The login banner text normally comes from the following files; for safety, edit them or delete their contents:
/etc/issue # welcome message shown on local (console) login
/etc/issue.net # welcome message shown on SSH or Telnet login
# (for SSH this requires setting the Banner option in sshd_config, which defaults to none)
/etc/redhat-release # shows the distribution version
/etc/motd # message of the day shown after login
/etc/ssh/sshd_config, annotated:
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# If the port is changed on a SELinux system, SELinux must be told about it with the following command:
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22 --> listening port; recommended: move it to an unfamiliar port of five or more digits
#AddressFamily any -->
#ListenAddress 0.0.0.0 --> IPv4 address the sshd server listens on
#ListenAddress :: --> IPv6 address the sshd server listens on
# The default requires explicit activation of protocol 1
# By default SSH1 is used, but it has vulnerabilities; SSH2 is recommended; typical client tools select the protocol automatically
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key --> server host key file for SSH1
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key --> server host key file for SSH2
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h --> how often the server regenerates its ephemeral key
#ServerKeyBits 1024 --> length of the server key
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO --> verbosity of sshd log messages
# Authentication:
#LoginGraceTime 2m --> how long the server waits before cutting a connection that has not successfully logged in
#PermitRootLogin yes --> whether root may log in remotely; yes allows it but is insecure, configure /etc/sudoers to obtain administrative privileges instead
#StrictModes yes --> SSH strict mode: checks the permissions and ownership of the user's home directory and rhosts files
#MaxAuthTries 6 --> maximum login attempts per connection; a sensible value helps against brute-force login probing
#MaxSessions 10 -->
#RSAAuthentication yes --> RSA authentication, used only with SSH1
PubkeyAuthentication yes --> public-key authentication
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# Path of the authorized public keys; by default two files are checked, this setting overrides that
# Used together with "PubkeyAuthentication"
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no --> when authenticating with RhostsRSAAuthentication, whether to ignore the user's "$HOME/.ssh/known_hosts"
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes --> whether the ~/.rhosts and ~/.shosts files are used
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no --> login with an empty password
PasswordAuthentication no --> password authentication
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no --> disable s/key passwords
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes --> authenticate through PAM
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes --> X11 forwarding
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes --> print the contents of /etc/motd
#PrintLastLog yes --> print the last-login information
#TCPKeepAlive yes --> guards against dead connections
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no --> reverse DNS lookup of the client
#PidFile /var/run/sshd.pid --> sshd PID file
#MaxStartups 10:30:100 --> number of connections not yet logged in, i.e. connected to sshd but no password entered yet
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#AllowUsers <username> --> users allowed to log in, separated by spaces
#AllowGroups <groupname> --> groups allowed to log in, separated by spaces
#DenyUsers <username> --> users denied login, separated by spaces
#DenyGroups <groupname> --> groups denied login, separated by spaces
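The annotated file above is only useful if the recommended values are actually in place. The script below is an added example, not part of the original page or of OpenSSH: it audits a copy of sshd_config for the hardening points the page makes (Protocol 2, root login, password and empty-password login, public-key auth, rhosts, port choice, MaxAuthTries, AllowUsers/AllowGroups, Banner) and checks the banner files from the top of the page for agetty escapes (\r, \m, \s, \v) that expose kernel and OS details. File paths are arguments, so it can run against a staged copy before rollout. The thresholds "Port >= 10000" (a five-digit port) and "MaxAuthTries <= 6" are this example's reading of the page, and an unset keyword is deliberately counted as a finding rather than resolved to a compiled-in default, since those defaults differ between OpenSSH releases.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit sshd_config and the login
# banner files against the hardening points made above.

# Print the global-scope value of an sshd keyword. Like sshd itself, the first
# uncommented occurrence wins and anything after the first Match block is ignored.
# Keywords match case-insensitively; the "Key=value" spelling is not handled.
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report whether keyword $2 in file $1 has the wanted value $3.
# An unset keyword is a finding: a hardened file states it explicitly.
check_kw() {
    local file=$1 key=$2 want=$3 have
    have=$(sshd_get "$file" "$key")
    if [ -z "$have" ]; then
        printf 'WEAK  %-32s not set (want %s)\n' "$key" "$want"
        return 1
    fi
    if [ "$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')" != "$want" ]; then
        printf 'WEAK  %-32s is %s (want %s)\n' "$key" "$have" "$want"
        return 1
    fi
    printf 'OK    %-32s = %s\n' "$key" "$have"
}

# Audit the settings this page recommends. Returns the number of findings (0 = clean).
# Thresholds for Port and MaxAuthTries are assumptions taken from the page's advice.
audit_sshd() {
    local file=$1 bad=0 port tries banner
    check_kw "$file" Protocol 2 || bad=$((bad+1))
    check_kw "$file" PermitRootLogin no || bad=$((bad+1))
    check_kw "$file" PasswordAuthentication no || bad=$((bad+1))
    check_kw "$file" PermitEmptyPasswords no || bad=$((bad+1))
    check_kw "$file" ChallengeResponseAuthentication no || bad=$((bad+1))
    check_kw "$file" PubkeyAuthentication yes || bad=$((bad+1))
    check_kw "$file" IgnoreRhosts yes || bad=$((bad+1))
    port=$(sshd_get "$file" Port)
    if [ -n "$port" ] && [ "$port" -ge 10000 ] 2>/dev/null; then
        printf 'OK    %-32s = %s\n' Port "$port"
    else
        printf 'WEAK  %-32s is %s (want a 5-digit port)\n' Port "${port:-unset, i.e. 22}"
        bad=$((bad+1))
    fi
    tries=$(sshd_get "$file" MaxAuthTries)
    if [ -n "$tries" ] && [ "$tries" -le 6 ] 2>/dev/null; then
        printf 'OK    %-32s = %s\n' MaxAuthTries "$tries"
    else
        printf 'WEAK  %-32s is %s (want an explicit value <= 6)\n' MaxAuthTries "${tries:-unset}"
        bad=$((bad+1))
    fi
    if [ -z "$(sshd_get "$file" AllowUsers)" ] && [ -z "$(sshd_get "$file" AllowGroups)" ]; then
        printf 'WEAK  %-32s neither set: every account with a valid key may log in\n' 'AllowUsers/AllowGroups'
        bad=$((bad+1))
    fi
    banner=$(sshd_get "$file" Banner)
    case "$banner" in
        ''|none) printf 'WEAK  %-32s not set (point it at /etc/issue.net)\n' Banner; bad=$((bad+1)) ;;
        *)       printf 'OK    %-32s = %s\n' Banner "$banner" ;;
    esac
    return "$bad"
}

# agetty expands escapes in /etc/issue: \r (kernel release), \m (architecture),
# \s (system name), \v (OS version). Prints the ones found and returns 1 if any.
issue_leaks() {
    local found
    found=$(grep -oE '\\[rmsv]' "$1" | sort -u | tr '\n' ' ')
    found=${found% }
    [ -z "$found" ] && return 0
    printf 'LEAK  %s exposes %s\n' "$1" "$found"
    return 1
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config /etc/issue /etc/issue.net
if [ $# -gt 0 ]; then
    audit_sshd "$1"; rc=$?
    shift
    for f in "$@"; do issue_leaks "$f" || rc=1; done
    exit "$rc"
fi
```

The first argument is the sshd_config to audit and any further arguments are banner files; the exit status is non-zero when anything was flagged, so it drops into a CI or configuration-management check as-is. Because sshd honours the first occurrence of a keyword and ignores Match blocks for global settings, the parser follows the same rule rather than taking the last value, which is the mistake that makes many ad-hoc greps report a hardened value that sshd never uses.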