9. The ssh service in detail, and how to harden it


ssh is short for "Secure Shell protocol". Data is encrypted on the sending side before it goes onto the wire and decrypted on the receiving side, so anyone watching the network sees only ciphertext; this is what keeps the data safe in transit.

The ssh protocol was designed to secure remote login sessions and other network services. Using it for remote administration prevents the credentials and the session contents from leaking while a server is being managed.

In today's production environments the vast majority of operations teams use ssh instead of the older, insecure remote-access services such as telnet (port 23, unencrypted).

By default the ssh service provides two things: a remote login service that takes the place telnet used to have (the ssh remote connection itself), and an FTP-like file transfer service, sftp-server, which carries its data over the ssh protocol and is therefore far safer than plain FTP.

The ssh client package also contains the secure remote copy command, scp.

9.1 View the port number:

[root@web01 ~]# netstat -tunlp | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1827/sshd    # 0.0.0.0 means sshd is listening on every IPv4 interface; :22 is the port number
tcp 0 0 :::22 :::* LISTEN 1827/sshd              # ::: is the same thing for every IPv6 interface

9.2 Start the service: /etc/init.d/sshd start

9.3 View the process: ps -ef | grep sshd | grep -v grep

9.4 Start on boot: chkconfig sshd on

[root@web01 .ssh]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

1. Find the service listening on a given port number:

lsof -i :22
netstat -tunlp | grep -w 22

2. Find the port number from the process name:

netstat -tunlp | grep "sshd"

9.5 ssh summary:

1. Basic syntax of the ssh connection command:

ssh -p22 user@host

-p: the port to connect to; 22 is the default, so -p22 may be omitted

@: the user name goes in front of the @ (if you connect as the same user you are logged in as locally, the user name and the @ can be left out); the IP address or host name of the server goes after it

2. Tip: ssh -p52113 user@host /sbin/ifconfig eth0 (you will be prompted for the remote account's password)

This means running a command on the remote server through ssh while staying on the local server; the command's output comes back to the local terminal.

3. ssh connection errors:

(1) ssh -p52113 user@10.0.0.61

ssh: connect to host 10.0.0.61 port 52113: Connection refused   # the connection was rejected

Cause: sshd is not running on the remote server, the port is wrong, or a firewall rule is rejecting the connection.

(2) no route to host

Cause: usually the firewall has not been turned off. The default CentOS iptables INPUT chain ends in a REJECT rule with icmp-host-prohibited, which the ssh client reports as "No route to host"; otherwise the client genuinely has no route to that address.

4. Key points:

ssh is an encrypted protocol for connecting to Linux servers remotely.

The default port is 22. The secure protocol version is ssh2; ssh1 has known weaknesses and should not be enabled.

The ssh server provides two main services: ssh remote login and sftp.

The Linux ssh client package contains the ssh remote connection command and the scp remote copy command.

The ssh server runs as a daemon process called sshd.

9.6 ssh authentication types:

ssh protects the session with symmetric encryption (the session key is negotiated when the connection is set up, through an asymmetric key exchange) and authenticates the user either by password or by key pair. Key-based login is the safer of the two: with password login, an attacker in the middle who gets the client to trust a forged host key learns the remote server's password.

The asymmetric part works like this: each side holds a private key and publishes the matching public key. What one side signs with its private key, the other side verifies with the public key, and the root of trust is whatever vouches for the legitimacy of that public key.

Symmetric session keys exist only in memory for the life of a connection; the peers' public keys are kept on disk (the server's host key in the client's known_hosts, the user's key in the server's authorized_keys).

The trust models also differ from https. https validates the server certificate against a set of public root CAs that every client shares; ssh has no CA by default, so each host's public key is trusted individually the first time it is seen and then shared with every client that has recorded it; OpenVPN uses its own private CA, so only certificates issued by that one root are accepted.

1. Password authentication:

Vulnerable to man-in-the-middle attacks on the first connection. Any user on the client can log in to any account on the remote host whose password they know, and the remote host's public key is stored under the client's current user's ~/.ssh/ directory.

ssh -p22 user@host

Anyone who knows a server account and its password can log in through the ssh client.

When the remote host receives a user's first login request, the client has no copy of the remote host's public key and cannot verify that the host is genuine, so it prints a warning and asks whether to accept the server's public key (its fingerprint).

Once accepted, the public key is saved by the client in $HOME/.ssh/known_hosts.

That host key authenticates the key exchange which sets up the encrypted session; the login password is then sent inside the encrypted session, not encrypted directly with the host's public key.

The remote host checks the password and, if it is correct, allows the login.

On the next connection to the same host the client recognises the saved public key, skips the warning and prompts for the password straight away. If the host key no longer matches the saved one, ssh refuses to connect and warns that the remote host identification has changed, which is the signal of a possible man-in-the-middle attack.

Key authentication (the user whose home directory holds the private key on the client and the user whose home directory holds the public key on the server are paired one to one, much like the nfs user mapping; installing the public key in the first place still goes through a password login):

With password authentication the password has to be typed every time, which is tedious. ssh also offers key authentication, which removes that step.

The client generates a key pair in advance, places the public key on the remote hosts it needs to reach, and keeps the private key on the client machine.

When the client asks to log in, the remote host sends a random challenge; the client signs it with its private key and returns the signature.

The remote host verifies the signature with the public key it stored earlier; if it checks out, the user is trusted and is given a shell directly, with no password required.

2. Setting up ssh key authentication:

(1) Create the user and password on all machines as root (once ssh has been hardened, root no longer has ssh login rights):

useradd lc   (every server needs this user)

echo '123456' | passwd --stdin lc

(2) Generate the key pair:

[lc@m01 .ssh]$ ssh-keygen -t dsa   # press Enter through the prompts; the default directory is ~/.ssh/

id_dsa       # private key, mode 600

id_dsa.pub   # public key, mode 644

(3) Generate the key pair non-interactively:

[lc@m01 .ssh]$ ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1

(-P '' means an empty passphrase; -P ' ' with a space inside the quotes would set the passphrase to a single space.)

Caveat: DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later disable ssh-dss by default, so on current systems generate ssh-keygen -t ed25519 (or -t rsa -b 4096) instead, with id_ed25519 and id_ed25519.pub in place of the file names above.

(4) Send the public key to the remote host:

with the default ssh port 22:

[lc@m01 .ssh]$ ssh-copy-id -i ~/.ssh/id_dsa.pub lc@<remote_ip>

after the ssh port has been changed:

[lc@m01 .ssh]$ ssh-copy-id -i ~/.ssh/id_dsa.pub "-p 52113 lc@<remote_ip>"

(The quoted form is what the old ssh-copy-id script on CentOS 6 needed; newer versions accept ssh-copy-id -p 52113 -i ... directly.)

# This method only sends the public key. It lands in the remote user's ~/.ssh/ directory under the name 'authorized_keys' (mode 600); the private key is never sent and must never be. If ssh-copy-id is not available, copy the public key with scp into the target user's home directory, append it to ~/.ssh/authorized_keys, and set the mode to 600 (and 700 on ~/.ssh).
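As an added example (not from the original post), the following shell functions do the part of step (4) that ssh-copy-id is used for, in a way that can be re-run safely: install a public key into a user's authorized_keys exactly once, with the permission bits sshd's StrictModes check requires. The home directory and the ed25519 key line are constructed for the demo and are not real; run the file with `sh install_key.sh demo` to watch it on a temporary directory.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installation with the modes sshd
# requires (~/.ssh 700, authorized_keys 600; StrictModes rejects looser ones).
# ssh-copy-id appends blindly, so running it twice leaves duplicate lines.

# install_authorized_key HOME_DIR "KEYTYPE BASE64 [COMMENT]"
# Appends the key unless a line with the same type and key material exists.
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # The key type and base64 blob identify a key; the trailing comment does not.
    key_id=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        return 0        # already installed, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_keys HOME_DIR -> number of key lines in authorized_keys
count_keys() {
    awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# file_mode PATH -> permission bits in octal (GNU stat, with BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a temporary home directory; the key below is constructed, not real.
if [ "${1:-}" = "demo" ]; then
    demo_home=$(mktemp -d)
    demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYNOTREAL000000000000000000000000000 lc@m01'
    install_authorized_key "$demo_home" "$demo_key"
    install_authorized_key "$demo_home" "$demo_key"
    echo "keys: $(count_keys "$demo_home"), mode: $(file_mode "$demo_home/.ssh/authorized_keys")"
    rm -rf "$demo_home"
fi
```

Matching on key type plus key material rather than the whole line means the same key pushed from two jump hosts with different comments is still stored once; a different key is appended as a second line, which is how several administrators share one account.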

9.7 Three ways enterprises set up ssh connections:

1. Direct root ssh key:

Requires allowing root to log in over ssh; relatively insecure.

2. Copy as an unprivileged user, then use sudo to escalate for the final write (when root login is disabled):

[lc@m01 ~]$ scp -P52113 /etc/hosts lc@<remote_ip>:/home/lc/   # encrypted, but not incremental
hosts 100% 360 0.4KB/s 00:00

3. Copy the data through an ssh tunnel with rsync:

[lc@m01 ~]$ rsync -avz /etc/hosts -e "ssh -p 52113" lc@<remote_ip>:/home/lc/   # incremental and encrypted

On each target server, as root, give lc a sudo rule for rsync (edit with visudo, or append and then check the file with visudo -c):

lc ALL=(ALL) NOPASSWD: /usr/bin/rsync

[lc@m01 ~]$ ssh -p52113 -t lc@<remote_ip> sudo rsync -vz ~/hosts /etc/   # the rsync on the remote side runs with root privileges

Caveat: limiting the rule to /usr/bin/rsync narrows what a stolen lc key can run directly, but it is not a real privilege boundary, since rsync running as root can overwrite any file, /etc/sudoers included.

4. Copying via suid (root login disabled; for understanding only, never for a real environment: setting the suid bit on a command (quite insecure) lets every user run that command with root privileges even though they could not otherwise use it, and the copied file keeps the current user's ownership):

[lc@m01 ~]$ scp -P52113 /etc/hosts lc@nfs01:/home/lc/
hosts 100% 360 0.4KB/s 00:00

[root@nfs01 .ssh]# chmod u+s `which rsync`
[root@nfs01 .ssh]# ls -l `which rsync`
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync

[lc@m01 ~]$ ssh -p52113 lc@nfs01 rsync -avz ~/hosts /etc/   # connects to nfs01; -a preserves the original owner, so /etc/hosts ends up owned by lc

A setuid-root rsync lets any local account read or overwrite any file on the system (/etc/shadow, /etc/sudoers), which is the same as handing out root.

5. Batch distribution script (escalates with sudo; saltstack can be used instead):

[root@m01 ~]# mkdir -p /server/scripts
[root@m01 ~]# vim /server/scripts/fenfa.sh

#!/bin/sh
# Push /etc/hosts from the jump host to each managed server as the unprivileged
# lc user, then use lc's sudo right on the remote side to move it into /etc.
. /etc/init.d/functions
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

for n in 8 31 41; do
    # key-based login as lc; sshd on the targets listens on 52113.
    # The && makes a failed scp count as a failure instead of silently
    # re-installing a stale ~/hosts from an earlier run.
    scp -P52113 /etc/hosts lc@172.16.1.${n}:/home/lc >/dev/null 2>&1 &&
    ssh -p52113 -t lc@172.16.1.${n} sudo rsync -az ~/hosts /etc/hosts >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        action "hosts 172.16.1.$n" /bin/true
    else
        action "hosts 172.16.1.$n" /bin/false
    fi
done

[lc@m01 ~]$ sh /server/scripts/fenfa.sh

9.8 Hardening the default sshd login configuration:

1. Back up before changing the configuration:

cp -av /etc/ssh/{sshd_config,sshd_config.ori}

Tip: the ssh service generally works well with its default configuration. When the security requirements are modest and the machine only provides ssh, nothing needs to be changed.

2. Relevant parameters:

Port: the port sshd listens on, default 22. The directive may be repeated to listen on several ports. By default sshd listens on all of the machine's network interfaces;

ListenAddress binds it to one specific address (optionally with a port).

PermitEmptyPasswords: whether accounts with an empty password may log in remotely; default no.

PermitRootLogin: whether root may log in; yes allows it (the default in this version), no forbids it. Two further values:

without-password: root may log in, but not with password authentication (keys only). OpenSSH 7.0 renamed this prohibit-password and made it the default; in the version here it is not enabled by default.

forced-commands-only: root may log in with public key authentication only when the key carries a command= option, and every other authentication method is disabled. This value is commonly used for remote backups.

GSSAPIAuthentication: setting it to no avoids the slow connection setup between Linux hosts when Kerberos/GSSAPI is not in use.

UseDNS: whether sshd reverse-resolves the client address and checks that the name maps back to the same IP. The default is yes in this version (OpenSSH 6.8 and later default to no).

3. A Windows server's default remote port is 3389, its administrator account is administrator and its ordinary user is guest. On Linux the administrator account is root, there are several default ordinary accounts, and the remote connection port is 22. Attackers know all of this, so for the system's safety hide or change these settings.

Disable the unused accounts listed in /etc/passwd. The post comments them out by hand; locking them (usermod -L user or passwd -l user) or giving them a /sbin/nologin shell achieves the same without editing /etc/passwd directly.

4. Hardened settings:

vim /etc/ssh/sshd_config

13 Port 52113                        # change the port to 52113
15 ListenAddress 172.16.1.61:52113   # listen only on the internal address and that port
42 PermitRootLogin no                # root may not log in over ssh
65 PermitEmptyPasswords no           # no logins with an empty password
80 GSSAPIAuthentication no           # fixes slow ssh connections
122 UseDNS no                        # no reverse DNS lookups

Or, as root, insert all six above line 13 in one go:

[root@m01 ~]# sed -i '13 i Port 52113\nListenAddress 172.16.1.61:52113\nPermitRootLogin no\nPermitEmptyPasswords no\nGSSAPIAuthentication no\nUseDNS no' /etc/ssh/sshd_config

sshd honours the first occurrence of each keyword, so values inserted this high in the file win over the commented defaults below them; running the sed a second time, however, inserts a second copy of every line, so check with grep -n '^Port' /etc/ssh/sshd_config before reloading.
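Added example, not from the post: the sed approach above inserts the six directives unconditionally, and because sshd uses the first occurrence of a keyword, a second run or a later hand edit produces either a duplicate or a silently shadowed setting. The function below sets a directive in place (replacing a commented or live occurrence and dropping later duplicates, or appending it above any Match block if absent), and the two helpers read back the value sshd will actually use. The sample config is constructed for the demo; on a real host run `sshd -t` after editing and before `/etc/init.d/sshd reload`.

```shell
#!/bin/sh
# Added example: idempotent sshd_config edits. sshd uses the FIRST occurrence of
# a keyword, so appending "PermitRootLogin no" below an existing
# "PermitRootLogin yes" changes nothing, and re-running a sed insert duplicates
# lines. set_sshd_option rewrites the first (commented or live) occurrence,
# swallows later duplicates, and otherwise adds the directive before any Match
# block, because directives after "Match" apply only inside that block.
# It treats every keyword as single-valued, which is what the hardening wants.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and a leading #
            split(line, f, "[ \t]+")
            kw = tolower(f[1])                    # sshd keywords are case-insensitive
            if (kw == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                              # drop duplicates, live or commented
            }
            if (kw == "match" && $0 !~ /^[ \t]*#/ && !done) {
                print key " " value; done = 1     # keep it global, above the Match block
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEYWORD -> effective (first live) value, empty if unset
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# count_sshd_option FILE KEYWORD -> number of live occurrences (should be 1)
count_sshd_option() {
    awk -v key="$2" 'BEGIN { n = 0 }
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { n++ }
        END { print n }
    ' "$1"
}

# Demo on a constructed config (not a real sshd_config): harden it twice and
# show that the second pass changes nothing.
if [ "${1:-}" = "demo" ]; then
    cfg=$(mktemp)
    printf '#Port 22\n#ListenAddress 0.0.0.0\n#PermitRootLogin yes\nPasswordAuthentication yes\n#UseDNS yes\n' > "$cfg"
    for pass in 1 2; do
        set_sshd_option "$cfg" Port 52113
        set_sshd_option "$cfg" ListenAddress 172.16.1.61:52113
        set_sshd_option "$cfg" PermitRootLogin no
        set_sshd_option "$cfg" PermitEmptyPasswords no
        set_sshd_option "$cfg" GSSAPIAuthentication no
        set_sshd_option "$cfg" UseDNS no
    done
    cat "$cfg"; rm -f "$cfg"
fi
```

The awk pass rewrites the whole file into a temporary copy and moves it into place, so a crash midway leaves the original untouched; keep the sshd_config.ori backup from step 1 regardless, and compare with vimdiff as the next step does.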

5. Compare with vimdiff:

vimdiff sshd_config sshd_config.ori

6. Reload sshd gracefully (existing sessions stay connected); run sshd -t first so a syntax error in the config is caught before the reload:

/etc/init.d/sshd reload

7. Verify the connection:

[root@web01 ~]# ssh -p52113 root@10.0.0.61   # the public interface: refused, because sshd now listens only on 172.16.1.61
ssh: connect to host 10.0.0.61 port 52113: Connection refused

[root@web01 ~]# ssh -p52113 root@172.16.1.61   # root login has been disabled, so root cannot log in
root@172.16.1.61's password:
Permission denied, please try again.

[root@web01 ~]# ssh -p52113 lc@172.16.1.61   # login succeeds
lc@172.16.1.61's password:
welcom to lc_linux
[lc@m01 ~]$

# After logging in, the user can still su - root. To protect the root password it is better to grant each user just the sudo rights they need; the rule set here with visudo was (lc ALL=(ALL) NOPASSWD:ALL), which is full root without a password, so it protects the root password but not root itself.

8. Users also can no longer log in with SecureCRT (scrt) until the port and address in its session settings are updated.

9. How to prevent ssh login intrusions:

Log in with keys, not passwords.

The "Mangniu formation" (牤牛阵法) for ssh security:

Close ssh off at the firewall and allow only specific source IPs (the LAN, trusted public addresses)

Have sshd listen only on the internal IP (ListenAddress 172.16.1.41:52113)

Avoid giving servers public IP addresses wherever possible

(1) Every server has the lc user, with sudo rights (lc ALL=(ALL) NOPASSWD:ALL); lc can be regarded as the administrator;

(2) The jump host and the other servers have ssh key login set up between their lc users;

(3) ssh has been hardened: it listens on a specific interface and port, and root login is not allowed;

(4) This setup does not affect network connectivity; it only changes where remote connections are accepted from. It is most useful when a server has both a public and an internal interface; on a purely internal network it can be skipped.
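Added example, not part of the original post: the hardening above shrinks the attack surface, but you still want to know whether anyone is guessing passwords against the port you left open. These functions scan sshd's lines from /var/log/secure (the CentOS 6 syslog format) and report source addresses with repeated failed passwords, plus any password login accepted from a source that had been failing just before, which is the signature of a guess that landed. The log lines are constructed for the demo and use documentation-range addresses; on a real host feed the live log through the functions instead, as the usage comment shows.

```shell
#!/bin/sh
# Added example: detect password guessing against sshd from /var/log/secure
# (CentOS 6 syslog lines). The sample below is constructed; the addresses are
# documentation ranges (RFC 5737), not real hosts.

SAMPLE_LOG='Feb 15 10:01:02 m01 sshd[2101]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 15 10:01:04 m01 sshd[2101]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 15 10:01:05 m01 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Feb 15 10:01:07 m01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 41031 ssh2
Feb 15 10:01:09 m01 sshd[2107]: Failed password for lc from 203.0.113.9 port 41040 ssh2
Feb 15 10:01:11 m01 sshd[2107]: Accepted password for lc from 203.0.113.9 port 41040 ssh2
Feb 15 10:02:00 m01 sshd[2110]: Failed password for lc from 172.16.1.41 port 52200 ssh2
Feb 15 10:02:03 m01 sshd[2110]: Accepted publickey for lc from 172.16.1.41 port 52200 ssh2
Feb 15 10:03:00 m01 sshd[2112]: Failed password for invalid user test from 198.51.100.77 port 39000 ssh2'

# failed_logins_by_ip THRESHOLD   (log on stdin)
# Prints "IP COUNT" for every source with at least THRESHOLD failed passwords.
failed_logins_by_ip() {
    awk -v th="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= th) print ip, fails[ip] }
    ' | sort
}

# success_after_failures   (log on stdin)
# Prints "USER IP" for each password login accepted from a source that had
# already failed earlier in the log: the signature of a guess that landed.
# Key-based logins ("Accepted publickey") are deliberately not flagged.
success_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") { ip = $(i+1); break } }
            if (fails[ip] > 0) print user, ip
        }
    ' | sort
}

# Demo on the constructed sample. On a real host use the live log instead:
#   grep sshd /var/log/secure | failed_logins_by_ip 5
if [ "${1:-}" = "demo" ]; then
    echo "sources with >= 3 failed passwords:"
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3
    echo "password logins accepted after failures:"
    printf '%s\n' "$SAMPLE_LOG" | success_after_failures
fi
```

A single failure from the internal jump host (172.16.1.41) followed by a key login is normal operator behaviour and is not reported; five failures across several account names from one public address followed by an accepted password is exactly the case where the account's password should be rotated and the source blocked at the firewall.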


Origin www.cnblogs.com/LiuChang-blog/p/12315029.html