
安装 Linux 系统后的基本安全配置

liveJQ
2024-10-16 / 0 comments / 0 likes / 44 views / 1,846 characters

Test environment: Ubuntu 20.04

Change the default SSH port

cat <<EOF >> /etc/ssh/sshd_config
Port 45678
EOF

If a firewall is running, allow the new port first

ufw allow 45678/tcp

Restart the service for the change to take effect

systemctl restart sshd
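An added example, not code from the original post: the heredoc above appends a new "Port" line on every run, and sshd listens on every Port directive it finds, so rerunning the snippet leaves stale or duplicate ports behind. The helper below rewrites the existing Port directive (commented or not), drops duplicates, and appends only when none exists. It takes the config path as an argument, so it is rehearsed here on a constructed stand-in file rather than on /etc/ssh/sshd_config.

```shell
# Added example (not from the original post): set "Port" in an sshd_config
# idempotently instead of appending blindly.

set_sshd_port() {                 # $1 = sshd_config path, $2 = port number
    cfg=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Replace the first Port line (even a commented "#Port 22"), drop any
    # further Port lines, and append one only if the file had none.
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+/ { if (!done) { print "Port " p; done = 1 }; next }
        { print }
        END { if (!done) print "Port " p }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

effective_sshd_port() {           # first uncommented Port directive, else the default 22
    p=$(awk '/^[ \t]*Port[ \t]+/ { print $2; exit }' "$1")
    echo "${p:-22}"
}

demo_port_config() {              # rehearsal on a constructed stand-in file
    tmp=$(mktemp)
    printf '# constructed stand-in for /etc/ssh/sshd_config\n#Port 22\nPermitRootLogin no\n' > "$tmp"
    set_sshd_port "$tmp" 45678
    set_sshd_port "$tmp" 45678    # second run must not add a duplicate line
    printf '%s %s\n' "$(effective_sshd_port "$tmp")" "$(grep -c '^Port ' "$tmp")"
    rm -f "$tmp"
}

demo_port_config                  # prints: 45678 1
```

On the real host, run `sshd -t` after editing and before `systemctl restart sshd`: it syntax-checks the configuration, and a typo caught there is far cheaper than a restart that leaves sshd down on a remote machine.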

Install and configure fail2ban

apt install rsyslog fail2ban -y
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local; you only need to add the settings at the following location.

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled  = true
filter   = sshd
maxretry = 5
findtime = 10m
bantime  = 24h

Restart the service to apply the configuration and enable it at boot

systemctl restart fail2ban && systemctl status fail2ban && systemctl enable fail2ban

Check which IPs have been banned from SSH login

fail2ban-client status sshd
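Two small checks for the fail2ban setup above, added here as an example and not part of the original post. `lint_jail_section` flags the easy-to-make "enable"/"enabled" mix-up in a jail section ("enable" is not a fail2ban option, so such a line changes nothing, and whether the jail runs then depends on "enabled" being set elsewhere, for instance in jail.conf or jail.d). `ban_counts` totals Ban events per IP from a fail2ban.log, a quick complement to `fail2ban-client status sshd` when you want history rather than the current ban list. The log lines and the jail file are constructed samples in fail2ban's own formats, not captured from the author's host.

```shell
# Added example (not from the original post): lint a jail.local section and
# summarise bans from fail2ban.log. All inputs below are constructed samples.

lint_jail_section() {        # $1 = jail.local path, $2 = jail name; prints findings
    awk -v jail="$2" '
        /^\[[^]]*\]/ { insec = ($0 == "[" jail "]"); next }
        !insec || /^[ \t]*#/ { next }
        /^[ \t]*enable[ \t]*=/ { print "typo: \"enable\" is not a fail2ban option; use \"enabled\"" }
        /^[ \t]*enabled[ \t]*=[ \t]*true/ { on = 1 }
        END { if (!on) print "no \"enabled = true\" in [" jail "] of this file" }' "$1"
}

ban_counts() {               # $1 = jail name; reads fail2ban.log lines on stdin
    awk -v jail="$1" '
        $0 ~ ("\\[" jail "\\] Ban ") { bans[$NF]++ }     # "[sshd] Ban <ip>" lines only
        END { for (ip in bans) print ip, bans[ip] }' | sort
}

write_jail_sample() {        # $1 = output path, $2 = key spelling to use (enable|enabled)
    printf '[DEFAULT]\nbantime = 10m\n\n[sshd]\n# constructed sample\n%s = true\nmaxretry = 5\n' "$2" > "$1"
}

sample_fail2ban_log() {      # constructed lines in fail2ban log format, not from a real host
    cat <<'EOF'
2024-10-16 08:12:31,412 fail2ban.filter         [8123]: INFO    [sshd] Found 203.0.113.9 - 2024-10-16 08:12:31
2024-10-16 08:13:02,001 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 203.0.113.9
2024-10-16 09:40:17,550 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 198.51.100.23
2024-10-16 10:13:02,118 fail2ban.actions        [8123]: NOTICE  [sshd] Unban 203.0.113.9
2024-10-16 11:02:44,803 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 203.0.113.9
EOF
}

tmp=$(mktemp)
write_jail_sample "$tmp" enable      # the misspelling the linter is meant to catch
lint_jail_section "$tmp" sshd
rm -f "$tmp"
sample_fail2ban_log | ban_counts sshd
```

To run the linter against the real file, call `lint_jail_section /etc/fail2ban/jail.local sshd`; `fail2ban-client -t` remains the authoritative syntax check for the whole configuration.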

Configure tcp_wrappers

cat /etc/hosts.allow

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
sshd:10.
sshd:192.168.1.0/255.255.255.0
sshd:111.111.111.0/24
sshd:[3ffe:505:2:1::]/64
sshd:.livejq.top
sshd:/opt/ip_allow.txt

cat /etc/hosts.deny

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd:all

Note: make sure the host you are currently connecting from is already covered by the hosts.allow list before writing the configuration above; otherwise your connection may be dropped immediately.
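A dry-run matcher for the hosts_access(5) client patterns used above, added here as an example and not part of the original post. It lets you confirm that your own address matches hosts.allow before "sshd:all" goes into hosts.deny, which is exactly the lock-out the note warns about. It models the IPv4 forms on the page (a dotted prefix such as "10.", net/mask, net/prefix-length, a ".domain" suffix, and ALL); the IPv6 and /opt/ip_allow.txt entries are deliberately not modelled and never match. The rule lists are constructed copies of the page's entries, not read from /etc. The `sshd_has_libwrap` helper is the check to run first on the target host: hosts.allow and hosts.deny only affect sshd if it is linked against libwrap.

```shell
# Added example (not from the original post): evaluate tcp_wrappers rules for
# a client address offline. Rule lists are constructed copies of the page's.

ip4_to_int() {                   # 192.168.1.10 -> 3232235786
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_to_mask() {               # 24 -> 4294967040 (0xffffff00)
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

client_matches() {               # $1 = pattern, $2 = client IP, $3 = client hostname
    local pat=$1 ip=$2 host=$3 net mask m
    case "$pat" in
        ALL|all) return 0 ;;
        *:*|/*)  return 1 ;;                                   # IPv6 and file patterns: not modelled
        .*)      case "$host" in *"$pat") return 0 ;; esac ;;  # leading dot: hostname suffix
        */*)                                                   # net/mask or net/prefixlen
            net=${pat%/*}; mask=${pat#*/}
            case "$mask" in
                *.*) m=$(ip4_to_int "$mask") ;;
                *)   m=$(prefix_to_mask "$mask") ;;
            esac
            if [ $(( $(ip4_to_int "$ip") & m )) -eq $(( $(ip4_to_int "$net") & m )) ]; then
                return 0
            fi ;;
        *.)      case "$ip" in "$pat"*) return 0 ;; esac ;;    # trailing dot: IPv4 prefix
        *)       if [ "$pat" = "$ip" ] || [ "$pat" = "$host" ]; then return 0; fi ;;
    esac
    return 1
}

# hosts_access(5) order: a hosts.allow match grants, else a hosts.deny match
# refuses, else access is granted.
hosts_access_allows() {          # $1 = ip, $2 = host, $3 = allow list, $4 = deny list
    local p
    for p in $3; do
        if client_matches "$p" "$1" "$2"; then return 0; fi
    done
    for p in $4; do
        if client_matches "$p" "$1" "$2"; then return 1; fi
    done
    return 0
}

# Constructed copies of the page's sshd rules (IPv6 and file entries omitted).
SSHD_ALLOW="10. 192.168.1.0/255.255.255.0 111.111.111.0/24 .livejq.top"
SSHD_DENY="all"

sshd_allowed() { hosts_access_allows "$1" "$2" "$SSHD_ALLOW" "$SSHD_DENY"; }

# hosts.allow/hosts.deny only affect sshd if it is linked against libwrap;
# run this on the target host before relying on the rules at all.
sshd_has_libwrap() { ldd "$(command -v sshd)" 2>/dev/null | grep -q libwrap; }

for c in "10.0.0.7 -" "192.168.1.77 -" "203.0.113.4 jump.livejq.top" "203.0.113.4 other.example"; do
    set -- $c
    if sshd_allowed "$1" "$2"; then echo "$1 ($2): allowed"; else echo "$1 ($2): denied"; fi
done
```

Before adding "sshd:all" to hosts.deny, run `sshd_allowed <your-ip> <your-hostname>` with the rules you actually intend to write; if it prints "denied", fix hosts.allow first. If `sshd_has_libwrap` returns false on the host, these files do not apply to sshd and the restriction has to live in sshd_config (AllowUsers/Match) or the firewall instead.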
