Linux SSH Port Security Settings (Server Setup)

I installed CentOS 7 on an old Dell machine of mine to use as an everyday development server. Even inside a home LAN we still need to pay attention to security, just as with a production server: moving commonly used services off their default ports greatly reduces the risk from malicious brute-force attacks, because once the port is no longer the well-known one, generic brute-force requests are simply rejected and ignored by the server.

Changing the SSH port

Environment: RHEL/CentOS 7.x

In what follows, port 123 stands in for the target port; substitute whichever port you want to use.

# first, open the target SSH port in the firewall
[root@thinkcent network-scripts]# firewall-cmd --zone=public --add-port=123/tcp --permanent
success
# reload the firewall
[root@thinkcent network-scripts]# firewall-cmd --reload
success
# edit the ssh config file
[root@thinkcent network-scripts]# vi /etc/ssh/sshd_config

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
# change the port here
Port 123
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#LoginGraceTime 2m
# recommended to change this as well: forbid root login over SSH and allow only normal users
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# restart SSH, but it fails
[root@thinkcent network-scripts]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
# check the cause: it is a SELinux restriction. I do not recommend disabling SELinux; instead we just adjust the SELinux port policy
[root@thinkcent network-scripts]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Sat 2018-07-14 14:45:29 CST; 18s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 19159 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
Main PID: 19159 (code=exited, status=255)

Jul 14 14:45:29 thinkcent systemd[1]: Failed to start OpenSSH server daemon.
Jul 14 14:45:29 thinkcent systemd[1]: Unit sshd.service entered failed state.
Jul 14 14:45:29 thinkcent systemd[1]: sshd.service failed.

# install semanage
[root@thinkcent network-scripts]# yum install policycoreutils-python
# let SELinux allow port 123 for sshd
[root@thinkcent network-scripts]# semanage port -a -t ssh_port_t -p tcp 123
# check the result
[root@thinkcent network-scripts]# semanage port -l | grep ssh
ssh_port_t tcp 123, 22
# restart SSH again, this time successfully
[root@thinkcent network-scripts]# systemctl restart sshd.service
# port 123 is now being listened on
[root@thinkcent thinktik]# netstat -lnp|grep 123
tcp 0 0 0.0.0.0:123 0.0.0.0:* LISTEN 19302/sshd
tcp6 0 0 :::123 :::* LISTEN 19302/sshd
unix 2 [ ACC ] STREAM LISTENING 22728 1686/master private/verify
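The same procedure as a script, added here as an example and not part of the original post: it performs the firewalld, SELinux and sshd_config steps in order, gates each on the previous one, and runs sshd -t before the restart so a broken config cannot lock the current session out. It also refuses a port that /etc/services already assigns to another service (the post's stand-in port 123 is NTP's registered port), and it assumes the CentOS 7 tools shown above (firewall-cmd, semanage, systemctl, ss); the file paths, the "apply" flag and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added helper, not from the original post: applies the port change on
# CentOS 7 (firewalld + SELinux) with a check at each step, so a bad
# sshd_config cannot lock you out. Paths and the "apply" flag are assumptions.
set -u
# Accept 1..65535 only, and refuse a port /etc/services already assigns
# (the post's stand-in port 123 is NTP's well-known port; avoid it for real).
port_usable() {
    port=$1; services=${2:-/etc/services}
    case "$port" in ''|*[!0-9]*|0*) return 1;; esac
    [ "$port" -le 65535 ] || return 1
    ! grep -Eqs "[[:space:]]$port/(tcp|udp)" "$services"
}

# Does `semanage port -l` output already label this tcp port ssh_port_t?
# A matching line looks like: "ssh_port_t    tcp    123, 22"
selinux_has_ssh_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Set the Port directive in an sshd_config file: the commented "#Port 22"
# default is rewritten in place, otherwise the directive is appended.
set_sshd_port() {
    port=$1; cfg=$2
    if grep -Eq '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    grep -Eq "^Port[[:space:]]+$port\$" "$cfg"
}

# The post's steps in order, each gated on the previous one; sshd -t validates
# the new config before the restart, so the current session stays usable.
change_ssh_port() {
    port=$1
    port_usable "$port" || { echo "port $port is not usable" >&2; return 1; }
    firewall-cmd --zone=public --add-port="$port/tcp" --permanent && firewall-cmd --reload || return 1
    selinux_has_ssh_port "$port" "$(semanage port -l)" || semanage port -a -t ssh_port_t -p tcp "$port" || return 1
    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak || return 1
    set_sshd_port "$port" /etc/ssh/sshd_config || return 1
    sshd -t || { cp -a /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    systemctl restart sshd && ss -ltn | grep -Eq "[:.]$port[[:space:]]"
}

# Only act when explicitly asked, e.g.: sudo ./ssh-port.sh apply 2222
if [ "${1:-}" = "apply" ]; then change_ssh_port "${2:-}"; fi
```

Keep the old session open until a second login on the new port succeeds; only then is it safe to remove port 22 from the firewall zone.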