{"id":285,"date":"2021-08-11T00:39:00","date_gmt":"2021-08-11T00:39:00","guid":{"rendered":"https:\/\/262235.xyz\/?p=285"},"modified":"2021-08-11T00:39:00","modified_gmt":"2021-08-11T00:39:00","slug":"285","status":"publish","type":"post","link":"https:\/\/lyvba.com\/index.php\/2021\/08\/11\/285\/","title":{"rendered":"SSH \u9632\u6b62\u522b\u4eba\u7206\u7834 N\u4e2a\u65b9\u6cd5"},"content":{"rendered":"<h2>SSH \u9632\u6b62\u522b\u4eba\u7206\u7834\u65b9\u6cd5<\/h2>\n<h3>\u65b9\u6cd51. \u4f7f\u7528\u8bc1\u4e66\u5bc6\u94a5\u767b\u9646\uff0c\u6211\u5c31\u662f\u8fd9\u6837\u505a\uff0c\u4e3b\u8981\u662f\u6700\u7b80\u5355\u800c\u4e14\u6709\u6548\uff0c\u800c\u4e14\u4f7f\u7528\u7b80\u5355<\/h3>\n<ul>\n<li>\u8bc1\u4e66\u767b\u9646\u7684\u811a\u672c.sh<\/li>\n<\/ul>\n<pre><code>#!\/bin\/bash\nmkdir -p ~\/.ssh  &amp;&amp; cd ~\/.ssh\n\n# id_rsa.pub  authorized_keys   SSH \u8df3\u677f\u673a\u516c\u94a5\nauthorized_keys(){\n\ncat &lt;&lt;EOF &gt;&gt;  authorized_keys\nssh-rsa \u628a\u4f60\u7684\u516c\u94a5\u653e\u8fd9\u884c root  ##################################\n\nEOF\n}\n\nno_use_passwd(){\n    # \u7981\u7528\u5bc6\u7801\u767b\u9646\n    sed -i \"s\/PasswordAuthentication.*\/PasswordAuthentication no\/g\"    \/etc\/ssh\/sshd_config\n    sed -i \"s\/#PasswordAuthentication.*\/PasswordAuthentication no\/g\"   \/etc\/ssh\/sshd_config\n\n    # \u53ea\u80fdSSH2\u8bbf\u95ee,\u8fd9\u4e2a\u5b89\u5168\u6027\u9ad8.\n    sed -i '\/Protocol\/d' \/etc\/ssh\/sshd_config\n    echo \"Protocol 2\" &gt;&gt; \/etc\/ssh\/sshd_config\n\n    # \u91cd\u542fssh\u670d\u52a1\n    systemctl restart ssh\n}\n\n##  \u542f\u7528\u529f\u80fd\nauthorized_keys\nno_use_passwd<\/code><\/pre>\n<ul>\n<li>注意：禁用密码登录前，先另开一个会话确认密钥可以登录；重启服务前用 <code>sshd -t<\/code> 检查配置，避免把自己锁在外面。<\/li>\n<li><code>~\/.ssh<\/code> 权限应为 700，<code>authorized_keys<\/code> 为 600；较新的 OpenSSH 只支持协议 2，<code>Protocol<\/code> 选项已废弃，可以省略。服务名在 Debian\/Ubuntu 上是 <code>ssh<\/code>，在 RHEL\/CentOS 上是 <code>sshd<\/code>。<\/li>\n<\/ul>\n<h3>\u65b9\u6cd52. 
\u6539\u7aef\u53e3 \u5bc6\u94a5\u767b\u9646 \u5173\u95ed\u5bc6\u7801\u767b\u9646\uff0c \u64cd\u4f5c\u8d77\u6765\u9ebb\u70e6\u4e00\u4e9b\uff0c\u81ea\u5df1\u4f7f\u7528\u4e5f\u7a0d\u5fae\u4e0d\u65b9\u4fbf\u70b9<\/h3>\n<ul>\n<li>\u65b9\u6cd51\u811a\u672c\uff0c\u542f\u7528\u5bc6\u94a5\uff0c\u518d\u4fee\u6539\u7aef\u53e3<\/li>\n<\/ul>\n<h3>\u65b9\u6cd53. \u6539\u7aef\u53e3+\u7528key\u767b\u9646\uff0c\u5e38\u5e74root\u7528\u6237\u767b\u5f55\uff0c\u5916\u52a0iptables\u4f3a\u5019<\/h3>\n<pre><code>\niptables -I INPUT -p tcp --dport \u7aef\u53e3 -m state --state NEW -m recent --name ssh --rcheck --seconds 600 --hitcount 3 -j DROP\niptables -I INPUT -p tcp --dport \u7aef\u53e3 -m state --state NEW -m recent --name ssh --set -j ACCEPT\n\n# 600\u79d2\u53d1\u8d77\u8d85\u8fc73\u6b21\u65b0\u8fde\u63a5\u7684\u76f4\u63a5\u4e22\u5305<\/code><\/pre>\n<ul>\n<li>注意：两条规则都用 <code>-I<\/code> 插到链首，按上面的顺序执行后 <code>--set ... ACCEPT<\/code> 会排在 <code>--rcheck ... DROP<\/code> 之前，新连接先被放行，限速不会生效；应让 DROP 规则排在前面，并用 <code>iptables -L INPUT -n --line-numbers<\/code> 确认顺序。