Security Hardening

SSH

Configuration file: /etc/ssh/sshd_config

  • ssh.socket (systemd socket unit)
    • Responsible for "listening on the port/address". When a connection arrives, systemd starts ssh.service on demand.
    • This is an on-demand activation mechanism: while idle, no resident daemon process is kept around.
$ systemctl status ssh.socket
● ssh.socket - OpenBSD Secure Shell server socket
     Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
    Drop-In: /run/systemd/generator/ssh.socket.d
             └─addresses.conf
     Active: active (running) since Wed 2025-08-20 07:29:48 CST; 5min ago
   Triggers: ● ssh.service
     Listen: [::]:2222 (Stream)
      Tasks: 0 (limit: 1857)
     Memory: 8.0K (peak: 256.0K)
        CPU: 865us
     CGroup: /system.slice/ssh.socket

Aug 20 07:29:48 serverx systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
  • ssh.service (systemd service unit)
    • Responsible for running the sshd process (the OpenSSH daemon), which handles the actual SSH sessions and authentication.
    • Without socket activation it listens on the port itself as a resident daemon; with socket activation it is started by ssh.socket when triggered.
$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled)
     Active: active (running) since Wed 2025-08-20 07:29:48 CST; 8min ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 96667 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 96669 (sshd)
      Tasks: 1 (limit: 1857)
     Memory: 1.2M (peak: 1.5M)
        CPU: 39ms
     CGroup: /system.slice/ssh.service
             └─96669 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Aug 20 07:29:48 serverx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Aug 20 07:29:48 serverx sshd[96669]: Server listening on :: port 2222.
Aug 20 07:29:48 serverx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
  • Change the default port

The default port is 22; here, as an example, it is changed to 2222:

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

For the configuration to take effect, reload the unit configuration and restart the socket:

sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
  • Disable root login

Disallow logging in directly as root over SSH to reduce the risk of unauthorized access. Instead, create a standard user account with sudo privileges for administrative tasks. This mitigates brute-force attacks aimed at the root account.

# Create an administrative user and grant it sudo privileges
sudo adduser <username>
sudo usermod -aG sudo <username>

# In /etc/ssh/sshd_config:
PermitRootLogin no

# Apply the change
sudo systemctl reload sshd
  • Limit the maximum number of authentication attempts

Fail2ban

Fail2ban is a log-based intrusion prevention tool, commonly used to block brute-force attacks (against SSH, FTP, HTTP basic authentication, and so on).

How it works: it monitors service logs → matches failure patterns (filter) → triggers a ban action (action), usually by temporarily blocking the offending IP via iptables/nftables.

# Install
sudo apt update
sudo apt install fail2ban

# Start and enable at boot
sudo systemctl enable --now fail2ban

# Check status and logs
systemctl status fail2ban
sudo journalctl -u fail2ban -f

sudo fail2ban-client status
sudo fail2ban-client get sshd bantime
sudo fail2ban-client get sshd findtime
sudo fail2ban-client get sshd maxretry