zoukankan      html  css  js  c++  java
  • CentOS7下SSH服务学习笔记


    测试环境:


    [root@nmserver-7 ~]# uname -a
    Linux nmserver-7.test.com 3.10.0-514.el7.centos.plus.i686 #1 SMP Wed Jan 25 12:55:04 UTC 2017 i686 i686 i386 GNU/Linux
    [root@nmserver-7 ~]# cat /etc/redhat-release
    CentOS release 7.3.1611 (AltArch)
    [root@nmserver-7 ~]#


    1、SSH服务安装


    linux系统安装后默认已经开启ssh服务,并且包含ssh所有需要的软件了,但是还是有必要了解下已经安装的ssh是那个包提供的,

    [root@nmserver-7 ~]# whereis sshd
    sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
    [root@nmserver-7 ~]# rpm -qf /usr/sbin/sshd
    openssh-server-6.6.1p1-31.el7.i686
    [root@nmserver-7 ~]#

    也就是说假如没有ssh服务的话我们可以通过yum安装openssh-server来重新启动ssh服务
    那么openssh-server都在系统中安装了什么文件?
    [root@nmserver-7 ~]# rpm -ql  openssh-server
    /etc/pam.d/sshd                                                        
    /etc/ssh/sshd_config                     #配置文件位置
    /etc/sysconfig/sshd
    /usr/lib/fipscheck/sshd.hmac
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd.socket
    /usr/lib/systemd/system/sshd@.service
    /usr/libexec/openssh/sftp-server
    /usr/sbin/sshd
    /usr/sbin/sshd-keygen
    /usr/share/man/man5/moduli.5.gz
    /usr/share/man/man5/sshd_config.5.gz
    /usr/share/man/man8/sftp-server.8.gz
    /usr/share/man/man8/sshd.8.gz
    /var/empty/sshd

    2、SSH服务启动

    CentOS7.3下SSH服务的启动
    [root@nmserver-7 ~]# systemctl stop    sshd  #停止
    [root@nmserver-7 ~]# systemctl start   sshd  #开始
    [root@nmserver-7 ~]# systemctl restart  sshd  #重启
    [root@nmserver-7 ~]# systemctl status sshd
    ● sshd.service - OpenSSH server daemon
       Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
       Active: active (running) since 四 2017-08-24 16:32:52 CST; 1s ago
         Docs: man:sshd(8)
               man:sshd_config(5)
      Process: 2863 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
     Main PID: 2864 (sshd)
       CGroup: /system.slice/sshd.service
               └─2864 /usr/sbin/sshd

    8月 24 16:32:51 nmserver-7.test.com systemd[1]: Starting OpenSSH server d...
    8月 24 16:32:52 nmserver-7.test.com systemd[1]: PID file /var/run/sshd.pi...
    8月 24 16:32:52 nmserver-7.test.com sshd[2864]: Server listening on 0.0.0...
    8月 24 16:32:52 nmserver-7.test.com sshd[2864]: Server listening on :: po...
    8月 24 16:32:52 nmserver-7.test.com systemd[1]: Started OpenSSH server da...
    Hint: Some lines were ellipsized, use -l to show in full.

    查看ssd服务端口是否正常,
    [root@nms ~]# netstat -tlnp |grep ssh
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1207/sshd           
    tcp        0      0 :::22                       :::*                        LISTEN      1207/sshd           


    3、SSH原理(SSH服务器端与客户端的连接步骤)





    step1:服务器建立公钥文件
          每一次启动sshd服务时,该服务会主动去找/etc/ssh/ssh_host*文件,若系统刚安装完成,会没有公钥文件,
          sshd会主动计算出这些需要的公钥文件,同时也会计算出服务器自己需要的私钥文件。
    step2:客户端主动连接要求
        若客户端想要连接到ssh服务器,则需要使用适当的客户端程序来连接,linux系统默认已经安装openssh-clients,包含SSH客户端;
        windows下常用的客户端连接工具有xShell、SecureCart、Putty等
    step3:服务器传送公钥文件给客户端
        接收到客户端的要求后,服务器便将第一个步骤取的公钥文件以明码的形式传送给客户端;
    step4:客户端记录/比对服务器的公钥数据及随机计算自己的公私钥;
        客户端将接收到的公钥数据记录到客户端的用户主目录内的 ~/.ssh/known_hosts文件里,之后则开始计算客户端自己的公私钥数据;
    step5:返回客户端的公私钥数据到服务器端
        用户将自己的公钥传送给服务器,此时服务器具有服务器的私钥和客户端的公钥,而客户端具有服务器的公钥及客户端自己的私钥,你会看到,
        在此次连接的服务器与客户端的密钥系统(公钥+私钥)并不一样,因此,才称为非对称密钥系统;
    step6:服务器接收客户端的公钥开始双向加解密
        (1)服务器到客户端:服务器传送数据时,使用客户端的公钥加密后进行发送,客户端接收后,用自己的私钥解密;
        (2)客户端到服务器:客户端传送数据时,使用服务器的公钥进行加密数据然后发送给服务器,服务器接收后用服务器的私钥解密数据;


    4、SSHD服务器配置

    SSHD服务器的详细设置都放在/etc/ssh/sshd_config配置文件中,在配置文件中,只要是未被注释的设置值即为“默认值”

    [root@nmserver-7 ssh]# cat /etc/ssh/sshd_config
    #    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.

