Linux服务器安全登录设置记录

在日常运维工作中，对加固服务器的安全设置是一个机器重要的环境。比较推荐的做法是： 1）严格限制ssh登陆（参考：Linux系统下的ssh使用(依据个人经验总结)）：      修改ssh默认监听端口      禁用root登陆，单独设置用于ssh登陆的账号或组；      禁用密码登陆，采用证书登陆；      ListenAddress绑定本机内网ip，即只能ssh连接本机的内网ip进行登陆； 2）对登陆的ip做白名单限制（iptables、/etc/hosts.allow、/etc/hosts.deny） 3）可以专门找两台机器作为堡垒机，其他机器做白名单后只能通过堡垒机登陆，将机房服务器的登陆进去的口子收紧；      另外，将上面限制ssh的做法用在堡垒机上，并且最好设置登陆后的二次验证环境（Google-Authenticator身份验证） 4）严格的sudo权限控制（参考：linux系统下的权限知识梳理） 5）使用chattr命令锁定服务器上重要信息文件，如/etc/passwd、/etc/group、/etc/shadow、/etc/sudoers、/etc/sysconfig/iptables、/var/spool/cron/root等 6）禁ping（echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all）

今天这里主要说下服务器安全登陆的白名单设置，通过下面两种方法： 1）iptables对ssh端口做限制； 2）/etc/hosts.allow和/etc/hosts.deny限制；这两个文件是控制远程访问设置的，通过他可以允许或者拒绝某个ip或者ip段的客户访问linux的某项服务。 如果当iptables、hosts.allow和hosts.deny三者都设置时或设置出现冲突时，遵循的优先级是hosts.allow > hosts.deny >iptables

下面来看一下几个限制本地服务器登陆的设置： 1）iptables和hosts.allow设置一致，hosts.deny不设置。如果出现冲突，以hosts.allow设置为主。 [root@localhost ~]# cat /etc/sysconfig/iptables ..... -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers #                                                                                                      //切记:这里的192.168.1.*网段设置不能改为192.168.1.0/24;多个ip之间用逗号隔开 sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow     //最后的allow可以省略

[root@localhost ~]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers #

如上的设置，133.110.186.139虽然没有出现在iptables的白名单设置里，但是出现在hosts.allow设置里，那么它是允许登陆本地服务器的； 也就是说hosts.allow里设置的ip都可以登陆本地服务器，hosts.allow里没有设置而iptables里设置的ip不能登陆本地服务器； 所以，只要hosts.allow里设置了，iptables其实就没有必要再对ssh进行限制了；

2）hosts.allow不设置，iptables和hosts.deny设置（二者出现冲突，以hosts.deny为主） [root@localhost ~]# cat /etc/sysconfig/iptables ..... -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers #

[root@localhost ~]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # sshd:133.110.186.130:deny                                               //最后的deny可以省略

以上虽然133.110.186.130在iptables里设置了，但是在hosts.deny里也设置了，这时要遵循hosts.deny的设置，即133.110.186.130这个ip不能登陆本地服务器； 也就是说上面只有192.168.1.0网段和114.165.77.144能登陆本地服务器；

3）当iptables、hosts.allow、hosts.deny三者都设置时，遵循的hosts.allow！ [root@localhost ~]# cat /etc/sysconfig/iptables ..... -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow                 //最后的allow可以省略

[root@localhost ~]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers sshd:all:deny                                  //最后的deny可以省略

上面设置之后，只有hosts.allow里面设置的192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139这些ip能登陆本地服务器

4）还有一种设置，hosts.deny不动，在hosts.allow里面设置deny [root@localhost ~]# cat /etc/sysconfig/iptables ..... -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow             //最后的allow可以省略 sshd:all:deny    //这个本来是在hosts.deny里的设置，也可以放在这，表示出了上面的ip之外都被限制登陆了。

[root@localhost ~]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers #

5）iptables关闭，则hosts.allow和hosts.deny文件同时设置才有效。