一、生成证书登录
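# Generate the key pair locally. RSA 2048 is the lowest size still commonly
# accepted; ed25519 (ssh-keygen -t ed25519) or rsa -b 4096 is preferable where
# the server's OpenSSH supports it.
ssh-keygen -b 2048 -t rsa
# Install the public key on the remote host. The original piped the key through
# cat | ssh (with smart quotes that do not parse) and then ran chmod 600 on the
# *local* authorized_keys, which is not the file that was written. Create the
# remote ~/.ssh with safe modes and fix permissions there instead
# (ssh-copy-id does the same where it is available).
ssh account@x.x.x.x 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys \
  && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
# Confirm key-based login works from a NEW session before step 2 disables
# password authentication; otherwise a broken key setup locks you out.
ssh -i ~/.ssh/id_rsa account@x.x.x.x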

二、禁用root登录,禁用密码登录,更改ssh对外服务端口号为22222
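# vi /etc/ssh/sshd_config
# Keep a second, already-authenticated session open while editing so a
# mistake here cannot lock you out.
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
# PasswordAuthentication alone is not enough on PAM-based systems: the
# keyboard-interactive method can still prompt for a password, so disable it
# as well (newer OpenSSH spells this option KbdInteractiveAuthentication).
ChallengeResponseAuthentication no
Port 22222

# Validate the config first; restarting with a syntax error leaves no sshd
# listening at all.
sshd -t && service sshd restart
# NOTE(review): on SELinux-enforcing hosts a non-default port must also carry
# the ssh_port_t label (semanage port) before sshd can bind it — confirm for
# this distro.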

三、配置防火墙,只允许ping、213213/80/443端口对外开放
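# Default-deny inbound with an explicit allow-list. Rules match top down;
# anything unmatched falls through to the DROP policy set last.
# The original had no loopback rule: with -P INPUT DROP, anything that talks
# to 127.0.0.1 (local resolvers, databases, monitoring agents) silently breaks.
iptables -A INPUT -i lo -j ACCEPT
# Accept replies to connections this host initiated, and keep the current SSH
# session alive once the policy flips to DROP. Placed first so the common case
# short-circuits the rest of the chain.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# "--dport" was an en-dash in the original and would not parse.
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# NOTE(review): 213213 is outside the valid TCP port range (0-65535), so
# iptables rejects this rule; step 2 configured sshd on 22222. Confirm which
# port is actually intended here.
iptables -A INPUT -p tcp -m tcp --dport 213213 -j ACCEPT
# Flip the default policy only after the ACCEPT rules above are loaded, and
# after step 4 has admitted your own address on the SSH port.
iptables -P INPUT DROP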

四、给自己丢个后门,放通自己IP的连接
iptables -A INPUT -p tcp -m tcp –s xx.xx.xx.xx –dport 22222 -j ACCEPT

五、保存防火墙配置,并加载规则到启动项
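# Persist the rule set and reload it at boot.
iptables-save > /root/iptables-rules
chmod 600 /root/iptables-rules
# The original echo had mismatched quotes (an opening “ and a closing "), so
# the shell never wrote the line. Also guard against appending a duplicate
# entry each time this step is re-run.
grep -qF 'iptables-restore < /root/iptables-rules' /etc/rc.local \
  || echo 'iptables-restore < /root/iptables-rules' >> /etc/rc.local
# NOTE(review): rc.local only runs if it exists and is executable (on systemd
# hosts the rc-local compatibility unit must be enabled). Where the distro
# provides its own persistence (iptables-persistent, or "service iptables save"
# on older RHEL-style systems) prefer that over rc.local.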