第十周-day40-SSH远程连接服务.png

SSH服务

准备工作-2台机器
m01：
10.0.0.61 / 172.16.1.61
backup：
10.0.0.41 / 172.16.1.41

远程连接工具
ssh
telnet服务
sftp上传下载

一、SSH VS telnet

需要安装的软件
yum install -y telnet-server

1.确认是否安装,重启一下

[09:10 root@m01 ~]# rpm -qa telnet-server
telnet-server-0.17-64.el7.x86_64
[09:13 root@m01 ~]# systemctl restart  telnet.socket 

2.添加一个telnet 连接的模板机

3.本地shell连接一下

visudo里提前添加好 oldboy ALL=(ALL) NOPASSWD:ALL

[d:\~]$ telnet 10.0.0.61 23


Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: oldboy
Password: 
Last login: Mon May 27 09:22:26 from ::ffff:10.0.0.1
[09:24 oldboy@m01 ~]$ hostname -I
10.0.0.61 172.16.1.61 

4.用wireshark(windows+Linux)抓包 /tcpdump(linux)抓包

对应着本地连接的顺序

输入密码：

密码为123456

登录后显示的日期时间

显示PS1的变量

5.检查ssh软件是否安装

[09:18 oldboy@m01 ~]$ rpm -qf `which ssh`
openssh-clients-7.4p1-16.el7.x86_64
[09:36 oldboy@m01 ~]$ rpm -qf `which scp`
openssh-clients-7.4p1-16.el7.x86_64
[09:36 oldboy@m01 ~]$ rpm -qf /etc/ssh/sshd_config 
openssh-server-7.4p1-16.el7.x86_64

查看详细内容：
rpm -ql openssh
rpm -ql openssh-clients 
rpm -ql openssh-server 

6.第一次连接某台服务器的时候会提示

[09:39 oldboy@m01 ~]$ ssh 10.0.0.41
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:88rBReEHynIVVIC2gIUWhJmKf55XkLnQMzZ/Gntdt48.
ECDSA key fingerprint is MD5:34:f7:e4:ea:d9:45:cc:7f:c5:94:2d:43:71:47:19:0c.
Are you sure you want to continue connecting (yes/no)?  yes

7.在客户端连接backup执行一条命令或多条命令

[09:44 root@m01 ~]# ssh -p22 10.0.0.41 whoami
root@10.0.0.41's password: 
root
[09:45 root@m01 ~]# ssh -p22 oldboy@10.0.0.41 whoami
oldboy@10.0.0.41's password: 
oldboy
[09:48 root@m01 ~]# ssh -p22 10.0.0.41 whoami;id;pwd
root@10.0.0.41's password: 
root
uid=0(root) gid=0(root) groups=0(root)
/root

8.取个ip玩玩

不要接太复杂的命令

[09:52 root@m01 ~]# ssh -p22 root@10.0.0.41 ip a s eth0|awk 'NR==3{print $2}'
root@10.0.0.41's password: 
10.0.0.41/24

二、scp 远程传输数据

rcp 未加密
-P 指定端口号
-r 复制目录

[[09:54 root@m01 ~]# scp -P22 /etc/hosts backup:/tmp
hosts                                              100%  349   205.2KB/s   00:00    
[[09:54 root@backup ~]# ll /tmp/
total 4
-rw-r--r-- 1 root root 349 May 27 16:50 hosts

三、sftp上传和下载

类似 rz和sz

用sftp连接一下backup服务端

[09:59 root@m01 ~]# sftp 10.0.0.41
root@10.0.0.41's password: 
Connected to 10.0.0.41.
sftp> pwd
Remote working directory: /root

1.put—从本地上传到服务端41

sftp> put /etc/hostname 
Uploading /etc/hostname to /root/hostname
/etc/hostname                                 100%    4     9.9KB/s   00:00   

2.get—从服务端41下载到本地

sftp> get /etc/hostname  /opt/
Fetching /etc/hostname to /opt/hostname
/etc/hostname                                 100%    7     6.0KB/s   00:00    
sftp> bye  \\退出

