Note: when we think about VPS security, what we usually do is change the SSH port and the password; the safer step is to disable password login altogether and log in with a key. That method was written up long ago. Here is another one: install Google Authenticator on the VPS, so that logging in requires not only the correct password but also the correct dynamic verification code. A password alone, whether guessed, leaked or phished, is then no longer enough to get in. The steps below cover CentOS, Debian and Ubuntu.
Tip: this tutorial is used together with the Google Authenticator app; if it is not installed on your phone, install it first so you can obtain the dynamic codes. Any other TOTP app works just as well, since the codes are standard time-based one-time passwords (RFC 6238).
Installation
1. Install from packages
#CentOS 6
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum install google-authenticator -y
#CentOS 7
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install google-authenticator -y
#Debian/Ubuntu
apt update
apt install libpam-google-authenticator -y
2. Build from source
Install the dependencies:
#CentOS
yum install gcc make pam-devel libpng-devel libtool wget git autoconf automake qrencode -y
#Debian/Ubuntu
apt update
apt install -y gcc make autoconf automake libtool libpam0g-dev libqrencode3 git
Build and install the module:
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
./bootstrap.sh
./configure
make && make install
Configuration
1. Set up the authenticator
google-authenticator
Run it as the user who will log in over SSH: it writes that user's secret to ~/.google_authenticator (here /root/.google_authenticator), and every account that is to be protected must run it once. The output looks like this:
Do you want authentication tokens to be time-based (y/n) y
#The QR code: open this URL in a browser and scan it with the Google Authenticator app. The URL carries the secret in its query string and sends it to a third-party server; if you would rather not, type the secret key printed below into the app by hand, or scan the QR code that google-authenticator draws in the terminal when libqrencode is installed.
https://www.google.com/chart?chs=200x200xxx
Your new secret key is: WKDPJHOKR2P3DOWL
Your verification code is 189192
#Emergency scratch codes: use them when the phone is not at hand. Each code works exactly once. Store them somewhere safe and offline; anyone holding them can log in without the app.
Your emergency scratch codes are:
77678926
14729443
83656478
55669982
23960253
#The remaining questions can be answered as below; the reason for each answer is in the comment above it.
Do you want me to update your "/root/.google_authenticator" file (y/n) y
#Answer y: a code that has already been used cannot be replayed by someone who watched you type it.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#Answer n unless the clock really drifts: widening the window multiplies the number of codes an attacker may guess. Keep the server clock synchronised with NTP instead.
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
#Answer y: three attempts per 30 seconds makes online guessing of a 6-digit code impractical.
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
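The questions above map directly onto three policy knobs of a TOTP verifier. What follows is an added example, not code from this page or from the google-authenticator project: a small Python implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus a verifier that applies the accepted window, the disallow-reuse rule and the rate limit the setup asks about. The TotpVerifier class and its parameter names are this example's own; the key `12345678901234567890` is the RFC test-vector key, and the only value taken from the page is the base32 secret WKDPJHOKR2P3DOWL, used to show how the printed secret decodes.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); 30 s steps as in the setup."""
    return hotp(secret, at // step, digits)


def decode_secret(b32: str) -> bytes:
    """google-authenticator prints the secret base32-encoded without '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Example verifier (this example's own class, not the PAM module) applying the
    three policies the setup asks about: accepted window, disallow reuse, rate limit."""

    def __init__(self, secret, step=30, window=1, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret
        self.step = step
        self.window = window            # steps accepted before/after the current one
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_seconds = rate_limit
        self.used_counters = set()      # counters whose code was already accepted
        self.attempts = []              # timestamps of recent attempts

    def verify(self, code: str, now: int) -> bool:
        # Rate limit: no more than max_attempts attempts within rate_seconds.
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if self.disallow_reuse and counter in self.used_counters:
                continue                # replaying a code someone watched you type fails
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector key (ASCII "12345678901234567890"), not a value from the page.
    key = b"12345678901234567890"
    print(totp(key, 59))                            # 287082, the RFC vector for T=59
    v = TotpVerifier(key)
    print(v.verify("287082", 59))                   # True
    print(v.verify("287082", 59))                   # False: reuse rejected
    print(len(decode_secret("WKDPJHOKR2P3DOWL")))  # 10 bytes: an 80-bit secret
```

With the default window of 1 the verifier accepts the previous, current and next 30-second code, which is the "1:30min" the setup mentions; raising the window to 4 widens that to nine codes per attempt. Rate limiting counts attempts, not failures, so a legitimate user who mistypes twice is also held back for the rest of the 30 seconds.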
2. Configure the PAM file
Edit the PAM configuration:
nano /etc/pam.d/sshd
Add the line auth required pam_google_authenticator.so at the right place, roughly:
#CentOS 6: on the line after #%PAM-1.0
#CentOS 7: on the line after auth substack password-auth
#Debian and Ubuntu: at the end of the file
Then press Ctrl+X, then y, to save and exit.
Because the line is required, PAM refuses anyone who has no ~/.google_authenticator file, including accounts that have not yet run google-authenticator. That is the safe default: enrol every account before restarting sshd rather than weakening the line. The module's nullok option lets un-enrolled accounts log in without a code, but it also means an attacker who obtains such an account's password faces no second factor.
Or add it directly from the command line:
#CentOS 6
sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
#CentOS 7
sed -i "/auth[ ]*substack[ ]*pass*/a\auth required pam_google_authenticator.so" /etc/pam.d/sshd
#Debian/Ubuntu
echo 'auth required pam_google_authenticator.so' >>/etc/pam.d/sshd
If you built from source, make install puts the module in /usr/local/lib/security, which PAM does not search, so symlink it into the system module directory:
#CentOS
ln -fs /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
#Debian/Ubuntu
ln -fs /usr/local/lib/security/pam_google_authenticator.so /lib/x86_64-linux-gnu/security/
3. Edit the SSH configuration
The PAM module can only ask for a code when sshd offers keyboard-interactive authentication, so enable it; one command does it:
sed -i -r 's#(ChallengeResponseAuthentication) no#\1 yes#g' /etc/ssh/sshd_config
Two things to check by hand afterwards. First, UsePAM must be yes (it already is in the stock CentOS and Debian/Ubuntu configs), and on OpenSSH 8.7 and later the keyword is called KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias; confirm the effective values with sshd -T rather than by reading the file, since the first occurrence of a keyword wins. Second, this adds the code to password logins only: the publickey method never enters the PAM auth stack, so anyone holding a valid key still logs in without a code unless sshd_config also sets AuthenticationMethods to require publickey and keyboard-interactive together.
Then check the clock:
#Show the server time
date
#If the timezone differs, you can switch it to local time
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
The timezone only changes how the time is displayed. The codes are computed from Unix time, which is timezone-independent, so what actually matters is that the server clock is accurate to within a few seconds: keep an NTP client (chronyd or ntpd) running. If the phone and the server disagree by more than about a minute, every code is rejected.
On CentOS this guide also disables SELinux, which is not enabled on every system. Check with:
#Show the current state
getenforce
#If it prints Disabled there is nothing to do; otherwise the following disables it at the next reboot
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Bear in mind what this trades away. The actual problem is that SELinux stops sshd from reading the secret file under the user's home directory, and switching SELinux off system-wide to cure one denial removes a control that protects everything else on the box. The module's secret= option lets you keep the secret files in a location sshd is allowed to read, and ausearch -m AVC -ts recent shows the exact denial if you prefer to fix the cause.
Finally restart SSH:
#CentOS
service sshd restart
#Debian/Ubuntu
service ssh restart
Keep the session you are working in open and test the new login from a second terminal. If the PAM line or the module path is wrong, the existing session is your only way back in to fix it.
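Before closing the working session it is worth checking whether every login path really ends at the code prompt. The following is an added example, not part of the original page: it parses an sshd_config and an /etc/pam.d/sshd and reports the conditions discussed above, namely UsePAM off, keyboard-interactive off, the public-key bypass when AuthenticationMethods does not require keyboard-interactive, a missing or non-mandatory module line, and nullok. The two sample files are constructed for the example (the first is what the tutorial's sed leaves behind on a Debian-style box); the function names are this example's own.

```python
import re

# Constructed sample inputs for this example, not files taken from the page.
SAMPLE_SSHD_CONFIG = """\
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
"""
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
@include common-auth
account    required     pam_nologin.so
auth required pam_google_authenticator.so
"""
# The same sshd_config after closing the public-key bypass (also constructed).
HARDENED_SSHD_CONFIG = SAMPLE_SSHD_CONFIG + "AuthenticationMethods publickey,keyboard-interactive\n"

# ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def sshd_effective_options(text):
    """Global sshd_config options resolved the way sshd resolves them: keywords are
    case-insensitive, the first occurrence wins, and everything after the first
    Match line is conditional (ignored here)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(ALIASES.get(key, key), val)
    return opts


def pam_auth_entries(text):
    """(control, module, args) for each 'auth' line of a PAM service file."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0].lower() == "auth":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries


def audit(sshd_config, pam_sshd):
    """Return findings; an empty list means every SSH login path must pass the code prompt."""
    o = sshd_effective_options(sshd_config)
    findings = []
    if o.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not yes, so sshd never runs the PAM auth stack")
    if o.get("kbdinteractiveauthentication", "yes").lower() != "yes":
        findings.append("keyboard-interactive is disabled, so the verification-code prompt is never shown")
    if o.get("pubkeyauthentication", "yes").lower() == "yes":
        # AuthenticationMethods lists alternatives; each alternative must include
        # keyboard-interactive, or a valid key alone logs in without touching PAM.
        methods = o.get("authenticationmethods", "any")
        alternatives = [m.split(",") for m in methods.split()]
        if methods == "any" or any("keyboard-interactive" not in alt for alt in alternatives):
            findings.append("public-key logins bypass PAM; set AuthenticationMethods publickey,keyboard-interactive")
    ga = [e for e in pam_auth_entries(pam_sshd) if e[1].endswith("pam_google_authenticator.so")]
    if not ga:
        findings.append("pam_google_authenticator.so is not in the auth stack of /etc/pam.d/sshd")
    for control, _, args in ga:
        if control not in ("required", "requisite"):
            findings.append(f"control '{control}' does not make the module mandatory")
        if "nullok" in args:
            findings.append("nullok: users without ~/.google_authenticator skip the code")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as configured", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg, SAMPLE_PAM_SSHD) or "OK")
```

To run it against a live host call audit() with the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd; options inside Match blocks are deliberately ignored, so check those by hand with sshd -T -C for the user and address in question.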
With that done, the next SSH login, taking Xshell as the example, requires choosing the Keyboard Interactive authentication type, after which you are prompted for the dynamic verification code.
From now on every login to the VPS asks not only for the password but also for the Google Authenticator code, which makes the server a good deal harder to break into.