1. Description of the remote service concept

| Service | Function | Port | Typical use | Root remote login |
|---|---|---|---|---|
| ssh | Remote secure connection | 22 | Internet server | root can log in remotely by default |
| telnet | Remote connection | 23 | Network equipment connected to the computer-room LAN | root cannot log in remotely |
A remote service lets you connect to and manage a host remotely, and download and transfer data remotely. The SSH and telnet services are the ones used for remote connections.

SSH: encrypted data transmission (higher security, more complexity); accessed over an Internet connection on port 22; remote login by the root user is supported by default.

Telnet: cleartext transmission (lower security, less complexity); accessed over a LAN connection on port 23; remote login by the root user is forbidden by default.

telnet service

The telnet-server service on Linux does not allow the root user to log in; you can only log in as a normal user and then switch with the su command.

On Linux, `ssh root@172.16.1.41` connects as root; when no user is given, ssh uses the name of the current local user.
2. Principle of the remote service connection

2.1 ssh connection diagram

2.2 ssh connection process

Client: sends a request to establish a connection
Server: replies with key information for confirmation
Client: confirms the key information
Server: sends its public key information
Client: receives and saves the public key (in ~/.ssh/known_hosts) and sends a confirmation
Server: sends the password verification prompt (encrypted)
Client: enters the password information (encrypted)
The connection is established and data is transmitted (encrypted)
3. Remote connection

3.1 Remote connection based on a password

Steps: ① ssh + IP address ② enter the user name ③ enter that user's password. For example: ① ssh 10.0.0.8 ② root ③ abc123
3.2 Remote connection based on a key

3.2.1 Simple configuration

Management server (m01, 192.168.81.161):

Step 1: Create a key pair

```bash
[root@m01 ~]# ssh-keygen -t dsa    # generate the public and private keys
[root@m01 ~]# ll ~/.ssh/id*
```

Step 2: The management end distributes the public key (interaction is required here)

```bash
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@192.168.81.163
```

Step 3: Test the remote connection (it connects directly, without asking for a password)

```bash
[root@m01 ~]# ssh root@192.168.81.163 hostname
```

At this point there are two problems: 1. how to manage multiple hosts in batches, and 2. how to write a script that distributes the public key in batches.

The simplest way to write the script is to pile up commands:

```bash
#!/bin/bash
for ip in 163 164
do
    ssh-copy-id -i /root/.ssh/id_dsa.pub root@192.168.81.$ip
done
```

But problems remain:

1. You still need to confirm yes/no (the host key prompt)
2. You still need to enter the password
3. If the service port number has changed, how do you distribute the public key?
3.2.2 Distributing the public key without interactive password input

Step 1: download and install the sshpass software:

```bash
yum install -y sshpass
```

Step 2: run the interaction-free public key distribution command:

```bash
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub root@192.168.81.163
```

If the service port number has changed, distribute the public key in batches like this (StrictHostKeyChecking=no skips the yes/no host key prompt):

```bash
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub -p 52113 -o StrictHostKeyChecking=no root@192.168.81.163
```

Note that a password given with `sshpass -p` is visible in the process list to every local user; `sshpass -f` reads it from a file instead.
3.2.3 Batch distribution of the public key with a script

1. Prepare the host address file used by the script:

```bash
cat /server/scripts/ip_list.txt
192.168.81.163
192.168.81.164
192.168.81.165
```

2. Script for distributing the public key in batches:

```bash
# cat distribute_public_key.sh
#!/bin/bash
for ip in $(cat /server/scripts/ip_list.txt)
do
    sshpass -p654321 ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no $ip &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $ip distribute_key"
        echo "public key distribute success"
        echo ""
    else
        echo "to $ip distribute_key"
        echo "public key distribute failed"
        echo ""
    fi
done
```
3. Public key check script (batch management script), running serially:

```bash
[root@m01 scripts]# cat check_pub_key.sh
#!/bin/bash
CMD=$1
for ip in $(cat /server/scripts/ip_list.txt)
do
    echo "==================== host $ip check ===================="
    ssh $ip "$CMD"
    echo ""
done
```
4. Analysis of the SSH service configuration file

/etc/ssh/sshd_config

- Port 22 --- the port the service listens on (commented out by default; the default port is 22)
- ListenAddress 0.0.0.0 --- which network card (address) accepts connections. PS: the listening address must be an address on a local network card
- PermitRootLogin no --- whether the root user may connect remotely; recommended: change to no
- PermitEmptyPasswords no --- whether remote users may log in with an empty password; recommended: change to no
- PasswordAuthentication yes --- whether password authentication is supported for remote connections
- GSSAPIAuthentication no --- whether GSSAPI authentication is used; turn it off when not in use
- UseDNS no --- whether to perform reverse DNS resolution on connecting clients; recommended: turn it off
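As an added example (not from the original page), a small shell audit that reads an sshd_config and reports every directive that differs from the recommended values above; the config it reads is a constructed sample file, and the `sshd_value` and `audit_sshd_config` names are mine.

```shell
#!/bin/bash
# Added example: audit an sshd_config against the values recommended above.
# The config below is a constructed sample, not a real host's file.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
ListenAddress 0.0.0.0
#PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
GSSAPIAuthentication yes
#UseDNS yes
EOF

# Effective value of a keyword: sshd uses the first uncommented occurrence,
# so print that one; fall back to $3 when the keyword is not set at all.
# (Assumes "Key value" syntax; Match blocks are not handled here.)
sshd_value() {
    local v
    v=$(awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1")
    echo "${v:-$3}"
}

# One "Key current->recommended" line per deviation; returns 1 if any found.
audit_sshd_config() {
    local cfg=$1 rc=0 rule key want cur
    for rule in PermitRootLogin:no PermitEmptyPasswords:no GSSAPIAuthentication:no UseDNS:no; do
        key=${rule%%:*}
        want=${rule#*:}
        cur=$(sshd_value "$cfg" "$key" unset)   # "unset" also counts as a deviation
        if [ "$cur" != "$want" ]; then
            echo "$key $cur->$want"
            rc=1
        fi
    done
    # ListenAddress 0.0.0.0 (or unset) means every interface, public ones included;
    # the hardening advice in section 6 is to listen on the internal address only.
    cur=$(sshd_value "$cfg" ListenAddress 0.0.0.0)
    case $cur in
        0.0.0.0|::) echo "ListenAddress $cur->internal-interface-only"; rc=1 ;;
    esac
    return $rc
}

audit_sshd_config "$SAMPLE_CFG" || echo "sshd_config deviates from the recommendations"
```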
5. Enterprise environment batch public key distribution exercise

5.1 Corporate environment

| Host | User | Password | ssh service port |
|---|---|---|---|
| m01 | root | linux@123 | 22 |
| web01 | root | linux@123 | 65531 |
| web02 | root | linux@123 | 65532 |
| nfs01 | root | linux@123 | 65533 |
| backup | root | linux@123 | 65534 |

5.2 Write the host information file

```bash
cat /server/scripts/ip_list.txt
192.168.81.162:linux@123:65531
192.168.81.163:linux@123:65532
192.168.81.164:linux@123:65533
192.168.81.165:linux@123:65534
```

5.3 Write the batch public key distribution script

```bash
# cat distribute_public_key.sh
#!/bin/bash
for host in $(cat /server/scripts/ip_list.txt)
do
    host_ip=$(echo $host | awk -F ":" '{print $1}')
    host_pass=$(echo $host | awk -F ":" '{print $2}')
    host_port=$(echo $host | awk -F ":" '{print $3}')
    sshpass -p$host_pass ssh-copy-id -i /root/.ssh/id_rsa.pub -p$host_port -o StrictHostKeyChecking=no $host_ip &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $host_ip distribute_key"
        echo "public key distribute ok"
        echo ""
    else
        echo "to $host_ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done
```
6. SSH remote service intrusion prevention plan

1. Log in with a key, and log in through a VPN / bastion host without a password.
2. Two ways to solve the SSH security problem:
   a. The firewall closes SSH and only allows specified source IPs (LAN, trusted public network addresses)
   b. SSH stays open but listens only on the internal network IP (ListenAddress 192.168.81.162)
3. Try not to give the server a public (external) IP.
4. Minimization: install only the software that is needed and grant only the authorization that is needed.
5. Make fingerprints of the system's important files and commands: /etc/profile, /etc/rc.local and /etc/passwd (md5sum 11110000aaaabbbb, monitored), and monitor /bin with inotify.
6. Lock important files: chattr +i +a
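As an added example (not from the original page), the md5sum fingerprint idea from item 5 carried through as a baseline plus a check that reports which files changed; the files are constructed copies in a temporary directory, and the `make_baseline` and `check_baseline` names are mine.

```shell
#!/bin/bash
# Added example: fingerprint important files with md5sum (item 5 above) and
# report which ones changed. The files are constructed copies in a temp dir,
# not the real /etc/profile, /etc/rc.local and /etc/passwd.
WORK=$(mktemp -d)
printf 'export PATH=$PATH:/usr/local/bin\n' > "$WORK/profile"
printf 'touch /var/lock/subsys/local\n'     > "$WORK/rc.local"
printf 'root:x:0:0:root:/root:/bin/bash\n'  > "$WORK/passwd"
BASELINE="$WORK/fingerprint.md5"

# Record "hash  path" for each file. The baseline itself must be protected
# (chattr +i as in item 6, or keep a copy off the host), otherwise whoever
# changes a file can simply rewrite its recorded hash as well.
make_baseline() {
    md5sum "$@" > "$BASELINE"
}

# Print "path CHANGED" or "path MISSING" for every deviation from the baseline;
# return 0 only when every file still matches. (md5sum -c does the same check;
# this version spells out the comparison so the logic is visible.)
check_baseline() {
    local rc=0 hash path
    while read -r hash path; do
        if [ ! -e "$path" ]; then
            echo "$path MISSING"; rc=1
        # md5sum is given the path, not the loop's stdin (see section 7)
        elif [ "$(md5sum "$path" | awk '{print $1}')" != "$hash" ]; then
            echo "$path CHANGED"; rc=1
        fi
    done < "$BASELINE"
    return $rc
}

make_baseline "$WORK/profile" "$WORK/rc.local" "$WORK/passwd"
check_baseline && echo "all fingerprints match"
```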
7. Common problems with remote transmission

When reading file information with `while read line`, the loop is suddenly interrupted.

Analysis point 01: without the ssh command in the loop body, the loop is correct.
Analysis point 02: as long as the ssh command is given its own standard input, the loop is correct.
Analysis point 03: changing the loop form (a for loop) makes the loop run correctly.
Analysis point 04: putting the ssh command into the background makes the loop run correctly.

Reason: the `cat` command reads all of the file's information into a memory buffer at once, whereas `while read` reads one line at a time from that buffer, which is the normal line-by-line reading. With `while read line` plus `ssh`, the ssh command reads the remaining buffer as its standard input and empties it, so the loop ends early.
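As an added example (not from the original page), the interrupted loop reproduced in plain shell together with the fixes from analysis points 02 and 03; the host list is constructed, and `remote_cmd` is my stand-in for `ssh $ip hostname` that, like ssh, reads its standard input.

```shell
#!/bin/bash
# Added example: why "while read line" + ssh stops after the first host,
# and the fixes from analysis points 02 and 03. The host list is constructed,
# and remote_cmd stands in for "ssh $ip hostname": like ssh, it reads its
# standard input, which is exactly what empties the loop's buffer.
HOSTS_FILE=$(mktemp)
printf '192.168.81.163\n192.168.81.164\n192.168.81.165\n' > "$HOSTS_FILE"

remote_cmd() {
    cat >/dev/null          # swallow stdin, as ssh does while the session is open
    echo "checked $1"
}

# Broken form: remote_cmd inherits the loop's stdin (the rest of the file)
# and reads it all, so the next "read" sees end-of-file. Prints the
# number of hosts processed.
count_broken() {
    local n=0
    while read -r ip; do
        remote_cmd "$ip" >/dev/null
        n=$((n + 1))
    done < "$HOSTS_FILE"
    echo "$n"
}

# Fix (analysis point 02): give the command its own stdin. With real ssh,
# "ssh -n" or "ssh ... </dev/null" achieves this.
count_fixed_stdin() {
    local n=0
    while read -r ip; do
        remote_cmd "$ip" </dev/null >/dev/null
        n=$((n + 1))
    done < "$HOSTS_FILE"
    echo "$n"
}

# Fix (analysis point 03): a for loop expands the whole file up front,
# so there is no shared stdin for the command to drain.
count_fixed_for() {
    local n=0
    for ip in $(cat "$HOSTS_FILE"); do
        remote_cmd "$ip" >/dev/null
        n=$((n + 1))
    done
    echo "$n"
}

echo "while read + ssh-like command: $(count_broken) of 3 hosts"
echo "with </dev/null: $(count_fixed_stdin) of 3; with for loop: $(count_fixed_for) of 3"
```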