/ walking bear:D / linux tips about sshd.service

linux tips about sshd.service

2017-04-04 posted in []

在 network server end 開發應用一定要講「小字訣」。程式本身要短小精悍,效能才會高。接觸面要小,免得被不知名的漏洞組合給攻陷。

相對「小」之 Rule of thumb,sshd 是非常強大的,也是各種攻擊手段的目標,ex: DoS attack。很多 linux distributions 都是 default disabled。

/etc/ssh/sshd_config 可以做各種限制設定,ex: 不讓 well-known 帳號可以登入 的 PermitRootLogin no

不管怎樣設定,最好還是利用 iptables 限制 sshd.service 只能在內網使用:

# /sbin/iptables -I INPUT -p tcp --dport 22 -j REJECT
# /sbin/iptables -I INPUT -p tcp --dport 22 -s 127.0.0.1 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

在內網運行 sshd 有各種便利,如替代以往的 nfs 的 remote mount:

$ mkdir /tmp/user 
$ sshfs -o allow_other user@192.168.0.123:/home/user/Public /tmp/user

. reply_count: 0 get_replies : 0 .

walking bear:DRSS feed

关于

wkliang

Clarke's Three Laws:

  • When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
  • The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
  • Any sufficiently advanced technology is indistinguishable from magic.
  • 版权申明

    知识共享许可协议

    Fork me on GitHub

    Powered by

    Disqus, GitHub, Google Custom Search, Gravatar, HighlightJS, jekyll