
How to restrict remote root login on Unix

Introduction

Unix is an operating system widely praised for its stability, security and flexibility. Because of its openness, allowing the root user to log in remotely carries a certain security risk. This article describes how to restrict remote login by the root user on a Unix system.

Method 1: Edit the SSH configuration file

1. Open the SSH configuration file

Enter the following command in a terminal to open the SSH configuration file as root:

sudo vi /etc/ssh/sshd_config

2. Change the configuration option

Find the PermitRootLogin line in the configuration file (if there is none, add a line at the end of the file) and set its value to no, which forbids the root user from logging in remotely over SSH:

PermitRootLogin no

3. Save and exit

Press Esc, type :wq and press Enter to save the file and leave the editor.

4. Restart the SSH service

For the change to take effect, the SSH service must be restarted. Enter the following command in a terminal:

sudo systemctl restart sshd

5. Check that the configuration took effect

Open the SSH configuration file with vi again and confirm that the value of PermitRootLogin is now no:

sudo vi /etc/ssh/sshd_config
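Reopening the file only shows what it contains, not what sshd applies. sshd uses the first value it reads for a keyword, so a PermitRootLogin no appended at the end of the file loses to an earlier PermitRootLogin yes (or to a drop-in pulled in by an Include line above it). The following POSIX shell helpers are an added example, not code from this article: one reports the effective global value of a config file the way sshd would resolve it, the other rewrites the directive in place, and the sample configuration is constructed for the demonstration.

```shell
# Added example, not from the original article. sshd uses the FIRST value it
# reads for a keyword, so "PermitRootLogin no" appended after an earlier
# "PermitRootLogin yes" is silently ignored. Helpers report and fix that.

effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
        tolower($1) == "match" { exit }                 # Match blocks are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }   # OpenSSH default since 7.0
    ' "$1"
}

# Rewrite every global PermitRootLogin line to "no"; if none exists, insert one
# before the first Match block (appending at EOF could land inside a Match).
harden_permit_root_login() {
    tmp="$1.tmp"
    awk '
        !in_match && tolower($1) == "match" {
            in_match = 1
            if (!seen) { print "PermitRootLogin no"; seen = 1 }
        }
        !in_match && tolower($1) == "permitrootlogin" { $0 = "PermitRootLogin no"; seen = 1 }
        { print }
        END { if (!seen) print "PermitRootLogin no" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample config (not a real host's file): an early "yes", a Match
# block, and a trailing "no" added the way the article describes.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
PermitRootLogin no
EOF
}

# Demo: show the ineffective trailing line, then the corrected result.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    printf 'before: %s\n' "$(effective_permit_root_login "$f")"   # yes
    harden_permit_root_login "$f"
    printf 'after:  %s\n' "$(effective_permit_root_login "$f")"   # no
    rm -f "$f"
}
```

On a live host, sudo sshd -T | grep -i permitrootlogin prints the value sshd actually applies after all Include files are merged, which is the check to run after the restart.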

Method 2: Use PAM (Pluggable Authentication Modules)

1. Install the PAM packages

On Debian/Ubuntu systems, the PAM packages can be installed with:

sudo apt-get install libpam0g-dev libpam-systemd

On CentOS/RHEL systems, the PAM packages can be installed with:

sudo yum install pam-devel pam-systemd

2. Create the PAM configuration file

Create a new file named password-auth under /etc/pam.d/common-auth (Debian/Ubuntu) or /etc/pam.d/system-auth (CentOS/RHEL):

sudo vi /etc/pam.d/common-auth/password-auth

or, on CentOS/RHEL:

sudo vi /etc/pam.d/system-auth/password-auth

3. Edit the PAM configuration file

Add the PAM rules that restrict root login to the new configuration file.
