Summary: this Feng Ge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the relevant technologies.
This document describes SSH service configuration and security hardening in detail, covering OpenSSH server installation, configuration tuning and key-based authentication.
Part01-SSH Service Installation
1.1 Install the OpenSSH server
$ sudo dnf install -y openssh-server
Last metadata expiration check: 0:45:23 ago on Thu 03 Apr 2026 08:00:15 PM CST.
Package openssh-server-8.7p1-34.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
# Start the SSH service
$ sudo systemctl start sshd
# Enable it at boot
$ sudo systemctl enable sshd
Created symlink /etc/systemd/system/multi-user.target.wants/sshd.service → /usr/lib/systemd/system/sshd.service.
# Check the service status
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-04-03 20:00:00 CST; 10s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 12345 (sshd)
Tasks: 1 (limit: 49152)
Memory: 1.5M
CPU: 20ms
CGroup: /system.slice/sshd.service
└─12345 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Apr 03 20:00:00 rhel10 systemd[1]: Starting OpenSSH server daemon...
Apr 03 20:00:00 rhel10 sshd[12345]: Server listening on 0.0.0.0 port 22.
Apr 03 20:00:00 rhel10 sshd[12345]: Server listening on :: port 22.
Apr 03 20:00:00 rhel10 systemd[1]: Started OpenSSH server daemon.
# Check the SSH listening port
$ sudo ss -tlnp | grep sshd
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=12345,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=12345,fd=4))
Part02-SSH Configuration Tuning
2.1 Edit the SSH configuration
# Back up the shipped configuration first
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Show the active (non-comment) settings
$ sudo grep -v "^#" /etc/ssh/sshd_config | grep -v "^$"
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
# Create a hardening drop-in. sshd keeps the FIRST value it reads for each option, and
# /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf in lexical order. RHEL ships
# /etc/ssh/sshd_config.d/50-redhat.conf, which pulls in the system-wide crypto policy
# (Ciphers, MACs, KexAlgorithms), so a file named 99-*.conf is read after it and its
# algorithm lines would be silently ignored. Name the drop-in so it sorts first.
# (Alternatively leave the algorithm lines out and run: sudo update-crypto-policies --set FUTURE)
$ sudo tee /etc/ssh/sshd_config.d/00-hardening.conf << EOF
# SSH hardening
# Change the default port (label it for SELinux and open it in the firewall BEFORE restarting; see Part05)
Port 2222
# No direct root login
PermitRootLogin no
# Enable key authentication
PubkeyAuthentication yes
# Disable password authentication (only after a working key is installed, see Part03)
PasswordAuthentication no
# No empty passwords
PermitEmptyPasswords no
# Restrict who may log in: a user must pass BOTH AllowUsers and AllowGroups
AllowUsers user1 user2
AllowGroups sshusers
# Maximum authentication attempts per connection
MaxAuthTries 3
# Seconds a client has to authenticate before the connection is dropped
LoginGraceTime 60
# Disable X11 forwarding
X11Forwarding no
# Disable TCP port forwarding (also blocks -L/-D tunnels from clients)
AllowTcpForwarding no
# Disconnect idle sessions: 300 s x 2 missed keepalives = 10 minutes
ClientAliveInterval 300
ClientAliveCountMax 2
# (No "Protocol 2" line: OpenSSH 7.4 and later speak only SSHv2 and log a deprecation warning for that directive)
# Strong algorithms only
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
# Check the syntax
$ sudo sshd -t
# Check the EFFECTIVE values after all includes, not just the file you wrote
$ sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|ciphers|macs|kexalgorithms) '
# Restart sshd. Keep this session open and confirm a fresh login on port 2222 from a second terminal before closing it.
$ sudo systemctl restart sshd
# Check the new listening port
$ sudo ss -tlnp | grep sshd
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=12346,fd=3))
LISTEN 0 128 [::]:2222 [::]:* users:(("sshd",pid=12346,fd=4))
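The drop-in above only helps if sshd actually applies it, and `sshd -T` is the check: it prints the effective value of every option after all includes and first-match-wins resolution. The following script is added here as an example and is not part of the original tutorial. It compares such a dump against the hardening baseline from this section; the two dumps it audits are constructed sample files so it runs offline, and the baseline values and file names are assumptions taken from the drop-in above. On a real host you would feed it the output of `sudo sshd -T` instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: compare an `sshd -T` dump against the
# Part02 baseline. The two dumps below are CONSTRUCTED for offline use; on a real host run
#   sudo sshd -T > /tmp/sshd-effective.txt
# and audit that file.
set -u

# Baseline: "<option> <required value>", option names lowercase exactly as sshd -T prints them.
BASELINE='port 2222
permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 3
x11forwarding no
allowtcpforwarding no
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

# audit_sshd_dump FILE: print one line per deviation; exit 0 if none, 1 otherwise
audit_sshd_dump() {
  local dump="$1" key want have bad=0
  while read -r key want; do
    [ -z "$key" ] && continue
    # first field is the option name, the rest of the line is its effective value
    have=$(awk -v k="$key" 'tolower($1)==k { sub(/^[^ ]+ /, ""); print; exit }' "$dump")
    if [ -z "$have" ]; then
      echo "MISSING  $key (want: $want)"; bad=1
    elif [ "$have" != "$want" ]; then
      echo "MISMATCH $key: have '$have', want '$want'"; bad=1
    fi
  done <<EOF
$BASELINE
EOF
  return "$bad"
}

# count_sshd_deviations FILE: number of deviations as a plain integer
count_sshd_deviations() { audit_sshd_dump "$1" | wc -l | tr -d ' '; }

WORKDIR=$(mktemp -d)

# Constructed: a host where the drop-in took effect (extra options are ignored by the audit).
cat > "$WORKDIR/good.txt" <<'EOF'
port 2222
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
maxauthtries 3
x11forwarding no
allowtcpforwarding no
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
EOF

# Constructed: same host, but the drop-in was named 99-*.conf, so the crypto-policy cipher
# list read earlier won, and two other options were left at their defaults.
cat > "$WORKDIR/bad.txt" <<'EOF'
port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
maxauthtries 6
x11forwarding no
allowtcpforwarding no
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
EOF

audit_sshd_dump "$WORKDIR/good.txt" && echo "good.txt: matches baseline"
audit_sshd_dump "$WORKDIR/bad.txt"  || echo "bad.txt: $(count_sshd_deviations "$WORKDIR/bad.txt") deviation(s)"
```

Run it against the dump from a freshly restarted sshd; a MISMATCH on ciphers, macs or kexalgorithms with the drop-in in place is the signature of the include-order problem described above.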
Part03-SSH Key Authentication
3.1 Generate an SSH key pair
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:abc123def456ghi789jkl012mno345pqr678stu901vwx234yz user@rhel10
The key's randomart image is:
+---[RSA 4096]----+
| .o. |
| ..o . |
| . o= . |
| . . =o . |
| . S.o . |
| . o = |
| . . . B o |
| . .o+ * = . |
| ..=EB+o o |
+----[SHA256]-----+
# Generate an Ed25519 key pair (recommended: small, fast, and no key size or curve to choose wrongly)
$ ssh-keygen -t ed25519 -C "user@fgedu.net.cn"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519.
Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:xyz789abc123def456ghi789jkl012mno345pqr678stu901vwx234yza user@rhel10
The key's randomart image is:
+--[ED25519 256]--+
| . . |
| . o |
| . = . |
| . * o . |
| o B S . |
| . * B o |
| + = B |
| . * = o |
| E.=o+. |
+----[SHA256]-----+
# List the generated keys: private keys must be 0600, public keys may be 0644
$ ls -lh ~/.ssh/
total 16K
-rw-------. 1 user user  411 Apr  3 20:05 id_ed25519
-rw-r--r--. 1 user user  100 Apr  3 20:05 id_ed25519.pub
-rw-------. 1 user user 3.3K Apr  3 20:04 id_rsa
-rw-r--r--. 1 user user  742 Apr  3 20:04 id_rsa.pub
# Copy the public key to the remote server. Do this while password logins still work, because
# ssh-copy-id needs one password-authenticated login; -p 2222 matches the Port set in the drop-in
$ ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519.pub user@192.168.1.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@192.168.1.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2222' 'user@192.168.1.100'"
and check to make sure that only the key(s) you wanted were added.
# Copy the public key by hand. Set the modes StrictModes requires (0700 ~/.ssh, 0600 authorized_keys),
# otherwise sshd ignores the file and the key never works
$ ssh -p 2222 user@192.168.1.100 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pub
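The one-liner above works once, but run twice it appends the key twice, and it says nothing when the modes are wrong. The function below, added here as an example and not part of the original tutorial, does what ssh-copy-id does on the remote side: it installs a key idempotently (matched on the base64 blob, so a changed comment or an options prefix does not create a duplicate) and enforces the modes sshd's StrictModes checks. The key is a constructed placeholder, not a real identity, and the home directory is a temp dir so the demo runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: install a public key into authorized_keys
# idempotently and with the modes sshd's StrictModes (on by default) insists on: ~/.ssh 0700,
# authorized_keys 0600, nothing group- or world-writable. Get this wrong and the key is silently
# refused, which locks you out once PasswordAuthentication is off. The key is CONSTRUCTED and the
# "home" is a temp directory.
set -u

# install_authorized_key HOME_DIR "<type> <base64> [comment]"
# Appends the key once (matched on the base64 blob), then fixes modes. Returns 0 if present.
install_authorized_key() {
  local home="$1" pubkey="$2"
  local sshdir="$home/.ssh" akf="$home/.ssh/authorized_keys" blob
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  mkdir -p "$sshdir"
  touch "$akf"
  # any field equal to the blob counts, so lines with options such as from="..." are matched too
  if ! awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$akf"; then
    printf '%s\n' "$pubkey" >> "$akf"
  fi
  # StrictModes also rejects a group/world-writable home directory itself
  chmod go-w "$home"
  chmod 700 "$sshdir"
  chmod 600 "$akf"
  grep -qF -- "$blob" "$akf"
}

# count_authorized_keys HOME_DIR: number of key lines (blank lines and comments ignored)
count_authorized_keys() {
  grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# mode_of PATH: octal permission bits (GNU stat, with a BSD fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

DEMO_HOME=$(mktemp -d)
# Constructed demo key: right shape, not a real public key
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx user@rhel10'

install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"               # second run: no duplicate
install_authorized_key "$DEMO_HOME" "${DEMO_KEY% *} laptop"   # same key, new comment: still one line
echo "keys: $(count_authorized_keys "$DEMO_HOME"), .ssh mode $(mode_of "$DEMO_HOME/.ssh"), authorized_keys mode $(mode_of "$DEMO_HOME/.ssh/authorized_keys")"
```

To use it on a real account, pipe the function and the public key over ssh exactly as the one-liner above does, with `$HOME` as the first argument.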
Part04-SSH Client Configuration
4.1 Configure the SSH client
$ tee ~/.ssh/config << EOF
# Server 1
Host server1
    HostName 192.168.1.100
    Port 2222
    User user1
    IdentityFile ~/.ssh/id_ed25519
    # Agent forwarding lets root on server1 use every key in your agent; keep it off
    # and reach hosts behind it with ProxyJump instead (see server3)
    ForwardAgent no
    ForwardX11 no
# Server 2
Host server2
    HostName 192.168.1.101
    Port 2222
    User user2
    IdentityFile ~/.ssh/id_rsa
# Jump host
Host jumphost
    HostName 192.168.1.1
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519
# server3 is reached through the jump host; the private key stays on the client, nothing is forwarded
Host server3
    HostName 10.0.0.100
    User user3
    ProxyJump jumphost
    IdentityFile ~/.ssh/id_ed25519
# Global defaults go LAST: ssh keeps the first value it finds for each option, so a
# catch-all block placed first would override the per-host settings above
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes
    Compression yes
EOF
# The file must not be readable or writable by others
$ chmod 600 ~/.ssh/config
# Connect using the alias
$ ssh server1
Last login: Thu Apr  3 20:10:00 2026 from 192.168.1.10
[user1@server1 ~]$
# Hold the decrypted key in ssh-agent so the passphrase is typed once per session
$ eval $(ssh-agent)
Agent pid 12347
$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/user/.ssh/id_ed25519:
Identity added: /home/user/.ssh/id_ed25519 (user@fgedu.net.cn)
$ ssh-add -l
256 SHA256:xyz789abc123def456ghi789jkl012mno345pqr678stu901vwx234yza user@fgedu.net.cn (ED25519)
# SSH tunnel (local port forward): local 8080 -> port 80 on the remote host.
# Both forwards below need AllowTcpForwarding yes on the server; the Part02 drop-in sets it to no,
# so a hardened host refuses them with "administratively prohibited"
$ ssh -p 2222 -L 8080:localhost:80 user@192.168.1.100
# Dynamic port forwarding (SOCKS proxy on local port 1080)
$ ssh -p 2222 -D 1080 user@192.168.1.100
Part05-SSH Security Hardening
5.1 SSH security best practices
# 1. Open the new port in the firewall. The default "ssh" service entry still allows port 22;
#    remove it with --permanent --remove-service=ssh (then --reload) once logins on 2222 are confirmed
$ sudo firewall-cmd --permanent --add-port=2222/tcp
success
$ sudo firewall-cmd --reload
success
# 2. Install fail2ban to block brute-force attempts (on RHEL the package comes from EPEL; enable that repository first)
$ sudo dnf install -y fail2ban
$ sudo systemctl enable --now fail2ban
# Configure fail2ban in jail.local; jail.conf is replaced on package updates
$ sudo tee /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
# must match the Port in the sshd drop-in
port = 2222
filter = sshd
# /var/log/secure exists only with rsyslog; on a journal-only host use "backend = systemd" instead of logpath
logpath = /var/log/secure
# 3 failures within 600 s -> ban for 3600 s
maxretry = 3
findtime = 600
bantime = 3600
# loopback and the management LAN are never banned (so brute force from that LAN is never stopped either)
ignoreip = 127.0.0.1/8 192.168.1.0/24
EOF
$ sudo systemctl restart fail2ban
# 3. Check the jail
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
# 4. SELinux: allow sshd to bind the new port (semanage is in policycoreutils-python-utils).
#    Do this BEFORE restarting sshd on 2222, otherwise the bind is denied and sshd fails to start
$ sudo semanage port -a -t ssh_port_t -p tcp 2222
$ sudo semanage port -l | grep ssh_port_t
$ sudo restorecon -Rv /etc/ssh
# 5. Review the SSH logs regularly (journalctl -u sshd -f shows the same events from the journal)
$ sudo tail -f /var/log/secure
Apr  3 20:15:00 rhel10 sshd[12348]: Accepted publickey for user from 192.168.1.10 port 54321 ssh2
Apr  3 20:15:00 rhel10 sshd[12348]: pam_unix(sshd:session): session opened for user user(uid=1000) by (uid=0)
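The fail2ban jail above and the log review in step 5 come down to one question: which source addresses have failed too often? The script below is added here as an example and is not part of the original tutorial or of fail2ban. It performs the core of the sshd jail as a single awk pass over /var/log/secure: it counts "Failed password" and "Invalid user" events per source, drops sources matching an ignore pattern (the jail's ignoreip, here a prefix regex rather than real CIDR matching) and reports those at or above a threshold (maxretry). The log lines are constructed and use RFC 5737 documentation addresses; the findtime window is not modelled.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: what the fail2ban sshd jail counts, as a
# one-shot awk pass over /var/log/secure, so you can see which sources would trip maxretry
# before (or without) deploying fail2ban. Log lines are CONSTRUCTED; the ignore list is a
# regex on the address text, not CIDR matching.
set -u

# ssh_offenders LOGFILE THRESHOLD [IGNORE_REGEX]: prints "<count> <ip>" per source at or above THRESHOLD
ssh_offenders() {
  local log="$1" thr="$2" ign="${3:-}"
  awk -v thr="$thr" -v ign="$ign" '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
      # the source address is the token after "from"
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      if (ign != "" && ip ~ ign) next
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' "$log" | sort -rn
}

LOG=$(mktemp)
# Constructed sample of /var/log/secure: two external sources hammering passwords, one LAN user
# with a single typo, and a successful key login that must not be counted.
cat > "$LOG" <<'EOF'
Apr  3 20:12:01 rhel10 sshd[13001]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Apr  3 20:12:03 rhel10 sshd[13002]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Apr  3 20:12:05 rhel10 sshd[13003]: Failed password for root from 203.0.113.45 port 51238 ssh2
Apr  3 20:12:07 rhel10 sshd[13004]: Failed password for user from 192.168.1.10 port 54322 ssh2
Apr  3 20:12:09 rhel10 sshd[13005]: Invalid user test from 198.51.100.7 port 40001
Apr  3 20:12:09 rhel10 sshd[13005]: Connection closed by invalid user test 198.51.100.7 port 40001 [preauth]
Apr  3 20:15:00 rhel10 sshd[12348]: Accepted publickey for user from 192.168.1.10 port 54321 ssh2
Apr  3 20:16:00 rhel10 sshd[13010]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr  3 20:16:02 rhel10 sshd[13011]: Failed password for root from 198.51.100.7 port 40003 ssh2
EOF

# Same parameters as the jail.local above: maxretry 3, loopback and the management LAN ignored
echo "would be banned (>=3 failures, 127.0.0.0/8 and 192.168.1.0/24 ignored):"
ssh_offenders "$LOG" 3 '^(127\.|192\.168\.1\.)'
```

Run it with threshold 1 and no ignore pattern to see every source with at least one failure, including the LAN host that the jail would never ban.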
# 6. SSH certificate authentication: a CA signs user keys and the server trusts the CA, so there is no per-user authorized_keys to maintain
# Create the CA key pair once; keep the private key off the servers it signs for
$ sudo ssh-keygen -t ed25519 -f /etc/ssh/ca_key -C "user CA"
# Sign the user's key: key ID user_cert, principal (login name) user, valid for 52 weeks; writes ~/.ssh/id_ed25519-cert.pub
$ sudo ssh-keygen -s /etc/ssh/ca_key -I user_cert -n user -V +52w ~/.ssh/id_ed25519.pub
# On each server, trust certificates issued by this CA (then sshd -t and restart sshd)
$ echo "TrustedUserCAKeys /etc/ssh/ca_key.pub" | sudo tee /etc/ssh/sshd_config.d/00-trusted-ca.conf
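A worked run of that certificate flow, added here as an example and not part of the original tutorial: it creates a throwaway CA in a temp directory, signs a user key with a serial number, prints the certificate, then revokes it with a Key Revocation List and checks the KRL. Revocation is the piece the step above leaves out; without a KRL (sshd's RevokedKeys) a stolen certificate stays valid until it expires. Everything runs locally with ssh-keygen only; the paths, key comments and serial are demo assumptions, and the two sshd directives it prints are what a server would need, not anything applied here. If ssh-keygen is not installed the demo is skipped.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: OpenSSH user-certificate lifecycle with
# ssh-keygen alone. CA, user key, KRL and all paths are demo assumptions inside a temp dir.
set -u

have_ssh_keygen() { command -v ssh-keygen >/dev/null 2>&1; }

# make_ca DIR: create DIR/ca_key and DIR/ca_key.pub. No passphrase here for the demo; a real
# CA key is passphrase-protected and kept off the servers it signs for.
make_ca() { ssh-keygen -q -t ed25519 -N '' -C 'demo user CA' -f "$1/ca_key"; }

# sign_user_key CA_KEY USER_PUB KEY_ID PRINCIPALS SERIAL VALIDITY
# Writes <USER_PUB without .pub>-cert.pub. PRINCIPALS are the login names the cert is valid
# for; SERIAL is what a KRL revokes by, so never issue two certificates with the same serial.
sign_user_key() {
  ssh-keygen -q -s "$1" -I "$3" -n "$4" -z "$5" -V "$6" "$2"
}

# cert_info CERT: human-readable dump (type, signing CA, key ID, serial, validity, principals)
cert_info() { ssh-keygen -L -f "$1"; }

# revoke_cert KRL CERT: write a Key Revocation List containing this certificate
revoke_cert() { ssh-keygen -k -f "$1" "$2"; }

# is_revoked KRL KEY_OR_CERT: true when ssh-keygen -Q reports the key/cert as REVOKED
is_revoked() { ssh-keygen -Q -f "$1" "$2" 2>/dev/null | grep -q 'REVOKED'; }

DEMO_DIR=$(mktemp -d)
if have_ssh_keygen; then
  make_ca "$DEMO_DIR"
  ssh-keygen -q -t ed25519 -N '' -C 'user@rhel10' -f "$DEMO_DIR/id_ed25519"
  sign_user_key "$DEMO_DIR/ca_key" "$DEMO_DIR/id_ed25519.pub" user_cert user 1 +52w
  cert_info "$DEMO_DIR/id_ed25519-cert.pub"
  # What the server side needs (printed, not applied): trust the CA and honour the KRL
  printf '\n# sshd_config drop-in on each server:\nTrustedUserCAKeys /etc/ssh/ca_key.pub\nRevokedKeys /etc/ssh/revoked_keys\n\n'
  revoke_cert "$DEMO_DIR/revoked_keys" "$DEMO_DIR/id_ed25519-cert.pub"
  is_revoked "$DEMO_DIR/revoked_keys" "$DEMO_DIR/id_ed25519-cert.pub" && echo "user_cert (serial 1) is now revoked"
else
  echo "ssh-keygen not found; demo skipped"
fi
```

In production the KRL is regenerated from a record of issued serials and distributed to every server that lists it in RevokedKeys; `ssh-keygen -Q` is the same check sshd performs at login.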
1. Change the default SSH port
2. Disable root login and password authentication
3. Use SSH key authentication
4. Configure fail2ban against brute-force attacks
5. Review the SSH logs regularly
Compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
