CentOS7/8上SSH登录增加安全性启用两步验证

2021-10-20 1135点热度 0人点赞 0条评论

如果你的服务器直接对外就能使用SSH登录的话,在登录的时候,经常看到上一次有多少多少的尝试登录,没错,网上有很多扫描程序一直在扫描并尝试登录,一旦被猜出密码,那么很可能你的服务器被当成肉鸡,或者被植入恶意程序、挖矿、勒索等等,非常的危险。

所以有必要为服务器提供必要的安全保证,本次介绍如何在Linux上(CentOS7以上)为SSH增加2FA安全验证。

首先关闭系统的selinux(如果开着的话)

vim /etc/selinux/config

找到SELINUX=enforcing,如果是SELINUX=disabled的话,就不用修改了,如果是enforcing,修改成SELINUX=disabled,

然后reboot重启下机器

确保服务器时间准确

因为两步验证码是基于时间的,所以请确保服务器上的时间是正确的,可以使用ntp来同步时间,详见:https://blog.terrynow.com/2021/10/17/centos7-sync-time-automatically-with-ntp/

https://blog.terrynow.com/2021/10/18/centos8-sync-time-automatically-with-chrony/

安装依赖和google-authenticator

#安装epel-release
yum install epel-release -y
#安装依赖
yum install autoconf automake libtool pam-devel -y
#安装 Qrencode,谷歌身份验证器需要调用该程序生成二维码并显示。一般会生成一个硕大的二维码
yum install -y qrencode
#安装google-authenticator
yum install google-authenticator -y

准备手机APP

到应用商店找下,例如Google Authenticator,或者微软的Microsoft Authenticator,总之找大厂的,最好能带备份的(微软的可以备份),以防手机丢失或者换手机。

配置

Linux上运行:google-authenticator

google-authenticator
Do you want authentication tokens to be time-based (y/n) y
(这个时候,终端屏幕上出现一个二维码,用手机Authenticator扫一下,就会将新建一个账号到手机了,或者下面还有一个链接,贴到能上google的浏览器里,也能显示出二维码,⚠️说会将secret发送给google,但是我觉得这个没什么必要担心)
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@beian%3Fsecret%3DQALO4JUNGLJYRCPUO6XA3FHZNY

Your new secret key is: QALO4JUNGLJYRCPUO6XA3FHZNY
Your verification code is 437578
Your emergency scratch codes are:
  97694552
  72072718
  59854501
  64703616
  34266412
(会出现以上几个紧急号码,可以在手机不能用的时候,紧急使用,但是用一个少一个,你也可以把以上信息拍下来,以后换手机还是扫这个就可以了,或者直接记下输入secret key: QALO4JUNGLJYRCPUO6XA3FHZNY,后续也可以到/root/.google_authenticator里查看这些配置,如果重新运行google-authenticator,那可以覆盖掉原来的配置)
Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

修改vim /etc/pam.d/sshd,增加一行auth required pam_google_authenticator.so,如下位置:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
######## 以下这行是增加的 ########
auth required pam_google_authenticator.so
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

修改vim /etc/ssh/sshd_config

找到ChallengeResponseAuthentication no 修改成ChallengeResponseAuthentication yes

找到UsePAM yes 检查下,是否是yes,如果不是,修改成yes,如果没有这行,那添加一行,内容是UsePAM yes

现在重启下sshd

systemctl restart sshd

现在登录SSH,就需要输入密码和验证码了

terry@TerryMac# ssh [email protected]
Password:
Verification code:

 

 

admin

这个人很懒,什么都没留下

文章评论

您需要 登录 之后才可以评论