CentOS: hardening SSH against remote root login

1. To improve security, first add an ordinary (non-root) user that will be used for remote logins:

#useradd usera
#passwd usera

// set the user's password when prompted

2. Edit the firewall configuration: vi /etc/sysconfig/iptables
Open the new port 45444 in the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 45444 -j ACCEPT
The complete rule set is shown between the two lines of equals signs below (those lines are not part of the file). iptables evaluates rules top to bottom and stops at the first terminating match, so the unconditional REJECT rules must come after the ACCEPT rules for the ports you want open; anything placed below an unconditional REJECT is never reached.
======================================================================
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# ssh (drop the port 22 rule once login on 45444 is confirmed to work)
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 45444 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ejabberd
#-A INPUT -p tcp --dport 5222 -j ACCEPT
#-A INPUT -p tcp --dport 5223 -j ACCEPT
#-A INPUT -p tcp --dport 5280 -j ACCEPT

# ldap/ldaps
#-A INPUT -p tcp --dport 389 -j ACCEPT
#-A INPUT -p tcp --dport 636 -j ACCEPT

# ftp.
#-A INPUT -p tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp --dport 21 -j ACCEPT

# Reject everything else. These two rules must stay last: rules are matched
# top to bottom, and any ACCEPT placed after an unconditional REJECT is dead.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

Restart the firewall so the configuration takes effect (the two commands are equivalent on CentOS 6):
/etc/init.d/iptables restart
service iptables restart
=====================================================================
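iptables stops at the first terminating match, so an unconditional "-j REJECT" that ends up above the port ACCEPT rules (an easy mistake when editing /etc/sysconfig/iptables by hand) silently leaves those ports closed. As an added example, not part of the original page, the script below finds such unreachable rules in an iptables-save style file and moves the unconditional REJECT/DROP rules to the end of the table. The embedded rule file is a constructed, shortened variant of the rule set above with the REJECT rules deliberately placed too early; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: check an iptables-save style rule
# file for ACCEPT rules that can never match, and move unconditional REJECT/DROP
# rules to the end of the table. Assumes POSIX sh and awk; input is a single
# table in the format of /etc/sysconfig/iptables.

# awk helper shared by both functions: true when the current line is a rule
# with no match criteria at all, i.e. "-A CHAIN -j REJECT|DROP" optionally
# followed by "--reject-with <type>". A rule like "-A INPUT -p tcp -j DROP"
# is conditional and does not count.
UNCOND_TERM='
function uncond_term(   i) {
    if ($1 != "-A" || $3 != "-j" || ($4 != "REJECT" && $4 != "DROP")) return 0
    for (i = 5; i <= NF; i++)
        if ($i != "--reject-with" && $(i-1) != "--reject-with") return 0
    return 1
}'

# find_dead_rules FILE: print every "-A CHAIN ..." rule that appears after an
# unconditional terminating rule on the same chain. iptables stops at the
# first terminating match, so these rules are never evaluated. Empty output
# means the ordering is sound.
find_dead_rules() {
    awk "$UNCOND_TERM"'
        $1 == "-A" && ($2 in blocked) { print; next }
        uncond_term() { blocked[$2] = 1 }
    ' "$1"
}

# count_dead_rules FILE: number of lines reported by find_dead_rules.
count_dead_rules() {
    find_dead_rules "$1" | wc -l | tr -d ' '
}

# fix_rule_order FILE: print the file with every unconditional REJECT/DROP rule
# moved to just before COMMIT, keeping their relative order. All other lines
# (comments, chain policies, conditional rules) keep their positions.
fix_rule_order() {
    awk "$UNCOND_TERM"'
        uncond_term() { held[n++] = $0; next }
        $1 == "COMMIT" { for (i = 0; i < n; i++) print held[i]; n = 0 }
        { print }
    ' "$1"
}

# make_sample_rules FILE: a constructed, shortened variant of the rule set in
# this guide, with the REJECT rules placed before the port rules.
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 45444 -j ACCEPT
COMMIT
EOF
}

# Usage on a real system:
#   find_dead_rules /etc/sysconfig/iptables
#   fix_rule_order /etc/sysconfig/iptables > /tmp/iptables.fixed   # review, then copy back
```

On the sample, find_dead_rules reports the four port rules; after fix_rule_order the two REJECT rules sit directly above COMMIT and nothing is reported. Review the rewritten file before copying it over /etc/sysconfig/iptables, since the script only reasons about rule order, not about whether the ports you opened are the ones you meant.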

3. Change the SSH port from 22

The listening port is set in the server configuration /etc/ssh/sshd_config (not /etc/ssh/ssh_config, which configures the ssh client):
vi /etc/ssh/sshd_config
Change "Port 22", or add a second Port line next to it:
Port 45444
Keep "Port 22" until you have confirmed that you can log in on 45444, then remove it. On CentOS with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so also run semanage port -a -t ssh_port_t -p tcp 45444 (semanage is in the policycoreutils-python package); otherwise sshd will fail to start on the new port.

Also in /etc/ssh/sshd_config,

set the following three options to these values:
PermitRootLogin no
PermitEmptyPasswords no #refuse logins with an empty password
UseDNS no #skip the reverse DNS lookup of connecting clients (it slows logins and adds no security)

4. Restrict which users may log in over SSH
Suppose only root, user1 and user2 should be able to use the system over SSH; add to sshd_config:
vi /etc/ssh/sshd_config
AllowUsers root user1 user2
Users not listed are refused even with a correct password. Since step 3 set PermitRootLogin no, listing root here has no effect; in this guide's setup the line would be "AllowUsers usera".

=======================================================================
5. Configure an idle timeout
For users logged in over ssh you can set an idle timeout. Open sshd_config and set:
vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0
With these values the idle timeout is 600 seconds (10 minutes); after that an idle session is disconnected (effectively logged out).
This works with the OpenSSH 5.3 shipped in CentOS 6, where ClientAliveCountMax 0 disconnects at the first interval with no client traffic. OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect", and with any higher count a connected client answers the keepalive, so on newer systems ClientAlive* only detects dead connections; for a real idle logout use the shell's TMOUT variable instead.

Restart the sshd service
#service sshd restart

Before restarting, run sshd -t to syntax-check the new configuration so a typo cannot lock you out. After the restart, open a second SSH session on the new port and confirm it works before closing the current one.

From now on, log in remotely on the new port as the newly created user usera, then switch to root with su - (root's password is still required; root simply can no longer be reached directly over SSH).
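Steps 3 to 5 all edit /etc/ssh/sshd_config by hand. As an added example, not from the original page, the script below applies the same directives idempotently: an existing directive, including a commented-out default such as "#PermitRootLogin yes", is rewritten in place, duplicates are dropped, and missing directives are appended, so running it twice yields the same file. The sample sshd_config it writes is a constructed excerpt modelled on the CentOS 6 default, the function names are my own, and the user name usera and port 45444 are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd_config hardening
# from steps 3-5 idempotently and syntax-check it before restarting sshd.
# Assumes POSIX sh with awk and grep; the config path is a parameter so the
# functions can be exercised on a scratch copy before touching /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." line (active or commented out with '#') as
# "KEY VALUE", drops any later duplicates, or appends the directive if the
# file has none. sshd honours the first occurrence of a keyword, so one line
# is enough.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        awk -v key="$key" -v value="$value" '
            $0 ~ "^[[:space:]]*#?[[:space:]]*" key "([[:space:]]|$)" {
                if (!seen) { print key " " value; seen = 1 }
                next
            }
            { print }
        ' "$file" > "$file.tmp"
        # write back through cat so the original keeps its owner and mode (0600)
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the value sshd would use (first active line;
# commented lines are ignored). Prints nothing if the directive is absent.
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the settings from steps 3-5 of this guide.
# "Port 22" is replaced outright; add a second "Port 22" line by hand if you
# want to keep the old port until the new one is confirmed working.
harden_sshd_config() {
    f=$1
    set_sshd_option "$f" Port 45444
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" UseDNS no
    set_sshd_option "$f" AllowUsers usera
    set_sshd_option "$f" ClientAliveInterval 600
    set_sshd_option "$f" ClientAliveCountMax 0
}

# check_sshd_config FILE: let sshd parse the file before "service sshd restart";
# a typo would otherwise lock you out. Succeeds trivially where sshd is not
# installed (e.g. when trying this on a workstation).
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# make_sample_config FILE: a constructed excerpt in the style of the CentOS 6
# default sshd_config (not a real file from this page), for trying the above.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
#Port 22
#AddressFamily any
Protocol 2
SyslogFacility AUTHPRIV
#PermitRootLogin yes
#PermitEmptyPasswords no
#UseDNS yes
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
EOF
}

# Usage on a scratch copy, then install it once the check passes:
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd_config /tmp/sshd_config.new && check_sshd_config /tmp/sshd_config.new
```

Work on a copy, run check_sshd_config on it, and only then copy it into place and restart sshd from a session you keep open until a second login on port 45444 succeeds.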

Related reading: setting up SSH key-based (certificate) login on Linux

Fixing the "security raw nat mangle filter [FAILED]" error when restarting iptables on a Linode VPS

service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

Following a post on the official Linode forum, the fix is to replace the stock init script with a patched copy:

cd /etc/init.d 
mv iptables ~/iptables.bak 
wget http://epoxie.net/12023.txt && cat 12023.txt | tr -d '\r' > iptables 
chmod +x iptables 
rm -f 12023.txt

This fetches a replacement init script over plain HTTP from a third-party host and installs it to run as root, so read 12023.txt (and diff it against ~/iptables.bak) before the chmod step rather than running the commands blindly.

iptables should now start successfully. Run again:

service iptables restart 

On success the output is:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

EDIT: I don’t have this error with the latest paravirt kernel 3