CentOS 7 on Linux: remote login with sshd, key-based login, and TCP Wrappers access control

Environment for this chapter: virtual machines, one acting as the server and one as the client

Goals of this chapter: remote management with sshd, key-based authentication, TCP Wrappers access control

I. Remote login: sshd

1. Check the sshd service

[root@localhost ~]# netstat -ntap | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      3252/dnsm      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      968/sshd       // sshd is enabled by default
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      16227/sshot@pt 
tcp        0      0 192.168.17.128:49342    180.97.251.226:80       TIME_WAIT   -              
tcp        0      0 192.168.17.128:42522    202.141.176.110:80   

2. Understand the sshd server configuration file

[root@localhost ~]# vim /etc/ssh/sshd_config    // sshd server configuration file

#Port 22                  // listening port
#AddressFamily any
#ListenAddress 0.0.0.0    // listening address
#ListenAddress ::         // IPv6 listening address

#LoginGraceTime 2m    // 2-minute grace period to complete the login
#PermitRootLogin yes  // allow root login
#StrictModes yes      // check the permissions of the user's files before accepting the login
#MaxAuthTries 6       // number of authentication attempts per connection
#MaxSessions 10       // maximum of 10 sessions

#PubkeyAuthentication yes  // public key authentication enabled

3. Log in to the server as root from the client

[root@test02 ~]# ssh [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Last login: Mon Sep 16 12:07:36 2019

4. Disable remote root login on the server

#LoginGraceTime 2m
PermitRootLogin no   // forbid remote users from logging in as root (leading "#" removed so the line takes effect)
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

5. Verify from the client whether the root user can still log in

[root@test02 ~]# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 

6. From the client, log in as the ordinary user lisi, then switch to the root user (dangerous)

[root@test02 ~]# ssh [email protected]
[email protected]'s password: 
[lisi@test01 ~]$ su - root
密码:
上一次登录:一 9月 16 12:17:31 CST 2019pts/2 上
最后一次失败的登录:一 9月 16 12:25:59 CST 2019pts/2 上
最有一次成功登录后有 1 次失败的登录尝试。
[root@test01 ~]# 

7. Enable PAM authentication for su

vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid   // remove the leading "#" from this line
auth            substack        system-auth
auth            include         postlogin

8. Go to the client to verify

[lisi@test01 ~]$ su - root
密码:
su: 拒绝权限

9. After entering a wrong password three times, the client is disconnected, even though the number of attempts configured on the server is 6

[root@test02 ~]# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[root@test02 ~]# 

10. On the client, switch to root and set the number of password prompts to 8

[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]# 

11. Configure a blacklist and whitelist for SSH remote login.

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
AllowUsers [email protected]
// only allow the user chen to log in, and only from the address 192.168.17.130
[root@localhost ~]# systemctl restart sshd
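A small audit of the sshd_config settings changed in steps 2, 4 and 11, added here as an example (not code from the original post). It assumes a POSIX sh with awk; the sample files are constructed in the script, not copied from the walkthrough's hosts.

```shell
#!/bin/sh
# Added example, not from the original post: read sshd_config the way sshd does.
# The first uncommented occurrence of a keyword wins, keywords are case-insensitive,
# a line still commented out ("#Port 22") only shows the compiled-in default, and
# lines after the first "Match" apply conditionally, so the global value is whatever
# appears before it. Handles the "Keyword value" form used on the page.

# sshd_get <file> <Keyword>: print the global value, or nothing if it is unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"   { exit }        # leave the global section
        tolower($1) == key {                     # first occurrence wins
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# sshd_audit <file>: check the settings the page changes; return the number of findings.
sshd_audit() {
    f="$1"; fails=0
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-<unset>}"; fails=$((fails + 1)); }
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "FAIL PubkeyAuthentication=$v"; fails=$((fails + 1)); }
    v=$(sshd_get "$f" MaxAuthTries)
    [ "${v:-6}" -le 6 ] || { echo "FAIL MaxAuthTries=$v (over the default of 6)"; fails=$((fails + 1)); }
    v=$(sshd_get "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers unset: every local account may log in"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples (not files from the page's hosts). HARDENED mirrors the page
# after steps 4 and 11 with the keyword spelled AllowUsers; DEFAULT is an untouched
# file in which every line is still a comment.
HARDENED=$(mktemp); DEFAULT=$(mktemp)
cat > "$HARDENED" <<'EOF'
#Port 22
#PermitRootLogin yes
PermitRootLogin no
#MaxAuthTries 6
PubkeyAuthentication yes
AllowUsers chen@192.168.17.130
Match User chen
PermitRootLogin yes
EOF
printf '#Port 22\n#PermitRootLogin yes\n#MaxAuthTries 6\n#PubkeyAuthentication yes\n' > "$DEFAULT"

sshd_audit "$HARDENED" && echo "hardened config: no findings"
sshd_audit "$DEFAULT" || echo "default config: $? finding(s)"
```

Run it against the real /etc/ssh/sshd_config after editing: a line that still carries its "#" is reported as unset, which is the mistake the audit is meant to catch.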

12. Understand the three kinds of remote management

scp: remote copy
sftp get: download a file from the remote host
sftp put: upload a file to the remote host

II. Key-based login authentication

1. Enable public/private key authentication on the server

[root@localhost ~]# vim /etc/ssh/sshd_config    // sshd server configuration file

PubkeyAuthentication yes    // remove the "#" to enable public/private key authentication

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys
                            // the public key sent from the client will be stored in this file

2. On the client, generate a key pair for the user chen

[root@client ~]# ls /home/
chen
[root@client ~]# ssh-keygen -t ecdsa 
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo..  o...  |
|*=+.o...  o  .   |
|oo. =o.  .. o    |
|   +.+o..+o  o   |
|  . =+o=S....    |
| . + .=.+. .     |
|E .  . +.        |
| .    .          |
|                 |
+----[SHA256]-----+

3. Look at the directory holding the private key

[root@client ~]# ls -a
.                    .bash_logout   .dbus                 .mozilla     模板
..                   .bash_profile  .esd_auth             .ssh         视频
.1234.txt.swp        .bashrc        .ICEauthority         .tcshrc      图片
abc                  .cache         initial-setup-ks.cfg  test         文档
abc.txt              chen           is                    this         下载
anaconda-ks.cfg      chenchen       .lesshst              .viminfo     音乐
.anacond-ks.cfg.swp  .config        .local                .Xauthority  桌面
.bash_history        .cshrc         lshelp1.txt           公共
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts

4. Send the public key to the server for the user chen

[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

5. Go to the server and check whether chen's public key has arrived

[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6. Log in remotely from the client with key-pair authentication

[root@client .ssh]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_ecdsa': 
Last login: Sat Aug 10 00:32:52 2019

7. Remove the passphrase prompt for key login (non-interactive login)

[chen@localhost ~]$ exit
登出
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash  // start a bash session under the ssh-agent
[root@client .ssh]# ssh-add             // add our key pair, entering its passphrase once
Enter passphrase for /root/.ssh/id_ecdsa: 
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh [email protected]
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$ 

III. TCP Wrappers access control

Access control policy:
First hosts.allow is checked; if a matching rule is found, access is allowed.
Otherwise hosts.deny is checked; if a matching rule is found, access is denied.
If neither file contains a matching rule, access is allowed by default.

1. Configure access control on the server

[root@localhost ~]# vim /etc/hosts.allow

 hosts.allow   This file contains access rules which are used to
               allow or deny connections to network services that
               either use the tcp_wrappers library or that have been
               started through a tcp_wrappers-enabled xinetd.

               See 'man 5 hosts_options' and 'man 5 hosts_access'
               for information on rule syntax.
              See 'man tcpd' for information on tcp_wrappers

sshd:192.168.17.130   // add the only address allowed to connect

[root@localhost ~]# vim /etc/hosts.deny

hosts.deny    This file contains access rules which are used to
               deny connections to network services that either use
               the tcp_wrappers library or that have been
               started through a tcp_wrappers-enabled xinetd.

               The rules in this file can also be set up in
               /etc/hosts.allow with a 'deny' option instead.

               See 'man 5 hosts_options' and 'man 5 hosts_access'
               for information on rule syntax.
               See 'man tcpd' for information on tcp_wrappers

sshd:192.168.17.128
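The allow-then-deny decision described above, applied to the two rules just written, as an added example (not code from the original post). It assumes a POSIX sh with awk; the rule files are constructed in the script.

```shell
#!/bin/sh
# Added example, not from the original post: the hosts.allow / hosts.deny decision
# described above, run against the page's two rules. Handles "daemon_list : client_list"
# lines with ALL, exact addresses and a trailing-dot network prefix ("192.168.17.");
# EXCEPT clauses, hostnames and the option field are not modelled.

# tw_match <file> <daemon> <client-ip>: succeed if any rule in <file> matches.
tw_match() {
    awk -F: -v d="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            nd = split($1, dl, /[ \t,]+/); nc = split($2, cl, /[ \t,]+/); dm = cm = 0
            for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            for (i = 1; i <= nc; i++) {
                if (cl[i] == "ALL" || cl[i] == c) cm = 1
                else if (cl[i] ~ /\.$/ && index(c, cl[i]) == 1) cm = 1   # network prefix
            }
            if (dm && cm) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# tw_decide <allow-file> <deny-file> <daemon> <client-ip>: allow is checked first,
# then deny, and a client matching neither file is let in.
tw_decide() {
    if tw_match "$1" "$3" "$4"; then echo allow
    elif tw_match "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed files reproducing the page's rules, plus a STRICT deny file.
ALLOW=$(mktemp); DENY=$(mktemp); STRICT=$(mktemp)
echo 'sshd: 192.168.17.130' > "$ALLOW"
echo 'sshd: 192.168.17.128' > "$DENY"
echo 'ALL: ALL'             > "$STRICT"

for ip in 192.168.17.130 192.168.17.128 192.168.17.129; do
    echo "$ip: page rules -> $(tw_decide "$ALLOW" "$DENY" sshd "$ip"), \
with ALL: ALL in hosts.deny -> $(tw_decide "$ALLOW" "$STRICT" sshd "$ip")"
done
```

The third address shows why a hosts.deny that lists a single host still admits every other client: to turn hosts.allow into a whitelist, hosts.deny must catch the rest with `sshd: ALL` or `ALL: ALL`.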

That is all of the content for this chapter.


Reprinted from: blog.51cto.com/14449524/2438217