Summary: This 风哥教程 tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how to configure and use the related technologies.
风哥 tip:
This document describes the security configuration and hardening of the SSH service in detail.
Part01-Basic SSH configuration
1.1 SSH service configuration
$ sudo cat /etc/ssh/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Secure configuration (replaces the whole file)
$ sudo tee /etc/ssh/sshd_config << 'EOF'
Port 22
AddressFamily inet
ListenAddress 0.0.0.0
# Modern OpenSSH only speaks protocol 2; the directive is accepted for compatibility
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/libexec/openssh/sftp-server
# A user must satisfy both AllowUsers and AllowGroups to log in
AllowUsers user1 user2
AllowGroups ssh-users
Banner /etc/issue.net
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
EOF
# Restart the SSH service
$ sudo systemctl restart sshd
$ sudo systemctl enable sshd
# Validate the configuration syntax and the service state
$ sudo sshd -t
$ sudo systemctl status sshd
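An added example, not code from 风哥教程 or the original tutorial: a small audit that parses an sshd_config text the way sshd does (case-insensitive keys, first occurrence wins, a Match block ends the global section) and reports which of the directives set in Part01 are still at a weak value. The hardened thresholds (MaxAuthTries at most 3, LoginGraceTime at most 60) are taken from the configuration above; the stock-file sample is constructed.

```python
# Added example (not from the tutorial): audit an sshd_config text for the
# directives Part01 sets. Mirrors sshd's rules: keys are case-insensitive,
# the first occurrence wins, and a `Match` block ends the global section.

# directive -> (OpenSSH default when absent, predicate for "hardened")
CHECKS = {
    "permitrootlogin": ("prohibit-password", lambda v: v == "no"),
    "passwordauthentication": ("yes", lambda v: v == "no"),
    "permitemptypasswords": ("no", lambda v: v == "no"),
    "pubkeyauthentication": ("yes", lambda v: v == "yes"),
    "x11forwarding": ("no", lambda v: v == "no"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3),
    "logingracetime": ("120", lambda v: v.isdigit() and int(v) <= 60),
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase_key: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional section: global directives are done
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective


def audit_sshd_config(text):
    """Return (directive, effective_value) pairs that fail a hardening check."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (default, ok) in CHECKS.items():
        value = effective.get(key, default).lower()
        if not ok(value):
            findings.append((key, value))
    return findings


# Constructed sample: a stock file where every line is commented out, so each
# directive falls back to its OpenSSH default (root login allowed with a key,
# password authentication on, six authentication tries).
STOCK_CONFIG = "#Port 22\n#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n"
```

Running `audit_sshd_config` over the output of `sudo sshd -T` works too, since that prints the effective values one directive per line.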
Part02-SSH key authentication
2.1 Configure key authentication
$ ssh-keygen -t rsa -b 4096 -C "user1@fgedu.net.cn"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:abcd1234abcd1234abcd1234abcd1234abcd1234 user1@fgedu.net.cn
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|                 |
|                 |
|                 |
|                 |
|                 |
|                 |
|                 |
|                 |
+----[SHA256]-----+
# Generate an ED25519 key pair
$ ssh-keygen -t ed25519 -C "user1@fgedu.net.cn"
# Copy the public key to the server
$ ssh-copy-id user1@server.fgedu.net.cn
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user1/.ssh/id_rsa.pub"
user1@server.fgedu.net.cn's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user1@server.fgedu.net.cn'"
and check to make sure that only the key(s) you wanted were added.
# Copy the public key manually (create ~/.ssh on the server first so the append cannot fail on a fresh account)
$ cat ~/.ssh/id_rsa.pub | ssh user1@server 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
# Set permissions on the server: with StrictModes, sshd refuses keys from a group- or world-writable ~/.ssh or authorized_keys
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
# Configure the SSH client
$ tee ~/.ssh/config << 'EOF'
Host server
HostName server.fgedu.net.cn
User user1
Port 22
IdentityFile ~/.ssh/id_rsa
ServerAliveInterval 60
ServerAliveCountMax 3
Compression yes
EOF
$ chmod 600 ~/.ssh/config
# Log in with the key
$ ssh server
Enter passphrase for key '/home/user1/.ssh/id_rsa':
Part03-SSH security hardening
3.1 Advanced security configuration
$ sudo tee -a /etc/ssh/sshd_config << 'EOF'
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
# Configure port knocking
$ sudo dnf install -y knock-server
$ sudo tee /etc/knockd.conf << 'EOF'
[options]
UseSyslog
Interface = eth0
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/bin/firewall-cmd --add-rich-rule='rule family="ipv4" source address="%IP%" service name="ssh" accept'
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /usr/bin/firewall-cmd --remove-rich-rule='rule family="ipv4" source address="%IP%" service name="ssh" accept'
tcpflags = syn
EOF
$ sudo systemctl start knockd
$ sudo systemctl enable knockd
# Configure two-factor authentication
$ sudo dnf install -y google-authenticator
$ google-authenticator
Do you want authentication tokens to be time-based? (y/n) y
Your new secret key is: ABCD1234EFGH5678
Your verification code is 123456
Your emergency scratch codes are:
  12345678
  23456789
  34567890
  45678901
  56789012
Do you want me to update your "/home/user1/.google_authenticator" file? (y/n) y
# Turn on keyboard-interactive (PAM) authentication and keep plain password login off
$ sudo sed -i 's/^#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
$ sudo sed -i 's/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
$ sudo sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
$ sudo sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Without this line a valid key alone completes the login and the TOTP prompt is never shown
$ echo 'AuthenticationMethods publickey,keyboard-interactive' | sudo tee -a /etc/ssh/sshd_config
$ sudo tee /etc/pam.d/sshd << 'EOF'
# This replaces the distribution's PAM stack for sshd; on RHEL-family systems keep the
# existing password-auth/postlogin includes alongside the Google Authenticator line
auth required pam_google_authenticator.so
auth required pam_permit.so
@include common-account
session required pam_exec.so /usr/bin/ssh-login-notify
EOF
$ sudo systemctl restart sshd
# Configure an SSH jump host (append, so the Host server entry from Part02 is kept)
$ tee -a ~/.ssh/config << 'EOF'
Host target
HostName 192.168.2.10
User user1
ProxyJump jumpserver
Host jumpserver
HostName jump.fgedu.net.cn
User jumpuser
EOF
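An added example, not code from 风哥教程 or the pam_google_authenticator project: the time-based code check that the PAM module performs on the base32 secret google-authenticator writes to ~/.google_authenticator, implemented from RFC 4226/6238 so the skew window can be seen explicitly. The secret used is the RFC test key, constructed here; the page's own secret is not used.

```python
# Added example (not from the tutorial): the TOTP check behind the 2FA setup
# above, written from RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is
# base32 as in ~/.google_authenticator; codes are 6 digits over 30-second
# steps, and verification tolerates +/-1 step of clock skew.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, code, unix_time=None, skew=1):
    """Accept a code from the current 30-second step or `skew` steps either side.

    Comparison is constant-time. A wider skew keeps an observed code usable
    for longer, which is why the PAM module's default window stays small.
    """
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // 30
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), str(code))
        for d in range(-skew, skew + 1)
    )


# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32,
# the encoding google-authenticator uses for the "new secret key" it prints.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```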
Part04-SSH monitoring
4.1 SSH log monitoring
$ sudo journalctl -u sshd -f
Apr 04 02:40:00 server sshd[12345]: Accepted publickey for user1 from 192.168.1.10 port 54321 ssh2
Apr 04 02:40:00 server sshd[12345]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
# View failed logins
$ sudo grep "Failed password" /var/log/secure
Apr 4 02:35:00 server sshd[12340]: Failed password for user1 from 192.168.1.10 port 54320 ssh2
Apr 4 02:35:05 server sshd[12340]: Failed password for user1 from 192.168.1.10 port 54320 ssh2
# Configure the SSH log level (the Part01 file has no LogLevel line, so append one if the sed finds nothing to replace)
$ sudo sed -i 's/^#\?LogLevel.*/LogLevel VERBOSE/' /etc/ssh/sshd_config
$ grep -q '^LogLevel' /etc/ssh/sshd_config || echo 'LogLevel VERBOSE' | sudo tee -a /etc/ssh/sshd_config
$ sudo systemctl restart sshd
# SSH activity monitoring script
$ sudo tee /usr/local/bin/ssh-monitor.sh << 'EOF'
#!/bin/bash
# Polls /var/log/secure and mails only the failed-login lines added since the
# previous check; a fixed "tail -10" would re-send the same lines every minute.
LOG_FILE="/var/log/ssh-monitor.log"
ALERT_EMAIL="admin@fgedu.net.cn"
SECURE_LOG="/var/log/secure"
STATE_FILE="/var/run/ssh-monitor.offset"
OFFSET=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
while true; do
    SIZE=$(stat -c %s "$SECURE_LOG")
    # Start from the top again after log rotation (file became smaller)
    [ "$SIZE" -lt "$OFFSET" ] && OFFSET=0
    FAILED=$(tail -c +$((OFFSET + 1)) "$SECURE_LOG" | grep "Failed password")
    OFFSET=$SIZE
    echo "$OFFSET" > "$STATE_FILE"
    if [ -n "$FAILED" ]; then
        echo "$(date): Failed login attempts detected" >> "$LOG_FILE"
        echo "$FAILED" >> "$LOG_FILE"
        echo "$FAILED" | mail -s "SSH Failed Login Alert" "$ALERT_EMAIL"
    fi
    sleep 60
done
EOF
$ sudo chmod +x /usr/local/bin/ssh-monitor.sh
# Create a systemd service
$ sudo tee /etc/systemd/system/ssh-monitor.service << 'EOF'
[Unit]
Description=SSH Monitor Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/ssh-monitor.sh
Restart=always
[Install]
WantedBy=multi-user.target
EOF
$ sudo systemctl daemon-reload
$ sudo systemctl start ssh-monitor
$ sudo systemctl enable ssh-monitor
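An added example, not code from 风哥教程 or the original tutorial: the detection step the monitor script above leaves to the reader. It parses the "Failed password" lines in the /var/log/secure format shown in 4.1 (including the "invalid user" variant), groups failures by source IP and flags any IP with more than a threshold of failures inside a sliding time window. The log lines are constructed; because /var/log/secure timestamps carry no year, the year is an assumed parameter.

```python
# Added example (not from the tutorial): brute-force detection over the
# "Failed password" lines the monitor script collects. Failures are grouped
# per source IP; an IP is flagged when more than `threshold` of them fall
# inside a `window`-second sliding window. Year is assumed (no year in the log).
import re
from collections import defaultdict
from datetime import datetime

# Matches "Failed password for user1 ..." and "... for invalid user bob ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]


def find_bruteforce_sources(lines, threshold=3, window=300):
    """Return {ip: peak_failures_in_window} for IPs exceeding the threshold."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            attempts[parsed[2]].append(parsed[0])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):   # slide the window over sorted times
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


# Constructed sample in the /var/log/secure format shown above: one host
# hammering root and an invalid user, plus a single typo by a legitimate admin.
SAMPLE_LOG = """\
Apr  4 02:35:00 server sshd[12340]: Failed password for root from 203.0.113.7 port 41000 ssh2
Apr  4 02:35:02 server sshd[12341]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Apr  4 02:35:04 server sshd[12342]: Failed password for root from 203.0.113.7 port 41002 ssh2
Apr  4 02:35:06 server sshd[12343]: Failed password for root from 203.0.113.7 port 41003 ssh2
Apr  4 02:35:10 server sshd[12344]: Failed password for user1 from 192.168.1.10 port 54320 ssh2
""".splitlines()
```

Feeding `$FAILED` from the monitor script into `find_bruteforce_sources` turns the per-minute mail into an alert only when a source actually crosses the threshold.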
1. Disable root login
2. Use key authentication
3. Configure port knocking
4. Enable two-factor authentication
5. Monitor SSH activity
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
