安全增强措施用Openssh构建安全网络

发表于:2007-07-04来源:作者:点击数: 标签:
实施步骤: 在每台服务器上 1. 安装软件包: openssh-3.4pl-sol7-sparc-local openssl-0.96d-sol7-sparc-local zlib-1.1.4-sol7-sparc-local prngd-0.0.25-sol7-sparc-local egd-0.8-sol7-sparc-local 2. 安装prngd和sshd的启动脚本 :::::::::::::: S98prngd

  实施步骤:
  在每台服务器上
  1. 安装软件包:
  openssh-3.4pl-sol7-sparc-local
  openssl-0.96d-sol7-sparc-local
  zlib-1.1.4-sol7-sparc-local
  prngd-0.0.25-sol7-sparc-local
  egd-0.8-sol7-sparc-local
  
  2. 安装prngd和sshd的启动脚本
  ::::::::::::::
  S98prngd
  ::::::::::::::
  #!/bin/sh
  
  pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
  case $1 in
  'start')
  /usr/local/sbin/prngd /var/spool/prngd/pool
  ;;
  'stop')
  if [ "${pid}" != "" ]
  then
  /usr/bin/kill ${pid}
  fi
  ;;
  *)
  echo "usage: /etc/init.d/prngd {start|stop}"
  ;;
  esac
  
  ::::::::::::::
  S98sshd
  ::::::::::::::
  #!/bin/sh
  
  pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
  case $1 in
  'start')
  /usr/local/sbin/sshd
  ;;
  'stop')
  if [ "${pid}" != "" ]
  then
  /usr/bin/kill ${pid}
  fi
  ;;
  *)
  echo "usage: /etc/init.d/sshd {start|stop}"
  ;;
  esac
  
  3. 用prngd生成伪随机初始种子数
  cat /var/log/syslog /var/adm/messages > /usr/local/etc/prngd/prngd-seed
  mkdir /var/spool/prngd
  /etc/rc2.d/S98prngd start
  检查prngd工作是否正常: /usr/local/bin/egc.pl /var/spool/prngd/pool get
  显示如: 9151 bits of entropy in pool
  
  4. 增加sshd用户
  mkdir /var/empty
  chown root /var/empty
  chgrp sys /var/empty
  chmod 755 /var/empty
  groupadd sshd
  useradd –g sshd –c ‘sshd privsep’ –d /var/empty –s /bin/false sshd
  
  5. 修改tcpd的控制文件/etc/hosts.allow和/etc/hosts.deny
  ALL:n.n.n.n #登录主机IP
  
  6. 在server端创建主机密钥对
  ssh-keygen –t rsa1 –f /usr/local/etc/ssh_host_key –N “”
  ssh-keygen –t dsa –f /usr/local/etc/ssh_host_dsa_key –N “”
  ssh-keygen –t rsa –f /usr/local/etc/ssh_host_rsa_key –N “”
  
  启动sshd:
  /etc/rc2.d/S98sshd start
  
  7. 关闭原te.net和ftp服务
  修改/etc/inetd.conf 文件,kill –HUP <inetd pid>关闭telnet和ftp服务
  8. 在客户端做以下测试
  UNIX客户端:
  Ssh [-l username] [-p port] <hostname> //如果用-v参数,进入调试状态,这是一个很好的帮助工具(取代telnet)
  Sftp [-l username] [-p port] <hostname>(取代ftp)
  
  WINDOWS:客户端
  Securecrt 3.4.5 //在session的配置中,authentication使用password方式
  Securefx2.0.3
  
  以上为默认安装情况,即SSH的密码验证。
  为了保证唯一的一台登录服务器的安全,又不至于在修改sshd配置后重启进程带来无法登录管理的问题,继续使用telnet和ftp服务,结合采用SSHD的密钥验证方式,并且在/etc/hosts.allow文件中做以下设置:
  ################# internal network ######################
  ALL:n.n.n.n #operator1
  ALL:n.n.n.n #operator2
  ################## out network ###########################
  sshd: ALL #RSA auth
  这样,管理员在公司的固定IP地址仍旧可以很方便地登录到主机上操作,而如果在家中或外出出差,由于IP地址是非固定的,可以通过sshd的密钥验证来进行登录。
  
  服务器配置如下:
  /usr/local/etc/sshd_config:
  # $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
  
  # This is the sshd server system-wide configuration file. See
  # sshd_config(5) for more information.
  
  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
  
  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented. Uncommented options change a
  # default value.
  
  #Port 22
  #Protocol 2,1
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  
  # HostKey for protocol version 1
  HostKey /usr/local/etc/ssh_host_key
  # HostKeys for protocol version 2
  HostKey /usr/local/etc/ssh_host_rsa_key
  HostKey /usr/local/etc/ssh_host_dsa_key
  
  # Lifetime and size of ephemeral version 1 server key
  KeyRegenerationInterval 3600
  ServerKeyBits 768
  
  # Logging
  #obsoletes QuietMode and FascistLogging
  SyslogFacility AUTH
  LogLevel INFO
  
  # Authentication:
  
  #LoginGraceTime 600
  #PermitRootLogin yes
  #StrictModes yes
  
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys
  
  # rhosts authentication should not be used
  #RhostsAuthentication no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
  
  # To disable tunneled clear text passwords, change to no here!
  PasswordAuthentication yes
  PermitEmptyPasswords no
  
  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes
  
  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  
  #AFSTokenPassing no
  
  # Kerberos TGT Passing only works with the AFS kaserver
  #KerberosTgtPassing no
  
  # Set this to 'yes' to enable PAM keyboard-interactive authentication
  # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
  #PAMAuthenticationViaKbdInt yes
  
  #X11Forwarding no
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes
  #PrintLastLog yes
  #KeepAlive yes
  #UseLogin no
  UsePrivilegeSeparation yes
  Compression yes
  
  #MaxStartups 10
  # no default banner path
  #Banner /some/path
  #VerifyReverseMapping no
  
  # override default of no subsystems
  Subsystem sftp /usr/local/libexec/sftp-server
  
  这里关闭了SSH的密码验证方式,采用RSA的密钥验证方法,用户需要首先在服务器上用ssh-keygen –t rsa在自己的主目录下.ssh目录里自动生成密钥对,id_rsa(私钥)和id_rsa.pub(公钥),然后手工将id_rsa.pub拷贝成autohrized_keys文件.并将id_rsa和id_rsa..pub文件传至客户端保存好,同时删除服务器端的id_rsa和id_rsa.pub文件。
  
  客户端测试:如果是UNIX客户端,将id_rsa和id_rsa.pub放在用户主目录的.ssh子目录下, 用ssh和sftp可以进行测试;如果是WINDOWS系统的客户端,可以通过SECURECRT指定authencation为publickey方式,并且在properties中的session settings中选用use identity file,指定具体的id_rsa的文件位置,即可登录。这样,只有拥有密钥对的用户才可以登录。当然,得保护好自己的钥匙不可泄露,为安全起见,服务器需要定时改变每个用户的密钥。
  
  通过以上对intranet内部服务器的安全配置,实现了安全性和方便性的整合。

原文转自:http://www.ltesting.net