Linux日志管理

日志管理

//在客户端编辑 rsyslog 配置文件 /etc/rsyslog.conf,将认证/授权类(authpriv)日志转发到服务端。目标地址前的单个 @ 表示通过 UDP 转发(@@ 表示 TCP),日志以明文传输。

[root@165 ~]# vi /etc/rsyslog.conf 
[root@165 ~]# cat /etc/rsyslog.conf |grep @192
authpriv.*                                              @192.168.174.164
[root@165 ~]# systemctl restart rsyslog.service 

//在服务端取消接收日志的四行配置的注释(旧版写法如下;其后是新版 rsyslog 配置文件中等价的写法)
#$ModLoad imudp
#$UDPServerRun 514
#$ModLoad imtcp
#$InputTCPServerRun 514

# Provides UDP syslog reception: load the UDP input module and listen on port 514
# NOTE(review): plain imudp/imtcp listeners neither authenticate senders nor
# encrypt traffic; restrict port 514 to the trusted log clients at the firewall.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
#Provides TCP syslog reception
#for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

//重启服务

[root@164 ~]# systemctl restart rsyslog.service 
[root@164 ~]# 

//在 Xshell 中远程连接到服务端,故意输错密码,然后再查看日志文件 /var/log/secure,确认失败的登录尝试已被记录。
![QQ截图20220719163904](http://re6n7qlln.hn-bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20220719163904.png)

[root@164 ~]# tail -f /var/log/secure 
Jul 19 10:40:39 localhost sshd[1600]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 19 15:55:25 192 polkitd[957]: Loading rules from directory /etc/polkit-1/rules.d
Jul 19 15:55:25 192 polkitd[957]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 19 15:55:25 192 polkitd[957]: Finished loading, compiling and executing 2 rules
Jul 19 15:55:25 192 polkitd[957]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 19 15:55:27 192 sshd[1042]: Server listening on 0.0.0.0 port 22.
Jul 19 15:55:27 192 sshd[1042]: Server listening on :: port 22.
Jul 19 15:55:31 192 sshd[1439]: Accepted password for root from 192.168.174.1 port 56710 ssh2
Jul 19 15:55:31 192 systemd[1620]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul 19 15:55:31 192 sshd[1439]: pam_unix(sshd:session): session opened for user root by (uid=0)


Jul 19 16:47:39 164 unix_chkpwd[2044]: password check failed for user (root)
Jul 19 16:47:39 164 sshd[2042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.174.1  user=root
Jul 19 16:47:41 164 sshd[2042]: Failed password for root from 192.168.174.1 port 58185 ssh2
Jul 19 16:47:44 164 sshd[2042]: error: Received disconnect from 192.168.174.1 port 58185:0:  [preauth]
Jul 19 16:47:44 164 sshd[2042]: Disconnected from authenticating user root 192.168.174.1 port 58185 [preauth]

openssh

//在164主机上创建 ECDSA 密钥对(私钥 id_ecdsa 留在本机,公钥 id_ecdsa.pub 用于分发;建议为私钥设置口令)

[root@164 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:RApO0J3l2qDO+h8KoqzTAwQkXV5PVUeTnha40iGXcU4 root@164
The key's randomart image is:
+---[ECDSA 256]---+
|oo.++..o+...o=E. |
|o .+.oo*  . ==o. |
|.   o o +  + +.o |
| .   . =  . o +  |
|.   . . S  . .   |
|.  o             |
|.o. o .          |
|+.oo . .         |
|+o.oo..          |
+----[SHA256]-----+
[root@164 ~]# cd .ssh/
[root@164 .ssh]# ls
id_ecdsa  id_ecdsa.pub

//将164主机的公钥发送给165主机(首次连接时会提示对方的主机密钥指纹,应先与165主机上的实际指纹核对,再输入 yes)

[root@164 .ssh]# ssh-copy-id root@192.168.174.165
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ecdsa.pub"
The authenticity of host '192.168.174.165 (192.168.174.165)' can't be established.
ECDSA key fingerprint is SHA256:hoCPwfSVGMB1OU/5yB1ftdls+ytBJ3VKpwPCCZHnKWI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.174.165's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.174.165'"
and check to make sure that only the key(s) you wanted were added.

//在165主机上查看发送来的公钥

[root@165 ~]# cd .ssh/
[root@165 .ssh]# ls
authorized_keys
[root@165 .ssh]# 

//在165主机上创建密钥

[root@165 .ssh]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:kxpziSKpC8OrdmW6/ELM5DjrBpmam5bvpKoN32VYh7s root@165
The key's randomart image is:
+---[ECDSA 256]---+
|                 |
|                 |
|                 |
|   o   o o       |
| oO . * S        |
|=+ * * B .       |
|Bo=.= =          |
|+&== o .         |
|/=*==.E          |
+----[SHA256]-----+
[root@165 .ssh]# ls
authorized_keys  id_ecdsa  id_ecdsa.pub

//将165主机的公钥发送给164主机(注意:下面显示的164主机密钥指纹与前面165主机的指纹完全相同,说明两台虚拟机很可能由同一镜像克隆而来,共用同一套 SSH 主机密钥;应在各主机上重新生成主机密钥)

[root@165 .ssh]# ssh-copy-id root@192.168.174.164
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ecdsa.pub"
The authenticity of host '192.168.174.164 (192.168.174.164)' can't be established.
ECDSA key fingerprint is SHA256:hoCPwfSVGMB1OU/5yB1ftdls+ytBJ3VKpwPCCZHnKWI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.174.164's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.174.164'"
and check to make sure that only the key(s) you wanted were added.

//在164主机上查看发送来的公钥

[root@164 .ssh]# ls
authorized_keys  id_ecdsa  id_ecdsa.pub  known_hosts

//在164主机上连接165主机

[root@164 ~]# ssh root@192.168.174.165
Last login: Tue Jul 19 16:44:44 2022 from 192.168.174.1
[root@165 ~]# 

//在165主机上连接164主机

[root@165 ~]# ssh root@192.168.174.164
Last failed login: Tue Jul 19 17:00:32 CST 2022 from 192.168.174.165 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Tue Jul 19 15:55:31 2022 from 192.168.174.1
[root@164 ~]# 