The Bandwagon Host VPS I bought for getting over the "wall" got compromised; it must have been that the password I set was too simple. Someone turned it into a zombie, set up an SMTP mail system on it and sent out a huge amount of spam. I only bought it to get over the wall, was that really necessary? The consequence, of course, was that Bandwagon Host noticed, shut the VPS down outright and emailed me saying not to let it happen again...... as if I were the one who did it!
So now I want to make the VPS relatively secure. Well, there is no such thing as absolute security.
For how Google Authenticator works, see: http://www.zhihu.com/question/20462696/answer/18731073?utm_campaign=rss&utm_medium=rss&utm_source=rss&utm_content=title
Current clients:
Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iOS: https://itunes.apple.com/cn/app/google-authenticator/id388497605
1. Install dependencies
yum -y install mercurial pam-devel
2. Download, compile and install google authenticator
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make && make install
3. Configure
cp pam_google_authenticator.so /etc/pam.d/ ## this must be copied into the /etc/pam.d/ directory
vim /etc/pam.d/sshd ## edit the login authentication file
auth required pam_google_authenticator.so ## add this as the first line
vim /etc/ssh/sshd_config ## edit the /etc/ssh/sshd_config configuration file
ChallengeResponseAuthentication yes
UsePAM yes
After configuring, run the command: google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIROR73FZN6VGPRMA
Your new secret key is: IROR78AZN6VGPRMA ## the secret key; if the QR code URL above won't open, you can use this instead
Your verification code is 066451 ## no idea what this is for
Your emergency scratch codes are: ## emergency codes; if you don't have your phone with you, these come in handy
29394833
72337263
97202244
28255132
90836618
Do you want me to update your "/root/.google_authenticator" file (y/n) y ## whether to update the configuration file
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y ## disallow reuse of the same token
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y ## how often the code changes: every 30 seconds
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. ## attempt limit: 3
Do you want to enable rate-limiting (y/n) y
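The following is an added example, not code from the original post or from the google-authenticator project. It shows what the prompts above are configuring: a time-based code (RFC 6238 TOTP, HMAC-SHA1, 6 digits, 30-second steps) derived from the base32 secret, which is also why the tool prints a "verification code" right after the secret (it is simply the code valid at that moment), plus a server-side verifier that applies the time-skew window (the default of one extra step before and after) and the "disallow multiple uses of the same token" rule. The secret used is the RFC 6238 reference secret, constructed here for testing; the `otpauth_uri` label "root@vps" is a placeholder, and the real tool's URI carries more parameters than this minimal form.

```python
# Added example (not from the original post or the google-authenticator project):
# minimal TOTP as used by Google Authenticator (RFC 6238, HMAC-SHA1, 6 digits, 30 s),
# plus a verifier mirroring the skew window and "disallow multiple uses" prompts.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: accept codes within +/- `window` steps of the current step,
    and, like the 'disallow multiple uses' option, never accept a step at or before
    the last accepted one (so a captured code cannot be replayed)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # replay protection: this step was already consumed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def otpauth_uri(label: str, secret_b32: str) -> str:
    """Minimal otpauth:// URI of the kind the QR code encodes (label is a placeholder)."""
    return f"otpauth://totp/{label}?secret={secret_b32}"


# Constructed sample secret: the RFC 6238 reference key "12345678901234567890" in base32.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(otpauth_uri("root@vps", RFC6238_SECRET_B32))
    print("code valid right now:", totp(RFC6238_SECRET_B32, int(time.time())))
```

Running the module prints the URI and the code valid at that instant, which is exactly the pair of lines the tool shows after generating a secret. The verifier's `window=1` corresponds to the default 1:30 min acceptance span; raising it to 3 gives the "about 4 min" option, at the cost of more codes being valid at once.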