Host *
Protocol 2
ForwardAgent no
ForwardX11 no
HostbasedAuthentication no
StrictHostKeyChecking no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Tunnel no
# Compute Engine times out connections after 10 minutes of inactivity.
# Keep alive ssh connections by sending a packet every 7 minutes.
ServerAliveInterval 420
修改 /etc/ssh/sshd_config 文件以使用以下配置:
# Disable PasswordAuthentication because ssh keys are more secure.
PasswordAuthentication no
# Disable root login. Using sudo provides better auditing.
PermitRootLogin no
PermitTunnel no
AllowTcpForwarding yes
X11Forwarding no
# Compute Engine times out connections after 10 minutes of inactivity.
# Keep alive ssh connections by sending a packet every 7 minutes.
ClientAliveInterval 420
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-18。"],[[["\u003cp\u003eAfter importing a virtual disk to Compute Engine, the guest environment must be installed to utilize key Compute Engine features.\u003c/p\u003e\n"],["\u003cp\u003eOptimizing an imported image for Compute Engine involves configuring settings like NTP, timezone, network performance, and security.\u003c/p\u003e\n"],["\u003cp\u003eFor high performance, it is recommended to use the ISC DHCP client, set the DHCP MTU, disable IPv6 if not needed, and remove persistent network rules.\u003c/p\u003e\n"],["\u003cp\u003eSecurity best practices for images include minimizing installed software, disabling unnecessary network services, and configuring strong password policies, as well as hardening SSH configurations.\u003c/p\u003e\n"],["\u003cp\u003eAfter configuring and optimizing the boot disk, create a new image from the boot disk and include it in an image family for easy management and instance creation.\u003c/p\u003e\n"]]],[],null,["# Manually configure imported disks\n\n*** ** * ** ***\n\nAfter you\n[manually import a virtual disk](/compute/docs/import/import-existing-image) to\nCompute Engine, you need to optimize those images so they can use\nfeatures specific to the Compute Engine environment.\n\nContents\n--------\n\nInstall the Compute Engine guest environment\n--------------------------------------------\n\nYou must install the\n[guest environment](/compute/docs/images/guest-environment) before you can use\nkey features of Compute Engine. To find out when you need to manually\ninstall the guest environment, see\n[when to manually install or update the guest environment](/compute/docs/images/guest-environment#when-to-install).\n\n[Install the guest environment](/compute/docs/images/install-guest-environment)\non the running VM instance you created after\n[manually importing your existing image](/compute/docs/import/import-existing-image).\nTo perform the installation, access the VM instance via SSH with a user\naccount you created before importing it or by\n[interacting with the Serial Console](/compute/docs/instances/interacting-with-serial-console).\n| **Important:** Install the guest environment **after** you have imported your existing image. The guest environment makes configuration changes to the instance that are specific to Compute Engine.\n| **Important:** Failure to install the guest environment on a VM instance created from an imported image results in key features of Compute Engine being unavailable to the instance. For example, you won't be able to use all of the methods for [connecting to Linux instances](/compute/docs/instances/connecting-to-instance), and the instance might be unable to participate in [load balancing](/compute/docs/load-balancing) configurations.\n\nConfigure your imported image for Compute Engine\n------------------------------------------------\n\nYou can run your boot disk image in Compute Engine without\nadditional changes, but you can also further optimize the image so that it runs\noptimally within Compute Engine and has access to all\nCompute Engine features.\n\n- Edit the `ntp.conf` file to include only the\n `server metadata.google.internal iburst` Google NTP server entry.\n\n- Set the timezone to UTC:\n\n ```\n sudo ln -sf /usr/share/zoneinfo/UTC /etc/localtime\n ```\n- To ensure high performance network capability, use the following recommended\n network configurations:\n\n - Use the [ISC DHCP client](http://www.isc.org/downloads/dhcp/).\n - Set the DHCP MTU to the network MTU. The Compute Engine DHCP server serves this parameter as the `interface-mtu` option, which most clients respect. For more information about network MTUs, see the [maximum transmission unit overview](/vpc/docs/mtu).\n - If you don't plan to [configure IPv6\n addresses](/compute/docs/ip-addresses/configure-ipv6-address), disable IPv6.\n - Remove persistent network rules to prevent the instance from remembering\n MAC addresses. For example:\n\n ```\n rm -f /etc/udev/rules.d/70-persistent-net.rules\n ```\n - Disable the operating system firewall unless you have specific\n requirements not supported by Compute Engine Firewall Rules.\n Compute Engine provides a firewall for\n inbound and outbound traffic. For more information about firewalls, see\n [Firewall rules overview](/vpc/docs/firewalls).\n\n- To ensure high performance network and disk capability, disable or remove\n the `irqbalance` daemon. This daemon does not correctly balance IRQ requests\n for the guest operating systems on virtual machine (VM) instances. Instead,\n use the scripts that are part of the\n [guest environment](#install_guest_environment) to correctly balance\n IRQ settings for virtual CPUs.\n\n- Configure SSH access to the base image:\n\n - Disable root ssh login.