当前位置:论坛首页 > Linux面板 > Linux面板教程

SSH 双因子认证。 ---杜绝一切的SSH爆破

发表在 Linux面板2019-11-25 17:33 [复制链接] 5 3594

我只是测试了Centos7  其他的系统版本我木有测试
一、安装谷歌认证

yum install google-authenticator  -y


TIM截图20191125172132.png

二、设置SSH的配置

2.1 设置/etc/pam.d/sshd

[root@localhost ~]# vim /etc/pam.d/sshd

  1. auth required pam_google_authenticator.so        #在第一行(即auth required pam_sepermit.so的下一行)添加该语句
复制代码




TIM截图20191125172247.png

2.2 设置/etc/ssh/sshd_config



  1. ChallengeResponseAuthentication yes        #找到相应的参数,修改其选项为yes
复制代码

TIM截图20191125172511.png


2.3 重启ssh 服务
[root@localhost ~]# systemctl restart sshd


三、设置谷歌认证


  1. [root@localhost ~]# google-authenticator

  2. Do you want authentication tokens to be time-based (y/n) y
  3. Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  4.   https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%3DX7GNO4B5NVYYYFI747A4UOLFR4%26issuer%3Dlocalhost
复制代码
TIM截图20191125172643.png


  1. Your new secret key is: X7GNO4B5NVYYYFI747A4UOLFR4
  2. Your verification code is 968659
  3. Your emergency scratch codes are:
  4.   22394869
  5.   95632253
  6.   87095313
  7.   80140198
  8.   71922478

  9. Do you want me to update your "/root/.google_authenticator" file? (y/n) y

  10. Do you want to disallow multiple uses of the same authentication
  11. token? This restricts you to one login about every 30s, but it increases
  12. your chances to notice or even prevent man-in-the-middle attacks (y/n) y

  13. By default, a new token is generated every 30 seconds by the mobile app.
  14. In order to compensate for possible time-skew between the client and the server,
  15. we allow an extra token before and after the current time. This allows for a
  16. time skew of up to 30 seconds between authentication server and client. If you
  17. experience problems with poor time synchronization, you can increase the window
  18. from its default size of 3 permitted codes (one previous code, the current
  19. code, the next code) to 17 permitted codes (the 8 previous codes, the current
  20. code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
  21. between client and server.
  22. Do you want to do so? (y/n) y

  23. If the computer that you are logging into isn't hardened against brute-force
  24. login attempts, you can enable rate-limiting for the authentication module.
  25. By default, this limits attackers to no more than 3 login attempts every 30s.
  26. Do you want to enable rate-limiting? (y/n) y
复制代码


这里只要一路按Y 就可以了


四、安装谷歌认证


TIM截图20191125172813.png






五、Windows 登陆


这里使用的Xshell


TIM截图20191125172921.png

然后点击确定,后面点登陆
TIM截图20191125173038.png
TIM截图20191125173149.png


六、Linux 登陆
  1. [root@localhost ~]# ssh 192.168.1.191
  2. The authenticity of host '192.168.1.191 (192.168.1.191)' can't be established.
  3. ECDSA key fingerprint is SHA256:dX8t6SUvwVX9/IzwSrP6Zf4Zx8T14IKS5myTTeow3D4.
  4. ECDSA key fingerprint is MD5:5e:d6:e2:73:74:f6:44:a0:e2:e2:81:6a:4b:3f:c3:b9.
  5. Are you sure you want to continue connecting (yes/no)? yes
  6. Warning: Permanently added '192.168.1.191' (ECDSA) to the list of known hosts.
  7. Verification code:
  8. Password:
  9. Last login: Mon Nov 25 17:32:27 2019 from 192.168.20.159
复制代码




这里是先输入验证码然后再输入密码的






END 完结










使用道具 举报 只看该作者 回复
发表于 2019-11-25 18:15:11 | 显示全部楼层
学习了。
使用道具 举报 回复
发表于 2019-11-26 17:11:50 | 显示全部楼层
这就厉害了
使用道具 举报 回复 支持 反对
发表于 2019-11-26 17:29:16 | 显示全部楼层
密钥有泄露风险,密码加动态密码的登陆形式,似乎是不错的选择。
使用道具 举报 回复 支持 反对
发表于 2019-11-27 16:01:26 | 显示全部楼层
感觉不错...不知道后面会不会直接出插件?
使用道具 举报 回复 支持 反对
发表于 2019-11-27 17:11:40 | 显示全部楼层
Hax0412 发表于 2019-11-27 16:01
感觉不错...不知道后面会不会直接出插件?

不是很想出插件。这个东西小白用不明白
使用道具 举报 回复 支持 反对
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

企业版年付运维跟进群

普通问题处理

论坛响应时间:72小时

问题处理方式:排队(仅解答)

工作时间:白班:9:00 - 18:00

紧急问题处理

论坛响应时间:10分钟

问题处理方式:1对1处理(优先)

工作时间:白班:9:00 - 18:00

工作时间:晚班:18:00 - 24:00

立即付费处理

工作时间:09:00至24:00

快速回复 返回顶部 返回列表