PUBKEY替换成自己的公钥,复制到终端执行即可
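#!/bin/bash
# SSH仅允许密钥登录配置脚本
# 适用于 Debian / Ubuntu
#
# Steps:
#   1. Add PUBKEY to ~/.ssh/authorized_keys of the user running the script
#      (appended, so keys already present are kept and nobody else is
#      locked out by accident).
#   2. Set PasswordAuthentication / PermitRootLogin / PubkeyAuthentication /
#      AuthorizedKeysFile in /etc/ssh/sshd_config AND in every
#      /etc/ssh/sshd_config.d/*.conf drop-in. sshd keeps the FIRST value it
#      reads for a keyword, and on releases whose sshd_config starts with an
#      Include of that directory a drop-in such as cloud-init's
#      "PasswordAuthentication yes" silently overrides an edit made only to
#      the main file.
#   3. Run `sshd -t` and confirm the effective config with `sshd -T` BEFORE
#      restarting; on failure the *.bak copies are put back so the running
#      daemon is never restarted into a broken or still-open configuration.
#
# Run as root. Replace PUBKEY with your own key first, and keep this
# session open until a fresh key-based login has been verified.
set -euo pipefail

# Replace with your own public key (one authorized_keys line).
readonly PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtiootU93S5rn1Igz+Z1Xqm/9H26mDLevdAuZjCw/PrF4h+1GkLOw3w0KPzsNroFfvTp998IIwghDqEPMtJrNutK8jTMkWKC62HYPDnqrl6kVMBGdDeXry/MVHEdsfHKDWMRNC+iPLAhhfkVZl0f//AWW3dBxqyebz5bByQwY/TYBVjvHVLjaPTDflciJRCFC2jaArOxa8tH7bf1+0CsGTaW9Ff2Y+d5eM1x79RQJ0SGHLu+kqUv8F21QYtJ6ihQvHxveeXUvbb/fryW9xbezwP/ZJlltJCFjD7C+FlUb+Ud/ZiEBoyUymQ4sKlnbbfL2WEUuaBXg8GMjTCCBKX63R skey-0bcx0f2v"
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
# Filled by collect_sshd_files: main config plus any drop-ins.
SSHD_FILES=()

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Write PUBKEY into $HOME/.ssh/authorized_keys (root's home when run via
# sudo on most setups — confirm if the key is meant for another user).
# Directory/file modes are what sshd's StrictModes requires.
#######################################
install_pubkey() {
  local ssh_dir="$HOME/.ssh"
  local keyfile="$ssh_dir/authorized_keys"
  echo ">>> 创建 ~/.ssh 目录并写入公钥..."
  mkdir -p -- "$ssh_dir"
  chmod 700 -- "$ssh_dir"
  touch -- "$keyfile"
  chmod 600 -- "$keyfile"
  # Append only when this exact line is absent: re-running is harmless and
  # existing keys are preserved (the previous version overwrote the file).
  if ! grep -qxF -- "$PUBKEY" "$keyfile"; then
    printf '%s\n' "$PUBKEY" >> "$keyfile"
  fi
}

#######################################
# Collect the sshd config files to edit. nullglob: a missing or empty
# drop-in directory contributes nothing.
# Globals: SSHD_FILES (written)
#######################################
collect_sshd_files() {
  SSHD_FILES=("$SSHD_CONFIG")
  shopt -s nullglob
  SSHD_FILES+=("$SSHD_CONFIG_DIR"/*.conf)
  shopt -u nullglob
}

#######################################
# Copy each config file to "<file>.bak" before touching it. The drop-in
# backups end in ".conf.bak", which the "*.conf" Include glob does not
# match, so they are never read by sshd.
#######################################
backup_sshd_config() {
  local f
  for f in "${SSHD_FILES[@]}"; do
    cp -a -- "$f" "$f.bak"
  done
}

# Put every "<file>.bak" created by backup_sshd_config back in place.
restore_sshd_config() {
  local f
  for f in "${SSHD_FILES[@]}"; do
    if [[ -f "$f.bak" ]]; then
      cp -a -- "$f.bak" "$f"
    fi
  done
}

#######################################
# Replace every "keyword ..." / "#keyword ..." line at column 0 in all
# config files with "keyword value". If the main file still has no active
# line for the keyword afterwards, insert one at line 1 so it precedes any
# Include or Match block (sshd uses the first value it reads; appending at
# the end could land inside a trailing Match block).
# Arguments: $1 keyword, $2 value (must not contain '|')
#######################################
set_sshd_option() {
  local keyword=$1 value=$2 f
  for f in "${SSHD_FILES[@]}"; do
    sed -i -E "s|^#?${keyword}([[:space:]].*)?\$|${keyword} ${value}|" -- "$f"
  done
  if ! grep -Eq "^${keyword}([[:space:]]|\$)" -- "$SSHD_CONFIG"; then
    sed -i "1i ${keyword} ${value}" -- "$SSHD_CONFIG"
  fi
}

harden_sshd_config() {
  echo ">>> 修改 SSH 配置,仅允许密钥登录..."
  set_sshd_option PasswordAuthentication no
  set_sshd_option PermitRootLogin prohibit-password
  set_sshd_option PubkeyAuthentication yes
  set_sshd_option AuthorizedKeysFile .ssh/authorized_keys
}

#######################################
# Syntax-check the edited files and verify that password login is really
# off in the effective configuration; otherwise roll back and stop.
# `sshd -T` output is captured into a variable rather than piped, so grep
# closing its input early cannot turn a match into a pipefail failure.
#######################################
verify_sshd_config() {
  local effective
  if ! sshd -t; then
    restore_sshd_config
    die "sshd 配置校验失败,已恢复备份,未重启 SSH"
  fi
  effective=$(sshd -T 2>/dev/null) || effective=""
  if ! grep -qi '^passwordauthentication no$' <<<"$effective"; then
    restore_sshd_config
    die "PasswordAuthentication 仍未关闭(请检查 ${SSHD_CONFIG_DIR}),已恢复备份,未重启 SSH"
  fi
}

main() {
  (( EUID == 0 )) || die "请以 root 身份运行此脚本"
  install_pubkey
  collect_sshd_files
  backup_sshd_config
  harden_sshd_config
  verify_sshd_config
  echo ">>> 重启 SSH 服务..."
  systemctl restart ssh
  echo "✅ 配置完成!现在仅允许密钥登录。"
  echo "⚠️ 请勿关闭当前终端,确认使用密钥能正常登录后再断开连接。"
}

main "$@"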
设置仅允许某个IP登录版本,记得IP和公钥替换成自己的
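#!/bin/bash
# SSH仅允许密钥登录 + 限定IP的安全配置脚本
# 适用于 Debian / Ubuntu
#
# Steps:
#   1. Add PUBKEY to ~/.ssh/authorized_keys of the user running the script
#      (appended; keys already present are kept).
#   2. Set the key-only options in /etc/ssh/sshd_config AND in every
#      /etc/ssh/sshd_config.d/*.conf drop-in. sshd keeps the FIRST value it
#      reads for a keyword, and on releases whose sshd_config starts with an
#      Include of that directory a drop-in such as cloud-init's
#      "PasswordAuthentication yes" overrides an edit to the main file alone.
#   3. Validate with `sshd -t` / `sshd -T`; on failure the *.bak copies are
#      restored and sshd is NOT restarted.
#   4. Insert iptables rules at the HEAD of INPUT so that only ALLOWED_IP
#      can open new SSH connections (existing sessions stay up), and
#      persist them with netfilter-persistent.
#   5. Restart sshd.
#
# Run as root. Replace ALLOWED_IP and PUBKEY with your own values first,
# and keep this session open until a fresh key login from ALLOWED_IP works.
set -euo pipefail

# === 配置项 === (replace ALLOWED_IP and PUBKEY with your own values)
readonly ALLOWED_IP="43.154.78.99"
readonly SSH_PORT=22
readonly PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtiootU93S5rn1Igz+Z1Xqm/9H26mDLevdAuZjCw/PrF4h+1GkLOw3w0KPzsNroFfvTp998IIwghDqEPMtJrNutK8jTMkWKC62HYPDnqrl6kVMBGdDeXry/MVHEdsfHKDWMRNC+iPLAhhfkVZl0f//AWW3dBxqyebz5bByQwY/TYBVjvHVLjaPTDflciJRCFC2jaArOxa8tH7bf1+0CsGTaW9Ff2Y+d5eM1x79RQJ0SGHLu+kqUv8F21QYtJ6ihQvHxveeXUvbb/fryW9xbezwP/ZJlltJCFjD7C+FlUb+Ud/ZiEBoyUymQ4sKlnbbfL2WEUuaBXg8GMjTCCBKX63R skey-0bcx0f2v"
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
# Filled by collect_sshd_files: main config plus any drop-ins.
SSHD_FILES=()

die() { printf '%s\n' "$*" >&2; exit 1; }

# === 1. 写入密钥 ===
#######################################
# Write PUBKEY into $HOME/.ssh/authorized_keys (root's home when run via
# sudo on most setups — confirm if the key is meant for another user).
# Modes are what sshd's StrictModes requires.
#######################################
install_pubkey() {
  local ssh_dir="$HOME/.ssh"
  local keyfile="$ssh_dir/authorized_keys"
  echo ">>> 配置 SSH 公钥..."
  mkdir -p -- "$ssh_dir"
  chmod 700 -- "$ssh_dir"
  touch -- "$keyfile"
  chmod 600 -- "$keyfile"
  # Append only when this exact line is absent: re-running is harmless and
  # existing keys are preserved (the previous version overwrote the file).
  if ! grep -qxF -- "$PUBKEY" "$keyfile"; then
    printf '%s\n' "$PUBKEY" >> "$keyfile"
  fi
}

# === 2. 修改 SSH 配置 ===
# Collect the sshd config files to edit; nullglob makes a missing or
# empty drop-in directory contribute nothing.
collect_sshd_files() {
  SSHD_FILES=("$SSHD_CONFIG")
  shopt -s nullglob
  SSHD_FILES+=("$SSHD_CONFIG_DIR"/*.conf)
  shopt -u nullglob
}

#######################################
# Copy each config file to "<file>.bak" before touching it. Drop-in backups
# end in ".conf.bak", which the "*.conf" Include glob does not match.
#######################################
backup_sshd_config() {
  local f
  echo ">>> 备份原 SSH 配置为 ${SSHD_CONFIG}.bak"
  for f in "${SSHD_FILES[@]}"; do
    cp -a -- "$f" "$f.bak"
  done
}

# Put every "<file>.bak" created by backup_sshd_config back in place.
restore_sshd_config() {
  local f
  for f in "${SSHD_FILES[@]}"; do
    if [[ -f "$f.bak" ]]; then
      cp -a -- "$f.bak" "$f"
    fi
  done
}

#######################################
# Replace every "keyword ..." / "#keyword ..." line at column 0 in all
# config files with "keyword value". If the main file still has no active
# line afterwards, insert one at line 1 so it precedes any Include or
# Match block (sshd uses the first value it reads).
# Arguments: $1 keyword, $2 value (must not contain '|')
#######################################
set_sshd_option() {
  local keyword=$1 value=$2 f
  for f in "${SSHD_FILES[@]}"; do
    sed -i -E "s|^#?${keyword}([[:space:]].*)?\$|${keyword} ${value}|" -- "$f"
  done
  if ! grep -Eq "^${keyword}([[:space:]]|\$)" -- "$SSHD_CONFIG"; then
    sed -i "1i ${keyword} ${value}" -- "$SSHD_CONFIG"
  fi
}

harden_sshd_config() {
  echo ">>> 修改 SSH 设置,仅允许密钥登录..."
  set_sshd_option PasswordAuthentication no
  set_sshd_option PermitRootLogin prohibit-password
  set_sshd_option PubkeyAuthentication yes
  set_sshd_option AuthorizedKeysFile .ssh/authorized_keys
}

#######################################
# Syntax-check the edited files and verify that password login is really
# off in the effective configuration; otherwise roll back and stop.
# `sshd -T` output is captured rather than piped so an early-closing grep
# cannot turn a match into a pipefail failure.
#######################################
verify_sshd_config() {
  local effective
  if ! sshd -t; then
    restore_sshd_config
    die "sshd 配置校验失败,已恢复备份,未重启 SSH"
  fi
  effective=$(sshd -T 2>/dev/null) || effective=""
  if ! grep -qi '^passwordauthentication no$' <<<"$effective"; then
    restore_sshd_config
    die "PasswordAuthentication 仍未关闭(请检查 ${SSHD_CONFIG_DIR}),已恢复备份,未重启 SSH"
  fi
}

# === 3. 设置防火墙规则,仅允许特定 IP 访问 SSH 端口 ===
#######################################
# Insert a rule at the head of the INPUT chain unless an identical rule is
# already present, so re-running the script never stacks duplicates.
# Arguments: $1 iptables binary (iptables / ip6tables), rest = rule spec
#######################################
add_input_rule() {
  local bin=$1
  shift
  if ! "$bin" -C INPUT "$@" 2>/dev/null; then
    "$bin" -I INPUT "$@"
  fi
}

# ALLOWED_IP is an IPv4 address, so SSH over IPv6 is closed entirely;
# without this an IPv6-reachable host would stay open to everyone.
configure_firewall_v6() {
  add_input_rule ip6tables -p tcp --dport "$SSH_PORT" -j DROP
  add_input_rule ip6tables -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_input_rule ip6tables -i lo -j ACCEPT
}

configure_firewall() {
  echo ">>> 配置防火墙,仅允许 $ALLOWED_IP 通过 SSH 登录..."
  # Each rule goes to position 1, so they are listed in REVERSE of the
  # final order: lo, ESTABLISHED/RELATED, allowed IP, DROP. Appending with
  # -A (the previous version) could leave the DROP behind a pre-existing
  # ACCEPT for the port, and a DROP placed before the ESTABLISHED rule
  # would cut the very session this script is running in.
  add_input_rule iptables -p tcp --dport "$SSH_PORT" -j DROP
  add_input_rule iptables -p tcp -s "$ALLOWED_IP" --dport "$SSH_PORT" -j ACCEPT
  add_input_rule iptables -m state --state ESTABLISHED,RELATED -j ACCEPT
  add_input_rule iptables -i lo -j ACCEPT
  if command -v ip6tables >/dev/null 2>&1; then
    # Best-effort: a host without IPv6 support makes ip6tables fail, which
    # must not abort the run before sshd is restarted.
    configure_firewall_v6 || printf '警告: ip6tables 规则未能应用,IPv6 上的 SSH 未被限制\n' >&2
  fi
}

# 保存防火墙规则(Debian/Ubuntu)
persist_firewall() {
  if ! command -v netfilter-persistent >/dev/null 2>&1; then
    apt-get update -y
    # iptables-persistent asks via debconf whether to save the current
    # rules; the non-interactive frontend takes the default instead of
    # blocking an unattended run.
    DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
  fi
  netfilter-persistent save
}

main() {
  (( EUID == 0 )) || die "请以 root 身份运行此脚本"
  install_pubkey
  collect_sshd_files
  backup_sshd_config
  harden_sshd_config
  verify_sshd_config
  configure_firewall
  persist_firewall
  # === 4. 重启 SSH 服务 ===
  echo ">>> 重启 SSH 服务..."
  systemctl restart ssh
  echo "✅ 配置完成!"
  echo "仅允许以下 IP 登录 SSH:$ALLOWED_IP"
  echo "⚠️ 请不要关闭当前会话,确认新规则生效且可登录后再断开。"
}

main "$@"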
如果误操作导致无法登录,可用宿主机控制台恢复:
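# Recovery (run from the provider's console when SSH is locked out): put
# back the sshd config the script saved and remove the rule that drops SSH
# from every address except ALLOWED_IP.
cp -a -- /etc/ssh/sshd_config.bak /etc/ssh/sshd_config   # cp, not mv: keep the backup for another attempt
sshd -t && systemctl restart ssh                          # only restart a config that parses
# Delete every copy of the blanket DROP (one is appended per run of the
# script); the lo / ESTABLISHED / allowed-IP rules are harmless and can stay.
while iptables -D INPUT -p tcp --dport 22 -j DROP 2>/dev/null; do :; done
# Re-save so the DROP does not come back at the next boot.
command -v netfilter-persistent >/dev/null 2>&1 && netfilter-persistent save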


