SSH two-factor authentication: putting an end to SSH brute-forcing


I only tested this on CentOS 7; I have not tested other system versions.

1. Install Google Authenticator

    yum install google-authenticator -y

(On CentOS 7 the google-authenticator package comes from the EPEL repository, so enable EPEL first if yum cannot find it.)

[Screenshot: TIM截图20191125172132.png, uploaded 2019-11-25 17:21]

2. Configure SSH

2.1 Edit /etc/pam.d/sshd

    # vim /etc/pam.d/sshd

Add the following line at the top of the file, immediately after the line "auth required pam_sepermit.so":

    auth required pam_google_authenticator.so

[Screenshot: TIM截图20191125172247.png, uploaded 2019-11-25 17:23]

2.2 Edit /etc/ssh/sshd_config

Find the ChallengeResponseAuthentication parameter and change its value to yes:

    ChallengeResponseAuthentication yes

[Screenshot: TIM截图20191125172511.png, uploaded 2019-11-25 17:25]

2.3 Restart the SSH service

    # systemctl restart sshd

Keep your existing session open until a new login with the verification-code prompt succeeds, so that a mistake in either file cannot lock you out.
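As an added illustration in Python (not code from the original post), here are the two edits from steps 2.1 and 2.2 applied to file contents held in memory, so they can be checked before anything in /etc is touched. The pam.d/sshd and sshd_config excerpts inside the block are constructed to resemble the CentOS 7 defaults, and the function and constant names are the example's own. auth_order shows why the login later asks for the verification code before the password: the new module sits above the password-auth substack.

```python
"""Added illustration (not from the original post): apply the edits from
steps 2.1 and 2.2 to config text in memory, then check the resulting auth order."""
import re

PAM_OTP_LINE = "auth       required     pam_google_authenticator.so"
PAM_ANCHOR = "pam_sepermit.so"


def add_pam_otp(pam_sshd_text: str) -> str:
    """Insert the pam_google_authenticator line right after the active
    pam_sepermit.so line (step 2.1). Idempotent: if an active
    pam_google_authenticator line already exists, the text is returned as is."""
    lines = pam_sshd_text.splitlines()
    for line in lines:
        if not line.lstrip().startswith("#") and "pam_google_authenticator.so" in line:
            return pam_sshd_text
    for i, line in enumerate(lines):
        if PAM_ANCHOR in line and not line.lstrip().startswith("#"):
            lines.insert(i + 1, PAM_OTP_LINE)
            break
    else:
        raise ValueError("no active pam_sepermit.so line: layout differs from CentOS 7")
    return "\n".join(lines) + "\n"


def set_sshd_option(sshd_config_text: str, key: str, value: str) -> str:
    """Set `key value` in sshd_config (step 2.2). sshd honours only the FIRST
    active occurrence of a keyword, so the first active line is rewritten and
    later active duplicates are commented out; with no active line, the first
    commented-out occurrence is replaced; otherwise the line is appended."""
    pattern = re.compile(r"^\s*(#\s*)?" + re.escape(key) + r"\b", re.IGNORECASE)
    new_line = f"{key} {value}"
    out, replaced = [], False
    for line in sshd_config_text.splitlines():
        m = pattern.match(line)
        if m and not m.group(1):            # an active line for this keyword
            out.append("#" + line if replaced else new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        for i, line in enumerate(out):
            if pattern.match(line):         # first commented-out occurrence
                out[i] = new_line
                replaced = True
                break
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def active_value(sshd_config_text: str, key: str):
    """The value sshd will use for `key` (first active occurrence), or None."""
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and not parts[0].startswith("#") and parts[0].lower() == key.lower():
            return parts[1]
    return None


def auth_order(pam_sshd_text: str):
    """Active 'auth' entries in stack order, which is the order the login
    prompts appear in (the post shows 'Verification code:' before 'Password:')."""
    order = []
    for line in pam_sshd_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lstrip("-") == "auth":
            order.append(parts[2])
    return order


# Constructed sample inputs resembling CentOS 7 defaults (not copied from the post).
SAMPLE_PAM_SSHD = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
"""
SAMPLE_SSHD_CONFIG = """# sample sshd_config excerpt
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""


def main():
    pam = add_pam_otp(SAMPLE_PAM_SSHD)
    cfg = set_sshd_option(SAMPLE_SSHD_CONFIG, "ChallengeResponseAuthentication", "yes")
    print("auth stack order:", auth_order(pam))
    print("ChallengeResponseAuthentication =", active_value(cfg, "ChallengeResponseAuthentication"))
    print("UsePAM =", active_value(cfg, "UsePAM"))   # PAM auth is only consulted when this stays yes


if __name__ == "__main__":
    main()
```

For a real host, read the two files, pass their text through add_pam_otp and set_sshd_option, write them back, and restart sshd as in step 2.3. UsePAM must remain yes for the PAM module to be consulted at all; that is the CentOS 7 default, and active_value lets you confirm it before restarting.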

3. Set up Google Authenticator

    # google-authenticator

    Do you want authentication tokens to be time-based (y/n) y

    Warning: pasting the following URL into your browser exposes the OTP secret to Google:

[Screenshot: TIM截图20191125172643.png, uploaded 2019-11-25 17:27]

    Your new secret key is: X7GNO4B5NVYYYFI747A4UOLFR4
    Your verification code is 968659
    Your emergency scratch codes are:
      22394869
      95632253
      87095313
      80140198
      71922478

    Do you want me to update your "/root/.google_authenticator" file? (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y

    By default, a new token is generated every 30 seconds by the mobile app.
    In order to compensate for possible time-skew between the client and the server,
    we allow an extra token before and after the current time. This allows for a
    time skew of up to 30 seconds between authentication server and client. If you
    experience problems with poor time synchronization, you can increase the window
    from its default size of 3 permitted codes (one previous code, the current
    code, the next code) to 17 permitted codes (the 8 previous codes, the current
    code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    between client and server.
    Do you want to do so? (y/n) y

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y

Just answer y to every prompt here. That selects time-based tokens, forbids using the same code twice, widens the accepted window to 17 codes (up to 4 minutes of clock skew) and turns on rate limiting (3 attempts per 30 seconds); the secret, the scratch codes and these settings are written to /root/.google_authenticator.
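To make the window, reuse and rate-limit prompts concrete, here is an added Python illustration (not from the original post, and not the PAM module's own code) of RFC 6238 TOTP generation together with a simplified server-side verifier that models the three answers: a window of 3 codes (the default, one step either side) versus 17 codes (eight steps either side, 4 minutes of skew), refusing reuse of an accepted code, and 3 attempts per 30 seconds. The secret and timestamps are the published RFC 6238 test vectors, not the secret shown above; TotpVerifier, demo and the result labels are the example's own.

```python
"""Added illustration (not from the original post): RFC 6238 TOTP plus a
server-side verifier modelling the google-authenticator policy answers."""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as stated in the google-authenticator output


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / 30 s)."""
    return hotp(secret_b32, unix_time // STEP, digits)


class TotpVerifier:
    """Simplified model of the choices written to ~/.google_authenticator:
    window_codes 3 (default, +/-1 step) or 17 (+/-8 steps, up to 4 minutes),
    disallow_reuse (each counter accepted once), rate_limit (3 attempts / 30 s)."""

    def __init__(self, secret_b32, window_codes=3, disallow_reuse=True, rate_limit=(3, 30)):
        if window_codes % 2 == 0:
            raise ValueError("window must be odd: the current code plus equal counts either side")
        self.secret = secret_b32
        self.half = window_codes // 2
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_seconds = rate_limit
        self.used_counters = set()
        self.attempt_times = []

    def max_skew_seconds(self) -> int:
        return self.half * STEP          # 3 codes -> 30 s, 17 codes -> 240 s

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad', 'reused' or 'rate-limited'."""
        self.attempt_times = [t for t in self.attempt_times if now - t < self.rate_seconds]
        if len(self.attempt_times) >= self.max_attempts:
            return "rate-limited"
        self.attempt_times.append(now)
        centre = now // STEP
        for counter in range(centre - self.half, centre + self.half + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                if self.disallow_reuse and counter in self.used_counters:
                    return "reused"
                self.used_counters.add(counter)
                return "ok"
        return "bad"


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890" in base32):
# a published test vector, not the secret shown in the post.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
T0 = 1111111109   # timestamp from the same RFC test table


def demo():
    code = totp(RFC_SECRET, T0)                  # "081804"
    narrow = TotpVerifier(RFC_SECRET, window_codes=3)
    wide = TotpVerifier(RFC_SECRET, window_codes=17)
    late = T0 + 60                               # presented two steps after it was generated
    return {
        "window3_60s_late": narrow.verify(code, late),   # 'bad': only +/-30 s tolerated
        "window17_60s_late": wide.verify(code, late),    # 'ok': up to 4 minutes tolerated
        "replayed": wide.verify(code, late + 1),         # 'reused': same counter again
        "wrong_code": wide.verify("000000", late + 2),   # 'bad'
        "fourth_attempt": wide.verify(code, late + 3),   # 'rate-limited': 3 per 30 s
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the outcome of each attempt. The point to take from it: widening the window to 17 codes makes a code valid for up to 4 minutes around its time step, so the no-reuse and rate-limit answers are what keep a code that was observed or guessed from being worth much; with 6-digit codes and 3 attempts per 30 seconds, online guessing against the verifier is not practical.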

4. Install the Google Authenticator mobile app

[Screenshot: TIM截图20191125172813.png, uploaded 2019-11-25 17:28]

5. Logging in from Windows

Xshell is used here.

[Screenshot: TIM截图20191125172921.png, uploaded 2019-11-25 17:29]

Then click OK, and then click Login.

[Screenshot: TIM截图20191125173038.png, uploaded 2019-11-25 17:30]

[Screenshot: TIM截图20191125173149.png, uploaded 2019-11-25 17:32]

6. Logging in from Linux

    # ssh 192.168.1.191
    The authenticity of host '192.168.1.191 (192.168.1.191)' can't be established.
    ECDSA key fingerprint is SHA256:dX8t6SUvwVX9/IzwSrP6Zf4Zx8T14IKS5myTTeow3D4.
    ECDSA key fingerprint is MD5:5e:d6:e2:73:74:f6:44:a0:e2:e2:81:6a:4b:3f:c3:b9.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.191' (ECDSA) to the list of known hosts.
    Verification code:
    Password:
    Last login: Mon Nov 25 17:32:27 2019 from 192.168.20.159

Here you enter the verification code first and then the password. The code comes first because the pam_google_authenticator.so line was placed at the top of /etc/pam.d/sshd, ahead of the password modules; both factors are still required.

END


Reposted from https://www.bt.cn/bbs/forum.php?mod=viewthread&tid=40582&extra=page%3D10%26filter%3Dtypeid%26typeid%3D10