In Tone

如何修改 CentOS 7 SSH Port

近期查看 /var/log/secure Log 發現大量的不明 IP 嘗試登入我的主機,產生了很多 Log,如下(每分鐘就來個6~7次,看的很煩)

[root@localhost ~]$ cat /var/log/secure
Mar 30 15:08:23 onepic sshd[8198]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:08:34 onepic sshd[8204]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:08:46 onepic sshd[8205]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:08:57 onepic sshd[8206]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:09:08 onepic sshd[8211]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:09:20 onepic sshd[8212]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:09:32 onepic sshd[8221]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:09:42 onepic sshd[8224]: refused connect from 120.48.4.5 (120.48.4.5)
Mar 30 15:09:43 onepic sshd[8225]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:09:54 onepic sshd[8226]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:10:05 onepic sshd[8238]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:10:17 onepic sshd[8239]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:10:28 onepic sshd[8250]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:10:36 onepic sshd[8251]: refused connect from 167.99.254.203 (167.99.254.203)
Mar 30 15:10:39 onepic sshd[8252]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:10:46 onepic sshd[8253]: refused connect from 209.141.43.56 (209.141.43.56)
Mar 30 15:10:51 onepic sshd[8254]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:11:02 onepic sshd[8255]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:11:13 onepic sshd[8256]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:11:24 onepic sshd[8269]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:11:35 onepic sshd[8270]: refused connect from 14.162.179.66 (14.162.179.66)
Mar 30 15:11:47 onepic sshd[8271]: refused connect from 14.162.179.66 (14.162.179.66)

過程中有使用過 fail2ban,但是在 hosts.deny 上增加了 幾千筆的資料,也有可能對方使用 偽 IP 進行 SSH 登入。

最後決定更新 SSH Port 來阻擋惡意登入用戶,也就是把 22 port 改成其它 port,因為 22 Port是大家知道的 SSH 服務端口,改了也比較不容易被攻擊。

以下是修改流程。

修改 sshd_config 設定

  • vim /etc/ssh/sshd_config 將 第17行 的 #Port 22 取消注解,下一行增加 Port 2468 (避免服務重啟後,設定失敗造成原來的 Port 22 也無法使用)
  • 存檔後進行 SSH 服務重起 systemctl restart sshd
[root@localhost ~]$ vim /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 22
Port 2468
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

:wq

[root@localhost ~]$ systemctl restart sshd
[root@localhost ~]$

防火牆 firewall 增加 2468 Port 設定

  • 增加新規則讓 2468 Port 允許對外連線 firewall-cmd --permanent --zone=public --add-port=2468/tcp
  • 重啟服務 firewall-cmd --reload
[root@localhost ~]$ firewall-cmd --permanent --zone=public --add-port=2468/tcp
success  

[root@localhost ~]$ firewall-cmd --reload

使用新的 Port 進行登入

ssh -p 2468 root@www.yourserver.com

$ ssh -p 2468 root@www.yourserver.com
root@www.yourserver.com's password: 
Last login: Wed Mar 31 15:22:35 2021 from 192.168.1.2

[root@localhost ~]$

成功登入後,就可以進行將 22 Port 進行關閉

關閉 22 Port 流程

  • 修改 sshd_config
  • 移除 firewalld 規則
[root@localhost ~]$ vim /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
Port 2468
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

:wq

[root@localhost ~]$ systemctl restart sshd
[root@localhost ~]$ firewall-cmd --permanent --zone=public --remove-port=22/tcp
success

[root@localhost ~]$ firewall-cmd --reload

小幫手

, , , ,