1.使用ssh服务管理远程主机
1.1 什么是openssh
openssh指系统中使用的SSH(SecureSHell)软件的软件实施。SSH协议簇可以用来进行远程控制,或在计算机之间传送文件。而openssh提供了服务端后台程序和客户端工具,用来加密远程控制和文件传输过程中的数据,并由此来代替原来的类似服务。
常见的远程登录工具有:
- ssh
- telnet
- dropbear
ssh //协议端口是22,tcp连接
通信过程和认证过程都是加密的,比较安全
telnet //协议端口是23,tcp连接
认证过程和数据传输都是明文的,不安全,一般都是用来测试路由
dropbear //嵌入式系统专用的SSH服务器端和客户端工具
1.2 SSH版本
openssh有两个版本,分别为v1和v2,其特点如下:
v1:基于CRC-32做MAC,无法防范中间人(man-in-middle)攻击(ARP欺骗)
v2:双方主机协议选择安全的MAC方式。基于DH算法做密钥交换,基于RSA或DSA算法实现身份认证
1.3 SSH认证方式
openssh有两种认证方式:
- 基于口令认证
- 基于密钥认证
1.4 OpenSSH的工作模式
openssh是基于C/S架构工作的
什么是C/S架构?
C代表客户端,S代表服务器,意思是基于客户端和服务器工作的
注:还有B/S架构,什么是B/S架构
B代表浏览器,S代表服务器,意思是基于浏览器和服务器工作的
服务器 //sshd,配置文件在/etc/ssh/sshd_config
客户端 //ssh,配置文件在/etc/ssh/sshd_config
ssh-keygen //密钥生成器
ssh-copy-id //将公钥传输至远程服务器
scp //跨主机安全复制工具
1.5 Secure Shell 示例
1.5.1 创建网络会话
开启两台虚拟机,一台做服务器,一台做客户端
//以当前用户身份创建远程交互式shell,然后在结束时使用exit命令返回到之前的shell
[root@zhangmianli ~]# ssh root@192.168.194.163
The authenticity of host '192.168.194.163 (192.168.194.163)' can't be established.
ECDSA key fingerprint is SHA256:3y0WkvBShyCWitvXWN3rwEp7UVLFDdU7togRByB/BKI.
ECDSA key fingerprint is MD5:f1:0a:a6:4d:7a:a3:aa:fb:22:ab:15:fb:01:13:47:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.194.163' (ECDSA) to the list of known hosts.
root@192.168.194.163's password:
Last login: Mon Jan 7 16:37:24 2019 from 192.168.194.1
[root@szhangmianli ~]#
Last login: Mon Jan 7 16:37:24 2019 from 192.168.194.1
[root@szhangmianli ~]# exit
logout
Connection to 192.168.194.163 closed.
[root@zhangmianli ~]#
//以其他用户身份(且并且是当前用户身份)在选定主机上连接到远程shell
1.在客户端上创建用户zml,切换用户
2.远程登录服务器,输入客户端创建用户的用户密码
[zml@zhangmianli ~]$ ssh 192.168.194.163
zml@192.168.194.163's password:
Permission denied, please try again.
zml@192.168.194.163's password:
3.登录失败,权限拒绝,在服务器上创建用户zml
4.再次使用密码登录
[zml@zhangmianli ~]$ ssh 192.168.194.163
zml@192.168.194.163's password:
Last failed login: Mon Jan 7 16:48:12 CST 2019 from 192.168.194.162 on ssh:notty
There were 8 failed login attempts since the last successful login.
[zml@szhangmianli ~]$
//以远程用户身份在远程主机上通过将输出返回到本地显示器的方式来执行命令
[root@zhangmianli ~]# ssh root@192.168.194.163 'touch zz'
root@192.168.194.163's password:
[root@szhangmianli ~]# ll
total 4
-rw-------. 1 root root 1445 Jan 7 11:51 anaconda-ks.cfg
-rw-r--r--. 1 root root 0 Jan 7 16:57 zz
[root@zhangmianli ~]# ssh root@192.168.194.163 'rm -rf zz'
root@192.168.194.163's password:
[root@szhangmianli ~]# ll
total 4
-rw-------. 1 root root 1445 Jan 7 11:51 anaconda-ks.cfg
//w命令可以显示当前登录到计算机的用户列表。这对于显示哪些用户使用ssh从哪些远程位置进行了登录以及执行了何种操作等内容特别有用
[root@szhangmianli ~]# w
16:59:10 up 34 min, 2 users, load average: 0.01, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 16:26 32:14 0.29s 0.29s -bash
root pts/0 192.168.194.1 16:56 6.00s 0.02s 0.01s w
1.6 SSH主机密钥
ssh通过公钥加密的方式保持通信安全。(服务器是公钥)当客户端通过ssh远程连接服务器时,在客户端登录之前,服务器回向其发送公钥副本。公钥副本如下:
[root@zhangmianli ~]# ssh root@192.168.194.163
The authenticity of host '192.168.194.163 (192.168.194.163)' can't be established.