\n - Disable password authentication.\n - Disable host-based authentication.\n - Enable strict, host-key checking.\n - Use `ServerAliveInterval` to keep connections open.\n - Remove SSH keys from your image so that others can't access the public\n or private keys in your image. Instead, use Compute Engine to\n [manage access to instances](/compute/docs/instances/managing-instance-access).\n\n - Edit the `/etc/ssh/ssh_config` file to use the following configuration:\n\n ```\n Host *\n Protocol 2\n ForwardAgent no\n ForwardX11 no\n HostbasedAuthentication no\n StrictHostKeyChecking no\n Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n Tunnel no\n\n # Compute Engine times out connections after 10 minutes of inactivity.\n # Keep alive ssh connections by sending a packet every 7 minutes.\n ServerAliveInterval 420\n ```\n - Edit the `/etc/ssh/sshd_config` file to use the following configuration:\n\n ```\n # Disable PasswordAuthentication because ssh keys are more secure.\n PasswordAuthentication no\n\n # Disable root login. Using sudo provides better auditing.\n PermitRootLogin no\n\n PermitTunnel no\n AllowTcpForwarding yes\n X11Forwarding no\n\n # Compute Engine times out connections after 10 minutes of inactivity.\n # Keep alive ssh connections by sending a packet every 7 minutes.\n ClientAliveInterval 420\n ```\n\nAfter you configure and optimize your boot disk on Compute Engine,\ncreate an image from that boot disk so that you can create instances from\na fully-optimized version of the image rather than having to configure each\ninstance every time you create it.\n\nConfigure security best practices\n---------------------------------\n\nYou should always provide a secure operating system environment, but it can\nbe difficult to strike a balance between a secure and an accessible environment.\nVirtual machines that are vulnerable to attack can consume expensive\nresources. Google strongly recommends that your images comply with the\nfollowing security best practices:\n\n- Minimize the amount of software installed by default (for example, perform a minimal install of the OS).\n- Enable automatic updates.\n- By default, disable all network services except for SSH, DHCP, and NTPD. You can allow a mail server, such as Postfix, to run if it is only accepting connections from localhost.\n- Do not allow externally listening ports except for sshd.\n- Install the [denyhosts](http://denyhosts.sourceforge.net/faq.html#1_0) package to help prevent SSH brute-force login attempts.\n- Remove all unnecessary non-user accounts from the default install.\n- In `/etc/passwd`, set the shell of all non-user accounts to `/sbin/nologin` or `/usr/sbin/nologin` (depending on where your OS installed nologin).\n- Configure your OS to use salted SHA512 for passwords in `/etc/shadow`.\n- Set up and configure [pam_cracklib](http://linux.die.net/man/8/pam_cracklib) for strong passwords.\n- Set up and configure [pam_tally](http://linux.die.net/man/8/pam_tally) to lock out accounts for 5 minutes after 3 failures.\n- In `/etc/shadow`, configure the root account to be locked by default. Run\n the following command to lock the root account:\n\n ```\n usermod -L root\n ```\n- Deny root in `/etc/ssh/sshd_config` by adding the following line:\n\n ```\n PermitRootLogin no\n ```\n- Create\n [AppArmor](https://www.kernel.org/doc/html/latest/admin-guide/LSM/apparmor.html)\n or\n [SELinux](http://selinuxproject.org/page/Main_Page)\n profiles for all default running network-facing services.\n\n- Use file system capabilities where possible to remove the need for the S\\*ID\n bit and to provide more granular control.\n\n- Enable compiler and runtime exploit mitigations when compiling network-facing\n software. For example, here are some of the mitigations that the\n [GNU Compiler Collection (GCC)](http://gcc.gnu.org/)\n offers and how to enable them:\n\n - Stack smash protection: Enable this with `-fstack-protector`. By default, this option protects functions with a stack-allocated buffer longer than eight bytes. To increase protection by covering functions with buffers of at least four bytes, add `--param=ssp-buffer-size=4`.\n - Address space layout randomization (ASLR): Enable this by building a position-independent executable with `-fPIC -pie`.\n - Glibc protections: Enable these protections with `-D_FORTIFY_SOURCE=2`.\n - Global Offset Table (GOT) protection: Enable this runtime loader feature with `-Wl,-z,relro,-z,now`.\n - Compile-time errors for missing format strings: `-Wformat -Wformat-security -Werror=format-security`\n- Disable\n [`CAP_SYS_MODULE`](http://man7.org/linux/man-pages/man7/capabilities.7.html),\n which allows for loading and unloading of kernel modules. To disable this\n feature, edit the `/etc/sysctl.conf` file and include the following setting:\n\n ```\n kernel.modules_disabled = 1\n ```\n- Remove the\n [kernel symbol table](http://en.wikipedia.org/wiki/System.map):\n\n ```\n sudo rm /boot/System.map\n ```\n\nWhat's next\n-----------\n\n- After your image is ready for production, [create a final version](/compute/docs/images/create-delete-deprecate-private-images) of that custom image and [include the image in an image family](/compute/docs/images/create-delete-deprecate-private-images#setting_families) so that you can easily manage updated versions of the custom image.\n- Learn how to [start an instance from an image](/compute/docs/instances/creating-and-starting-an-instance#startinginstancwithimage)."]]