About the sshd_config configuration file. My system is Red Hat AS4 and the file lives at /etc/ssh/sshd_config. I'm posting my own configuration file; if it's of no use, nobody needs to bump the thread...
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
Adjust the following parameters according to how your own server is likely set up:
Port 22
This is the port the ssh daemon listens on; the default is normally 22.
ListenAddress 192.168.1.1
The address the server listens on, generally set to the address of the ssh server being connected to. For example, my server's address is 220.221.1.25, so I simply set it to that.
HostKey /etc/ssh/ssh_host_key
The option HostKey specifies the location containing the private host key.
ServerKeyBits 1024
The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its RSA key.
LoginGraceTime 600
The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
KeyRegenerationInterval 3600
The option KeyRegenerationInterval specifies how long in seconds the server should wait before automatically regenerating its key. This is a security feature to prevent decrypting captured sessions.
PermitRootLogin no
The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option. This one is fairly important: whether root is allowed to log in remotely. Decide according to your own needs, but usually this is left off; remote root login over ssh is rather scary.
IgnoreRhosts yes
The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended not to use rhosts or shosts files for authentication.
IgnoreUserKnownHosts yes
The option IgnoreUserKnownHosts specifies whether the ssh daemon should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication.
StrictModes yes
The option StrictModes specifies whether ssh should check users' permissions in their home directory and rhosts files before accepting login. This option must always be set to yes because sometimes users may accidentally leave their directory or files world-writable.
X11Forwarding no
The option X11Forwarding specifies whether X11 forwarding should be enabled or not on this server. Since we set up a server without a GUI installed on it, we can safely turn this option off.
PrintMotd yes
The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also known as the message of the day.
SyslogFacility AUTH
The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message, in our case AUTH.
LogLevel INFO
The option LogLevel specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page for sshd for more information on other possibilities.
RhostsAuthentication no
The option RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.
RhostsRSAAuthentication no
The option RhostsRSAAuthentication specifies whether to try rhosts authentication in concert with RSA host authentication.
RSAAuthentication yes
The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes for better security in your sessions. RSA uses public and private key pairs created with the ssh-keygen(1) utility for authentication purposes.
PasswordAuthentication yes
The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.
PermitEmptyPasswords no
The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. If you intend to use the scp utility to make automatic backups over the network, you must set this option to yes.
AllowUsers admin
This option is what restricts root login, and it is quite useful for me: since I specify that only one address may log in, I append root@192.168.0.42 to it. I have no telnet or ftp; I once installed webmin, later felt it was insecure, and simply stopped it. When I log in I use an odd username and then sudo to root; other users are not allowed to use su, so the server should be secure. The password I keep in a safe and only take it out when I need it; if you ask me what the password is, I can't remember it either. Before leaving town I settle on the target address and specify it first, then go on the trip, though that rarely comes up; the server generally isn't rebooted for a year or two and doesn't need maintenance from out of town. I've taken this pretty far, and I don't know whether there is an even more extreme way to do it; my PC has no ssh service, so nobody else can get in anyway; there is just one root user, and I only power it on when I'm administering it.
The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces. (AllowUsers specifies which users may log in and from where; if you need to restrict it, just list them.) After editing, run # /etc/rc.d/sshd reload and you're done.
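As an added example (not part of the original post, and not a tool shipped with OpenSSH), here is a small POSIX shell audit script for the settings discussed above. It mirrors one rule of sshd_config parsing that is easy to trip over: sshd uses the first occurrence of a keyword and silently ignores later duplicates, so a hardening line added at the bottom of the file may have no effect. The sample config embedded in the script is constructed for the demonstration; run the functions against the real /etc/ssh/sshd_config via stdin, and still finish with `sshd -t` to let the daemon itself validate the file before reloading.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening settings discussed in the post.
# Assumptions: the file uses the "Keyword value" or "Keyword=value" form;
# Match blocks are not handled (every line is treated as global scope).

# Constructed sample config, not a real server's file. The second
# PermitRootLogin line is deliberately ignored by sshd: the first one wins.
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin no
X11Forwarding yes
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
'

# sshd_effective <keyword>: read a config on stdin and print the effective
# value of <keyword> (case-insensitive, first occurrence wins), or nothing
# if the keyword is not set and the daemon's compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }            # comment line
        /^[ \t]*$/ { next }            # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^[^ \t=]+/) == 0) next
            k = tolower(substr(line, RSTART, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)   # strip separator, keep full value
            if (k == key && !found) { found = 1; print rest }
        }'
}

# sshd_audit: read a config on stdin, print OK/FAIL per check, return
# non-zero if any check fails. Unset keywords are flagged so the admin sets
# them explicitly instead of relying on whatever default this build has.
sshd_audit() {
    conf=$(cat)
    rc=0
    for pair in PermitRootLogin:no PermitEmptyPasswords:no X11Forwarding:no \
                IgnoreRhosts:yes StrictModes:yes; do
        key=${pair%%:*}
        want=${pair#*:}
        have=$(printf '%s\n' "$conf" | sshd_effective "$key")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key ${have:-<unset, daemon default applies>}"
            rc=1
        fi
    done
    # AllowUsers: any non-empty list is accepted; if absent, every account
    # on the box may attempt to log in.
    have=$(printf '%s\n' "$conf" | sshd_effective AllowUsers)
    if [ -n "$have" ]; then
        echo "OK   AllowUsers $have"
    else
        echo "FAIL AllowUsers <unset>"
        rc=1
    fi
    return $rc
}

# Usage: audit the constructed sample (replace with: sshd_audit < /etc/ssh/sshd_config)
printf '%s' "$SAMPLE_CONFIG" | sshd_audit || echo "audit found deviations"
```

On the sample above the script reports PermitRootLogin as "no" (the later "yes" line is ignored, exactly as sshd would ignore it) and flags X11Forwarding, IgnoreRhosts and StrictModes. The same first-wins rule is why the post's own file keeps each keyword exactly once.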