3.在两端查看一下传过过来了没

m01:
[10:03 root@m01 ~]# cat /opt/hostname 
backup

backup：
[10:04 root@backup ~]# cat hostname 
m01

4.连接指定端口号参数用 -P +端口号

[10:04 root@m01 ~]# sftp -P 22 10.0.0.41
root@10.0.0.41's password: 
Connected to 10.0.0.41.
sftp> pwd
Remote working directory: /root  \\当前在root目录工作

windows上的远程连接工具—xftp 6.exe

点此链接下载xftp提取码: wc5p

※四、ssh服务端配置文件

1.ssh服务端配置文件/etc/ssh/sshd_config

[16:14 root@m01 ~]# vim /etc/ssh/sshd_config   \\目前只列出主要修改的内容
17 #Port 22       \\远程连接端口号

19 #ListenAddress 0.0.0.0  \\监听的地址 用户可以通过哪个地址(ip) 远程连接
                             \\监听本地网卡的ip地址
                              \\不同网段 不同端口
38 #PermitRootLogin yes      \\是否禁止root远程登录

64 #PermitEmptyPasswords no  \\是否准许空密码--必须关了

65 PasswordAuthentication yes   \\是否开启通过密码登录(认证)
                                \\开启密钥认证时可以打开

79 GSSAPIAuthentication no   \\解决ssh远程连接慢的问题
115 UseDNS no                \\解决ssh远程连接慢的问题

2.修改ssh配置文件如下两行

[10:58 root@m01 ~]# egrep -i  '^port|^permitroot' /etc/ssh/sshd_config
Port 52113
PermitRootLogin no

3.指定内网IP连接，平滑重启sshd服务

ListenAddress 172.16.1.61

[11:09 root@m01 ~]# ss -lntup|grep sshd
tcp    LISTEN     0      128       *:22                    *:*                   users:(("sshd",pid=7188,fd=3))
tcp    LISTEN     0      128      :::22                   :::*                   users:(("sshd",pid=7188,fd=4))
[11:10 root@m01 ~]# systemctl reload sshd.service 
[11:10 root@m01 ~]# ss -lntup|grep sshd
tcp    LISTEN     0      128    172.16.1.61:22                    *:*                   users:(("sshd",pid=7188,fd=3))

案例：多个网段多端口

ssh配置文件修改端口号为：Port 52113

尝试在别的机器上用ssh scp sftp连接内网段和外网段的 不同端口

连接外网段 全部报错 :

ssh   -p 52113   10.0.0.61 
sftp  -P 52113   10.0.0.61 
scp   -P 52113 /etc/hosts 10.0.0.61:/tmp

[11:14 root@backup ~]# ssh   -p 52113   10.0.0.61 
ssh: connect to host 10.0.0.61 port 52113: Connection refused \\报错：

连接内网段 全部可以执行:

ssh   -p 52113   172.16.1.61
sftp  -P 52113   172.16.1.61
scp   -P 52113 /etc/hosts 172.16.1.61:/tmp

[11:14 root@backup ~]# ssh   -p 52113   172.16.1.61
root@172.16.1.61's password: 
Last login: Mon May 27 17:08:49 2019 from 172.16.1.41
[17:14 root@m01 ~]#   \\成功

4.修改ssh配置文件/etc/ssh/sshd_config

20 ListenAddress 10.0.0.61:52113
21 ListenAddress 172.16.1.61:22

平滑重启后查看端口号

[11:25 root@m01 ~]# systemctl reload sshd
[11:25 root@m01 ~]# ss -lntup |grep sshd 
tcp    LISTEN     0      128    10.0.0.61:52113                 *:*                   users:(("sshd",pid=7188,fd=4))
tcp    LISTEN     0      128    172.16.1.61:22                    *:*                   users:(("sshd",pid=7188,fd=3))

本地shell连接一下

之前已经创建了oldboy普通用户
并在visudo里提前添加好 oldboy ALL=(ALL) NOPASSWD:ALL
禁止了root远程登录 PermitRootLogin no

[d:\~]$ ssh root@10.0.0.61 52113  不通

[d:\~]$ ssh oldboy@10.0.0.61 52113 通了
Last login: Mon May 27 16:40:36 2019 from 10.0.0.1
[17:22 oldboy@m01 ~]$ 

三、秘钥连接

SSH认证方式
密码认证
秘钥认证

秘钥认证

单向的认证
免密登录

步骤：
安装软件 sshpass pssh
客户端创建秘钥 ssh-keygen -t dsa
客户端发送秘钥 ssh-copy-id -i ~/.ssh/id_dsa.pub +ip地址
服务端的秘钥地址 ~/.ssh/authorized_keys

