Initial security configuration for a cloud server
1. Add a new user
After logging in as root, add a new user; root login will be disabled later on. Once the user has been created, you can log in over ssh with the new username and password.
root@aliyun:/home# adduser hotpod
Adding user `hotpod' ...
Adding new group `hotpod' (1000) ...
Adding new user `hotpod' (1000) with group `hotpod (1000)' ...
Creating home directory `/home/hotpod' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for hotpod
Enter the new value, or press ENTER for the default
Full Name []: hotpod
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Adding new user `hotpod' to supplemental / extra groups `users' ...
Adding user `hotpod' to group `users' ...
root@aliyun:/home# ls
hotpod tips
2. Grant the new user sudo privileges
Add the new user to the sudo group to grant the privilege (usermod -aG sudo hotpod). Then test whether the user was added successfully with sudo -l -U hotpod; if (ALL : ALL) ALL appears, it worked.
root@aliyun:/home# usermod -aG sudo hotpod
root@aliyun:/home# sudo -l -U hotpod
Matching Defaults entries for hotpod on aliyun:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User hotpod may run the following commands on aliyun:
(ALL : ALL) ALL
3. Configure SSH key login
Logging in with a username and password is never really secure. Switch to key-based login, disable password login at the same time, and remove root's ssh login permission as well.
- Create an RSA key
- By default the generated key is stored in the current user's .ssh directory
- With key login there is no need to set a password; just press Enter at each prompt to proceed. If you are particularly security-conscious, you can also set a passphrase for the key while creating it.
hotpod@aliyun:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hotpod/.ssh/id_rsa):
Created directory '/home/hotpod/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/hotpod/.ssh/id_rsa
Your public key has been saved in /home/hotpod/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:cCqF7FJW2/cqoba6uVGYP9HhVN18bFzgdkyTdD5S7Ag hotpod@aliyun
The key's randomart image is:
+---[RSA 3072]----+
| . .. o+B*|
| . o o . E..+*B|
| = + = . ..=++|
| + + B o . o.o.|
| . = + S . |
| . + o . . |
| . = . . |
| + o . |
| =+. |
+----[SHA256]-----+
- Set the key file permissions
- After creation you will see two files in the .ssh directory: id_rsa is the private key, download it to your local machine; id_rsa.pub is the public key and stays on the server.
- Set the public key file (authorized_keys, below) to mode 600 and the .ssh key directory to mode 700.
- Append the public key to authorized_keys (cat id_rsa.pub >> authorized_keys) for the key-login configuration in the next step.
hotpod@aliyun:~$ cd .ssh/
hotpod@aliyun:~/.ssh$ ls
id_rsa id_rsa.pub
hotpod@aliyun:~/.ssh$ touch authorized_keys
hotpod@aliyun:~/.ssh$ cat id_rsa.pub >> authorized_keys
hotpod@aliyun:~/.ssh$ chmod 600 authorized_keys
hotpod@aliyun:~/.ssh$ cd ..
hotpod@aliyun:~$ chmod 700 .ssh/
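Added example, written for this page and not taken from the post: a small POSIX shell helper that performs the authorized_keys step above without the two mistakes that are easy to make by hand: appending the same key twice (every repeated cat >> authorized_keys adds another copy) and leaving the directory or file with loose permissions, which sshd's default StrictModes rejects if the file is writable by others. The directory and key paths are parameters, the sample key used in comments is constructed, and the function names install_authorized_key and check_ssh_perms are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys idempotently and enforce the 700/600 modes from the steps above.
# SSH_DIR and PUBKEY_FILE are parameters so the helper can be exercised on a
# scratch directory; the function names are this example's own.

# install_authorized_key SSH_DIR PUBKEY_FILE
#   Appends the key line from PUBKEY_FILE to SSH_DIR/authorized_keys unless that
#   exact line is already present (a repeated `cat >> authorized_keys` silently
#   adds duplicates), then sets SSH_DIR to 700 and authorized_keys to 600.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    auth="$ssh_dir/authorized_keys"

    [ -f "$pubkey" ] || { echo "no public key file at $pubkey" >&2; return 1; }
    # An OpenSSH public key line is "<type> <base64> [comment]"; refuse anything
    # else so a private key pasted by mistake never lands in authorized_keys.
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pubkey" ||
        { echo "$pubkey does not look like an OpenSSH public key" >&2; return 1; }

    mkdir -p "$ssh_dir"
    touch "$auth"
    # -x: whole-line match, -F: literal text, -f: patterns taken from the key file
    if ! grep -qxF -f "$pubkey" "$auth"; then
        cat "$pubkey" >> "$auth"
    fi
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
}

# check_ssh_perms SSH_DIR
#   Succeeds only when SSH_DIR is drwx------ and authorized_keys is -rw-------,
#   the modes the post sets (stricter than the "not writable by others" that
#   sshd's default StrictModes insists on before it trusts the file).
check_ssh_perms() {
    dmode=$(ls -ld "$1" | cut -c1-10)
    fmode=$(ls -l "$1/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] && [ "$fmode" = "-rw-------" ]
}

# Typical use on the server, mirroring the post's session:
#   install_authorized_key "$HOME/.ssh" "$HOME/.ssh/id_rsa.pub" && check_ssh_perms "$HOME/.ssh"
```

Because the public key file is a parameter, the same helper works when the key pair is generated on the client and only id_rsa.pub is copied to the server, so the private key never has to leave the machine it was created on.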
- Configure key login
- Edit the /etc/ssh/sshd_config file and set the login options:
  - PubkeyAuthentication yes: enable key login
  - AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2: specify the key file
  - PermitRootLogin no: disable ssh login for the root account
  - PasswordAuthentication no: disallow username/password login
  - sudo systemctl restart sshd: restart the sshd service; then close the current ssh session and log in again, which now requires the key
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PermitRootLogin no
PasswordAuthentication no
hotpod@aliyun:/etc/ssh$ sudo systemctl restart sshd
With the configuration above, trying to log in as root again produces the error
Authentication failed,please connect again.
and only key login is possible now.
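Added example, written for this page and not part of the post: before restarting sshd it is worth confirming that the four settings above are actually the ones sshd will apply. Two sshd_config rules catch people out: the first occurrence of a keyword wins, and an Include line (supported since OpenSSH 8.2) pulls other files in at the point where it appears, so a drop-in that says PasswordAuthentication yes ahead of your own line silently wins. The helper below reads a config the way sshd does and reports any of the post's three hardening values that are not in effect. It assumes no Match blocks (the post uses none) and absolute Include paths; the defaults it applies for absent keywords are sshd's own from sshd_config(5); the function names are this example's own and the test files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read an sshd_config the way sshd
# does (the FIRST occurrence of a keyword wins, and an "Include" line pulls in
# other files at that point) and check the settings the post relies on.
# Assumptions: no Match blocks (the post uses none) and absolute Include paths;
# function names are this example's own.

# sshd_directives FILE
#   Prints "keyword value" for each directive in FILE in sshd's reading order,
#   keywords lowercased (sshd treats them case-insensitively), comments dropped,
#   Include globs expanded recursively.
sshd_directives() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}               # drop comments
        set -- $line                   # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        if [ "$key" = include ]; then
            for pattern in "$@"; do
                for inc in $pattern; do
                    if [ -f "$inc" ]; then sshd_directives "$inc"; fi
                done
            done
        else
            printf '%s %s\n' "$key" "$*"
        fi
    done < "$file"
}

# sshd_effective FILE KEYWORD
#   Prints the value sshd would use for KEYWORD (first match), lowercased;
#   prints nothing when the keyword is absent, i.e. the compiled-in default applies.
sshd_effective() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sshd_directives "$1" | while read -r k v; do
        if [ "$k" = "$want" ]; then
            printf '%s\n' "$v" | tr 'A-Z' 'a-z'
            break
        fi
    done
}

# audit_sshd_config FILE
#   Reports every setting that differs from the hardened values in the post and
#   returns 1 if any does. Defaults applied for absent keywords are sshd's own
#   (sshd_config(5)): PubkeyAuthentication yes, PermitRootLogin prohibit-password,
#   PasswordAuthentication yes.
audit_sshd_config() {
    cfg=$1
    bad=0
    v=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ -n "$v" ] || v=yes
    [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v', expected yes"; bad=1; }
    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ -n "$v" ] || v=prohibit-password
    [ "$v" = no ] || { echo "PermitRootLogin is '$v', expected no"; bad=1; }
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ -n "$v" ] || v=yes
    [ "$v" = no ] || { echo "PasswordAuthentication is '$v', expected no"; bad=1; }
    return $bad
}

# Typical use on the server after editing, before restarting sshd:
#   audit_sshd_config /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
```

sshd -t checks the file for syntax errors without starting the daemon, and sudo sshd -T prints the full effective configuration, so the audit can be cross-checked against the daemon's own reading. Keep the existing ssh session open while restarting and confirm the key login from a second terminal; if the new configuration turns out to be wrong, the open session is what lets you fix it.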