How do I restrict SSH to listen only for requests from my local network?

Kei*_*age 5 linux networking ssh openssh

I am a beginner, new to development boards and to Linux as a whole, and have been using the wonderful SSH package in Debian (which I believe is OpenSSH) to tinker and learn more without having to connect physically to my Pi via a serial cable.

I have followed various websites and threads on this forum to harden and tune my SSH to make it more secure. However, one important change I want to make to my sshd_config file has been frustrating me - ListenAddress. As I understand it, ListenAddress in sshd_config defines the strict parameters for the IP addresses on which the server should listen for requests.

The default value of ListenAddress in sshd_config is 0.0.0.0, commented out. As I understand it, when the "commented-out default" convention is used, the application falls back to that value. I have read the man page, which indicates the default is

listen on all local addresses in the current routing domain

and while I can't profess to know a lot about networking, I've read elsewhere 0.0.0.0 indicates the server will listen for requests from any IPv4 address from the internet at large? I am worried this may make my (internet facing) Pi a target for attack, and it seems prudent to limit ListenAddress to only listen for requests from my internal network. I won't have need for access anywhere other than home.

My router (Apple Airport) DHCP Range is 10.0.1.2 to 10.0.1.200, with the router at 10.0.1.1. (This seems to be the default, if I had known more perhaps I should have changed this to 192.168.1.1). I have tried setting the following ListenAddress values, all of which have locked me out of SSH, necessitating connecting with a USB serial cable to revert ListenAddress back to default:

10.0.1.0 - I thought setting the last octet at 0 may indicate all IPs on the 10.0.1. range

10.0.1.* - I thought using * as a wildcard may work as per the first example as above

10.0.1.** - In case the single * wildcard only indicated a .1 to .9 range

10.0.1.1 - It seems silly now but I thought setting the router's IP may do the trick, as this is the magic 'box' handing out the IP addresses

10.0.1.1/24 - Using /24 to define the first three octets, leaving the last octet as the open 'range'. But it seems sshd_config doesn't recognise the / character

127.0.0.1 - I learned about the localhost or loop back address option, but this didn't work either

10.0.1.24 - My computer's IP. This last throw of the dice didn't work, and on running systemctl status ssh.service returned error: Bind to port 22 on 10.0.1.24 failed: Cannot assign requested address, fatal: Cannot bind any address and Failed to start OpenBSD Secure Shell server messages.

I hope this goes some way to explaining my thinking, and what I've tried so far - I feel I've exhausted all logical options and perhaps 0.0.0.0 is the only permitted option for what I am trying to achieve. Do let me know if my question is better suited to the networking forum instead.

Worryingly, systemctl status ssh.service also advised Deprecated option for the following sshd_config values:

Deprecated option KeyRegenerationInterval
Deprecated option RhostsRSAAuthentication
Deprecated option RSAAuthentication
Deprecated option KeyRegenerationInterval
Deprecated option RhostsRSAAuthentication
Deprecated option RSAAuthentication

However I'm at a loss as to what the program's favoured values for these should be.

I am pushing the limits of my (very limited) knowledge thus far, but I understand from my previous query to this board plenitude and prolixity is encouraged to assist your kind replies.

My sshd_config defaults are v1.103 and the changes I have made are:

AddressFamily inet
AllowUsers keith
Protocol 2
LoginGraceTime 30
KeyRegenerationInterval 3600
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 1
PubkeyAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AuthenticationMethods publickey keyboard-interactive
UsePAM yes
X11Forwarding no
PrintMotd no
TCPKeepAlive no
ClientAliveInterval 360
ClientAliveCountMax 0

I have been using a variety of websites and sources for guidance, so some of these values may now be superannuated. I understand SSH security is constantly evolving and something of a moveable feast.

I hope this explains my thought process and methodology, and my apologies for the lack of brevity. Thank you all for your kind help thus far, it is very much appreciated. Never stop learning!

xen*_*oid 4

Actually, ListenAddress tells the SSH server which of the system's interfaces it should listen on (0.0.0.0 makes it listen on all interfaces). For example, if your system has a Wi-Fi interface (on 10.0.1.4) and an Ethernet interface (10.0.1.12), ListenAddress 10.0.1.12 will make it listen only on the Ethernet interface, and other machines will have to SSH to 10.0.1.12 to get a connection.

To restrict outside users to a given address range, you would use the firewall, either iptables directly (but it is not meant for humans) or a friendlier front end such as ufw.

However, since you are behind a router, the router probably already blocks outside access: systems on the other side of the router do not see your 10.0.1.* addresses; to them everything comes from a single address, your router, and to initiate a connection from outside to one of your local machines the router has to be set up to do port forwarding (a connection to some designated port on the router is forwarded to a specific local address:port on the local network).
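The two points in the answer above, that ListenAddress must name an address actually assigned to one of the Pi's interfaces and that restricting by source range is the firewall's job, as an added example (not part of the original answer or of OpenSSH). It checks candidate ListenAddress values the way sshd's bind() will, using unprivileged port 0, and builds ufw rules for a LAN-only allow; the 10.0.1.0/24 LAN and the sample values are assumptions taken from the question.

```python
"""Added example: test candidate ListenAddress values and build LAN-only firewall rules.

sshd accepts ListenAddress as host, host:port or [host]:port, where host is an
address assigned to a local interface. Subnets, wildcards and CIDR masks are not
valid there; restricting *who* may connect is the firewall's job.
"""
import errno
import ipaddress
import socket


def check_listen_address(value: str) -> str:
    """Return 'ok', 'invalid-syntax' or 'not-assigned' for one ListenAddress value."""
    host = value
    if value.startswith("["):            # [ipv6]:port form
        host = value[1:value.find("]")]
    elif value.count(":") == 1:          # ipv4:port form
        host = value.split(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                   # e.g. "10.0.1.*" or "10.0.1.1/24"
        return "invalid-syntax"
    # Mimic sshd's bind(): it only succeeds for an address this host actually has;
    # otherwise the kernel answers EADDRNOTAVAIL ("Cannot assign requested address").
    family = socket.AF_INET if addr.version == 4 else socket.AF_INET6
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, 0))            # port 0: any free port, no root needed
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return "not-assigned"
            raise
    return "ok"


def lan_only_ssh_rules(lan_cidr: str, port: int = 22) -> list[str]:
    """ufw commands allowing SSH only from lan_cidr (assumed 10.0.1.0/24 here)."""
    net = ipaddress.ip_network(lan_cidr, strict=True)   # rejects 10.0.1.1/24
    return [
        "ufw default deny incoming",
        f"ufw allow from {net} to any port {port} proto tcp",
        "ufw enable",
    ]


if __name__ == "__main__":
    # Constructed sample: values tried in the question, plus a TEST-NET address.
    for v in ["0.0.0.0", "10.0.1.0", "10.0.1.*", "10.0.1.1/24", "127.0.0.1", "192.0.2.1"]:
        print(f"{v:14} -> {check_listen_address(v)}")
    print("\n".join(lan_only_ssh_rules("10.0.1.0/24")))
```

127.0.0.1 reports "ok" because it binds, but sshd then accepts connections only from the Pi itself, which is why it also looked like a lock-out from another machine.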