<\/li>\n<\/ul>\n<h3>\u65b9\u6cd54. ssh\u7206\u783410\u6b21\u5931\u8d25\u5c31\u62c9\u9ed1<\/h3>\n<pre><code>\n#! \/bin\/bash\ncat \/var\/log\/secure|awk '\/Failed\/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"=\"$1;}' &gt; \/usr\/local\/bin\/black.txt\nfor i in \"cat  \/usr\/local\/bin\/black.txt\"\ndo\n        IP=\"echo $i |awk -F= '{print $1}'\"\n        NUM=\"echo $i|awk -F= '{print $2}'\"\n        result=$(cat \/etc\/hosts.deny | grep $IP)\n        if [[ $NUM -gt 10 ]];then\n                if [[ $result = \"\" ]];then\n                        echo \"sshd: $IP\" &gt;&gt; \/etc\/hosts.deny\n                fi\n        fi\n<\/code><\/pre>\n<ul>\n<li>注意：上面的脚本照抄无法运行：<code>for i in<\/code>、<code>IP=<\/code>、<code>NUM=<\/code> 后面看起来应是命令替换 <code>$(...)<\/code>，而不是双引号字符串，循环结尾还缺少 <code>done<\/code>。<code>\/var\/log\/secure<\/code> 是 RHEL\/CentOS 的路径，Debian\/Ubuntu 对应 <code>\/var\/log\/auth.log<\/code>；<code>\/etc\/hosts.deny<\/code> 只有在 sshd 编译了 TCP Wrappers（libwrap）支持时才生效。<\/li>\n<li>\u5b9a\u65f6\u4efb\u52a1\uff1a10\u5206\u949f\u6267\u884c\u4e00\u6b21\uff0c<code>crontab -e<\/code><\/li>\n<\/ul>\n<pre><code>*\/10 * * * * bash \/usr\/local\/bin\/secure_ssh.sh\n<\/code><\/pre>\n<h3>\u65b9\u6cd55. 
\u5f88\u591a\u4eba\u4f7f\u7528\u7684 fail2ban<\/h3>\n<pre><code>apt -y update\napt install -y fail2ban\ncp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local\nsed -i 's\/^bantime  = 600$\/bantime  = 3600\/g' \/etc\/fail2ban\/jail.local\n\/etc\/init.d\/fail2ban start<\/code><\/pre>\n<ul>\n<li>注意：<code>sed<\/code> 只匹配 <code>bantime  = 600<\/code> 这一行；较新版本的 <code>jail.conf<\/code> 默认值可能写作 <code>10m<\/code>，这时替换不会生效，执行后用 <code>grep bantime \/etc\/fail2ban\/jail.local<\/code> 确认。<\/li>\n<\/ul>\n<h3>\u65b9\u6cd56. \u5173\u95e8\u653e\u72d7 iptables \u6cd5\uff0c\u8fd9\u4e2a\u4e5f\u662f\u4e0d\u9519\u7684\u8f85\u52a9\u65b9\u6cd5\uff0c\u53ef\u4ee5\u628a\u8df3\u677f\u673a\u7684IP\u653e\u91cc\u9762<\/h3>\n<pre><code>iptables -A INPUT -p tcp -s 0.0.0.0\/0 --dport 22 -j DROP\niptables -I INPUT -p tcp -s \u4f60\u7684ip --dport 22 -j ACCEPT<\/code><\/pre>\n<ul>\n<li>\u81ea\u5df1\u5fd8\u4e86 \u76f4\u63a5\u91cd\u542f\u5c0f\u9e21\u5c31\u597d\u4e86<\/li>\n<li>\u5173\u95e8\u91cd\u542f\u5c31\u597d\u4e86\uff0c\u91cd\u542f\u81ea\u52a8\u5931\u6548<\/li>\n<li>注意：通过 SSH 操作时先加 ACCEPT 再加 DROP，否则当前连接可能在第二条命令执行前就被丢弃；规则没有持久化，重启后限制也随之消失，需要重新添加。<\/li>\n<\/ul>\n<h3>\u65b9\u6cd57. \u4f7f\u7528\u4e91\u4e3b\u673a\u7684\u9632\u706b\u5899\u673a\u5236\uff0cSSH\u7aef\u53e3\u53ea\u5bf9\u672c\u5730\u5e02\u7ea7IP\u7f51\u6bb5\u5f00\u653e<\/h3>\n<ul>\n<li>\u65b9\u6cd5\u662f\u76d1\u6d4b\u81ea\u5df1\u4e0a\u7f51\u52a8\u6001IP\uff0c\u7136\u540e\u4f7f\u7528 ipip.net \u67e5\u8be2\u7f51\u6bb5\uff0c\u6dfb\u52a0\u5230\u9632\u706b\u5899\u89c4\u5219<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>SSH \u9632\u6b62\u522b\u4eba\u7206\u7834\u65b9\u6cd5 \u65b9\u6cd51. 
\u4f7f\u7528\u8bc1\u4e66\u5bc6\u94a5\u767b\u9646\uff0c\u6211\u5c31\u662f\u8fd9\u6837\u505a\uff0c\u4e3b\u8981\u662f\u6700\u7b80\u5355\u800c\u4e14\u6709\u6548\uff0c\u800c\u4e14\u4f7f\u7528\u7b80 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[23],"class_list":["post-285","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux"],"_links":{"self":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/comments?post=285"}],"version-history":[{"count":0,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/285\/revisions"}],"wp:attachment":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/media?parent=285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/categories?post=285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/tags?post=285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}