Secure deployment of the sshd service on Linux and usage of the ssh client
1. Introduction to sshd
sshd is short for secure shell daemon: the service that opens a shell on a host over the network.
The difference between ssh and sshd
ssh_config and sshd_config are both configuration files of the SSH suite; the difference is that the former configures the client (ssh) and the latter configures the server (sshd).
Both files let you change how the respective program runs by setting different options.
Connection methods:
ssh username@ip     # text-mode connection
ssh -X username@ip  # enables X11 forwarding, so graphical programs can be opened after the connection succeeds
Note
The first time you connect to an unfamiliar host, an authentication record (the host key) has to be stored,
so ssh asks whether to do so and you need to type yes.
When you connect to this host again the entry already exists in ~/.ssh/known_hosts, so yes does not have to be typed again.
Example:
Create files on the remote host
ssh root@172.25.254.150 touch /root/Desktop/file{1..10}
Remote copy:
scp file root@ip:dir    # upload
Example:
Copy the local directory dir1 to another host (-r copies a directory recursively)
[root@localhost Desktop]# mkdir dir1
[root@localhost Desktop]# scp -r dir1 kiosk@172.25.254.50:/home/kiosk/Desktop
kiosk@172.25.254.50's password:
scp root@ip:file dir    # download
Example: copy the directory test from another host to this machine
[root@localhost ~]# scp -r kiosk@172.25.254.50:/home/kiosk/Desktop/test /root/Desktop
kiosk@172.25.254.50's password:
test 100% 0 0.0KB/s 00:00
2. Key-based authentication for sshd
Files involved
File | Meaning |
---|---|
authorized_keys | once this file appears, the public key has been installed (the "lock" is in place) |
id_rsa | private key |
id_rsa.pub | public key |
known_hosts | generated under /root/.ssh on the client host the first time it connects to the server host |
Locking the user (installing the public key)
On the server run ssh-copy-id -i /root/.ssh/id_rsa.pub root@<server ip>
Distributing the key
scp /root/.ssh/id_rsa root@<client ip>:/root/.ssh/
Test
On the client host:
ssh root@<server ip>    ## the login succeeds directly, without the password of root on the server
Experiment:
Step 1: start two virtual machines and name them server and client.
On the server:
[root@localhost ~]# hostnamectl set-hostname server.example.com
On the client:
[root@localhost ~]# hostnamectl set-hostname client.example.com
Step 2: configure the ip addresses as 172.25.254.250 (server) and 172.25.254.150 (client).
Step 3: in the shell of each host delete /root/.ssh.
The client host generates known_hosts in this directory the first time it connects to the server host, so to observe the effect of this experiment the directory has to be emptied or deleted outright.
Run ls -a in the home directory to check (it lists all files, hidden and non-hidden).
Step 4: on the server run ssh-keygen to generate the key pair; id_rsa is the key and id_rsa.pub is the lock.
Method 1: generate the key pair interactively
Press Enter three times; each Enter has a reason:
the first Enter confirms the path where the key pair is stored (press Enter directly to use the default path);
the second Enter is the passphrase (press Enter directly to set none; if you set one it must be longer than four characters);
the third Enter confirms the passphrase (press Enter directly if none was set).
[root@server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
2b:5c:1f:4e:8e:07:06:ba:d0:76:7c:8a:70:0c:4e:2d root@server.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . |
| E . . |
| o = o . |
| + * o S o |
| = = = O . |
| o + o = |
| . . |
| |
+-----------------+
Method 2: generate the key pair non-interactively
[root@server ~]# ssh-keygen -f /root/.ssh/id_rsa -P ""
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
37:6d:74:9e:c3:22:7c:bd:af:96:e8:fc:d1:d4:78:75 root@server.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . . E|
| . o = o+|
| S = = B +|
| . = . * |
| .o..|
| .. oo |
| .ooo..|
+-----------------+
Step 5: on the server run ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.250 to lock the sshd service for the root user (install the public key for root).
[root@server ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.250
The authenticity of host '172.25.254.250 (172.25.254.250)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.250's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.254.250'"
and check to make sure that only the key(s) you wanted were added.
[root@server ~]# ls /root/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
Note: the authorized_keys file now exists, which shows the lock was installed successfully.
Step 6: modify the configuration file of the sshd service on the server (do this only after key authentication is in place).
[root@server ~]# vim /etc/ssh/sshd_config
[root@server ~]# systemctl restart sshd.service
Change made in /etc/ssh/sshd_config:
PasswordAuthentication no
After the file is changed the service must be restarted for the change to take effect.
Testing from the client shows that the original password login no longer works:
[root@client ~]# ssh root@172.25.254.250
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Step 7: the server sends the private key to the client
[root@server ~]# scp /root/.ssh/id_rsa root@172.25.254.150:/root/.ssh/
The authenticity of host '172.25.254.150 (172.25.254.150)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.150' (ECDSA) to the list of known hosts.
root@172.25.254.150's password:
id_rsa 100% 1679 1.6KB/s 00:00
Step 8: verify that the client can connect to the server without a password
[root@client ~]# ssh root@172.25.254.250
The authenticity of host '172.25.254.250 (172.25.254.250)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.250' (ECDSA) to the list of known hosts.
Last login: Mon Oct 14 12:06:46 2019 from 172.25.254.50
As shown, passwordless login now works.
A note:
If the key-authentication data on the server is changed, the client can no longer be matched against the file on the server through the ssh service, and passwordless login stops working.
[root@server ~]# cd /root/.ssh/
[root@server .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@server .ssh]# mv authorized_keys authorized_keys.bak
On the client:
[root@client ~]# ssh root@172.25.254.250
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
If the client should be able to connect to the server through ssh again, just rename the file back to its original name.
This operation can be used to restrict client logins: at which times logins are possible and at which they are not, and who may log in and who may not.
3. Security settings for sshd
(1) Why make security settings?
Because root privileges on the server are far-reaching, it is extremely unsafe for a client to use the server's root account. To keep the ssh server secure, the server must not expose more privileges than necessary, and in general client hosts should not be allowed to use the server's superuser root.
The security settings are made in /etc/ssh/sshd_config.
Commonly used security settings:
PasswordAuthentication yes|no  ## whether users may authenticate to sshd with their system login password
PermitRootLogin yes|no         ## whether root may authenticate through the sshd service
AllowUsers student westos      ## user whitelist; once it is present, users not on the list cannot use sshd
DenyUsers westos               ## user blacklist; once it is present, the listed users cannot use sshd and everyone else still can
Note: every changed parameter takes effect only after the service is restarted, on the server with systemctl restart sshd.service
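As an added example that is not part of the original post, the following shell script checks the file modes that OpenSSH expects under the .ssh directory produced by steps 5 to 8. This is the first thing to verify when key login unexpectedly falls back to "Permission denied (publickey,...)": ssh refuses a private key that other users can read, and sshd with StrictModes (its default) ignores an authorized_keys file or a .ssh directory that is writable by group or others. The function names and the temporary demo directory are assumptions of the example. One caveat on the procedure above: the post copies id_rsa from the server to the client with scp; the usual direction is to run ssh-keygen on the client and copy only id_rsa.pub to the server with ssh-copy-id, so the private key never leaves the machine that uses it.

```shell
#!/bin/bash
# Added example, not from the original post: check (and repair) the file modes
# that OpenSSH requires under a user's .ssh directory.
#   .ssh itself          -> 700
#   private keys id_*    -> 600 (or 400)
#   authorized_keys and  -> not writable by group or others (644 is fine);
#   known_hosts             with StrictModes sshd ignores them otherwise
# Function names and the demo directory are assumptions of this example.

# check_ssh_dir_perms DIR
# Prints "path actual expected" for each problem; returns 1 if any were found.
check_ssh_dir_perms() {
    dir=$1
    rc=0
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != 700 ]; then
        printf '%s %s %s\n' "$dir" "$mode" 700
        rc=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac     # public halves are not secret
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
            printf '%s %s %s\n' "$key" "$mode" 600
            rc=1
        fi
    done
    for f in "$dir"/authorized_keys "$dir"/known_hosts; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        # second digit = group, third = others; 2,3,6,7 carry the write bit
        case $mode in
            ?[2367]?|??[2367])
                printf '%s %s %s\n' "$f" "$mode" 644
                rc=1 ;;
        esac
    done
    return $rc
}

# fix_ssh_dir_perms DIR : apply the modes listed above
fix_ssh_dir_perms() {
    dir=$1
    chmod 700 "$dir"
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) chmod 644 "$key" ;; *) chmod 600 "$key" ;; esac
    done
    for f in "$dir"/authorized_keys "$dir"/known_hosts; do
        [ -f "$f" ] && chmod 644 "$f"
    done
    return 0
}

# Demo on a constructed directory with deliberately wrong modes.
demo=$(mktemp -d)
mkdir -m 755 "$demo/.ssh"
printf 'constructed private key\n' > "$demo/.ssh/id_rsa"
chmod 644 "$demo/.ssh/id_rsa"
printf 'ssh-rsa <constructed public key> root@server\n' > "$demo/.ssh/authorized_keys"
chmod 666 "$demo/.ssh/authorized_keys"
echo "before:"; check_ssh_dir_perms "$demo/.ssh" || true
fix_ssh_dir_perms "$demo/.ssh"
echo "after:";  check_ssh_dir_perms "$demo/.ssh" && echo "all modes correct"
rm -rf "$demo"
```

On a real host run check_ssh_dir_perms /root/.ssh on both the client (private key) and the server (authorized_keys); sshd also logs the reason for a rejected key under "Authentication refused: bad ownership or modes" when StrictModes is the cause.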
Experiment:
Step 1: return the client to a state with no established connection.
[root@server ~]# logout
Connection to 172.25.254.150 closed.
[root@client ~]#
Step 2: turn passwordless login off again; on the server edit /etc/ssh/sshd_config
[root@server .ssh]# vim /etc/ssh/sshd_config
[root@server .ssh]# systemctl restart sshd.service
Set PasswordAuthentication back to yes,
then restart the service.
On the client:
[root@client ~]# cd /root/.ssh/
[root@client .ssh]# rm -fr id_rsa
[root@client .ssh]# ssh root@172.25.254.250
root@172.25.254.250's password:
Last login: Tue Oct 15 08:51:08 2019 from 172.25.254.150
Passwordless login has been undone and a password is needed to log in again.
Changing the default port used by the sshd service
On the server:
Disable SELinux and the firewall (otherwise the experiment will fail; on a production host you would instead allow the new port in the SELinux policy and in the firewall).
Look up the port used by the sshd service: it is port 22.
[root@server .ssh]# setenforce 0
[root@server .ssh]# getenforce
Permissive
[root@server .ssh]# systemctl stop firewalld.service
[root@server .ssh]# netstat -antlupe | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 134186 7129/sshd
tcp 0 0 172.25.254.250:22 172.25.254.150:57806 ESTABLISHED 0 135247 7376/sshd: root@pts
tcp 0 0 172.25.254.250:22 172.25.254.50:48400 ESTABLISHED 0 61776 2884/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 0 134188 7129/sshd
Meaning of the netstat parameters used:
-a all sockets
-n no name resolution (resolution means converting an ip into a domain name or a domain name into an ip)
-t TCP sockets
-l listening sockets
-u UDP sockets
-p the PID and name of the process owning the socket
-e extended information
In the output, 0.0.0.0:22 means port 22 is open on every interface.
[root@server .ssh]# vim /etc/ssh/sshd_config
[root@server .ssh]# systemctl restart sshd.service
[root@server .ssh]# netstat -antlupe | grep sshd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 0 140065 8044/sshd
tcp 0 0 172.25.254.250:22 172.25.254.150:57806 ESTABLISHED 0 135247 7376/sshd: root@pts
tcp 0 0 172.25.254.250:22 172.25.254.50:48400 ESTABLISHED 0 61776 2884/sshd: root@pts
tcp6 0 0 :::8888 :::* LISTEN 0 140067 8044/sshd
The default sshd port was changed to 8888 (example) by setting Port 8888 in /etc/ssh/sshd_config.
On the client:
[root@client ~]# ssh root@172.25.254.250
ssh: connect to host 172.25.254.250 port 22: Connection refused
[root@client ~]# ssh root@172.25.254.250 -p 8888
root@172.25.254.250's password:
Last login: Tue Oct 15 11:52:21 2019 from 172.25.254.150
The test shows that without -p to specify the port, the connection fails.
Restricting the ip address on which sshd accepts connections
On the server (this experiment is done on a single host):
First restore the port setting to the default 22.
Before the listen address is changed, both ssh root@127.0.0.1 and ssh root@172.25.254.250 connect successfully through the sshd service.
[root@server .ssh]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:00:32:0b brd ff:ff:ff:ff:ff:ff
inet 172.25.254.250/24 brd 172.25.254.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe00:320b/64 scope link
valid_lft forever preferred_lft forever
[root@server .ssh]# ssh root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Tue Oct 15 12:25:16 2019 from 172.25.254.150
[root@server ~]# logout
Connection to 127.0.0.1 closed.
[root@server .ssh]# ssh root@172.25.254.250
Last login: Tue Oct 15 12:33:43 2019 from localhost
Change the ip address on which connections are accepted by setting ListenAddress 172.25.254.250 in /etc/ssh/sshd_config:
[root@server .ssh]# vim /etc/ssh/sshd_config
[root@server .ssh]# systemctl restart sshd.service
[root@server .ssh]# netstat -antlupe | grep sshd
tcp 0 0 172.25.254.250:22 0.0.0.0:* LISTEN 0 145933 8759/sshd
tcp 0 0 172.25.254.250:22 172.25.254.50:48400 ESTABLISHED 0 61776 2884/sshd: root@pts
tcp 0 0 172.25.254.250:8888 172.25.254.150:48422 ESTABLISHED 0 141903 8291/sshd: root@pts
[root@server .ssh]# ssh root@172.25.254.250
Last login: Tue Oct 15 12:38:10 2019 from 172.25.254.250
[root@server ~]# logout
Connection to 172.25.254.250 closed.
[root@server .ssh]# ssh root@127.0.0.1
ssh: connect to host 127.0.0.1 port 22: Connection refused
The test shows that only 172.25.254.250 accepts connections now.
Preventing the root user from logging in to the server
On the server (this experiment is done on a single host):
[root@server ~]# vim /etc/ssh/sshd_config
[root@server ~]# systemctl restart sshd.service
Change in /etc/ssh/sshd_config:
PermitRootLogin no
[root@server ~]# ssh root@172.25.254.250
root@172.25.254.250's password:
Permission denied, please try again.
root@172.25.254.250's password:
Permission denied, please try again.
root@172.25.254.250's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@server ~]# ssh student@172.25.254.250
student@172.25.254.250's password:
Last login: Tue Oct 15 12:50:52 2019 from 172.25.254.250
root cannot log in, while student (another user) logs in successfully.
Setting a user blacklist
On the server (this experiment is done on a single host):
[root@server ~]# useradd ahtm
[root@server ~]# useradd ahtl
[root@server ~]# passwd ahtm
Changing password for user ahtm.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server ~]# passwd ahtl
Changing password for user ahtl.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server ~]# vim /etc/ssh/sshd_config
[root@server ~]# systemctl restart sshd.service
[root@server ~]# ssh ahtm@172.25.254.250
ahtm@172.25.254.250's password:
Permission denied, please try again.
ahtm@172.25.254.250's password:
Permission denied, please try again.
ahtm@172.25.254.250's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
The test shows that a user written into the blacklist in the configuration file (DenyUsers ahtm) cannot connect.
Setting a user whitelist
On the server (this experiment is done on a single host):
[root@server ~]# vim /etc/ssh/sshd_config
[root@server ~]# systemctl restart sshd.service
Add to /etc/ssh/sshd_config:
AllowUsers ahtm
[root@server ~]# ssh ahtm@172.25.254.250
ahtm@172.25.254.250's password:
Last failed login: Tue Oct 15 13:02:22 EDT 2019 from 172.25.254.250 on ssh:notty
There were 3 failed login attempts since the last successful login.
[ahtm@server ~]$ logout
Connection to 172.25.254.250 closed.
[root@server ~]# ssh ahtl@172.25.254.250
ahtl@172.25.254.250's password:
Permission denied, please try again.
ahtl@172.25.254.250's password:
Permission denied, please try again.
ahtl@172.25.254.250's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
The test shows that ahtm can log in while ahtl (any user other than ahtm) cannot.
To add more users to the whitelist, append them after the parameter in the configuration file, separated by spaces.
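The experiments in this section each edit one or two lines of /etc/ssh/sshd_config by hand. As an added example that is not from the original post, here is a shell audit that reads such a file and reports the effective values of the settings used in this section (PasswordAuthentication, PermitRootLogin, Port, ListenAddress, AllowUsers, DenyUsers). It follows two rules sshd applies when parsing: for single-valued options the first occurrence wins and later duplicates are ignored, and option names are case-insensitive; only the global section before any Match block is read. The two sample configurations are constructed for the example (a distribution-style default and one carrying this section's changes); the function names are the example's own, and the "key=value" spelling that sshd also accepts is not handled.

```shell
#!/bin/bash
# Added example, not from the original post: audit an sshd_config for the
# options changed in this section. Two parsing rules of sshd matter here:
#   1. for single-valued options the FIRST occurrence wins, later ones are ignored;
#   2. option names are case-insensitive.
# Only the global section is inspected: everything after the first "Match"
# line is conditional and is left out. The "key=value" spelling is not
# handled (assumption of this example).

# effective_setting FILE OPTION : value of the first matching line (may be empty)
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }                # stop at the first Match block
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# collect_setting FILE OPTION : every value of an option that may repeat
# (Port, ListenAddress, AllowUsers and DenyUsers accumulate instead of overriding)
collect_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE : one finding per line; WARN for the two settings this
# section turns off, INFO for the rest
audit_sshd_config() {
    f=$1
    pa=$(effective_setting "$f" PasswordAuthentication)
    prl=$(effective_setting "$f" PermitRootLogin)
    ports=$(collect_setting "$f" Port | tr '\n' ' ')
    listen=$(collect_setting "$f" ListenAddress | tr '\n' ' ')
    allow=$(collect_setting "$f" AllowUsers | tr '\n' ' ')
    deny=$(collect_setting "$f" DenyUsers | tr '\n' ' ')
    if [ "$(lower "$pa")" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication ${pa:-unset} (sshd's default is yes; set no)"; fi
    if [ "$(lower "$prl")" = no ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin ${prl:-unset} (set it to no explicitly)"; fi
    echo "INFO Port ${ports:-22 (default)}"
    echo "INFO ListenAddress ${listen:-all interfaces (default)}"
    echo "INFO AllowUsers ${allow:-none}"
    echo "INFO DenyUsers ${deny:-none}"
}

# Constructed sample configs (not the real files from the post's hosts).
weak_config() {
cat <<'EOF'
# distribution-style default: commented-out lines mean sshd's built-in
# defaults apply
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

hardened_config() {
cat <<'EOF'
Port 8888
ListenAddress 172.25.254.250
permitrootlogin no
PasswordAuthentication no
AllowUsers ahtm
DenyUsers ahtl
# a later duplicate does not override the first value
PasswordAuthentication yes
Match User student
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d)
weak_config > "$tmp/weak"; hardened_config > "$tmp/hardened"
echo "== weak ==";     audit_sshd_config "$tmp/weak"
echo "== hardened =="; audit_sshd_config "$tmp/hardened"
rm -rf "$tmp"
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config after every edit and restart; because of the first-occurrence rule, a line appended at the end of the file may silently have no effect if the same option already appears higher up.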
4. Adding an sshd login message
vim /etc/motd    ## edit the file's content; it is displayed at login
[root@client ~]# ssh root@172.25.254.150
root@172.25.254.150's password:
Last failed login: Mon Oct 14 16:48:30 EDT 2019 from 172.25.254.250 on ssh:notty
There were 8 failed login attempts since the last successful login.
Last login: Mon Oct 14 16:12:30 2019 from 172.25.254.250
Hello!!
5. Auditing user logins
(1) w    ## show the users currently using the system
-f    ## show where the users logged in from
-i    ## show the ip address
Data source: /var/run/utmp (it cannot be viewed with cat, only checked with file, because it is a binary data file)
[root@localhost Desktop]# w
13:58:35 up 38 min, 2 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 13:20 3.00s 0.09s 0.02s w
[root@localhost Desktop]# w -i
13:58:59 up 38 min, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.25.254.50 13:20 3.00s 0.07s 0.00s w -i
[root@localhost Desktop]# w -f
13:59:23 up 39 min, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.25.254.50 13:20 3.00s 0.07s 0.00s w -f
[root@localhost Desktop]# file /var/run/utmp
/var/run/utmp: data
(2) last    # show users who have logged in and logged out
Data source: /var/log/wtmp
[root@localhost Desktop]# file /var/log/wtmp
/var/log/wtmp: data
(3) lastb    ## users who tried to log in but failed
Data source: /var/log/btmp
[root@localhost Desktop]# lastb
root :0 :0 Wed Oct 9 06:09 - 06:09 (00:00)
root pts/0 Tue Oct 8 06:26 - 06:26 (00:00)
ahtl pts/0 Tue Oct 8 06:26 - 06:26 (00:00)
ahtm pts/0 Tue Oct 8 06:19 - 06:19 (00:00)
root ssh:notty 172.25.254.50 Mon Oct 7 10:29 - 10:29 (00:00)
btmp begins Mon Oct 7 10:29:55 2019
[root@localhost Desktop]# file /var/log/btmp
/var/log/btmp: DBase 3 index file
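lastb prints one line per failed attempt, which becomes hard to read once /var/log/btmp grows. As an added example that is not from the original post, the shell functions below aggregate that output into failures per user and per source address and pick out the sources above a threshold. The sample lines are constructed from the lastb output shown above, with a few extra entries added so there is something to count; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the original post: turn lastb output (failed logins
# recorded in /var/log/btmp) into per-user and per-source counts so that a
# burst of failures from one address stands out. On a live host:
#     lastb | failed_logins_by_source
# The sample below is constructed from the lines shown in the post, with extra
# entries added to give something to count.

sample_lastb() {
cat <<'EOF'
root     :0           :0               Wed Oct  9 06:09 - 06:09  (00:00)
root     pts/0                         Tue Oct  8 06:26 - 06:26  (00:00)
ahtl     pts/0                         Tue Oct  8 06:26 - 06:26  (00:00)
ahtm     pts/0                         Tue Oct  8 06:19 - 06:19  (00:00)
root     ssh:notty    172.25.254.50    Mon Oct  7 10:29 - 10:29  (00:00)
root     ssh:notty    172.25.254.50    Mon Oct  7 10:28 - 10:28  (00:00)
student  ssh:notty    172.25.254.150   Mon Oct  7 10:20 - 10:20  (00:00)

btmp begins Mon Oct  7 10:29:55 2019
EOF
}

# failed_logins_by_user : "count user" lines, most frequent first.
# Record lines have at least 7 fields; the trailing "btmp begins ..." line is skipped.
failed_logins_by_user() {
    awk 'NF >= 7 && $1 != "btmp" { n[$1]++ }
         END { for (u in n) print n[u], u }' | sort -rn
}

# failed_logins_by_source : "count source" for network logins (ssh:notty lines).
# The third field is the remote host; local ttys have no source, so their third
# field is the weekday and is skipped.
failed_logins_by_source() {
    awk '$2 == "ssh:notty" && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { n[$3]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# noisy_sources THRESHOLD : sources with at least THRESHOLD failures
noisy_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "failed logins per user:";   sample_lastb | failed_logins_by_user
echo "failed logins per source:"; sample_lastb | failed_logins_by_source
echo "sources with 2 or more failures:"; sample_lastb | noisy_sources 2
```

Pair the per-source count with w -i or last -i from the same section to tell whether the address that keeps failing is also the one that eventually logged in.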