Configuring ssh on Ubuntu

# Edit the configuration file
$ sudo vi /etc/ssh/sshd_config


# Port: set the listening port
Port 20105
# Disable root login
PermitRootLogin no
# Log level
LogLevel VERBOSE
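# By default, after connecting to Ubuntu through sshd you must log in within 120 seconds (2 minutes) of the prompt appearing; otherwise sshd automatically drops the connection. This value can be set with LoginGraceTime.
# Setting LoginGraceTime to 20 seconds is an effective defense against automated brute-force attacks on ssh and denial-of-service (DDoS) attacks.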
LoginGraceTime 20
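# If you do not want anyone to run graphical programs over ssh (these programs are displayed through an SSH tunnel), you can turn this off with the X11Forwarding directive, which removes many possible avenues of attack.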
X11Forwarding no
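# A warning banner stating that unauthorized access is not welcome can help you successfully prosecute attackers, or other parties who try to access your server over ssh without permission.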
Banner /etc/issue.net
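When logging in to openssh-server, you may find that the server takes a long time to return the password prompt. The reason is that, by default, openssh-server performs a reverse DNS lookup on the user's IP address, which causes a long delay. The exact cause still needs further investigation ^_^. You can speed up client access by turning this behavior off in the configuration file. To do so, add the following two lines to /etc/ssh/sshd_config: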
GSSAPIAuthentication no
UseDNS no
# Only user zeng may log in; all other users are refused
AllowUsers zeng
=========================================
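Edit the banner file
$ sudo vi /etc/issue
with the following content:
This server may only be used with authorization; unauthorized users are not welcome.
Warning: your IP and related information have been recorded. Access to this machine without permission is not allowed, and we reserve the right to pursue legal action.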
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************

Save the file and create a symbolic link to it at /etc/issue.net
$ sudo ln -s /etc/issue /etc/issue.net


Run the following command to restart ssh
$ sudo /etc/init.d/ssh restart
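
Added example, not part of the original post: a small shell audit that checks a config file for the hardening settings listed above. It relies on sshd using the first value it reads for each single-valued keyword; the function names and the sample file are made up for this illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). For single-valued keywords sshd
# uses the FIRST value it reads, so a later duplicate line is silently ignored.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
# Handles the whitespace-separated "Keyword value" form only.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# expect FILE KEYWORD VALUE: report when the effective value differs.
expect() {
    got=$(effective_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: want '$3', effective '${got:-unset}'"
    fails=$((fails + 1))
}

# audit FILE: check the settings from this page; status 0 only if all match.
audit() {
    fails=0
    expect "$1" PermitRootLogin no
    expect "$1" X11Forwarding no
    expect "$1" UseDNS no
    expect "$1" GSSAPIAuthentication no
    expect "$1" Banner /etc/issue.net
    grace=$(effective_value "$1" LoginGraceTime)
    case "$grace" in
        ''|*[!0-9]*|0) grace_ok=0 ;;        # unset = 120s default, 0 = no limit
        *) [ "$grace" -le 20 ] && grace_ok=1 || grace_ok=0 ;;
    esac
    if [ "$grace_ok" -eq 0 ]; then
        echo "FAIL LoginGraceTime: want 1-20 seconds, effective '${grace:-unset}'"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: the last PermitRootLogin line looks like a fix but loses.
sample=$(mktemp)
printf '%s\n' 'Port 20105' 'PermitRootLogin yes' 'LogLevel VERBOSE' \
    'LoginGraceTime 20' 'X11Forwarding no' 'Banner /etc/issue.net' \
    'GSSAPIAuthentication no' 'UseDNS no' 'PermitRootLogin no' > "$sample"
audit "$sample" || echo "$fails deviation(s) found"
rm -f "$sample"
```

On a live host, `sudo sshd -T` prints the effective configuration as sshd itself computes it, which also covers included files.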

Reposted from rocken.iteye.com/blog/953997