莫忘、初心:centos7 修改和优化ssh
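修改ssh服务前必须修改selinux 配置,不然会出现ssh连接错误(本文的做法是直接关闭SELinux,这会同时去掉整台主机的强制访问控制;如果只是更换端口,也可以保持 enforcing,用 semanage port -a -t ssh_port_t -p tcp 22222 把新端口加入 ssh_port_t 类型):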
/bin/bash: Permission denied
修改selinux配置文件
SELINUX=enforcing
修改为
SELINUX=disabled
[root@192-168-1-1 ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
然后重启服务器
[root@192-168-1-1 ~]# reboot
vim /etc/ssh/sshd_config
在
#port 22
下新建一行
Port 22222
#Port 22
Port 22222
重启sshd服务(重启前可先执行 sshd -t 检查配置文件语法;重启后保留当前会话,确认能从新端口登录后再断开,避免把自己锁在外面)
systemctl restart sshd
因为防火墙中此时并未开放端口22222
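所以我们需要关闭防火墙再测试端口是否可用(注意:下面的命令只是重启 firewalld,既不会关闭防火墙,也不会放行端口;更稳妥的做法是只放行新端口:firewall-cmd --permanent --add-port=22222/tcp,然后 firewall-cmd --reload)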
systemctl restart firewalld.service
如今大多数安全测试和渗透测试都要求隐藏OpenSSH服务的版本号(隐藏版本号只是减少信息暴露,并不能修复该版本本身存在的漏洞,openssh 软件包仍需及时更新)
查看sshd文件的路径
# whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
备份sshd文件,注意,此步万万不可省略,防止出错后无法修改
[root@192-168-1-1 ~]# cd /usr/sbin/
[root@192-168-1-1 sbin]# cp sshd sshd.bak
[root@192-168-1-1 sbin]# ll sshd*
-rwxr-xr-x. 1 root root 853040 4月 11 2018 sshd
-rwxr-xr-x. 1 root root 853040 12月 23 14:55 sshd.bak
-rwxr-xr-x. 1 root root 3613 4月 11 2018 sshd-keygen
查看openssh服务的版本号
[root@192-168-1-1 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
查看文件中关于OpenSSH相关的字符
ssh的版本号即为OpenSSH_7.4
[root@192-168-1-1 sbin]# strings /usr/sbin/sshd | grep OpenSSH
OpenSSH_7.4p1-RHEL7-7.4p1-16
OpenSSH_7.4
OpenSSH_7.4p1
OpenSSH_2.3.0*
OpenSSH_2.3.*
OpenSSH_2.5.3*
OpenSSH_3.*
OpenSSH_4*
OpenSSH_5*
OpenSSH_6.6.1*
OpenSSH_6.5*,OpenSSH_6.6*
OpenSSH*
OpenSSH-2.0*,OpenSSH-2.1*,OpenSSH_2.1*,OpenSSH_2.2*
OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*
OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*
OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
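修改openssh服务的版本号(这里是直接改写二进制文件,替换后的字符串必须与原字符串长度完全相同,否则会破坏 sshd;此外,修改后的文件无法通过 rpm -V openssh-server 校验,软件包升级时也会被覆盖,需要重新处理)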
[root@192-168-1-1 sbin]# sed -i 's/OpenSSH_7.4/TestSSH_A.a/g' sshd
sed -i 代表直接在原文件上修改(原地编辑),s/原值/新值/g 代表把所有匹配到的原值替换为新值
OpenSSH_7.4 代表原来的值
TestSSH_A.a 代表替换后的值
sshd 代表替换的文件 (/usr/sbin/sshd)
重启sshd服务,并查看版本信息
[root@192-168-1-1 sbin]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@192-168-1-1 sbin]# sshd -V
unknown option -- V
TestSSH_A.ap1, OpenSSL 1.0.2k-fips 26 Jan 2017
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]