ECDSA key fingerprint is SHA256:3y0WkvBShyCWitvXWN3rwEp7UVLFDdU7togRByB/BKI.
ECDSA key fingerprint is MD5:f1:0a:a6:4d:7a:a3:aa:fb:22:ab:15:fb:01:13:47:94.
Are you sure you want to continue connecting (yes/no)?
当客户端第一次使用ssh连接远程服务器后,在客户端当前用户下的/.ssh目录下有一个known_hosts文件,此文件存储登录服务器的公钥。之后用户再次登录时,就不会弹出公钥副本,并且客户端会通过对比/.ssh/known_hosts文件中的服务器条目和服务器发送的公钥,确保从服务器获得相同的公钥。如果公钥不匹配,客户端会假定网络通信已遭劫持或服务器已被入侵,并且中断连接。
这就意味着,如果服务器的公钥发生更改(由于硬盘出现故障导致公钥丢失,或者出于某些正当理由替换公钥),用户则需要更新其~/.ssh/known_hosts文件并删除旧的条目才能够进行登录
//主机ID存储在本地客户端系统上的 ~/.ssh/known_hosts 中
1.检查~/.ssh目录下的known_hosts文件是否有东西
[root@zhangmianli ~]# cd .ssh/
[root@zhangmianli .ssh]# ls
known_hosts
[root@zhangmianli .ssh]# cat known_hosts
[root@zhangmianli .ssh]#
2.客户端第一次远程登录
[root@zhangmianli ~]# ssh root@192.168.194.163
The authenticity of host '192.168.194.163 (192.168.194.163)' can't be established.
ECDSA key fingerprint is SHA256:3y0WkvBShyCWitvXWN3rwEp7UVLFDdU7togRByB/BKI.
ECDSA key fingerprint is MD5:f1:0a:a6:4d:7a:a3:aa:fb:22:ab:15:fb:01:13:47:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.194.163' (ECDSA) to the list of known hosts.
root@192.168.194.163's password:
Last login: Mon Jan 7 17:03:58 2019 from 192.168.194.1
[root@szhangmianli ~]# exit
logout
Connection to 192.168.194.163 closed.
[root@zhangmianli ~]# cat .ssh/known_hosts
192.168.194.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIFD06TmUK5SOJ5BinazXrLvNEfxmvzdXtHwf/vn861QJDKSgNMZj6Vm78mnMH/vB/VgdkypS7DTB9cI5j95hwc=
2.配置基于SSH密钥的身份认证
客户端可通过使用公钥身份验证进行ssh远程登录(公钥身份就是服务器登录的密钥)。ssh允许用户使用私钥-公钥方案进行身份验证。这意味着将生成私钥和公钥这两个密钥。私钥文件用作身份验证凭据,像密码一样。公钥复制到用户希望登录的系统,用于验证私钥。公钥并不需要保密。拥有公钥的ssh服务器可以发布仅持有您私钥的系统才可解答的问题。因此,可以根据所持有的密钥进行验证。如此一来,就不必在每次访问系统时键入密码,但安全性仍能得到保证。
使用ssh-keygen命令生成密码。将会生成私钥/.ssh/id_rsa和公钥/.ssh/id_rsa.pub。
注意:
生成密钥时,系统将提供指定密码的选项,在访问私钥时必须提供该密码。如果私钥被偷,除颁发者之外的其他任何人很难使用该私钥,因为已使用密码对其进行保护。这样,在攻击者破解并使用私钥前,会有足够的时间生成新的密钥对并删除所有涉及旧密钥的内容。
生成ssh密钥后,密钥将默认存储在家目录下的.ssh/目录中。私钥和公钥的权限就分别为600和644。.ssh目录权限必须是700。
在使用基于密钥的身份验证前,需要将客户端的公钥复制到服务器上。可以使用ssh-copy-id完成这一操作
通过ssh-copy-id将密钥复制到另一系统时,它默认复制~/.ssh/id_rsa.pub文件
//SSH密钥演示
//使用ssh-keygen生成密钥,会生成一对密钥,公钥和私钥
[root@zhangmianli ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): //使用默认的公钥文件名
Enter passphrase (empty for no passphrase): //给私钥设置密码
Enter same passphrase again: //再次输入
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:zIGHab9mcIUkw9GNKmEm6ZkE6NUGtODSdOhb31bxfrg root@zhangmianli
The key's randomart image is:
+---[RSA 2048]----+
|ooo=+.+o.o |
|oo*o=o.Bo.o |
|o=oB..=.+ .o |
|..= o..= o. . |
| o o..S. . . |
| . .oo. o . |
| .+ o |
| o E |
| |
+----[SHA256]-----+
//使用 ssh-copy-id 将公钥复制到远程系统上的正确位置
[root@zhangmianli ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts
[root@zhangmianli ~]# ssh-copy-id root@192.168.194.163
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.194.163's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.194.163'"
and check to make sure that only the key(s) you wanted were added.
//使用ssh命令远程登录无需输入密码
[root@zhangmianli ~]# ssh root@192.168.194.163
Last login: Mon Jan 7 17:15:28 2019 from 192.168.194.162
[root@szhangmianli ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d9:80:64 brd ff:ff:ff:ff:ff:ff
inet 192.168.194.163/24 brd 192.168.194.255 scope global dynamic ens32
valid_lft 1294sec preferred_lft 1294sec
inet6 fe80::d76:7c88:ee44:7b78/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7744:d652:d7f2:4ae/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
//更改公钥文件名
[root@zhangmianli ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/zz_rsa //更改公钥文件名
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/zz_rsa.
Your public key has been saved in /root/.ssh/zz_rsa.pub.
The key fingerprint is:
SHA256:Z4yV9xN1AyhgKA7Pr2o1SZBvc8Iv+nwNRmMSAAWXL3U root@zhangmianli
The key's randomart image is:
+---[RSA 2048]----+
|++=. .o. ....o|
| =.o..E . o .o|
| Ooo. + . . |
| .%.= + . . . |
| o.@ . S + o |
| = = o . |
| o = o |
| o.. . . |
|..oo. |
+----[SHA256]-----+
//使用 ssh-copy-id 将公钥复制到远程系统上的正确位置
[root@zhangmianli ~]# ssh-copy-id -i /root/.ssh/zz_rsa root@192.168.194.163
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/zz_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.194.163's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.194.163'"
and check to make sure that only the key(s) you wanted were added.
//使用 ssh 命令无密码登录远程主机
[root@zhangmianli ~]# ssh -i /root/.ssh/zz_rsa 192.168.194.163
Last login: Mon Jan 7 19:02:41 2019 from 192.168.194.162
//用scp来实现无密码登录远程主机
//使用ssh-keygen生成密钥,会生成一对密钥,公钥和私钥
[root@zhangmianli ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:k3c31p1nzo/08DdXoeCoX2eSkDfrRPkIY6Bg7Ep4Vk8 root@zhangmianli
The key's randomart image is:
+---[RSA 2048]----+
| |
| . |
| +. E. |
|. o..o. ..... oo|
|..o. .. S*+=o =.*|
|.o. .+*o*+ =o|
| . . B +o +|
| . + +. *+|
| .. . . B|
+----[SHA256]-----+
//将公钥文件用scp传给服务器,并更改名字,修改权限,权限是600
[root@zhangmianli ~]# scp .ssh/id_rsa.pub root@192.168.194.163:/root/.ssh/authorized_keys
root@192.168.194.163's password:
id_rsa.pub 100% 398 124.0KB/s 00:00
[root@szhangmianli ~]# cd .ssh/
[root@szhangmianli .ssh]# ll
total 8
-rw-r--r--. 1 root root 398 Jan 7 19:23 authorized_keys
-rw-r--r--. 1 root root 177 Jan 7 19:03 known_hosts
[root@szhangmianli .ssh]# chmod 600 authorized_keys
//用客户端无密码远程登录服务器
[root@zhangmianli ~]# ssh root@192.168.194.163
Last login: Mon Jan 7 19:06:54 2019 from 192.168.194.162
//使用scp命令上传文件
