> Author: 丁辉

# System Security Policy Configuration

## Limiting the Maximum Number of Remote Login Attempts on Linux

### Method 1

1. Edit the SSH service configuration file

```bash
vi /etc/ssh/sshd_config
```

Change the following settings

```bash
# Maximum authentication attempts per connection
# (sshd counts this per connection, not per source IP; after this many failures the connection is dropped)
MaxAuthTries 3

# Time, in seconds, an unauthenticated connection may stay open before sshd closes it
# (here 300 seconds, i.e. 5 minutes); this is not a lockout, it only bounds how long one attempt may take
LoginGraceTime 300
```

2. Reload the configuration

```bash
systemctl reload sshd
```

### Method 2

1. Install fail2ban

```bash
yum install epel-release -y
yum install fail2ban -y
```

2. Configure fail2ban

```bash
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Edit the `jail.local` file, find and change the following parameters

```bash
# Ban duration in seconds (default 600 seconds, i.e. 10 minutes)
bantime = 600

# Maximum number of failed login attempts allowed before a ban
maxretry = 5

# Action used to ban a host whose IP fails repeatedly; very useful for protecting the system,
# but use it with care so that legitimate users are not blocked because of mistyped logins
banaction = iptables-multiport
```

3. Start the fail2ban service

```bash
systemctl start fail2ban
systemctl enable fail2ban
```

4. Check fail2ban status

```bash
fail2ban-client status
```
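To make the `maxretry` / `bantime` rule above concrete, here is an added example (not from the original post and not fail2ban's own code) that replays constructed auth-log lines through the same counting logic; the `findtime` window is a fail2ban setting not shown above and is assumed here to be 600 seconds.

```python
import re
from collections import defaultdict, deque

# Constructed sample auth-log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:05 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:09 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:12 host sshd[103]: Failed password for root from 198.51.100.7 port 4003 ssh2
Jan 10 10:00:14 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:20 host sshd[105]: Failed password for root from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:25 host sshd[106]: Accepted password for alice from 198.51.100.7 port 4006 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected login.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def evaluate_jail(log_text, maxretry=5, findtime=600, bantime=600):
    """Return {ip: (ban_start, ban_end)} (seconds since midnight) for every IP
    that reaches `maxretry` failures inside a sliding `findtime` window."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # accepted logins and unrelated lines are ignored
        h, mi, s, ip = m.groups()
        now = _seconds(h, mi, s)
        if ip in bans and now < bans[ip][1]:
            continue               # already banned: the firewall would drop this
        q = window[ip]
        q.append(now)
        while q and now - q[0] > findtime:
            q.popleft()            # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = (now, now + bantime)
            q.clear()
    return bans

def is_banned(bans, ip, now):
    """True if `ip` is inside its ban window at time `now` (seconds)."""
    return ip in bans and bans[ip][0] <= now < bans[ip][1]
```

Lowering `maxretry` to 3 bans the same host at its third failure instead of its fifth, which shows how the jail.local value trades brute-force tolerance against the risk of locking out a user who mistypes a password.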