如果你對(duì)安全問(wèn)題還有猶豫���,抱有“我這個(gè)小站沒(méi)人理”的想法�,那么打開(kāi) /var/log/secure 看看有多少 IP 多少次企圖登錄你的服務(wù)器�?
剛開(kāi)通的一個(gè) VPS 還來(lái)不及用,過(guò)幾天打開(kāi) /var/log/secure 一看,發(fā)現(xiàn) n 個(gè) IP 訪問(wèn)了 n 次。一個(gè) IP 地址為 213.115.115.113 的機(jī)器1天內(nèi)2600多次猜測(cè)用戶名/密碼企圖登錄。
這是 log 文件片段:
Jun 28 13:49:23 blog sshd[3462]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:24 blog sshd[3695]: Invalid user radu from 213.115.115.113
Jun 28 13:49:24 blog sshd[3703]: input_userauth_request: invalid user radu
Jun 28 13:49:24 blog sshd[3695]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:24 blog sshd[3695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:26 blog sshd[3695]: Failed password for invalid user radu from 213.115.115.113 port 51310 ssh2
Jun 28 13:49:26 blog sshd[3703]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:27 blog sshd[3910]: Invalid user raducu from 213.115.115.113
Jun 28 13:49:27 blog sshd[3921]: input_userauth_request: invalid user raducu
Jun 28 13:49:27 blog sshd[3910]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:27 blog sshd[3910]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:30 blog sshd[3910]: Failed password for invalid user raducu from 213.115.115.113 port 52740 ssh2
Jun 28 13:49:30 blog sshd[3921]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:31 blog sshd[5280]: Invalid user raul from 213.115.115.113
Jun 28 13:49:31 blog sshd[5293]: input_userauth_request: invalid user raul
Jun 28 13:49:31 blog sshd[5280]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:31 blog sshd[5280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:33 blog sshd[5280]: Failed password for invalid user raul from 213.115.115.113 port 54742 ssh2
Jun 28 13:49:34 blog sshd[5293]: Received disconnect from 213.115.115.113: 11: Bye Bye
Jun 28 13:49:35 blog sshd[5540]: Invalid user robert from 213.115.115.113
Jun 28 13:49:35 blog sshd[5570]: input_userauth_request: invalid user robert
Jun 28 13:49:35 blog sshd[5540]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 13:49:35 blog sshd[5540]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-213-115-115-113.sme.bredbandsbolaget.se
Jun 28 13:49:37 blog sshd[5540]: Failed password for invalid user robert from 213.115.115.113 port 56483 ssh2
所以安全問(wèn)題不可小覷��。有2種方式可以增加 root 登錄 VPS 時(shí)的安全性,這2種方式綁在一起用最好,如果怕麻煩的話至少要用其中的1種���。
禁止 root 直接登錄 sshd
登錄VPS時(shí)必須用一個(gè)普通帳號(hào)登錄,然后 su 成 root���。可以修改 /etc/ssh/sshd_config 來(lái)禁止 root 直接登錄:
PermitRootLogin no
啟用 SSH Keys 登錄
這種方法雖然不允許 root 用輸入密碼的方式直接登錄 ssh,但是可以通過(guò)使用一對(duì) ssh public/private key 來(lái)登錄。配置步驟如下:
1�����、在客戶端運(yùn)行下面的命令����,創(chuàng)建一對(duì) public/private key:
ssh-keygen -t dsa
按照提示��,上面的命令會(huì)創(chuàng)建2個(gè)文件:id_dsa 和 id_dsa.pub��,前一個(gè)是 private key��,后一個(gè)是 public key�����。創(chuàng)建key的時(shí)候會(huì)提示輸入 passphrase����,相當(dāng)于密碼一樣的東西��,用來(lái)保護(hù) private key不被濫用����。
2����、保護(hù)好生成的 private key��,不要讓外界訪問(wèn)到�。
3���、在你要訪問(wèn)的服務(wù)器上創(chuàng)建一個(gè) /root/.ssh/authorized_keys 文件����,把生成的 publice key(id_dsa.pub)的內(nèi)容 copy+paste 到 authorized_keys 里���,注意小心完整的 copy�,不要有空格/空行。
4、禁止 root 用輸入密碼的方式直接登錄 sshd���,修改 /etc/ssh/sshd_config,加上/修改這一行:
PermitRootLogin without-password
重啟 sshd
/etc/init.d/sshd restart
