Recommended approach: run several SSH servers and spread clients across them with DNS round-robin or a load balancer.
# Generate the host keys on the first SSH server (host keys must have no passphrase)
sudo ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
# Copy the generated keys (the private files and their .pub files) to the other SSH servers
# so every node presents the same host identity behind the shared address, then restart sshd on each
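Once the keys have been copied, the thing worth checking is that every backend (and the shared address) really does present the same host keys, because one rebuilt node with a fresh key will produce host-key warnings for every client that lands on it. The following script is an added example, not part of the original page: it takes `ssh-keyscan`-style lines ("host type base64blob"), computes the SHA256 fingerprint the way `ssh-keygen -lf` prints it, and reports key types on which the hosts disagree. The scan output and the base64 blobs are constructed placeholders, not real keys; in practice you would fill the dictionary from `ssh-keyscan -t ed25519,rsa <host>` for each backend.

```python
import base64
import hashlib
from collections import defaultdict


def placeholder_blob(label: str) -> str:
    """Constructed stand-in for a base64 host-key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed ssh-keyscan output for the shared address and both backends.
# ssh2 was rebuilt and received a fresh ed25519 host key, so it disagrees.
SAMPLE_SCAN = {
    "192.168.1.100": [  # shared address, currently answered by ssh1
        f"192.168.1.100 ssh-ed25519 {placeholder_blob('ed25519-key-A')}",
        f"192.168.1.100 ssh-rsa {placeholder_blob('rsa-key-A')}",
    ],
    "192.168.1.101": [
        f"192.168.1.101 ssh-ed25519 {placeholder_blob('ed25519-key-A')}",
        f"192.168.1.101 ssh-rsa {placeholder_blob('rsa-key-A')}",
    ],
    "192.168.1.102": [
        f"192.168.1.102 ssh-ed25519 {placeholder_blob('ed25519-key-B')}",
        f"192.168.1.102 ssh-rsa {placeholder_blob('rsa-key-A')}",
    ],
}


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(lines):
    """Map key type -> fingerprint from lines of the form 'host type blob'."""
    keys = {}
    for line in lines:
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank lines and ssh-keyscan comment lines
        _host, ktype, blob = parts[:3]
        keys[ktype] = fingerprint(blob)
    return keys


def find_mismatches(scans):
    """Return {key_type: {fingerprint: [hosts]}} for key types on which hosts disagree."""
    by_type = defaultdict(lambda: defaultdict(list))
    for host, lines in scans.items():
        for ktype, fp in parse_scan(lines).items():
            by_type[ktype][fp].append(host)
    return {kt: dict(fps) for kt, fps in by_type.items() if len(fps) > 1}


if __name__ == "__main__":
    problems = find_mismatches(SAMPLE_SCAN)
    if not problems:
        print("all hosts present identical host keys")
    for ktype, groups in problems.items():
        print(f"{ktype}: {len(groups)} different keys in use")
        for fp, hosts in groups.items():
            print(f"  {fp}  {', '.join(hosts)}")
```

Run it after every key copy or node rebuild; an empty result means clients will see one consistent host identity no matter which backend the balancer picks.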
Example HAProxy configuration (/etc/haproxy/haproxy.cfg):
# SSH is a raw TCP service, so both sections must run in mode tcp (the default is http).
# If HAProxy runs on a host that also runs sshd, that sshd must move off port 22.
frontend ssh_frontend
  bind *:22
  mode tcp
  timeout client 1h
  default_backend ssh_backend
backend ssh_backend
  mode tcp
  balance roundrobin
  timeout connect 5s
  timeout server 1h
  server ssh1 192.168.1.101:22 check
  # "backup" makes ssh2 a standby used only when ssh1 fails its check; drop it for real round-robin
  server ssh2 192.168.1.102:22 check backup
# Install Keepalived
sudo apt-get install keepalived # Debian/Ubuntu
sudo yum install keepalived # CentOS/RHEL
# Example configuration (/etc/keepalived/keepalived.conf) for the primary node;
# the second node uses state BACKUP and a lower priority (e.g. 90) with the same virtual_router_id
vrrp_instance VI_1 {
  state MASTER
  interface eth0 # adjust to the NIC that will carry the virtual IP
  virtual_router_id 51
  priority 100
  advert_int 1
  authentication {
    auth_type PASS
    auth_pass changeme # placeholder; VRRP PASS secrets are limited to 8 characters
  }
  virtual_ipaddress {
    192.168.1.100/24
  }
}
Note: Telnet is an insecure protocol (credentials and the whole session travel in cleartext); use it only on internal networks, or move to SSH.
# Install the required packages
sudo apt-get install telnetd xinetd # Debian/Ubuntu
sudo yum install telnet-server xinetd # CentOS/RHEL
# Configure /etc/xinetd.d/telnet, then restart xinetd (sudo systemctl restart xinetd)
service telnet
{
  flags = REUSE
  socket_type = stream
  wait = no
  user = root
  server = /usr/sbin/in.telnetd
  log_on_failure += USERID
  disable = no
}
As with the SSH setup, HAProxy (or Nginx with its stream module) can balance Telnet; the sections must again run in TCP mode:
frontend telnet_frontend
  bind *:23
  mode tcp
  timeout client 1h
  default_backend telnet_backend
backend telnet_backend
  mode tcp
  balance roundrobin
  timeout connect 5s
  timeout server 1h
  server telnet1 192.168.1.101:23 check
  server telnet2 192.168.1.102:23 check backup
Disable direct root login:
# set in /etc/ssh/sshd_config
PermitRootLogin no
Change the default port:
# set in /etc/ssh/sshd_config
Port 2222
Open the new port in the firewall before restarting sshd, so you do not lock yourself out:
sudo ufw allow 2222/tcp # Ubuntu
sudo firewall-cmd --permanent --add-port=2222/tcp && sudo firewall-cmd --reload # CentOS
Use Fail2Ban to block brute-force attempts:
sudo apt-get install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# if you changed Port, set port = 2222 in the [sshd] section of /etc/fail2ban/jail.local
# (on CentOS/RHEL the sshd jail also needs enabled = true there)
Set up log monitoring:
# watch SSH login attempts
tail -f /var/log/auth.log | grep sshd # Debian/Ubuntu
tail -f /var/log/secure | grep sshd # CentOS/RHEL
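A `tail | grep` shows the raw lines; what you actually want from the log is the count of failures per source, the usernames being tried, and which logins succeeded, which is also the signal Fail2Ban acts on. The script below is an added example, not part of the original page: it parses the `sshd` lines of an auth.log/secure file and summarizes them. The log lines are constructed and use documentation IP ranges. One caveat for the balanced setup above: with HAProxy in TCP mode, sshd on the backends sees the balancer's address as the client, so this kind of per-source analysis, and Fail2Ban, must run where the real client address is visible (HAProxy's own log, or with HAProxy configured to preserve the client address); otherwise a ban would lock out the balancer itself.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format sshd writes to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL).
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:06 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:09 bastion sshd[1207]: Accepted publickey for deploy from 192.168.1.50 port 40022 ssh2: ED25519 SHA256:placeholder
Mar  3 10:01:11 bastion sshd[1209]: Failed password for invalid user oracle from 198.51.100.23 port 60010 ssh2
Mar  3 10:01:15 bastion sshd[1211]: Invalid user test from 198.51.100.23 port 60012
Mar  3 10:01:20 bastion CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Failed password for [invalid user] NAME from IP" and "Invalid user NAME from IP"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \w+ for|Invalid user) (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# "Accepted METHOD for NAME from IP"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def summarize(log_text: str):
    """Count failed attempts per source IP, the usernames tried, and successful logins."""
    failed = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failed, dict(users_tried), accepted


def sources_over_threshold(failed: Counter, threshold: int = 3):
    """Source IPs at or above the failure threshold (the role of Fail2Ban's maxretry)."""
    return sorted(ip for ip, n in failed.items() if n >= threshold)


def root_attempts(users_tried) -> list:
    """Sources that tried 'root'; with PermitRootLogin no these can only fail, but still warrant an alert."""
    return sorted(ip for ip, users in users_tried.items() if "root" in users)


if __name__ == "__main__":
    failed, users_tried, accepted = summarize(SAMPLE_LOG)
    for ip, n in failed.most_common():
        print(f"{ip}: {n} failed, users tried: {sorted(users_tried[ip])}")
    print("over threshold:", sources_over_threshold(failed))
    print("tried root:", root_attempts(users_tried))
    print("accepted logins:", accepted)
```

To run it against a live file, replace `SAMPLE_LOG` with the contents of /var/log/auth.log or /var/log/secure; the `CRON` line shows that non-sshd entries are ignored rather than miscounted.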
Keep the SSH packages up to date:
sudo apt-get update && sudo apt-get upgrade openssh-server # Debian/Ubuntu
sudo yum update openssh-server # CentOS/RHEL
If you need more detailed configuration guidance or run into a specific problem, share more details about your environment and I can give a more targeted solution.