安全 on HiDahttps://www.0niu.cn/tags/%E5%AE%89%E5%85%A8/Recent content in 安全 on HiDaHugo -- gohugo.iozhMon, 18 Mar 2024 09:44:00 +0800修改 SSH 监听端口与 SELinux 配置https://www.0niu.cn/posts/ssh%E7%AB%AF%E5%8F%A3%E4%BF%AE%E6%94%B9%E4%B8%8Eselinux%E9%85%8D%E7%BD%AE/Mon, 18 Mar 2024 09:44:00 +0800https://www.0niu.cn/posts/ssh%E7%AB%AF%E5%8F%A3%E4%BF%AE%E6%94%B9%E4%B8%8Eselinux%E9%85%8D%E7%BD%AE/<h2 id="概述">概述</h2> <p>出于安全考虑,修改 SSH 默认端口(22)是一个常见的安全加固措施。本文介绍如何修改 SSH 监听端口,并正确配置 SELinux 以允许新端口的访问。</p> <h2 id="修改-ssh-监听端口">修改 SSH 监听端口</h2> <h3 id="1-编辑-ssh-配置文件">1. 编辑 SSH 配置文件</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo vi /etc/ssh/sshd_config </span></span></code></pre></div><p>找到 <code>#Port 22</code> 这一行,取消注释并修改为需要的端口:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">Port 22</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Port 2222</span> </span></span></code></pre></div><p>建议同时保留默认端口和自定义端口,便于测试。确认新端口正常工作后,再删除默认端口配置。</p> <h3 id="2-重启-ssh-服务">2. 重启 SSH 服务</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo systemctl restart sshd </span></span></code></pre></div><h3 id="3-验证新端口">3. 验证新端口</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 检查 SSH 服务监听端口</span> </span></span><span style="display:flex;"><span>sudo ss -tlnp | grep sshd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 或使用 netstat</span> </span></span><span style="display:flex;"><span>sudo netstat -tlnp | grep sshd </span></span></code></pre></div><p>应该看到新端口(如 2222)已开始监听。</p><h2 id="概述">概述</h2> <p>出于安全考虑,修改 SSH 默认端口(22)是一个常见的安全加固措施。本文介绍如何修改 SSH 监听端口,并正确配置 SELinux 以允许新端口的访问。</p> <h2 id="修改-ssh-监听端口">修改 SSH 监听端口</h2> <h3 id="1-编辑-ssh-配置文件">1. 编辑 SSH 配置文件</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo vi /etc/ssh/sshd_config </span></span></code></pre></div><p>找到 <code>#Port 22</code> 这一行,取消注释并修改为需要的端口:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">Port 22</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Port 2222</span> </span></span></code></pre></div><p>建议同时保留默认端口和自定义端口,便于测试。确认新端口正常工作后,再删除默认端口配置。</p> <h3 id="2-重启-ssh-服务">2. 重启 SSH 服务</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo systemctl restart sshd </span></span></code></pre></div><h3 id="3-验证新端口">3. 验证新端口</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 检查 SSH 服务监听端口</span> </span></span><span style="display:flex;"><span>sudo ss -tlnp | grep sshd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 或使用 netstat</span> </span></span><span style="display:flex;"><span>sudo netstat -tlnp | grep sshd </span></span></code></pre></div><p>应该看到新端口(如 2222)已开始监听。</p> <h2 id="配置-selinux">配置 SELinux</h2> <p>如果在启用了 SELinux 的系统上修改 SSH 端口,必须更新 SELinux 策略,否则 SSH 服务无法正常绑定到新端口。</p> <h3 id="1-检查当前-selinux-状态">1. 检查当前 SELinux 状态</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 查看 SELinux 状态</span> </span></span><span style="display:flex;"><span>sestatus </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 查看 SSH 允许的端口</span> </span></span><span style="display:flex;"><span>sudo semanage port -l | grep ssh </span></span></code></pre></div><p>默认情况下,SELinux 只允许 SSH 使用端口 22。</p> <h3 id="2-添加新端口到-selinux-策略">2. 添加新端口到 SELinux 策略</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 添加新端口(如 2222)到 SSH 服务</span> </span></span><span style="display:flex;"><span>sudo semanage port -a -t ssh_port_t -p tcp <span style="color:#ae81ff">2222</span> </span></span></code></pre></div><p>参数说明:</p> <ul> <li><code>-a</code>:添加</li> <li><code>-t ssh_port_t</code>:指定端口类型为 SSH 端口</li> <li><code>-p tcp</code>:协议为 TCP</li> <li><code>2222</code>:端口号</li> </ul> <h3 id="3-验证-selinux-配置">3. 验证 SELinux 配置</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 再次查看 SSH 允许的端口</span> </span></span><span style="display:flex;"><span>sudo semanage port -l | grep ssh </span></span></code></pre></div><p>应该可以看到:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>ssh_port_t tcp 2222, 22 </span></span></code></pre></div><h3 id="4-删除不需要的端口可选">4. 删除不需要的端口(可选)</h3> <p>如果需要从 SELinux 策略中移除某个端口:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo semanage port -d -t ssh_port_t -p tcp <span style="color:#ae81ff">2222</span> </span></span></code></pre></div><h2 id="配置防火墙">配置防火墙</h2> <p>根据系统使用的防火墙,需要开放新端口。