[root@zhangmianli ~]# touch a
[root@zhangmianli ~]# scp a root@192.168.194.163:/tmp/
root@192.168.194.163's password:
a 100% 0 0.0KB/s 00:00
[root@szhangmianli ~]# ls /tmp/
a
ks-script-piI0JV
systemd-private-cd9bc6c5a7154ad48f08dc6d700d6b62-vgauthd.service-CbiMg9
systemd-private-cd9bc6c5a7154ad48f08dc6d700d6b62-vmtoolsd.service-g66ZIr
systemd-private-dd06613ecc044b1ca54fd244f697e046-vgauthd.service-U6TA7E
systemd-private-dd06613ecc044b1ca54fd244f697e046-vmtoolsd.service-KMWdao
yum.log
//使用scp命令下载文件到本地
[root@szhangmianli ~]# touch /tmp/xiazai
[root@zhangmianli ~]# scp root@192.168.194.163:/tmp/xiazai ~/
root@192.168.194.163's password:
xiazai 100% 0 0.0KB/s 00:00
[root@zhangmianli ~]# ls
a anaconda-ks.cfg xiazai
3. 自定义SSH服务配置
虽然OpenSSH服务器通常无需修改,但会提供其他安全措施,可以在配置文件/etc/ssh/sshd_config中修改OpenSSH服务器的各个方面。
4.SSH安全注意事项
[root@szhangmianli ~]# openssl rand 40 -base64
RQRmETUkxBGvEsFTF+BRmlUizwkZPX7ME3U/vlQhEeQhi2lmGHEZDw== //生成40位随机密码
[root@szhangmianli ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs
5xlEL0SGWXo_0jAY7OSy9VJRQO43cN //生成30位随机密码
- 使用非默认端口
- 限制登录客户端地址
- 仅监听特定的IP地址
- 禁止管理员直接登录
- 仅允许有限制用户登录
- AllowUsers
- AllowGroups
- 使用基于密钥的认证
- 禁止使用空密码
- 禁止使用SSHv1版本
- 设定空闲会话超时时长
- 利用防火墙设置ssh访问策略
- 限制ssh的访问频度和并发在线数
- 做好日志的备份,经常分析(集中于某台服务器)
5. iptabels和firewalld防火墙
5.1 三种防火墙
- iptables
- firewalld
- ebtables
iptabels //防火墙规则默认是允许,在红帽7以前使用
firewalld //防火墙规则默认是拒绝,从红帽7开始使用
ebtables //红帽8
5.2 使用firewalld防火墙来拒绝和允许访问
//默认区域不再允许该服务的流量
[root@szhangmianli ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@szhangmianli ~]# firewall-cmd --permanent --remove-service=ssh
success
[root@szhangmianli ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
//允许客户端192.168.194.162的主机远程访问服务器
[root@szhangmianli ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.194.162/32 service name=ssh accept'
success
//重新加载规则
[root@szhangmianli ~]# firewall-cmd --reload
success
//客户端远程登录
[root@zhangmianli ~]# ssh root@192.168.194.163
root@192.168.194.163's password:
Last login: Mon Jan 7 18:27:56 2019 from 192.168.194.162
[root@szhangmianli ~]#
//默认区域允许该服务的流量
[root@szhangmianli ~]# firewall-cmd --permanent --add-service=ssh
Warning: ALREADY_ENABLED: 'ssh' already in 'public'
success
[root@szhangmianli ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.194.162/32" service name="ssh" accept
//重新加载规则
[root@szhangmianli ~]# firewall-cmd --reload
success
//拒绝客户端192.168.194.162的主机远程访问服务器
[root@szhangmianli ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.194.162/32 service name=ssh reject'
success
//重新加载规则
[root@szhangmianli ~]# firewall-cmd --reload
success
//客户端远程登录
[root@zhangmianli ~]# ssh root@192.168.194.163
ssh: connect to host 192.168.194.163 port 22: Connection refused