远程服务-SSH
1.远程管理服务介绍
(1)SSH是(Secure Shell Protocol)的简写,由IETF网络工作小组制定;在进行数据传输之前,SSH先对联机数据包通过加密技术进行机密处理,加密后在进行文件传输,确保了传递的数据安全。端口号是22(默认可以让root用户连接)
ssh抓包.png
(2)Telnet不安全的链接,数据传输是明文的,端口号是23(默认不可以让root用户连接)
telnet抓包.png
2.ssh远程管理服务远程连接的原理
(1)客户端:执行远程连接命令
(2)客户端:建立三次握手过程
(3)服务端:让客户端进行确认是否接受服务端的公钥信息
(4)客户端:进行公钥确认,接受到公钥信息
(5)服务端:让客户端确认用户密码信息
(6)客户端:进行密码信息确认
(7)远程连接建立成功
私钥和公钥的作用:
a.利用私钥和公钥对数据信息进行加密处理
b.利用公钥和私钥进行用户身份确认
基于密码的方式进行远程连接:公钥和私钥只能完成数据加密过程
基于私钥的方式进行远程连接:公钥和私钥可以完成认证身份的工作
ssh建立连接过程.png
3.ssh远程连接方式
(1)基于口令的方式进行远程连接:连接比较麻烦,连接不太安全
(2)基于秘钥的方式进行远程连接:连接方便,连接比较安全
基于秘钥方式连接过程(原理)
1.客户端(管理端) 执行命令创建秘钥对
客户端(管理端) 建立远程连接(口令),发送公钥信息
客户端(管理端) 再次建立远程连接
服务端(被管理端) 发送公钥质询信息
客户端(管理端) 处理公钥质询信息,将质询结果返回给服务端
服务端(被管理端) 接收到质询结果,建立好远程连接
4.ssh实现基于秘钥连接的部署
(1)管理端创建密钥对
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:h/xJtYDRMWBQhA1KWk8bY3U2PKr13kJL/RqA0LEDVyM root@m01
The key's randomart image is:
+---[DSA 1024]----+
| o OOE=O. |
| + =.O.O++ |
| . . + =.... |
| oo+ o . |
| oS.+.. |
| . ++o. |
| +oo.. |
| + ... |
| ... |
+----[SHA256]-----+
(2)管理端需要将公钥进行分发
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub 10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:l5Dqj1zZpxfY5PZZP3+40i4CdG2kw52NLl1PYL++bds.
ECDSA key fingerprint is MD5:3f:ea:c5:82:f7:c2:1d:63:54:da:1a:48:a3:ea:00:27.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.41's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.
(3)被管理端检查公钥信息
[root@backup ~]# cat /root/.ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAOrox0Ml74i6I1B1as0xg9wfpFNvpLGw673r0jciVYSpXXbn8LV8xK/UR90VcNnKH2Xfw5rPU/dX9on0HnaJW2lIMqzhmCCEigXotmO1q8Djbi10q2FLphpArmXdh7kcSW73JXsB+tP4LkvOuuq4kwZet6wnETcVVH7ocCglwMuDAAAAFQCLQz3xaSR/iu2ArrUK90fGivLJLQAAAIEA0dlRLq6gB34C7UMZXBwbxozzaAoabwYIltK7PtuAwkgF3Rt8aVSPxg5yEJOYwOWa0r5M6BnwpjUr/VwpI2NdZDhlI/T9Raw6Lnsutpl+RlgfJ8BKIJlA+ZnwL+p1AplOJzy29AV0SKwMsInDAb7TKy1z9E4hiYNVWWaUvXcNCKYAAACAYm6QX1/rksSjeWvy6HC9q1oyOj7J/13OJOc3zbv8KdO4rXJOV5sIKk+Mfce02rPeL4JN0yyRjBlCoUlSGZzsW9WD02Ndq50nDEHGDyKTKPSewqit7LFVeyeBq2bDR/190i50aHohmrnJSBgFvmpAeVlIp+nx99y/11D/r14rjCU= root@m01
(4)进行远程连接测试
[root@m01 ~]# ssh 10.0.0.41 hostname
backup
(5)免交互进行公钥分发
a.下载软件
[root@m01 ~/.ssh]# yum install -y sshpass
[root@m01 ~/.ssh]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub root@10.0.0.41 -p22 "-o StrictHostKeyChecking=no"
(6)批量分发公钥的脚本
#!/bin/bash
for ip in {7,31,41}
do
echo "=============== fenfa pub_key with 172.16.1.$ip =============== "
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.$ip -o StrictHostKeyChecking=no &>/dev/null
if [ $? -eq 0 ]
then
echo "公钥信息分发成功 [ok]"
echo ""
else
echo "公钥信息分发失败 [failed]"
echo ""
fi
done
[root@m01 ~/.ssh]# sh fenfa.sh
=============== fenfa pub_key with 172.16.1.7 ===============
公钥信息分发成功 [ok]
=============== fenfa pub_key with 172.16.1.31 ===============
公钥信息分发成功 [ok]
=============== fenfa pub_key with 172.16.1.41 ===============
公钥信息分发成功 [ok]
(7)对远程主机进行批量检查
#!/bin/bash
CMD=$1
for ip in {7,31,41}
do
echo "=============== check pub_key with 172.16.1.$ip =============== "
ssh 172.16.1.$ip $CMD >/dev/null
if [ $? -eq 0 ]
then
echo "分发测试检查成功 [ok]"
echo ""
else
echo "公钥测试检查失败 [failed]"
echo ""
fi
done
[root@m01 ~/.ssh]#
[root@m01 ~/.ssh]# sh check.sh "ip a"
=============== check pub_key with 172.16.1.7 ===============
分发测试检查成功 [ok]
=============== check pub_key with 172.16.1.31 ===============
分发测试检查成功 [ok]
=============== check pub_key with 172.16.1.41 ===============
分发测试检查成功 [ok]
5.SSH服务配置文件
/etc/ssh/sshd_config 服务端配置文件
/etc/ssh/ssh_config 客户端配置文件
Port 22 ------ssh端口(默认为22)
ListenAddress 0.0.0.0 ------监听地址(指定一块网卡接收远程访问的请求,指定的地址是本地网卡的ip地址)
PermitEmptyPasswords no ------否允许远程用户使用空密码登录(默认不允许)
PermitRootLogin yes ------是否允许root用户登录(建议关闭)
GSSAPIAuthentication no ------是否开启GSSAPI认证功能(建议关闭)
UseDNS no ------是否开启反向DNS解析功能 (建议关闭)
6.ssh远程连接安全防范思路
1.用密钥登录,不用密码登陆
2.牤牛阵法:解决SSH安全问题
a.防火墙封闭SSH,指定源IP限制(局域网、信任公网)
b.开启SSH只监听本地内网IP(ListenAddress 172.16.1.61)
3.尽量不给服务器外网IP
4.最小化(软件安装-授权)
5.给系统的重要文件或命令做一个指纹 /etc/passwd md5sum inotify /bin 监控
6.给文件上锁 chattr +i
7.ssh服务相关命令
ssh-keygen ------创建公钥
ssh-copy-id ------分发公钥
sshpass ------免交互
##################################
sftp 172.16.1.41
ls 查看远程ftp服务器信息
cd --- 查看远程ftp服务器信息
lls 查看本地ftp客户端信息
lcd --- 查看本地ftp客户端信息
get --- 下载信息
put --- 上传信息
help --- 查看命令帮助
bye --- 退出ftp连接</pre>
```