</p> <h3 id="firewalldrhelcentosfedora">firewalld(RHEL/CentOS/Fedora)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 添加新端口到防火墙规则</span> </span></span><span style="display:flex;"><span>sudo firewall-cmd --permanent --add-port<span style="color:#f92672">=</span>2222/tcp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 重新加载防火墙配置</span> </span></span><span style="display:flex;"><span>sudo firewall-cmd --reload </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 查看当前开放的端口</span> </span></span><span style="display:flex;"><span>sudo firewall-cmd --list-ports </span></span></code></pre></div><h3 id="ufwubuntudebian">ufw(Ubuntu/Debian)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 允许新端口</span> </span></span><span style="display:flex;"><span>sudo ufw allow 2222/tcp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 查看防火墙状态</span> </span></span><span style="display:flex;"><span>sudo ufw status </span></span></code></pre></div><h3 id="iptables">iptables</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 添加规则</span> </span></span><span style="display:flex;"><span>sudo iptables -A INPUT -p tcp --dport <span style="color:#ae81ff">2222</span> -j ACCEPT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 保存规则(根据发行版不同,命令可能不同)</span> </span></span><span style="display:flex;"><span>sudo service iptables save </span></span><span style="display:flex;"><span><span style="color:#75715e"># 或</span> </span></span><span style="display:flex;"><span>sudo netfilter-persistent save </span></span></code></pre></div><h2 id="测试连接">测试连接</h2> <p>在确认所有配置正确后,测试新端口的连接:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ssh -p <span style="color:#ae81ff">2222</span> username@server_ip </span></span></code></pre></div><p>如果连接成功,可以回到 SSH 配置文件中删除默认端口(22),然后重启 SSH 服务:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">Port 2222</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo systemctl restart sshd </span></span></code></pre></div><h2 id="常见问题">常见问题</h2> <h3 id="问题-1修改端口后无法连接">问题 1:修改端口后无法连接</h3> <p><strong>可能原因</strong>:</p> <ul> <li>SELinux 未配置允许新端口</li> <li>防火墙未开放新端口</li> <li>SSH 服务未正确重启</li> </ul> <p><strong>排查步骤</strong>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 检查 SELinux 日志</span> </span></span><span style="display:flex;"><span>sudo ausearch -m avc -ts recent | grep sshd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 检查 SSH 服务状态</span> </span></span><span style="display:flex;"><span>sudo systemctl status sshd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 检查端口监听</span> </span></span><span style="display:flex;"><span>sudo ss -tlnp | grep <span style="color:#ae81ff">2222</span> </span></span></code></pre></div><h3 id="问题-2semanage-命令不存在">问题 2:semanage 命令不存在</h3> <p><strong>解决方法</strong>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># RHEL/CentOS/Fedora</span> </span></span><span style="display:flex;"><span>sudo dnf install policycoreutils-python-utils </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Ubuntu/Debian</span> </span></span><span style="display:flex;"><span>sudo apt install policycoreutils-python-utils </span></span></code></pre></div><h3 id="问题-3selinux-阻止-ssh-绑定端口">问题 3:SELinux 阻止 SSH 绑定端口</h3> <p>查看 SELinux 拒绝日志:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo ausearch -m avc -ts recent | grep sshd | grep denied </span></span></code></pre></div><p>如果看到类似 <code>bind</code> 操作被拒绝,说明 SELinux 策略未正确配置,按照上述步骤添加端口即可。</p> <h2 id="安全建议">安全建议</h2> <ol> <li><strong>选择非标准端口</strong>:避免使用容易被扫描的端口,如 2222、22222 等</li> <li><strong>定期更换端口</strong>:在高安全要求的环境中,定期更换 SSH 端口</li> <li><strong>结合其他安全措施</strong>: <ul> <li>启用密钥认证,禁用密码登录</li> <li>配置 fail2ban 防止暴力破解</li> <li>限制允许访问的 IP 地址</li> </ul> </li> <li><strong>保持 SELinux 启用</strong>:SELinux 提供了额外的安全防护层,建议保持启用状态</li> </ol> <h2 id="参考资料">参考资料</h2> <ul> <li><a href="https://docs.redhat.com/zh-cn/documentation/red_hat_enterprise_linux/9/html/using_selinux/configuring-selinux-policies_configuring-selinux">Red Hat SELinux 端口管理文档</a></li> <li><a href="https://www.openssh.com/manual.html">OpenSSH 官方文档</a></li> </ul>