Security hardening: building a secure network with OpenSSH
Hits: 26    Published: 2008-11-29 13:38:38    Author: 源代码网
Implementation steps (on every server):

1. Install the packages:

   openssh-3.4pl-sol7-sparc-local
   openssl-0.96d-sol7-sparc-local
   zlib-1.1.4-sol7-sparc-local
   prngd-0.0.25-sol7-sparc-local
   egd-0.8-sol7-sparc-local

2. Install the start-up scripts for prngd and sshd. Solaris 7 has no /dev/random, so prngd supplies the randomness that OpenSSL and sshd need and must be running before sshd starts (both scripts are S98, and rc2 runs them in name order, prngd first):

:::::::::::::: S98prngd ::::::::::::::
#!/bin/sh
# pid(s) of a running prngd; ps -e prints command basenames only, so the
# grep in this pipeline does not match itself
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e "s/^ *//" -e "s/ .*//"`
case $1 in
"start")
    /usr/local/sbin/prngd /var/spool/prngd/pool
    ;;
"stop")
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/prngd {start|stop}"
    ;;
esac

:::::::::::::: S98sshd ::::::::::::::
#!/bin/sh
# this matches every sshd process, including the per-session children, so
# "stop" also ends open sessions; to stop only the listener use the pid that
# sshd writes to /var/run/sshd.pid (its default PidFile)
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e "s/^ *//" -e "s/ .*//"`
case $1 in
"start")
    /usr/local/sbin/sshd
    ;;
"stop")
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/sshd {start|stop}"
    ;;
esac

3. Seed prngd's pseudo-random pool:

   cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed
   mkdir /var/spool/prngd
   /etc/rc2.d/S98prngd start

   Log files are a weak seed on their own (much of their content is guessable); prngd keeps stirring in the output of system commands, and since the pool feeds the host-key generation below, the seed file should be readable by root only (chmod 600). Check that prngd is working:

   /usr/local/bin/egc.pl /var/spool/prngd/pool get

   which should print something like:

   9151 bits of entropy in pool

4. Add the sshd user (needed for UsePrivilegeSeparation; /var/empty is the chroot of the unprivileged child and must be owned by root and not writable by anyone else):

   mkdir /var/empty
   chown root /var/empty
   chgrp sys /var/empty
   chmod 755 /var/empty
   groupadd sshd
   useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

5. Edit the tcp wrappers control files. In /etc/hosts.allow:

   ALL: n.n.n.n        # IP address of the host logins come from

   and in /etc/hosts.deny the usual catch-all:

   ALL: ALL

   tcpd consults hosts.allow first, then hosts.deny, and permits anything matched by neither file, so without the catch-all in hosts.deny the allow line restricts nothing.

6. Create the server's host key pairs (empty passphrase, since sshd reads them unattended; the rsa1 key is used by protocol version 1 only):

   ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
   ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
   ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

   Start sshd:

   /etc/rc2.d/S98sshd start

7. Shut down the old telnet and ftp services: comment out their lines in /etc/inetd.conf and send inetd a kill -HUP <inetd pid> so it re-reads the file.

8. Test from a client.
UNIX client:

   ssh [-l username] [-p port] <hostname>          # replaces telnet; add -v for debugging output, a great help when a login fails
   sftp [-o Port=<port>] [username@]<hostname>     # replaces ftp (this sftp has no -l/-p options; give the user as user@host)

Windows client:

   SecureCRT 3.4.5     # in the session settings choose Password as the authentication method
   SecureFX 2.0.3

So far this is the stock installation, i.e. SSH with password authentication.

For the one login server the requirements are different: it has to be secure, but a mistake in a new sshd configuration followed by a restart must not lock the administrators out. That machine therefore keeps its telnet and ftp services, limited by tcp wrappers to the operators' fixed internal addresses, and combines them with key-based authentication on sshd, using the following /etc/hosts.allow:

################# internal network ######################
ALL: n.n.n.n        #operator1
ALL: n.n.n.n        #operator2
################## out network ##########################
sshd: ALL           #RSA auth

Administrators at the company's fixed IP addresses can thus still log in conveniently, while from home or on a business trip, where the address is not fixed, they log in through sshd's key authentication. Keep in mind that the two operators' telnet and ftp passwords still cross the internal network in clear text, so keep that list as short as possible, and that the sshd: ALL line only has an effect if sshd was built with tcp_wrappers support (without it sshd accepts connections from everywhere anyway, which is the intended result here).

Server configuration, /usr/local/etc/sshd_config:

# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
# set to no so that only key-based logins are accepted (see below)
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to "yes" to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of "PasswordAuthentication"
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

Password authentication is turned off here (PasswordAuthentication no) and RSA public-key authentication is used instead. Two related settings deserve attention. This build's PAM keyboard-interactive path (PAMAuthenticationViaKbdInt, default yes) can, as the file's own warning says, bypass PasswordAuthentication, so set ChallengeResponseAuthentication no and PAMAuthenticationViaKbdInt no as well if password logins really must be impossible. And the commented default Protocol 2,1 still offers the weak SSH protocol version 1 (the only consumer of the rsa1 host key), so set Protocol 2 unless an old client needs version 1. After editing the file, send the listener a SIGHUP (kill -HUP `cat /var/run/sshd.pid`) so that it re-reads its configuration; open sessions are not affected.

Each user first generates a key pair on the server with ssh-keygen -t rsa, which writes id_rsa (private key) and id_rsa.pub (public key) into the .ssh directory under the user's home directory, then copies id_rsa.pub to authorized_keys by hand, transfers id_rsa and id_rsa.pub to the client and stores them safely, and finally deletes id_rsa and id_rsa.pub from the server. Generating the pair on the client instead and uploading only id_rsa.pub gives the same result without the private key ever residing on, or being copied off, the server. Either way, give the private key a passphrase when ssh-keygen asks for one, and keep the home directory, .ssh and authorized_keys owned by the user and writable by nobody else, because StrictModes (default yes) rejects the key otherwise.

Client test: on a UNIX client, put id_rsa and id_rsa.pub in the .ssh subdirectory of the user's home directory (id_rsa with mode 0600, or ssh ignores it) and test with ssh and sftp; on a Windows client, set SecureCRT's authentication method to publickey and, under Properties > Session Settings, choose "use identity file" and point it at the id_rsa file. Only users who hold the key pair can then log in. They must of course keep their key from leaking, and for safety the server should change each user's key at regular intervals.

With the above configuration of the intranet servers, security and convenience are combined.

Contributed by 源代码网.
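The access policy above (step 5 and the login server's hosts.allow) is only as good as the match order tcpd applies, and a missing catch-all in hosts.deny silently allows everything not listed. The following script, added here as an example and not part of the original article, models tcpd's decision for a (daemon, client address) pair and runs it against a constructed copy of the login server's policy; the addresses 10.1.1.10, 10.1.1.11 and 203.0.113.5 are made-up stand-ins for n.n.n.n and an outside host, and the daemon names in.telnetd / in.ftpd are the Solaris inetd service names.

```shell
#!/bin/sh
# Added example: a small model of tcpd's access-control decision, used to
# check a hosts.allow / hosts.deny policy before deploying it.
# Semantics modelled (from hosts_access(5)):
#   1. first line in hosts.allow matching (daemon, client) -> allow
#   2. else first line in hosts.deny matching               -> deny
#   3. else                                                 -> allow
# Supported client patterns: ALL, an exact IPv4 address, or a dotted prefix
# such as "10.1." (matches 10.1.x.y). EXCEPT lists and net/mask are not modelled.

# wrap_match FILE DAEMON CLIENT_IP -> exit 0 if some line in FILE matches
wrap_match() {
    [ -f "$1" ] || return 1
    awk -v d="$2" -v ip="$3" '
        function listmatch(list, want, ipmode,    n, i, tok, arr) {
            gsub(/,/, " ", list)
            n = split(list, arr, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                tok = arr[i]
                if (tok == "")    continue
                if (tok == "ALL") return 1
                if (tok == want)  return 1
                if (ipmode && tok ~ /\.$/ && index(want, tok) == 1) return 1
            }
            return 0
        }
        {
            sub(/#.*/, "")                     # strip trailing comments
            if ($0 ~ /^[ \t]*$/) next          # skip blank lines
            n = split($0, f, ":")
            if (n < 2) next                    # not a "daemons : clients" line
            if (listmatch(f[1], d, 0) && listmatch(f[2], ip, 1)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# tcpd_decide DAEMON CLIENT_IP ALLOW_FILE DENY_FILE -> prints allow|deny
tcpd_decide() {
    if wrap_match "$3" "$1" "$2"; then
        echo allow
    elif wrap_match "$4" "$1" "$2"; then
        echo deny
    else
        echo allow        # matched by neither file: tcpd lets it through
    fi
}

# Constructed sample policy mirroring the login-server rules in the text.
# 10.1.1.10 / 10.1.1.11 stand in for the two operators' fixed addresses
# (written n.n.n.n in the text); 203.0.113.5 is a constructed outside address.
WRAP_DIR=$(mktemp -d)
HOSTS_ALLOW=$WRAP_DIR/hosts.allow
HOSTS_DENY=$WRAP_DIR/hosts.deny
EMPTY_DENY=$WRAP_DIR/hosts.deny.empty
cat > "$HOSTS_ALLOW" <<'EOF'
################# internal network ######################
ALL: 10.1.1.10      #operator1
ALL: 10.1.1.11      #operator2
################## out network ##########################
sshd: ALL           #RSA auth
EOF
printf 'ALL: ALL\n' > "$HOSTS_DENY"   # the catch-all that makes hosts.allow meaningful
: > "$EMPTY_DENY"                     # a forgotten hosts.deny, for comparison

for probe in "in.telnetd 10.1.1.10" "in.ftpd 10.1.1.11" "in.telnetd 203.0.113.5" "sshd 203.0.113.5"; do
    set -- $probe
    printf '%-12s from %-14s -> %s\n' "$1" "$2" "$(tcpd_decide "$1" "$2" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
# Without the catch-all in hosts.deny, telnet from outside is let through:
printf '%-12s from %-14s -> %s (hosts.deny empty)\n' in.telnetd 203.0.113.5 \
    "$(tcpd_decide in.telnetd 203.0.113.5 "$HOSTS_ALLOW" "$EMPTY_DENY")"
```

The last line is the case worth testing on a real host with tcpdmatch(8) as well: an allow file alone is a whitelist in appearance only.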
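The sshd_config above is easy to misread: the '#'-prefixed lines are inert defaults, keywords are case-insensitive, and the first value found for a keyword wins, so a 'PasswordAuthentication no' appended at the end of a file that already says 'yes' changes nothing. The following audit script is an added example (not from the article) that resolves the effective value of each setting under those rules and reports the weak spots discussed in the text; the defaults it assumes are those of the OpenSSH 3.4 build in the article and may differ for other versions. The two configuration files it audits are constructed: one mirrors the relevant lines of the file above with a stray late override, the other is the tightened version.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the weak settings discussed in the text.
# sshd_config semantics modelled:
#   - lines starting with '#' are comments, even when they look like directives
#     (the shipped file lists defaults that way), and are ignored;
#   - keywords are case-insensitive;
#   - for each keyword the FIRST value found wins; later repeats are ignored.
# Defaults below are those of the OpenSSH 3.4 build described in the text
# (an assumption for any other version).

# sshd_opt FILE KEYWORD DEFAULT -> prints the effective value of KEYWORD
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            if (tolower($1) == key) {
                v = $2
                for (i = 3; i <= NF; i++) v = v " " $i
                print v; found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line on stdout (nothing if clean)
audit_sshd_config() {
    f=$1
    case "$(sshd_opt "$f" Protocol 2,1)" in
        *1*) echo "Protocol: version 1 enabled (default 2,1); set 'Protocol 2' and drop the rsa1 HostKey" ;;
    esac
    [ "$(sshd_opt "$f" PermitRootLogin yes)" = no ] ||
        echo "PermitRootLogin: root may log in directly; set it to no and use su"
    [ "$(sshd_opt "$f" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication: passwords still accepted; set it to no for key-only login"
    [ "$(sshd_opt "$f" ChallengeResponseAuthentication yes)" = no ] ||
        echo "ChallengeResponseAuthentication: keyboard-interactive logins allowed; set it to no"
    [ "$(sshd_opt "$f" PAMAuthenticationViaKbdInt yes)" = no ] ||
        echo "PAMAuthenticationViaKbdInt: PAM keyboard-interactive can bypass PasswordAuthentication; set it to no"
    [ "$(sshd_opt "$f" PermitEmptyPasswords no)" = no ] ||
        echo "PermitEmptyPasswords: accounts with empty passwords can log in; set it to no"
    [ "$(sshd_opt "$f" UsePrivilegeSeparation yes)" = yes ] ||
        echo "UsePrivilegeSeparation: privilege separation off; set it to yes (needs the sshd user and /var/empty)"
}

# Constructed sample configs (not the article's file verbatim).
AUDIT_DIR=$(mktemp -d)
PAGE_CFG=$AUDIT_DIR/sshd_config.page       # the relevant lines of the config in the text
HARD_CFG=$AUDIT_DIR/sshd_config.hardened   # the same, tightened
cat > "$PAGE_CFG" <<'EOF'
#Protocol 2,1
HostKey /usr/local/etc/ssh_host_key
#PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#PAMAuthenticationViaKbdInt yes
UsePrivilegeSeparation yes
# the next line was appended later: it has no effect, the first value above wins
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
EOF

for cfg in "$PAGE_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg"
done
```

Run it against /usr/local/etc/sshd_config before sending sshd its SIGHUP; the first-value-wins rule is the one that bites when settings are appended to the end of the shipped file.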
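The per-user step "copy id_rsa.pub to authorized_keys" is where most key-login failures come from: a private key copied by mistake, a .ssh directory that others can write to, or the same key appended twice. The script below, an added example that is not from the article, installs a public-key line the way StrictModes expects and checks the resulting permissions; the key blob and the files under a temporary directory are constructed test data, not real key material, and ownership (which StrictModes also checks on the real server) is not verified here.

```shell
#!/bin/sh
# Added example: the server side of the per-user key setup from the text,
# done so that sshd's StrictModes check (on by default) accepts the result.

# install_authorized_key PUBKEY_FILE HOME_DIR
#   - accepts only a protocol-2 public key line ("ssh-rsa"/"ssh-dss" + base64 blob),
#     so an id_rsa private key pasted by mistake is refused instead of installed;
#   - creates HOME/.ssh (0700) and authorized_keys (0600) under umask 077;
#   - appends the key once (re-running is harmless).
# Runs in a subshell so the umask change does not leak into the caller.
install_authorized_key() (
    pub=$1; home=$2
    line=$(head -n 1 "$pub")
    case "$line" in
        'ssh-rsa '*|'ssh-dss '*) ;;
        *) echo "refusing $pub: not an OpenSSH protocol-2 public key line" >&2; exit 1 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' ||
        { echo "refusing $pub: key blob is not base64" >&2; exit 1; }
    umask 077
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$line" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
)

# not_writable_by_others PATH -> true when neither group nor others may write
# (column 6 of "ls -ld" output is group write, column 9 is other write)
not_writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# check_strict_modes HOME_DIR -> true when the home directory, ~/.ssh and
# authorized_keys would all pass the permission part of StrictModes
check_strict_modes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        not_writable_by_others "$p" || { echo "group/world writable: $p" >&2; return 1; }
    done
    return 0
}

# Constructed sample: the blob is NOT a real key, only a base64-shaped stand-in.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedNOTaREALkeyQ== operator1@intranet'
DEMO=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$DEMO/id_rsa.pub"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$DEMO/id_rsa"   # constructed stand-in, no key material

install_authorized_key "$DEMO/id_rsa.pub" "$DEMO/home" && echo "installed key for operator1"
install_authorized_key "$DEMO/id_rsa"     "$DEMO/home" || echo "private key correctly refused"
check_strict_modes "$DEMO/home" && echo "StrictModes permission check: ok"
```

On the real server, run the install as the user (or chown the result to the user afterwards); StrictModes also requires the files to be owned by the account that logs in, which this check does not cover.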
