★ 解决方案
1) 通过修改/etc/ssh/sshd_config文件,让sshd只监听内网ip。这样只有内网ip才能登陆ssh。但是这样的话就不能远程维护服务器了,有点得不偿失得感觉。
2) 通过修改/etc/hosts.allow和/etc/hosts.deny来限制某个ip的登陆。这个方式其实和上面得类似,你也不知道hacker会从哪个ip登陆,所以你没办法deny他得ip,deny他得时候可能连你自己也deny了。
3) 可以通过/etc/ssh/sshd_config文件来实现。
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for us-
er names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form US-
ER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
PATTERNS
A pattern consists of zero or more non-whitespace characters, `*' (a
wildcard that matches zero or more characters), or `?' (a wildcard that
matches exactly one character). For example, to specify a set of decla-
rations for any host in the ``.co.uk'' set of domains, the following pat-
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organisation except from the ``dialup'' pool, the following entry (in au-
thorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
比如不允许test用户从192.168.0.x登陆,那么可以添加一行
denyusers [email protected].
按照上面的PATTERNS说明,似乎可以加叹号来排除某个ip,但是尝试过没有成功,不知道什么原因了。
按照文档,deny是级别最高的,而设置了allow之后,就只能allow的用户访问了,所以如果想限制某个用户只能从某个ip段登陆,用这个似乎实现不了。
4) 使用ssh得RSA/DSA key。
参考地址:http://www.5ilinux.com/ssh01.html
用ssh-keygen命令生成一对公匙密匙,然后把密匙给用户,并且限制ssh只能通过RSA方式认证。这样会导致所有ssh用户都得用这种方式登陆了,会更加郁闷。
这种方式可以在用户得authorized_keys2文件中,加入from="!192.168.1.158,*"来让用户只能通过158登陆。(这个没有做过验证)
PATTERNS
A pattern consists of zero or more non-whitespace characters, `*' (a
wildcard that matches zero or more characters), or `?' (a wildcard that
matches exactly one character). For example, to specify a set of decla-
rations for any host in the ``.co.uk'' set of domains, the following pat-
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organisation except from the ``dialup'' pool, the following entry (in au-
thorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
5) 用pam。
参考地址:http://www.linuxmine.com/1078.html
看看/etc/pam.d/login文件,有没有pam_access.so的设置。我的debian系统中,ssh相关的都在/etc/pam.d/ssh文件中设置。加入一行
account required pam_access.so
然后修改他的配置文件/etc/security/access.conf文件。加入一行
-:wd:192.168.1. EXCEPT 192.168.1.158
这样,wd用户从192.168.1.x(192.168.1.158除外)的登陆权限被去掉了。也就是说,wd这个用户就只能从158这个ip以及外网ip登陆了。
大功告成。 :)
1) 通过修改/etc/ssh/sshd_config文件,让sshd只监听内网ip。这样只有内网ip才能登陆ssh。但是这样的话就不能远程维护服务器了,有点得不偿失得感觉。
2) 通过修改/etc/hosts.allow和/etc/hosts.deny来限制某个ip的登陆。这个方式其实和上面得类似,你也不知道hacker会从哪个ip登陆,所以你没办法deny他得ip,deny他得时候可能连你自己也deny了。
3) 可以通过/etc/ssh/sshd_config文件来实现。
AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for us-
er names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users. If the pattern takes the form US-
ER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. The allow/deny
directives are processed in the following order: DenyUsers,
AllowUsers, DenyGroups, and finally AllowGroups.
PATTERNS
A pattern consists of zero or more non-whitespace characters, `*' (a
wildcard that matches zero or more characters), or `?' (a wildcard that
matches exactly one character). For example, to specify a set of decla-
rations for any host in the ``.co.uk'' set of domains, the following pat-
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organisation except from the ``dialup'' pool, the following entry (in au-
thorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
比如不允许test用户从192.168.0.x登陆,那么可以添加一行
denyusers [email protected].
按照上面的PATTERNS说明,似乎可以加叹号来排除某个ip,但是尝试过没有成功,不知道什么原因了。
按照文档,deny是级别最高的,而设置了allow之后,就只能allow的用户访问了,所以如果想限制某个用户只能从某个ip段登陆,用这个似乎实现不了。
4) 使用ssh得RSA/DSA key。
参考地址:http://www.5ilinux.com/ssh01.html
用ssh-keygen命令生成一对公匙密匙,然后把密匙给用户,并且限制ssh只能通过RSA方式认证。这样会导致所有ssh用户都得用这种方式登陆了,会更加郁闷。
这种方式可以在用户得authorized_keys2文件中,加入from="!192.168.1.158,*"来让用户只能通过158登陆。(这个没有做过验证)
PATTERNS
A pattern consists of zero or more non-whitespace characters, `*' (a
wildcard that matches zero or more characters), or `?' (a wildcard that
matches exactly one character). For example, to specify a set of decla-
rations for any host in the ``.co.uk'' set of domains, the following pat-
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(`!'). For example, to allow a key to be used from anywhere within an
organisation except from the ``dialup'' pool, the following entry (in au-
thorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
5) 用pam。
参考地址:http://www.linuxmine.com/1078.html
看看/etc/pam.d/login文件,有没有pam_access.so的设置。我的debian系统中,ssh相关的都在/etc/pam.d/ssh文件中设置。加入一行
account required pam_access.so
然后修改他的配置文件/etc/security/access.conf文件。加入一行
-:wd:192.168.1. EXCEPT 192.168.1.158
这样,wd用户从192.168.1.x(192.168.1.158除外)的登陆权限被去掉了。也就是说,wd这个用户就只能从158这个ip以及外网ip登陆了。
大功告成。 :)