1.安装软件，保证端口号是22

yum install -y   sshpass pssh 

[12:11 root@m01 ~]# ss -lntup|grep sshd
tcp    LISTEN     0      128       *:22               *:*                   users:(("sshd",pid=7188,fd=3))
tcp    LISTEN     0      128      :::22               :::*                  users:(("sshd",pid=7188,fd=4))

2.创建秘钥

ssh-keygen -t dsa

[12:11 root@m01 ~]# ssh-keygen -t dsa   \\创建秘钥的命令
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.  \\你的私钥路径
Your public key has been saved in /root/.ssh/id_dsa.pub.  \\你的公钥路径
The key fingerprint is:
SHA256:wsT45xD36AFN6onAidMbvLRJrj8dC0zaJIyrP6/RpJ0 root@m01
The key's randomart image is:
+---[DSA 1024]----+
|        .        |
| = . o +         |
|= X . * o        |
|o*oB * = o       |
| O* o B S .      |
|o.+=.. * .       |
|o ooEo  o        |
|..o.o            |
| .+=.            |
+----[SHA256]-----+

3.在客户端m01发送：

[12:16 root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub 172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

4.在客户端就可以免密连接了

[12:16 root@m01 ~]# ssh 172.16.1.41 hostname
backup
[12:21 root@m01 ~]# ssh  10.0.0.41 animalsay a
 ___
< a >
 ---
      \                _
       \              (_)   <-- TeleBEARS
        \   ^__^       / \
         \  (oo)\_____/_\ \
            (__)\  you  ) /
                ||----w ((
                ||     ||>>   ....

5.我们可以去服务端backup看一下秘钥的目录

~/.ssh/ 当前目录下的.ssh

[12:16 root@backup ~]# ll ~/.ssh/
total 8
-rw------- 1 root root 598 May 27 12:16 authorized_keys
-rw-r--r-- 1 root root 683 May 27 11:12 known_hosts

6.我们打开web01机器也给web01添加秘钥认证

把秘钥文件发送到web01

[12:34 root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub 172.16.1.7

查看web01下的秘钥文件

[12:33 root@web01 ~]# ll .ssh/
total 4
-rw------- 1 root root 598 May 27 12:34 authorized_keys

7.客户端m01取个web01的ip

[12:34 root@m01 ~]# ssh 172.16.1.7 ip a s eth0|awk -F"[ /]+" 'NR==3{print $3}'
10.0.0.7   \\成功

四、批量管理

Xshell
pssh

pssh

让多台机器执行同一条命令我们可以用pssh

参数
-h 指定被管理的主机列表
-P 显示屏幕输出
-A 用户的输入密码

1.检查是否安装

[12:39 root@m01 ~]# rpm -qa pssh
pssh-2.3.1-5.el7.noarch

2.创建一个文件，写入连接的ip和端口

[12:44 root@m01 ~]# vim hosts.txt
root@172.16.1.41:22
root@172.16.1.7:22

3.然后用pssh执行一条命令,看是否执行成功

[12:44 root@m01 ~]# pssh -Ph hosts.txt  hostname
172.16.1.41: backup
[1] 12:46:40 [SUCCESS] root@172.16.1.41:22
172.16.1.7: web01
[2] 12:46:40 [SUCCESS] root@172.16.1.7:22

4.如果删除秘钥的话

用pssh推送失败

[12:50 root@m01 ~]# rm -rf .ssh/ *
[12:50 root@m01 ~]# pssh -Ph hosts.txt  touch 888.txt
[1] 12:50:20 [FAILURE] root@172.16.1.41:22 Exited with error code 255
[2] 12:50:20 [FAILURE] root@172.16.1.7:22 Exited with error code 255

5.用prsync传输也可以了

需要输入密码 但是不支持 -P参数

[12:52 root@m01 ~]# prsync -A -azh  hosts.txt  /etc/hostname  /tmp/
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 12:52:49 [SUCCESS] root@172.16.1.41:22
[2] 12:52:49 [SUCCESS] root@172.16.1.7:22

6.用pssh查看一下推送到/tmp下的hostname

[17:54 root@m01 ~]#  pssh -A  -Ph hosts.txt cat /tmp/hostname 
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
172.16.1.7: m01
[1] 17:54:41 [SUCCESS] root@172.16.1.7:22
172.16.1.41: m01
[2] 17:54:41 [SUCCESS] root@172.16.1.41:22

测试后记得把秘钥分发到backup和web01

分享自51cto博客的：

不死鸟一辉
一次ssh被篡改的***事件
https://blog.51cto.com/phenixikki/1546669

未完待续....