需求一实际操作
一、需求
为了最大程度的保护公司内网服务器的安全,公司内部有一台服务器做跳板机。运维人员在维护过程中首先要统一登录到这台服务器,然后再登录到目标设备进行维护和操作。由于业务需求,运维人员经常要ssh登录到某几台服务器上做一些操作,为了提高工作效率,运维人员需要免密码登录到指定的几台服务器。
要求如下:
运维人员所在的办公区只能访问跳板机(windows作为终端机)
运维人员通过跳板机,使用管理员账号yunwei,
可以免密码以业务
用户baobao分别
登录到product1~product2上
应用服务器product1–product2只允许跳板机访问
二、思路
1、跳板机:创建用户yunwei,赋予其管理员权限。生产环境:建立pos用户,只允许查看生产环境业务相关内容。
2、在生产环境和跳板机上安装ssh,更改端口:2222(在ssh配置文件/etc/ssh/sshd_config中修改Port),
3、设置跳板机与三台生产环境服务器的免密登录
4、利用访问控制(/etc/hosts.allow和/etc/hosts.deny)管理访问ip,用户等等
#ssh-keygen
#scp .ssh/id_rsa.pub /将公钥拷给各个服务器
三、操作步骤
1、环境部署
服务器名称 IP地址
生产服务器1(product1) 192.168.196.152
生产服务器2(product2) 192.168.196.153
跳板机(min1) 192.168.196.151
工作区机器(review1) 192.168.221.129
2、添加用户
[root@min1 ~]# useradd yunwei
[root@min1 ~]# echo 123456 |passwd --stdin yunwei
Changing password for user yunwei.
passwd: all authentication tokens updated successfully.
[root@product2 ~]# useradd baobao
[root@product2 ~]# echo 123456 |passwd --stdin baobao
Changing password for user pos.
passwd: all authentication tokens updated successfully.
[root@product1 ~]# useradd baobao
[root@product1 ~]# echo 123456 |passwd --stdin baobao
Changing password for user pos.
passwd: all authentication tokens updated successfully.
3、给用户yunwei增加管理员权限
[root@min1 ~]# vim /etc/sudoers //注意,这里给的权限太大了,实际情况一般不这么赋权
97 ## Allow root to run any commands anywhere
98 root ALL=(ALL) ALL
99 yunwei ALL=(ALL) ALL //赋予运维用户管理员权限
或者
chmod u+w /etc/sudoers
echo ‘yunwei ALL=(ALL) ALL’ >> /etc/sudoers
4、设置ssh免密登录
[root@min1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub baobao@192.168.196.152
pos@192.168.196.152’s password:
Now try logging into the machine, with “ssh ‘pos@192.168.226.135’”, and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
//将秘钥复制到product1的baobao用户
到product1 查看
su baobao
cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwdtVYgudS67wRDzPJ7Ll9FMqWJfbsb3PIq8oJtTNI/MwcCpN4q/6SNtTu+jFcd1CVYnWiok/R+NF1co+2lEGniqCbko8v/iRNfTuvN5IkBCCR1d8ud23BEd7ce563ejmgYNgmVwTvqsiCUtKjQDSlkUYRlZ+eMihMSNlgASmmAEBF/i8Pclb6pzSrhPSO9vrFnebdU2uuUeOchzCWQlwK2Fuh4ZB3wudNP/XvU+eW9EwK1RQgARQGl6SbInMl6zGuXee6iwpOPGKEdSrdKUeuJ6Xz+SzoaCFyNdJUrE9AR+rRMonaVMxjOCz2SiZqLuiP1Sa47cES62tNmBmIFo+l
复制成功!!!
[root@min1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub baobao@192.168.196.153
baobao@192.168.196.153’s password:
Now try logging into the machine, with “ssh ‘baobao@192.168.196.153’”, and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
//将秘钥复制到product2的baobao用户
6、免密ssh登录测试
[root@min1 ~]# ssh baobao@192.168.196.152
Last login: Sat Jun 23 18:14:27 2018 from 192.168.196.151
[pos@product1 ~]$
[root@min1 ~]# ssh pos@192.168.196.153
Last login: Sat Jun 23 18:15:11 2018 from 192.168.196.151
7、修改ssh端口号为2222,禁止远程登录
[root@product2 ~]# vim /etc/ssh/sshd_config
13 Port 2222
42 PermitRootLogin no
[root@product2 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@product1 ~]# vim /etc/ssh/sshd_config
13 Port 2222
42 PermitRootLogin no
[root@product1 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
如果提示
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code. See “systemctl status sshd.service” and “journalctl -xe” for details.
执行:setenforce 0
8、测试
[root@min1 ~]# ssh -p2222 baobao@192.168.196.152
Last login: Sat Jun 23 18:18:55 2018 from 192.168.226.137
[pos@product1 ~]$
[root@min1 ~]# ssh -p2222 baobao@192.168.196.153
Last login: Sat Jun 23 18:19:12 2018 from 192.168.226.137
[pos@product2 ~]$
//2222端口登录成功
[root@min1 ~]# ssh -p2222 root@192.168.196.152
root@192.168.196.152’s password:
Permission denied, please try again.
//root用户被拒绝
9、访问控制(只允许跳板机(min1)登录)
[root@product1 ~]# vim /etc/hosts.deny
14 sshd:ALL EXCEPT 192.168.196.151
//测试
[root@product2 ~]# ssh -p2222 baobao@192.168.196.152
ssh_exchange_identification: Connection closed by remote host
[root@min1 ~]# ssh -p2222 baobao@192.168.196.152
Last login: Sat Jun 23 18:45:35 2018 from 192.168.196.151
//测试成功,只有跳板机可以连接
[root@product2 ~]# vim /etc/hosts.deny
14 sshd:ALL EXCEPT 192.168.196.151
//测试
[root@product1 ~]# ssh -p2222 baobao@192.168.196.153
ssh_exchange_identification: Connection closed by remote host
[root@min1 ~]# ssh -p2222 baobao@192.168.196.153
Last login: Sat Jun 23 18:53:46 2018 from 192.168.226.135
[pos@product2 ~]$
//测试成功,只有跳板机可以连接
//开启防火墙
[root@product1 ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@product2 ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
//防火墙开启后访问失败
[root@min1 ~]# ssh -p2222 baobao@192.168.196.153
ssh: connect to host 192.168.196.151 port 2222: No route to host
[root@product1 ~]# iptables -P INPUT DROP //设置默认input策略为DROP
[root@product1 ~]#iptables -t filter -I INPUT -s 192.168.196.151 -p tcp --dport 2222 -j ACCEPT //设置策略允许跳板机(min1)使用ssh的2222端口登录
[root@product1 ~]#service iptables save
//测试
[root@min1 ~]# ssh -p2222 baobao@192.168.196.153
Last login: Sat Jun 23 18:52:38 2018 from 192.168.226.137
[pos@product1 ~]$
//成功
[root@product2 ~]# iptables -P INPUT DROP //设置默认input策略为DROP
[root@product2 ~]#iptables -t filter -I INPUT -s 192.168.226.137 -p tcp --dport 2222 -j ACCEPT //设置策略允许跳板机(min1)使用ssh的2222端口登录
//测试
[root@min1 ~]# ssh -p2222 pos@192.168.226.136
Last login: Sat Jun 23 18:55:51 2018 from 192.168.226.137
[pos@product2 ~]$
//成功
[root@product2 ~]#service iptables save
参考网站:
https://www.cnblogs.com/liqinggai/articles/10528459.html
https://blog.51cto.com/zengxin/1890655
https://www.jianshu.com/p/5fe9152fe78d
扫一扫
1727
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
