Brahmin | Highlights | Combat power: Goose | Replies: 0 | Registered: 2006-12-5
Fine, since you insist on arguing: tell me where in 2.1, 3.1 or 3.2 it says to open firewall ports and deal with SELinux? What use is writing such a long pile of text?
2.1 Configuration
The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:
~/.ssh/config
# global options
User user
# host-specific options
Host myserver
Hostname server-address
Port port
With such a configuration, the following commands are equivalent:
$ ssh -p port user@server-address
$ ssh myserver
See ssh_config(5) for more information.
Some options do not have command line switch equivalents, but you can specify configuration options on the command line with -o. For example -oKexAlgorithms=+diffie-hellman-group1-sha1.
3.1 Configuration
To allow access only for some users, add this line:
AllowUsers user1 user2
To allow access only for some groups:
AllowGroups group1 group2
To add a nice welcome message (e.g. from the /etc/issue file), configure the Banner option:
Banner /etc/issue
Public and private host keys are automatically generated in /etc/ssh by the sshdgenkeys service and are regenerated if missing, even if the HostKeyAlgorithms option in sshd_config allows only some of them. Four key pairs are provided, based on the dsa, rsa, ecdsa and ed25519 algorithms. To have sshd use a particular key, specify the following option:
HostKey /etc/ssh/ssh_host_rsa_key
If the server is to be exposed to the WAN, it is recommended to change the default port from 22 to a random high one, like this:
Port 39901
Tip:
To help select an alternative port that is not already assigned to a common service, review the list of TCP and UDP port numbers. You can also find port information locally in /etc/services. A port change from default port 22 will reduce the number of log entries caused by automated authentication attempts but will not eliminate them. See Port knocking for related information.
It is recommended to disable password logins entirely. This will greatly increase security; see #Force public key authentication for more information. See #Protection for more recommended security methods.
OpenSSH can listen to multiple ports simply by having multiple Port port_number lines in the configuration file.
New (or missing) host key pairs can be generated by removing the pair(s) that you want to replace from /etc/ssh and running ssh-keygen -A as root.
3.2 Daemon management
Start/enable sshd.service. It will keep the SSH daemon permanently active and fork for each incoming connection.[1]
Note: openssh 8.0p1-3 removed sshd.socket that used systemd's socket activation due to it being susceptible to denial of service. See FS#62248 for details. If sshd.socket is enabled when updating to openssh 8.0p1-3, the sshd.socket and sshd@.service units will be copied to /etc/systemd/system/ and reenabled. This is only done to not break existing setups; users are still advised to migrate to sshd.service.
Warning: If you continue using sshd.socket, be aware of its issues:
The sshd.socket unit may fail (e.g. due to an out-of-memory situation), and Restart=always cannot be specified on socket units. See systemd issue 11553.
Using socket activation can result in denial of service, as too many connections can cause refusal to further activate the service. See FS#62248.
Note: Using sshd.socket negates the ListenAddress setting, so it will allow connections over any address. To achieve the effect of setting ListenAddress, you must specify the port and IP for ListenStream (e.g. ListenStream=192.168.1.100:22) by editing sshd.socket. You must also add FreeBind=true under [Socket] or else setting the IP address will have the same drawback as setting ListenAddress: the socket will fail to start if the network is not up in time.
Tip: When using socket activation, a transient instance of sshd@.service will be started for each connection (with different instance names). Therefore, neither sshd.socket nor the daemon's regular sshd.service allow to monitor connection attempts in the log. The logs of socket-activated instances of SSH can be seen by running journalctl -u "sshd@*" as root or by running journalctl /usr/bin/sshd as root.
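The quoted sections 3.1 and 3.2 recommend a non-default Port, AllowUsers/AllowGroups restrictions and disabling password logins, and they are written as bare sshd_config lines without saying how to confirm what sshd will actually apply. The following is an added example, not code from the Arch Wiki, OpenSSH or the poster: a small Python audit of an sshd_config text against exactly those recommendations. It implements two rules from sshd_config(5) that matter for such an audit: keywords are case-insensitive and, for a single-value keyword, the first value obtained wins (a later conflicting line is silently ignored), and lines after a Match line apply only to matching connections, so they are left out of the global view. Both configs below are constructed samples; the helper names are this example's own.

```python
"""Audit an sshd_config text against the recommendations quoted above.

Added example (not from the Arch Wiki or OpenSSH). Sample configs are
constructed inline. Parsing follows sshd_config(5): keywords are
case-insensitive, the FIRST value obtained for a keyword wins, and lines
after a "Match" line are conditional and therefore excluded here.
"""
import re
from typing import Dict, List, Tuple

# Keywords that may legitimately appear several times (their values accumulate).
MULTI_VALUE = {"port", "hostkey", "listenaddress", "allowusers",
               "allowgroups", "denyusers", "denygroups"}


def parse_global_options(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({keyword: [values]}, [warnings]) for the global section.

    Keys are lower-cased. For single-value keywords only the first value is
    kept; a later conflicting value yields a warning because sshd ignores it.
    Everything after the first "Match" line is treated as conditional.
    """
    opts: Dict[str, List[str]] = {}
    warnings: List[str] = []
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # only full-line comments exist
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key in MULTI_VALUE:
            opts.setdefault(key, []).append(value)
        elif key in opts:
            if opts[key][0].lower() != value.lower():
                warnings.append(f"line {lineno}: {key}={value!r} ignored; "
                                f"first value {opts[key][0]!r} wins")
        else:
            opts[key] = [value]
    return opts, warnings


def audit(text: str) -> List[str]:
    """Return findings against the quoted advice; an empty list means it passes."""
    opts, findings = parse_global_options(text)
    # PasswordAuthentication defaults to yes; the page says to disable it.
    pw = opts.get("passwordauthentication", ["yes"])[0].lower()
    if pw != "no":
        findings.append("PasswordAuthentication is effectively 'yes'; set it to 'no'")
    # Port defaults to 22; the page recommends a random high port when WAN-exposed.
    if "22" in opts.get("port", ["22"]):
        findings.append("sshd listens on default port 22")
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


# Constructed sample: a default-looking config with a typical mistake.
WEAK_CONFIG = """\
# constructed sample
Port 22
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_rsa_key
Banner /etc/issue
# the next line is silently ignored by sshd: the first value above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample following the quoted recommendations.
HARDENED_CONFIG = """\
# constructed sample
Port 39901
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
AllowUsers user1 user2
Banner /etc/issue
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

On a real host the authoritative check is `sshd -T` run as root, which prints the effective configuration after sshd's own parsing; the audit above is for reading config text offline and for catching the ignored-duplicate case that a visual scan of the file misses.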