通过在centos stream 9中配置sshd_config文件中的allowusers参数,可以实现ssh访问控制。
一、CentOS的主要版本介绍
(图片可放大查看)
CentOS Linux与CentOS Stream
(图片可放大查看)
当前CentOS Linux有两个主要版本:
- CentOS Linux 7
- CentOS Linux 8
(图片可放大查看)
当前CentOS Stream有两个主要版本:
- CentOS Stream 8
- CentOS Stream 9
(图片可放大查看)
二、CentOS Stream 9系统安装初体验
(图片可放大查看)
1、安装过程截图
(图片可放大查看)
2、安装后关闭SELinux
getenforce setenforce 0 sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config cat /etc/selinux/config
(图片可放大查看)
接下来进入正题
三、CentOS Stream 9通过配置sshd_config中的AllowUsers实现SSH访问控制
1、CentOS Stream 9默认无/etc/hosts.allow
在CentOS Stream 9系统中:
ll /etc/hosts.allow ldd /usr/sbin/sshd
可以发现无libwrap.so.0库文件
(图片可放大查看)
系统中没有/etc/hosts.allow和/etc/hosts.deny文件
与CentOS 7系统对比
具体参考如下两篇文章
利用tcp_wrapper实现SSH登录的IP访问控制
细谈企业网络安全中堡垒机绕过问题
2、man sshd_config查看AllowUsers参数配置说明
AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR ad‐ dress/masklen format. The allow/deny users directives are processed in the follow‐ ing order: DenyUsers, AllowUsers.
(图片可放大查看)
3、SSH访问控制配置步骤实践
vi /etc/ssh/sshd_config
添加如下一行,只允许192.168.31.100上的root用户登录
AllowUsers root@192.168.31.100 systemctl restart sshd
(图片可放大查看)
验证:192.168.31.232尝试SSH登录CentOS Stream 9 192.168.31.192
输入正确密码也会提示登录失败
(图片可放大查看)
在CentOS Stream 9服务器上查看日志
tail -f /var/log/secure
可以看到如下日志
Jan 24 21:07:47 localhost sshd[1447]: User root from 192.168.31.232 not allowed because not listed in AllowUsers
(图片可放大查看)
这样就可以实现SSH访问控制
当注释掉AllowUsers这一行,重启sshd服务,就可以正常登录
(图片可放大查看)
Tips:CentOS Linux 8以后不再支持/etc/hosts.allow和/etc/hosts.deny
1、CentOS Linux 8 2、CentOS Stream 9 3、CentOS Stream 8
