黄金点游戏(2.0版本)
- 一、Android学习第一天——环境搭建(转)
- asp.net 实现在线打印功能,jQuery打印插件PrintArea实现自动分页
- Java 动态代理机制详解(JDK 和CGLIB,Javassist,ASM)
- 转:c语言EOF是什么?(及getchar()和putchar用法)
- [LeetCode] Positions of Large Groups 大群组的位置
- 使用Maven插件构建Spring Boot应用程序镜像
- scrollIntoView() 调用元素就可以出现在视窗中
- SQL SELECT INTO
- Lodop打印二维码内容长度不同如何大小相同
- WC 2019 记
- ajax,jsonp跨域访问数据
- xampp默认mysql数据库root密码的修改
- Python 零基础 快速入门 趣味教程 (咪博士 海龟绘图 turtle) 0. 准备工作
- 【LOJ】#2320. 「清华集训 2017」生成树计数
- nodejs搭建web服务器初级
- HTML头部声明文件类型
热门文章
- 汕头市队赛 SRM1X T1
- WireShark:TCP三次握手 抓包
- Informix 启动 Fatal error in shared memory initialization解决方法
- 牛客小白月赛3 I 排名【结构体排序/较复杂/细节】
- Codeforces 581F Zublicanes and Mumocrates(树型DP)
- LCA【bzoj3364】 [Usaco2004 Feb]Distance Queries 距离咨询
- 洛谷——P2067 Cytus-Holyknight
- Binary Tree Vertical Order Traversal -- LeetCode
- OpenJ_Bailian - 1037 A decorative fence
- POJ 2155 Matrix(树状数组+容斥原理)