In the previous chapter, ssh-keygen was used to demonstrate authentication with a key pair. This chapter explains how to configure the SSH-related settings.
The SSH server's settings live in /etc/ssh/sshd_config. The file contains many directives; among the more important ones are whether password authentication is permitted and whether the root user may log in remotely over SSH. Configuring these appropriately makes remote SSH connections more stable and more secure. The following example hardens remote access to the SSH server:
PermitRootLogin no
With this setting, the root user is not allowed to log in remotely.
PubkeyAuthentication yes
PasswordAuthentication no
Together these two require public-key authentication and turn password authentication off.
Port 2222
Here 2222 is the port number on which the SSH server listens; note that a non-default port also has to be allowed through firewalld and, on Rocky Linux, registered with SELinux before clients can reach it.
AuthorizedKeysFile .ssh/authorized_keys
Here .ssh/authorized_keys is a relative path: for each remote user, the file is created as .ssh/authorized_keys under that user's home directory.
After saving the file, apply the changes with systemctl's reload-or-restart action; the command and its output are as follows:
[rockylinux@workstation ~]$ sudo systemctl reload-or-restart sshd
[rockylinux@workstation ~]$
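To verify that an edited sshd_config really yields the values above, here is an added Python checker that is not part of this tutorial or of OpenSSH. It follows sshd's own reading rules (keywords are case-insensitive, the first occurrence of a keyword wins, lines after a Match block are conditional rather than global) and assumes upstream OpenSSH defaults for keywords that are absent; the sample files WEAK and HARDENED are constructed.

```python
import re

# Added checker (hypothetical, not part of OpenSSH): the values this chapter sets.
EXPECTED = {"permitrootlogin": "no", "pubkeyauthentication": "yes",
            "passwordauthentication": "no", "port": "2222",
            "authorizedkeysfile": ".ssh/authorized_keys"}
# Upstream OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "port": "22",
            "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2"}

def effective_settings(text):
    """Global values as sshd reads them: keywords are case-insensitive, '=' or
    whitespace separates the value, the FIRST occurrence wins, and lines after
    a Match block are conditional, so they are not global."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip a trailing comment
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)", line)
        if not m:                             # blank or comment-only line
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        found.setdefault(key, value)          # later duplicates are ignored
    return found

def audit(text):
    """Return (keyword, effective value, expected value) for every mismatch."""
    eff = effective_settings(text)
    return [(k, eff.get(k, DEFAULTS[k]), want) for k, want in EXPECTED.items()
            if eff.get(k, DEFAULTS[k]).lower() != want.lower()]

# Constructed sample files. WEAK looks hardened at a glance, but the first
# PasswordAuthentication line wins and the Match-scoped 'no' is not global.
WEAK = """#Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
HARDENED = """Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
"""
```

On the server itself, sudo sshd -T prints the effective values sshd actually uses, which is the authoritative check.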
Fail2ban is an intrusion-detection package that protects the SSH server against brute-force password attacks. It is installed as follows:
First, confirm that the firewalld service is running. This service manages the firewall and is covered in more detail in a later chapter; here it is only necessary to confirm that it is already running. The command and its output are as follows:
[rockylinux@workstation ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-10-02 22:39:40 CST; 1h 43min ago
Docs: man:firewalld(1)
Main PID: 919 (firewalld)
Tasks: 2 (limit: 11262)
Memory: 30.8M
CGroup: /system.slice/firewalld.service
└─919 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Oct 02 22:39:38 workstation systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 02 22:39:40 workstation systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 02 22:39:41 workstation firewalld[919]: WARNING: AllowZoneDrifting is enabled. This is considered an in>
[rockylinux@workstation ~]$
Once firewalld is confirmed to be running in the background, use the "sudo firewall-cmd --list-all" command to check the current firewall configuration; in the output below, the ssh service is already allowed in the active public zone:
[rockylinux@workstation ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[rockylinux@workstation ~]$
Next, install the epel-release package with "sudo yum install -y epel-release". Fail2ban is not included in the official repositories, so this repository must be added first. The output of the command is as follows:
[rockylinux@workstation ~]$ sudo yum install -y epel-release
Last metadata expiration check: 1:24:29 ago on Sat 02 Oct 2021 11:18:33 PM CST.
Dependencies resolved.
============================================================================================================
Package Architecture Version Repository Size
============================================================================================================
Installing:
epel-release noarch 8-13.el8 extras 23 k
Transaction Summary
============================================================================================================
Install 1 Package
Total download size: 23 k
Installed size: 35 k
Downloading Packages:
epel-release-8-13.el8.noarch.rpm 516 kB/s | 23 kB 00:00
------------------------------------------------------------------------------------------------------------
Total 33 kB/s | 23 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-8-13.el8.noarch 1/1
Running scriptlet: epel-release-8-13.el8.noarch 1/1
Verifying : epel-release-8-13.el8.noarch 1/1
Installed products updated.
Installed:
epel-release-8-13.el8.noarch
Complete!
[rockylinux@workstation ~]$
Once that package is installed, run "sudo yum install -y fail2ban fail2ban-firewalld" to install Fail2ban together with the package that integrates it with the firewall. The output is as follows:
[rockylinux@workstation ~]$ sudo yum install -y fail2ban fail2ban-firewalld
Last metadata expiration check: 1:25:30 ago on Sat 02 Oct 2021 11:18:43 PM CST.
Dependencies resolved.
============================================================================================================
Package Architecture Version Repository Size
============================================================================================================
Installing:
fail2ban noarch 0.11.2-1.el8 epel 19 k
fail2ban-firewalld noarch 0.11.2-1.el8 epel 19 k
Installing dependencies:
esmtp x86_64 1.2-15.el8 epel 57 k
fail2ban-sendmail noarch 0.11.2-1.el8 epel 22 k
fail2ban-server noarch 0.11.2-1.el8 epel 459 k
libesmtp x86_64 1.0.6-18.el8 epel 70 k
liblockfile x86_64 1.14-1.el8 appstream 31 k
Transaction Summary
============================================================================================================
Install 7 Packages
Total download size: 676 k
Installed size: 1.7 M
Downloading Packages:
(1/7): liblockfile-1.14-1.el8.x86_64.rpm 375 kB/s | 31 kB 00:00
(2/7): fail2ban-0.11.2-1.el8.noarch.rpm 37 kB/s | 19 kB 00:00
(3/7): fail2ban-firewalld-0.11.2-1.el8.noarch.rpm 41 kB/s | 19 kB 00:00
(4/7): fail2ban-sendmail-0.11.2-1.el8.noarch.rpm 166 kB/s | 22 kB 00:00
(5/7): esmtp-1.2-15.el8.x86_64.rpm 82 kB/s | 57 kB 00:00
(6/7): libesmtp-1.0.6-18.el8.x86_64.rpm 500 kB/s | 70 kB 00:00
(7/7): fail2ban-server-0.11.2-1.el8.noarch.rpm 1.3 MB/s | 459 kB 00:00
------------------------------------------------------------------------------------------------------------
Total 225 kB/s | 676 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : fail2ban-server-0.11.2-1.el8.noarch 1/7
Running scriptlet: fail2ban-server-0.11.2-1.el8.noarch 1/7
Installing : fail2ban-firewalld-0.11.2-1.el8.noarch 2/7
Installing : libesmtp-1.0.6-18.el8.x86_64 3/7
Installing : liblockfile-1.14-1.el8.x86_64 4/7
Running scriptlet: liblockfile-1.14-1.el8.x86_64 4/7
Installing : esmtp-1.2-15.el8.x86_64 5/7
Running scriptlet: esmtp-1.2-15.el8.x86_64 5/7
Installing : fail2ban-sendmail-0.11.2-1.el8.noarch 6/7
Installing : fail2ban-0.11.2-1.el8.noarch 7/7
Running scriptlet: fail2ban-0.11.2-1.el8.noarch 7/7
Verifying : liblockfile-1.14-1.el8.x86_64 1/7
Verifying : esmtp-1.2-15.el8.x86_64 2/7
Verifying : fail2ban-0.11.2-1.el8.noarch 3/7
Verifying : fail2ban-firewalld-0.11.2-1.el8.noarch 4/7
Verifying : fail2ban-sendmail-0.11.2-1.el8.noarch 5/7
Verifying : fail2ban-server-0.11.2-1.el8.noarch 6/7
Verifying : libesmtp-1.0.6-18.el8.x86_64 7/7
Installed products updated.
Installed:
esmtp-1.2-15.el8.x86_64 fail2ban-0.11.2-1.el8.noarch
fail2ban-firewalld-0.11.2-1.el8.noarch fail2ban-sendmail-0.11.2-1.el8.noarch
fail2ban-server-0.11.2-1.el8.noarch libesmtp-1.0.6-18.el8.x86_64
liblockfile-1.14-1.el8.x86_64
Complete!
[rockylinux@workstation ~]$
With these two packages installed, the "systemctl" command can be used to check the state of the fail2ban service. The output is as follows:
[rockylinux@workstation ~]$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:fail2ban(1)
After installation, fail2ban is not started by default, so use the "start" action to start the service and the "enable" action to enable it so that it starts automatically at boot. The commands are as follows:
[rockylinux@workstation ~]$ sudo systemctl start fail2ban
[rockylinux@workstation ~]$ sudo systemctl enable fail2ban
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.
[rockylinux@workstation ~]$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-10-03 00:49:47 CST; 7s ago
Docs: man:fail2ban(1)
Main PID: 4476 (fail2ban-server)
Tasks: 3 (limit: 11262)
Memory: 12.9M
CGroup: /system.slice/fail2ban.service
└─4476 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Oct 03 00:49:47 workstation systemd[1]: Starting Fail2Ban Service...
Oct 03 00:49:47 workstation systemd[1]: Started Fail2Ban Service.
Oct 03 00:49:47 workstation fail2ban-server[4476]: Server ready
[rockylinux@workstation ~]$
Next, fail2ban can be configured. Start by making a copy of its default configuration file; the command and its output are as follows:
[rockylinux@workstation ~]$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[rockylinux@workstation ~]$
The cp command copies files and is described further in a later chapter. Next, edit /etc/fail2ban/jail.local with the "vim" command; the command and its output are as follows:
[rockylinux@workstation ~]$ sudo vim /etc/fail2ban/jail.local
[rockylinux@workstation ~]$
Starting at line 41 is the default configuration, the [DEFAULT] section. Make sure the following values in it are set as shown:
bantime = 1h
findtime = 1h
maxretry = 5
The meanings of the settings above are as follows:
Fail2ban uses iptables for its firewall rules by default; to make it use firewalld instead, run the following command:
[rockylinux@workstation ~]$ sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
After running the command above, restart the Fail2ban service to apply the configuration. The command and its output are as follows:
[rockylinux@workstation ~]$ sudo systemctl restart fail2ban
[rockylinux@workstation ~]$
Next, configure Fail2ban to protect the sshd service. This is done with the "vim" command as follows:
sudo vim /etc/fail2ban/jail.d/sshd.local
and save the following settings into that file:
[sshd]
enabled = true
# Override the default global configuration
# for specific jail sshd
bantime = 1d
maxretry = 3
Then restart the Fail2ban service with sudo systemctl restart fail2ban. Once it has restarted, use the fail2ban-client command with the status action to view the current state of Fail2ban. The output is as follows:
[rockylinux@workstation ~]$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
[rockylinux@workstation ~]$
The output above shows that Fail2ban is now protecting the sshd service. The fail2ban-client command can also be used to confirm the settings that apply to the sshd jail; the command and its output are as follows:
[rockylinux@workstation ~]$ sudo fail2ban-client get sshd maxretry
3
[rockylinux@workstation ~]$
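To show how bantime, findtime and maxretry from the [DEFAULT] section and the [sshd] override combine, here is an added Python simulation that is not part of this tutorial or of Fail2ban. It reads a constructed jail.local with the values set above, resolves the sshd jail's effective values (keys the jail does not set fall back to [DEFAULT]) and replays constructed sshd failure lines under Fail2ban's counting rule: maxretry failures from one address within findtime trigger a ban that lasts bantime.

```python
import configparser
import re
from collections import defaultdict, deque

# Constructed jail.local: the tutorial's [DEFAULT] values plus its [sshd] override.
JAIL_LOCAL = """[DEFAULT]
bantime = 1h
findtime = 1h
maxretry = 5
[sshd]
enabled = true
bantime = 1d
maxretry = 3
"""
FAIL_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")

def parse_duration(text):
    """'1h' -> 3600 seconds, '1d' -> 86400; a bare number is already seconds."""
    num, unit = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text).groups()
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]

def jail_settings(ini_text, jail):
    """Resolve one jail's values; keys the jail does not set fall back to [DEFAULT]."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    sec = cfg[jail]
    return {"bantime": parse_duration(sec["bantime"]), "findtime": parse_duration(sec["findtime"]),
            "maxretry": sec.getint("maxretry")}

def simulate(events, s):
    """maxretry failures from one IP within findtime start a ban of bantime; returns {ip: ban start}."""
    window, bans = defaultdict(deque), {}
    for ts, line in events:                 # events: (unix_time, sshd log line), time-ordered
        if not (m := FAIL_RE.search(line)):
            continue
        ip = m.group(1)
        if ip in bans and ts < bans[ip] + s["bantime"]:
            continue  # still banned: the firewalld rule would have dropped this packet
        q = window[ip]
        q.append(ts)
        while q[0] < ts - s["findtime"]:   # forget failures older than the window
            q.popleft()
        if len(q) >= s["maxretry"]:
            bans[ip] = ts
            q.clear()
    return bans
# Constructed journal lines: three failures from 192.168.0.9 within 30 s, one from .10.
EVENTS = [(t, f"Failed password for rockylinux from {ip} port 50000 ssh2") for t, ip in
          [(0, "192.168.0.9"), (10, "192.168.0.10"), (20, "192.168.0.9"), (30, "192.168.0.9")]]
```

With the sshd jail's maxretry of 3, the constructed 192.168.0.9 is banned on its third failure, whereas under the [DEFAULT] value of 5 it is not.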
Next, test whether the SSH protection has been set up successfully. The commands used for the test and their output are as follows:
PS C:\Users\peter> ssh rockylinux@192.168.0.21
rockylinux@192.168.0.21's password:
Permission denied, please try again.
rockylinux@192.168.0.21's password:
Permission denied, please try again.
rockylinux@192.168.0.21's password:
rockylinux@192.168.0.21: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
PS C:\Users\peter> ssh rockylinux@192.168.0.21
ssh: connect to host 192.168.0.21 port 22: Connection timed out
PS C:\Users\peter>
As the output above shows, after three attempts the client was locked out. Running sudo fail2ban-client status sshd again at this point shows the following:
[rockylinux@workstation ~]$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.0.9
[rockylinux@workstation ~]$
The output above shows the number of current login failures, the total number of failed logins, and that the current action has banned the IP address that exceeded the failure limit, meaning that remote connections from that address are refused. To allow this IP address to connect over SSH again, use the fail2ban-client unban action; the command and its output are as follows:
[rockylinux@workstation ~]$ sudo fail2ban-client unban 192.168.0.9
1
[rockylinux@workstation ~]$
[rockylinux@workstation ~]$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
[rockylinux@workstation ~]$
At this point the IP address is no longer blocked, which the following output confirms:
PS C:\Users\peter> ssh rockylinux@192.168.0.21
ssh: connect to host 192.168.0.21 port 22: Connection timed out
PS C:\Users\peter> ssh rockylinux@192.168.0.21
rockylinux@192.168.0.21's password: