
Notes on secure login settings for a Linux server

In day-to-day operations work, hardening a server's security settings is an extremely important step. The recommended practices are:

1) Strictly restrict SSH login (see the earlier post Linux系统下的ssh使用(依据个人经验总结), "Using SSH on Linux, summarized from personal experience"):
   change the default SSH listening port;
   disable root login and set up a dedicated account or group for SSH login;
   disable password login and use certificate (key-based) login;
   bind ListenAddress to the machine's internal IP, so that SSH connections are only accepted on the host's internal IP;
2) Whitelist the IPs allowed to log in (iptables, /etc/hosts.allow, /etc/hosts.deny);
3) Dedicate two machines as bastion hosts; once the other machines are whitelisted they can only be logged into through the bastions, which narrows the entry point into the datacenter servers. Apply the SSH restrictions above to the bastion hosts as well, and ideally add a second verification step after login (Google-Authenticator);
4) Strict sudo permission control (see the earlier post linux系统下的权限知识梳理, "An overview of permissions on Linux");
5) Use the chattr command to lock important files on the server, such as /etc/passwd, /etc/group, /etc/shadow, /etc/sudoers, /etc/sysconfig/iptables and /var/spool/cron/root;
6) Disable ping (echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all).

This post focuses on the whitelist settings for secure server login, using the following two methods: 1) restricting the SSH port with iptables; 2) restricting with /etc/hosts.allow and /etc/hosts.deny. These two files control remote access; through them a given IP or IP range can be allowed or denied access to a particular Linux service. When iptables, hosts.allow and hosts.deny are all configured, or when their settings conflict, the order of precedence followed is hosts.allow > hosts.deny > iptables.

Let us look at several settings that restrict login to the local server:

1) iptables and hosts.allow configured identically, hosts.deny not configured. Where they conflict, the hosts.allow setting prevails.

    [root@localhost ~]# cat /etc/sysconfig/iptables
    .....
    -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    [root@localhost ~]# cat /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow

Remember: the 192.168.1.* subnet here must not be written as 192.168.1.0/24, and multiple IPs are separated by commas. The trailing allow can be omitted.

    [root@localhost ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # The rules in this file can also be set up in
    # /etc/hosts.allow with a 'deny' option instead.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #

With the settings above, 133.110.186.139 does not appear in the iptables whitelist but does appear in hosts.allow, so it is allowed to log in to the local server. In other words, every IP listed in hosts.allow can log in, while an IP listed in iptables but not in hosts.allow cannot. So once hosts.allow is configured, there is really no need for iptables to restrict SSH any further.

2) hosts.allow not configured, iptables and hosts.deny configured (where the two conflict, hosts.deny prevails).

    [root@localhost ~]# cat /etc/sysconfig/iptables
    .....
    -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    [root@localhost ~]# cat /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #

    [root@localhost ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # The rules in this file can also be set up in
    # /etc/hosts.allow with a 'deny' option instead.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #
    sshd:133.110.186.130:deny

The trailing deny can be omitted.

Here 133.110.186.130 is listed in iptables but also in hosts.deny, so the hosts.deny setting is followed and 133.110.186.130 cannot log in to the local server. That is, only the 192.168.1.0 subnet and 114.165.77.144 can log in.

3) When iptables, hosts.allow and hosts.deny are all configured, hosts.allow is what counts!

    [root@localhost ~]# cat /etc/sysconfig/iptables
    .....
    -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    [root@localhost ~]# cat /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow

The trailing allow can be omitted.

    [root@localhost ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # The rules in this file can also be set up in
    # /etc/hosts.allow with a 'deny' option instead.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    sshd:all:deny

The trailing deny can be omitted.

After the settings above, only the IPs configured in hosts.allow (192.168.1.*, 114.165.77.144, 133.110.186.130 and 133.110.186.139) can log in to the local server.

4) One more variant: leave hosts.deny untouched and put the deny rule in hosts.allow.

    [root@localhost ~]# cat /etc/sysconfig/iptables
    .....
    -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    [root@localhost ~]# cat /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow
    sshd:all:deny

The trailing allow on the first rule can be omitted. The sshd:all:deny line normally lives in hosts.deny, but it can also be placed here; it means that every IP other than those listed above is blocked from logging in.

    [root@localhost ~]# cat /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # The rules in this file can also be set up in
    # /etc/hosts.allow with a 'deny' option instead.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #

5) If iptables is turned off, hosts.allow and hosts.deny take effect only when both files are configured.
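As an added example (not from the original post), the following shell script is a dry-run checker for whitelists like the ones in setups 2 to 4 above: it applies the hosts.allow / hosts.deny lookup order that sshd's tcp_wrappers check uses to a given client IP, so a new rule set can be tested against the IPs you care about before it is put in /etc. It assumes IPv4 addresses, the daemon name sshd, and only the client pattern forms used in this post; the file paths it reads are passed in as arguments.

```shell
#!/bin/bash
# Dry-run of the tcp_wrappers lookup sshd performs on hosts.allow / hosts.deny (hosts_access(5)):
# first matching rule in hosts.allow grants access; else first matching rule in hosts.deny
# denies; else access is granted. A trailing ":allow"/":deny" on a rule overrides the file's
# default verdict. Assumption: IPv4 and the client patterns used on this page (exact IP,
# "192.168.1.*", "192.168.1." prefix, ALL). On a live host tcpdmatch(8) does the real check.
set -f   # no pathname expansion: a token such as "192.168.1.*" must stay literal
# matches LIST VALUE -> 0 if any comma-separated token of LIST covers VALUE
matches() {
    local tok
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            ALL|all|All) return 0 ;;
            *.) case "$2" in "$tok"*) return 0 ;; esac ;;   # "192.168.1." prefix form
            *)  case "$2" in $tok)    return 0 ;; esac ;;   # exact value or "192.168.1.*" glob
        esac
    done
    return 1
}
# lookup FILE DAEMON IP DEFAULT -> prints allow|deny from the first rule whose daemon list
# and client list both match; returns 1 when no rule in FILE matches
lookup() {
    local line dlist rest clist opt
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                            # strip comments
        case "$line" in *:*) ;; *) continue ;; esac   # skip blank or malformed lines
        dlist="${line%%:*}"; rest="${line#*:}"
        case "$rest" in *:*) clist="${rest%%:*}"; opt="${rest#*:}" ;; *) clist="$rest"; opt="" ;; esac
        matches "$dlist" "$2" && matches "$clist" "$3" || continue
        case "$(printf '%s' "$opt" | tr -d ' \t')" in allow) echo allow ;; deny) echo deny ;; *) echo "$4" ;; esac
        return 0
    done < "$1"
    return 1
}
# verdict DAEMON IP ALLOWFILE DENYFILE -> prints the final allow|deny decision
verdict() {
    local v
    if   v=$(lookup "$3" "$1" "$2" allow); then echo "$v"
    elif v=$(lookup "$4" "$1" "$2" deny);  then echo "$v"
    else echo allow; fi                           # no rule matched in either file
}
# Demo with constructed temp files reproducing setup 4 from the page (deny placed in hosts.allow)
demo() {
    local a d; a=$(mktemp); d=$(mktemp)
    printf 'sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow\nsshd:all:deny\n' > "$a"
    echo "192.168.1.20 -> $(verdict sshd 192.168.1.20 "$a" "$d"); 133.110.186.133 -> $(verdict sshd 133.110.186.133 "$a" "$d")"
    rm -f "$a" "$d"
}
demo
```

Run it as a normal user with copies of the candidate files; it never touches /etc.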
