If your server is directly reachable from the internet and accepts SSH logins, you will often see at login how many failed login attempts there were since last time. That's right: plenty of scanners on the internet keep probing and trying to log in, and once a password is guessed, your server may well be turned into a zombie machine, or have malware, a cryptominer or ransomware planted on it, which is extremely dangerous.
So it is worth giving the server some basic protection. This post shows how to add 2FA (two-factor authentication) to SSH on Linux (CentOS 7 and later).
First, disable SELinux on the system (if it is enabled):
vim /etc/selinux/config
Find the line SELINUX=enforcing. If it already reads SELINUX=disabled, nothing needs to change; if it is enforcing, change it to SELINUX=disabled.
Make sure the server's clock is accurate
The two-factor codes are time-based, so make sure the time on the server is correct. You can use ntp to synchronise it; see https://blog.terrynow.com/2021/10/17/centos7-sync-time-automatically-with-ntp/
and https://blog.terrynow.com/2021/10/18/centos8-sync-time-automatically-with-chrony/
Install the dependencies and google-authenticator
# install epel-release
yum install epel-release -y
# install build dependencies
yum install autoconf automake libtool pam-devel -y
# install qrencode; Google Authenticator calls it to generate and display the QR code (usually a rather large one)
yum install -y qrencode
# install google-authenticator
yum install google-authenticator -y
Prepare the phone app
Search the app store for one, for example Google Authenticator or Microsoft Authenticator. In short, pick one from a major vendor, preferably one that supports backups (Microsoft's does), in case the phone is lost or replaced.
Configuration
Run on the Linux server: google-authenticator
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
(At this point a QR code appears on the terminal. Scan it with the Authenticator app on your phone and a new account is added to the phone. Alternatively there is a link below it; paste it into a browser that can reach Google and it will also display the QR code. ⚠️ It says this sends the secret to Google, but I don't think that is anything to worry about.)
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@beian%3Fsecret%3DQALO4JUNGLJYRCPUO6XA3FHZNY
Your new secret key is: QALO4JUNGLJYRCPUO6XA3FHZNY
Your verification code is 437578
Your emergency scratch codes are:
97694552
72072718
59854501
64703616
34266412
(The emergency codes above can be used when the phone is unavailable, but each one works only once. You can also photograph the information above; when you change phones, scanning it again is enough. Or simply write down the secret key: QALO4JUNGLJYRCPUO6XA3FHZNY. These settings can also be viewed later in /root/.google_authenticator. Running google-authenticator again overwrites the previous configuration.)
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
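To make clear what pam_google_authenticator is actually checking behind those prompts, here is an added Python example (not code from this post or from the google-authenticator project) that computes RFC 6238 TOTP codes from a base32 secret of the kind printed above, and verifies a submitted code against the default 3-code window (window=1) and the 17-code option (window=8), refusing reuse of a time step that has already been consumed, as the "disallow multiple uses" option does. It uses the RFC 4226/6238 reference key "12345678901234567890" as a constructed sample; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample inputs: the RFC 4226/6238 reference key, and the base32
# secret shown in the google-authenticator session above.
RFC_KEY = b"12345678901234567890"
PAGE_SECRET = "QALO4JUNGLJYRCPUO6XA3FHZNY"
STEP = 30  # seconds per token, the app's default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int) -> str:
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the Unix epoch."""
    return hotp(key, at // STEP)


def decode_secret(secret_b32: str) -> bytes:
    """google-authenticator prints the key as unpadded base32; restore the '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(key: bytes, code: str, at: int, window: int, last_used: int = -1):
    """Accept a code belonging to any step within +/-window of the server's step.
    window=1 is the module's default (3 permitted codes); window=8 is the
    17-code option chosen in the session above.  Steps at or before last_used
    are refused, mirroring "disallow multiple uses of the same token".
    Returns (accepted, step_to_record_as_last_used)."""
    now_step = at // STEP
    for step in range(now_step - window, now_step + window + 1):
        if step > last_used and hmac.compare_digest(hotp(key, step), code):
            return True, step
    return False, last_used


if __name__ == "__main__":
    key = decode_secret(PAGE_SECRET)
    print("code the app would show right now:", totp(key, int(time.time())))
    # A code minted at t=59 is still accepted 30 s later only because of the window.
    print(verify(RFC_KEY, totp(RFC_KEY, 59), 89, window=1))  # (True, 1)
    print(verify(RFC_KEY, totp(RFC_KEY, 59), 89, window=0))  # (False, -1)
```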
Edit /etc/pam.d/sshd (vim /etc/pam.d/sshd) and add the line auth required pam_google_authenticator.so at the position shown below:
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
######## the following line is the one added ########
auth       required     pam_google_authenticator.so
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
Edit /etc/ssh/sshd_config (vim /etc/ssh/sshd_config)
Find ChallengeResponseAuthentication no and change it to ChallengeResponseAuthentication yes
Find UsePAM yes and check that it is indeed yes; if not, change it to yes, and if the line is missing, add one with the content UsePAM yes
Now restart sshd:
systemctl restart sshd
From now on, logging in over SSH requires both the password and the verification code:
terry@TerryMac# ssh [email protected]
Password:
Verification code: