当前位置:操作系统 > Unix/Linux >>

安全增强措施用Openssh构建安全网络

实施步骤:

  在每台服务器上

  1. 安装软件包:

  openssh-3.4pl-sol7-sparc-local

  openssl-0.96d-sol7-sparc-local

  zlib-1.1.4-sol7-sparc-local

  prngd-0.0.25-sol7-sparc-local

  egd-0.8-sol7-sparc-local

  2. 安装prngd和sshd的启动脚本

  ::::::::::::::

  S98prngd

  ::::::::::::::

  #!/bin/sh

  pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`

  case $1 in

  'start')

  /usr/local/sbin/prngd /var/spool/prngd/pool

  ;;

  'stop')

  if [ "${pid}" != "" ]

  then

  /usr/bin/kill ${pid}

  fi

  ;;

  *)

  echo "usage: /etc/init.d/prngd {start|stop}"

  ;;

  esac

  ::::::::::::::

  S98sshd

  ::::::::::::::

  #!/bin/sh

  pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`

  case $1 in

  'start')

  /usr/local/sbin/sshd

  ;;

  'stop')

  if [ "${pid}" != "" ]

  then

  /usr/bin/kill ${pid}

  fi

  ;;

  *)

  echo "usage: /etc/init.d/sshd {start|stop}"

  ;;

  esac

  3. 用prngd生成伪随机初始种子数

  cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed

  mkdir /var/spool/prngd

  /etc/rc2.d/S98prngd start

  检查prngd工作是否正常: /usr/local/bin/egc.pl /var/spool/prngd/pool get

  显示如: 9151 bits of entropy in pool

  4. 增加sshd用户

  mkdir /var/empty

  chown root /var/empty

  chgrp sys /var/empty

  chmod 755 /var/empty

  groupadd sshd

  useradd ?g sshd ?c ‘sshd privsep’ ?d /var/empty ?s /bin/false sshd

  5. 修改tcpd的控制文件/etc/hosts.allow和/etc/hosts.deny

  ALL:n.n.n.n #登录主机IP

  6. 在server端创建主机密钥对

  ssh-keygen ?t rsa1 ?f /usr/local/etc/ssh_host_key ?N “”

  ssh-keygen ?t dsa ?f /usr/local/etc/ssh_host_dsa_key ?N “”

  ssh-keygen ?t rsa ?f /usr/local/etc/ssh_host_rsa_key ?N “”

  启动sshd:

  /etc/rc2.d/S98sshd start

  7. 关闭原telnet和ftp服务

  修改/etc/inetd.conf 文件,kill ?HUP <inetd pid>关闭telnet和ftp服务

  8. 在客户端做以下测试

  UNIX客户端:

  Ssh [-l username] [-p port] <hostname> //如果用-v参数,进入调试状态,这是一个很好的帮助工具(取代telnet)

  Sftp [-l username] [-p port] <hostname>(取代ftp)

  WINDOWS:客户端

  Securecrt 3.4.5 //在session的配置中,authentication使用password方式

  Securefx2.0.3

  以上为默认安装情况,即SSH的密码验证。

  为了保证唯一的一台登录服务器的安全,又不至于在修改sshd配置后重启进程带来无法登录管理的问题,继续使用telnet和ftp服务,结合采用SSHD的密钥验证方式,并且在/etc/hosts.allow文件中做以下设置:

  ################# internal network ######################

  ALL:n.n.n.n #operator1

  ALL:n.n.n.n #operator2

  ################## out network ###########################

  sshd: ALL #RSA auth

  这样,管理员在公司的固定IP地址仍旧可以很方便地登录到主机上操作,而如果在家中或外出出差,由于IP地址是非固定的,可以通过sshd的密钥验证来进行登录。

  服务器配置如下:

  /usr/local/etc/sshd_config:

  # $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

  # This is the sshd server system-wide configuration file. See

  # sshd_config(5) for more information.

  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

  # The strategy used for options in the default sshd_config shipped with

  # OpenSSH is to specify options with their default value where

  # possible, but leave them commented. Uncommented options change a

  # default value.

  #Port 22

  #Protocol 2,1

  #ListenAddress 0.0.0.0

  #ListenAddress ::

  # HostKey for protocol version 1

  HostKey /usr/local/etc/ssh_host_key

  # HostKeys for protocol version 2

  HostKey /usr/local/etc/ssh_host_rsa_key

  HostKey /usr/local/etc/ssh_host_dsa_key

  # Lifetime and size of ephemeral version 1 server key

  KeyRegenerationInterval 3600

  ServerKeyBits 768

  # Logging

  #obsoletes QuietMode and FascistLogging

  SyslogFacility AUTH

  LogLevel INFO

  # Authentication:

  #LoginGraceTime 600

  #PermitRootLogin yes

  #StrictModes yes

  RSAAuthentication yes

  PubkeyAuthentication yes

  AuthorizedKeysFile .ssh/authorized_keys

  # rhosts authentication should not be used

  #RhostsAuthentication no

  # Don't read the user's ~/.rhosts and ~/.shosts files

  #IgnoreRhosts yes

  # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts

  #RhostsRSAAuthentication no

  # similar for protocol version 2

  #HostbasedAuthentication no

  # Change to yes if you don't trust ~/.ssh/known_hosts for

  # RhostsRSAAuthentication and HostbasedAuthentication

  #IgnoreUserKnownHosts no

  # To disable tunneled clear text passwords, change to no here!

  PasswordAuthentication yes

  PermitEmptyPasswords no

  # Change to no to disable s/key passwords

  #ChallengeResponseAuthentication yes

  # Kerberos options

  #KerberosAuthentication no

  #KerberosOrLocalPasswd yes

  #KerberosTicketCleanup yes

  #AFSTokenPassing no

  # Kerberos TGT Passing only works with the AFS kaserver

  #KerberosTgtPassing no

  # Set this to 'yes' to enable PAM keyboard-interactive authentication

  # Warning: enabling this may bypass the setting of 'PasswordAuthentication'

  #PAMAuthenticationViaKbdInt yes

  #X11Forwarding no

  #X11DisplayOffset 10

  #X11UseLocalhost yes

  #PrintMotd yes

  #PrintLastLog yes

  #KeepAlive yes

  #UseLogin no

  UsePrivilegeSeparation yes

  Compression yes

  #MaxStartups 10

  # no default banner path

  #Banner /some/path

  #VerifyReverseMapping no

  # override default of no subsystems

  Subsystem sftp /usr/local/libexec/sftp-server

  这里关闭了SSH的密码验证方式,采用RSA的密钥验证方法,用户需要首先在服务器上用ssh-keygen ?t rsa在自己的主目录下.ssh目录里自动生成密钥对,id_rsa(私钥)和id_rsa.pub(公钥),然后手工将id_rsa.pub拷贝成autohrized_keys文件.并将id_rsa和id_rsa..pub文件传至客户端保存好,同时删除服务器端的id_rsa和id_rsa.pub文件。

  客户端测试:如果是UNIX客户端,将id_rsa和id_rsa.pub放在用户主目录的.ssh子目录下, 用ssh和sftp可以进行测试;如果是WINDOWS系统的客户端,可以通过SECURECRT指定authencation为publickey方式,并且在properties中的session settings中选用use identity file,指定具体的id_rsa的文件位置,即可登录。这样,只有拥有密钥对的用户才
CopyRight © 2022 站长资源库 编程知识问答 zzzyk.com All Rights Reserved
部分文章来自网络,