本文共 1788 字，大约阅读时间需要 5 分钟。

SSH?????????

????SSH?????????????????????????

1. ??denyhosts????hosts??

?????denyhosts?????????SSH???

yum install denyhosts --enablerepo=epel chkconfig denyhosts on /etc/init.d/denyhosts start

2. SSH???????????????root??

???????????????????root???

# ??SSH????
vim /etc/ssh/sshd_config
# ??????
PasswordAuthentication no
# ??root??
PermitRootLogin no

3. ????????SSH??

??iptables??????IP????SSH???????????

# ??SSH????
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent !--rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
# ??????
iptables -L

4. ??IP??????????????

??geoiplookup?iptables?????????SSH???

#!/bin/bash
# ??????????????
ALLOW_COUNTRIES="CN"
# ????IP?????
COUNTRY=$(geoiplookup $1 | awk -F ":" '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1)
# ????????????
if [[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES == "~$COUNTRY" ]]; then
    RESPONSE="DENY"
    logger "$RESPONSE ssh connection from $1 ($COUNTRY)"
    exit 1
fi
# ??????
RESPONSE="ALLOW"

5. TCP?????????SSH??

????hosts.allow?????SSH??????

echo "sshd: ALL" > /etc/hosts.deny
echo "sshd: 10.0.0.0/8" > /etc/hosts.allow
echo "sshd: ALL: alexec /usr/bin/sshfilter.sh %a" > /etc/hosts.allow

6. IP??????????

??????????????????IP???

# ???????IP?????
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT

7. SSH??????

?????????????????????????

# ??????
echo "export TMOUT=1800" > /etc/profile.d/timeout.sh
source /etc/profile.d/timeout.sh

8. SSH???????????????

??SSH???????????????????

# ??SSH????
vim /etc/ssh/sshd_config
# ??????
ClientAliveInterval 60
ClientAliveCountMax 30

?????????SSH????????????????????????????

转载地址：http://rcpfk.baihongyu.com/