sshd安全性能优化

• sshd服务是远程登录服务，默认端口为22，对于其优化一是为了增加服务器的安全，避免暴力破解；二是为了加快速度连接，减少不必要的带宽的浪费。
   
• sshd服务的配置文件为/etc/ssh/sshd_config，内容默认如下：

1. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
3. # This is the sshd server system-wide configuration file.  See
4. # sshd_config(5) for more information.
6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented.  Uncommented options change a
11. # default value.
13. #Port 22    修改一下默认端口，增强安全性。比如6688等。
14. #AddressFamily any
15. #ListenAddress 0.0.0.0    修改一下监听端口，默认是监听所有的IP,这样安全性不是很高，我们可以让它监听内网的Ip,这样即使有人知道系统用户的密码也无法连接进来。
16. #ListenAddress ::
18. # Disable legacy (protocol version 1) support in the server for new
19. # installations. In future the default will change to require explicit
20. # activation of protocol 1
21. Protocol 2
23. # HostKey for protocol version 1
24. #HostKey /etc/ssh/ssh_host_key
25. # HostKeys for protocol version 2
26. #HostKey /etc/ssh/ssh_host_rsa_key
27. #HostKey /etc/ssh/ssh_host_dsa_key
29. # Lifetime and size of ephemeral version 1 server key
30. #KeyRegenerationInterval 1h
31. #ServerKeyBits 1024
33. # Logging
34. # obsoletes QuietMode and FascistLogging
35. #SyslogFacility AUTH
36. SyslogFacility AUTHPRIV
37. #LogLevel INFO
39. # Authentication:
41. #LoginGraceTime 2m
42. #PermitRootLogin yes    将其改为no，不让root用户远程登录。
43. #StrictModes yes
44. #MaxAuthTries 6
45. #MaxSessions 10
47. #RSAAuthentication yes
48. #PubkeyAuthentication yes
49. #AuthorizedKeysFile     .ssh/authorized_keys
50. #AuthorizedKeysCommand none
51. #AuthorizedKeysCommandRunAs nobody
53. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
54. #RhostsRSAAuthentication no
55. # similar for protocol version 2
56. #HostbasedAuthentication no
57. # Change to yes if you don't trust ~/.ssh/known_hosts for
58. # RhostsRSAAuthentication and HostbasedAuthentication
59. #IgnoreUserKnownHosts no
60. # Don't read the user's ~/.rhosts and ~/.shosts files
61. #IgnoreRhosts yes
63. # To disable tunneled clear text passwords, change to no here!
64. #PasswordAuthentication yes
65. #PermitEmptyPasswords no
66. PasswordAuthentication yes
68. # Change to no to disable s/key passwords
69. #ChallengeResponseAuthentication yes
70. ChallengeResponseAuthentication no
72. # Kerberos options
73. #KerberosAuthentication no
74. #KerberosOrLocalPasswd yes
75. #KerberosTicketCleanup yes
76. #KerberosGetAFSToken no
77. #KerberosUseKuserok yes
79. # GSSAPI options
80. #GSSAPIAuthentication no
81. GSSAPIAuthentication yes   将这个值改为no ，加快连接速度。
82. #GSSAPICleanupCredentials yes
83. GSSAPICleanupCredentials yes
84. #GSSAPIStrictAcceptorCheck yes
85. #GSSAPIKeyExchange no
87. # Set this to 'yes' to enable PAM authentication, account processing,
88. # and session processing. If this is enabled, PAM authentication will
89. # be allowed through the ChallengeResponseAuthentication and
90. # PasswordAuthentication.  Depending on your PAM configuration,
91. # PAM authentication via ChallengeResponseAuthentication may bypass
92. # the setting of "PermitRootLogin without-password".
93. # If you just want the PAM account and session checks to run without
94. # PAM authentication, then enable this but set PasswordAuthentication
95. # and ChallengeResponseAuthentication to 'no'.
96. #UsePAM no
97. UsePAM yes
99. # Accept locale-related environment variables
100. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
101. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
102. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
103. AcceptEnv XMODIFIERS
105. #AllowAgentForwarding yes
106. #AllowTcpForwarding yes
107. #GatewayPorts no
108. #X11Forwarding no
109. X11Forwarding yes
110. #X11DisplayOffset 10
111. #X11UseLocalhost yes
112. #PrintMotd yes
113. #PrintLastLog yes
114. #TCPKeepAlive yes
115. #UseLogin no
116. #UsePrivilegeSeparation yes
117. #PermitUserEnvironment no
118. #Compression delayed
119. #ClientAliveInterval 0
120. #ClientAliveCountMax 3
121. #ShowPatchLevel no  
122. #UseDNS yes                 将yes改为no，不适用dns，我们本来就是用ip访问的。
123. #PidFile /var/run/sshd.pid
124. #MaxStartups 10:30:100
125. #PermitTunnel no
126. #ChrootDirectory none
128. # no default banner path
129. #Banner none
131. # override default of no subsystems
132. Subsystem       sftp    /usr/libexec/openssh/sftp-server
134. # Example of overriding settings on a per-user basis
135. #Match User anoncvs
136. #       X11Forwarding no
137. #       AllowTcpForwarding no
138. #       ForceCommand cvs server

 

总结：修改5个地方

1，默认端口           Port 52113

2，不使用dns解析  UseDNS no

3，不让root用户直接登录  PermitRootlogin no 

4，GSSAPI验证改为no GSSAPIAuthentication no

5, 监听端口ip 改为内网的Ip。