Apache禁止游览列出的目录文件列表

环境:

CentOS release 6.8 (Final)
Linux host.localdomain 4.10.4-1.el6.elrepo.i686 #1 SMP Sat Mar 18 11:05:18 EDT 2017 i686 i686 i386 GNU/Linux
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

安装一些软件依赖

yum -y install wget gcc make pam-devel libpng-devel

该软件为非必须包，其主要用于在终端下生成二维码用。

wget http://fukuchi.org/works/qrencode/qrencode-3.4.1.tar.gz
tar zxf qrencode-3.4.1.tar.gz
cd qrencode-3.4.1
./configure --prefix=/usr && make && make install

google authenticator PAM插件安装

git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam/
sh bootstrap.sh 
 ./configure -prefix=/usr/google
 make && make install 

运行google-authenticator

cd /usr/google/
 ./google-authenticator 

此时终端显示二维码与五个码用于在取不到或错的验证码有错时，用于应急用的。不过每个只能用一次，不能重复使用。

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@wyw%3Fsecret%3DHLGYC5FTL4WKEGNE  #这个链接只能在FQ条件下才能打开 
Your new secret key is: HLGYC5FTL4WKEGNE  #如果在手机的谷歌身份验证器上不想通过"扫描条形码"的方式添加，就输入这个key，通过"手动输入验证码的方式"。账号就是服务器主机
Your verification code is 237334
Your emergency scratch codes are:  #下面会生成5个紧急验证码(当无法获取动态验证码或验证码不能使用使用可以使用这5个)
  23037330                         #需要注意的是：这5个验证码用一个就会少一个！请保存好！
  22153353
  56825949
  98098052
  63067449

Do you want me to update your "/root/.google_authenticator" file (y/n) y  #提示是否要更新验证文件，选择y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y #禁止使用相同口令

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n #默认动态验证码在30秒内有效，由于客户端和服务器可能会存在时间差，可将时间增加到最长4分钟，是否要这么做：这里选择是n，继续默认30秒

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y #是否限制尝试次数，每30秒只能尝试最多3次，这里选择y进行限制 

使用google authenticator 手机客户端扫描二维码 连接成功后

#每30秒换一个

系统配置pam
/etc/pam.d/sshd 在第一行添加

auth required /usr/google/lib/security/pam_google_authenticator.so

配置sshd
/etc/ssh/sshd_config 修改一个字段为

ChallengeResponseAuthentication yes

重载ssh服务

service sshd reload

使用CRT ssh时 要配置

连接时 第一个弹窗时google auth的验证码 第二个是root的密码

---

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。