    # If you want to change the port on a SELinux system, you have to tell
    # SELinux about this change.
    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
    #
    #Port 22
    #ssh默认使用22端口,也可以使用多个Port,例如想要开放sshd在22和2200,则多加一行内容为:Port 2200 然后重启SSHD服务即可;

    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    #监听的主机网卡,默认值是监听所有接口的SSH要求
    # The default requires explicit activation of protocol 1
    #Protocol 2
    #选择SSH协议版本,默认支持V2  如要支持旧版本V1,则改为“Protocol 2,1”
    # HostKey for protocol version 1       
    #HostKey /etc/ssh/ssh_host_key             #ssh 版本使用的私钥
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key          #ssh 版本2使用的RSA私钥
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key         #ssh 版本2使用的ECDSA私钥
    HostKey /etc/ssh/ssh_host_ed25519_key
    #说明主机Private Key 放置的位置,默认使用上面文件
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024          #设置生产密钥的位数

    # Ciphers and keying
    #RekeyLimit default none

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH           #当有人使用SSH登录系统的时候,SSH会记录信息;
    SyslogFacility AUTHPRIV
    #LogLevel INFO                  #设置日志等级

    # Authentication: # 以下是安全设置项目

    #LoginGraceTime 2m
    #PermitRootLogin yes      #是否允许root登录。默认是允许的,建议设置成no
    #StrictModes yes          #是否让SSDH去检查用户主目录或相关文件的权限数据;
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes   #是否允许用户自行使用成对的密钥系统进行登录;

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile    .ssh/authorized_keys    #自定义的公钥数据放置于用户主目录下 .ssh/authorized_keys内

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    #GSSAPIEnablek5users no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
    # problems.
    UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    UsePrivilegeSeparation sandbox        # Default for new installations.
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none

    # no default banner path
    #Banner none

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    # override default of no subsystems
    Subsystem    sftp    /usr/libexec/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #    X11Forwarding no
    #    AllowTcpForwarding no
    #    PermitTTY no
    #    ForceCommand cvs server


    4、SSH简易安全设置

        4.1 服务器软件本身的设置强化
        SSHD服务器配置文件/etc/ssh/sshd_config默认项目已经很完备了,出于安全考虑需要设置:禁止root这个账号使用sshd服务;
        [root@db2017 ~]# vi /etc/ssh/sshd_config

        # Authentication:

        #LoginGraceTime 2m
        #PermitRootLogin yes  #去掉注释且修改成PermitRootLogin no
         PermitRootLogin no
        #StrictModes yes
        #MaxAuthTries 6
        #MaxSessions 10
        4.2、TCP Wrapper使用:/etc/hosts.allow  /etc/hosts.deny
        假如只想让本机以及局域网192.168.1.0/24、192.168.0.0/24及192.168.100.0/24网段内的主机能够登录的话,可以这样设置:
        [root@db2017 ~]# vi /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd:127.0.0.1  192.168.0.0/255.255.255.0   192.168.1.0/255.255.255.0   192.168.100.0/255.255.255.0       #新添加的SSHD规则!

    [root@db2017 ~]# vi /etc/hosts.deny

    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               The rules in this file can also be set up in
    #               /etc/hosts.allow with a 'deny' option instead.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers

    sshd:ALL
        4.3、iptables数据包过滤防火墙
        [root@db2017 sysconfig]# vi /etc/sysconfig/iptables
        增加规则:
        iptables -A INPUT -i EXTIF -s 192.168.0.0/24  -p tcp --dport 22  -j ACCEPT
        iptables -A INPUT -i EXTIF -s 192.168.1.0/24  -p tcp --dport 22  -j ACCEPT






  • 相关阅读:
    【Docker】解析器指令之 escape
    【Docker】解析器指令之 syntax
    【Docker】Dockerfile 解析器指令
    【Docker】Dockerfile 格式
    【Docker】Dockerfile 介绍
    【Docker】Spring Boot 和 Docker
    【Docker】理解 Docker 中的 OverlayFS
    【Docker】使用 OverlayFS 存储驱动
    【Docker】选择存储驱动
    kuangbin专题 专题一 简单搜索 Fire! UVA
  • 原文地址:https://www.cnblogs.com/me80/p/7424394.html
Copyright © 2011-2022 走看看