  Linux quick notes 9 -- service access control lists (ssh, scp, screen)

    Service access control lists

    [root@localhost ~]# cat /etc/hosts.allow 
    #
    # hosts.allow    This file contains access rules which are used to
    #        allow or deny connections to network services that
    #        either use the tcp_wrappers library or that have been
    #        started through a tcp_wrappers-enabled xinetd.
    #
    #        See 'man 5 hosts_options' and 'man 5 hosts_access'
    #        for information on rule syntax.
    #        See 'man tcpd' for information on tcp_wrappers
    #
    [root@localhost ~]# ll /etc/hosts.deny 
    -rw-r--r--. 1 root root 460 Jun  7  2013 /etc/hosts.deny
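    The two files above are empty apart from comments, so no rule is in effect yet. As an added example (not part of the original post), the shell script below stages hosts.allow/hosts.deny rules for sshd in a scratch directory and emulates the lookup order tcp_wrappers applies to them; the 10.15.7. subnet comes from the page, while the scratch path and the simplified matcher are assumptions.

```shell
# Added example, not from the original post: stage tcp_wrappers rules for
# sshd in a scratch directory and emulate the hosts_access lookup order.
# hosts.allow is consulted first, then hosts.deny; a client that matches
# neither file is ALLOWED, which is why hosts.deny needs "sshd: ALL".

write_wrapper_rules() {   # $1 = directory standing in for /etc
    cat > "$1/hosts.allow" <<'EOF'
# sshd only from the management subnet (trailing dot = network prefix)
sshd: 10.15.7.
EOF
    cat > "$1/hosts.deny" <<'EOF'
# every other client is refused by sshd
sshd: ALL
EOF
}

# match_rule FILE DAEMON CLIENT -> returns 0 if a "daemon: pattern" line in
# FILE matches; understands ALL, an exact address and a dotted prefix only
# (no EXCEPT, netmasks or hostnames - see 'man 5 hosts_access' for those).
match_rule() {
    daemon=$2; client=$3
    while IFS=: read -r d pats; do
        d=$(printf '%s' "$d" | tr -d '[:space:]')
        case $d in ''|\#*) continue ;; esac
        [ "$d" = "$daemon" ] || [ "$d" = "ALL" ] || continue
        for p in $(printf '%s' "$pats" | tr ',' ' '); do
            case $p in
                ALL) return 0 ;;
                *.)  case $client in "$p"*) return 0 ;; esac ;;
                *)   [ "$p" = "$client" ] && return 0 ;;
            esac
        done
    done < "$1"
    return 1
}

# access_decision DIR DAEMON CLIENT -> prints allow or deny
access_decision() {
    if   match_rule "$1/hosts.allow" "$2" "$3"; then echo allow
    elif match_rule "$1/hosts.deny"  "$2" "$3"; then echo deny
    else echo allow   # nothing matched: the library's default is to allow
    fi
}

demo_dir=$(mktemp -d)   # constructed stand-in for /etc
write_wrapper_rules "$demo_dir"
access_decision "$demo_dir" sshd 10.15.7.21      # allow
access_decision "$demo_dir" sshd 192.168.10.20   # deny
access_decision "$demo_dir" vsftpd 192.168.10.20 # allow: the deny rule names sshd only
```

    The last call shows why a deny rule that names one daemon leaves every other wrapped service open.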

    Configuring the sshd service

    [root@iscsi ~]# ssh 10.15.7.21
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:pltxR/1se5bbO1SOJQmu+9lf+l6cSpi88HW2wyK+4jk.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /root/.ssh/known_hosts:2
    ECDSA host key for 10.15.7.21 has changed and you have requested strict checking.
    Host key verification failed.
    [root@iscsi ~]# vim /root/.ssh/known_hosts 
    [root@iscsi ~]# ssh 10.15.7.21
    The authenticity of host '10.15.7.21 (10.15.7.21)' can't be established.
    ECDSA key fingerprint is SHA256:pltxR/1se5bbO1SOJQmu+9lf+l6cSpi88HW2wyK+4jk.
    ECDSA key fingerprint is MD5:8e:2e:f2:01:e7:9a:ea:60:5d:5a:34:6a:a6:f1:e3:fe.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.15.7.21' (ECDSA) to the list of known hosts.
    root@10.15.7.21's password: 
    Last login: Wed Jul  8 13:57:35 2020 from 10.15.7.60
    [root@localhost ~]# cat /etc/ssh/sshd_config |grep Permit
    #PermitRootLogin yes  ## uncomment this line and set it to no to disable remote root login
    #PermitEmptyPasswords no

    Key-based authentication
    1. Generate a key pair on the client host

    [root@iscsi ~]# ssh-keygen 
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:XbUEJ/QZbS4KCFm/KMZv7BRmJg1eQCiQhEbrh4YbYq0 root@iscsi
    The key's randomart image is:
    +---[RSA 2048]----+
    |==   ooo.  .+.=. |
    |o.o . o. .   * +o|
    |.. .  ..... . +o |
    |o o  o +.o.o  . .|
    |+= o  * S o. . . |
    |+oo  . O .  .    |
    |.E      =        |
    |       +         |
    |        .        |
    +----[SHA256]-----+ 

    2. Copy the public key generated on the client to the remote host

    [root@iscsi ~]# ssh-copy-id 10.15.7.21
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@10.15.7.21's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh '10.15.7.21'"
    and check to make sure that only the key(s) you wanted were added.

    3. Configure the server to accept only key authentication and refuse the traditional password method.

    [root@localhost ~]# cat /etc/ssh/sshd_config |grep Password
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes  >> change to: PasswordAuthentication no
    # systemctl restart sshd

    4. Log in to the server from the client; no password is required

    [root@iscsi ~]# ssh 10.15.7.21
    Last login: Wed Jul  8 15:34:52 2020 from 10.15.7.20
    [root@localhost ~]# 
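    An added example (not from the original post) that covers both the PermitRootLogin note above and step 3: a shell audit that reads an sshd_config the way sshd does, so a still-commented default, or a hardened line placed after an earlier conflicting one, is reported instead of trusted. The sample config files are constructed; Match blocks and key=value syntax are not modelled.

```shell
# Added example, not from the original post: audit an sshd_config the way
# sshd reads it. Only uncommented lines count (the "#PermitRootLogin yes"
# line on the page just documents a default), and for each keyword sshd
# keeps the FIRST value it reads, so a hardened line appended at the end
# of the file is silently ignored. Match blocks and key=value syntax are
# not modelled; the sample files below are constructed for the demo.

# effective_value CONFIG KEYWORD -> the value sshd would use, or nothing
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd CONFIG -> 0 only if root login and password auth are both off
audit_sshd() {
    rc=0
    for kv in PermitRootLogin=no PasswordAuthentication=no; do
        key=${kv%=*}; want=${kv#*=}
        have=$(effective_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key ${have:-unset} (want $want)"   # unset = compiled-in default applies
            rc=1
        fi
    done
    return $rc
}

before=$(mktemp); after=$(mktemp)   # constructed sample configs
cat > "$before" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
# third line below is ignored by sshd: the first PasswordAuthentication wins
cat > "$after" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
EOF
audit_sshd "$before" || echo "-> stock config, not hardened"
audit_sshd "$after"  && echo "-> hardened; apply with: systemctl restart sshd"
```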

    Remote transfer command

    scp (secure copy) is a command for transferring files securely across the network over the SSH protocol.
    Options
    -v show detailed connection progress
    -P specify the sshd port of the remote host
    -r transfer directories
    -6 use IPv6
    # scp /root/readme.txt 192.168.10.20:/home #copy /root/readme.txt to the remote host's /home directory
    # scp 192.168.10.20:/etc/redhat-release /root #copy the remote host's redhat-release file to the local /root directory

    Uninterrupted session service

    screen is an open-source program for multi-window remote control; put simply, it is designed to survive
    abnormal network disconnects and to control several remote terminal windows at the same time.
    [root@iscsi ~]# yum install screen -y
    [root@iscsi ~]# screen -S backup
    
    aby
    [root@iscsi ~]# screen -ls
    There is a screen on:
            19326.backup    (Attached)
    1 Socket in /var/run/screen/S-root.
    
    [root@iscsi ~]# screen vim /tmp/t1.txt
    Close the ssh window and reconnect to the server
    Connecting to 10.15.7.20:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    Last login: Wed Jul  8 15:21:39 2020 from 10.15.7.60
    [root@iscsi ~]# screen -ls
    There is a screen on:
        19326.backup    (Detached) # the session created a moment ago
    1 Socket in /var/run/screen/S-root.
    
    [root@iscsi ~]# screen -r backup
    
    [root@iscsi ~]# screen -ls
    There is a screen on:
            19326.backup    (Attached)
    1 Socket in /var/run/screen/S-root.
    
    [root@iscsi ~]# screen vim /tmp/t1.txt
    [root@iscsi ~]# screen vim /tmp/t1.txt
    [root@iscsi ~]# tail -f /var/log/messages
    Leaving screen mode
    [root@iscsi ~]# exit
    [root@iscsi ~]# screen -r backup
    [screen is terminating]
    [root@iscsi ~]# 

    Session sharing
    The screen command not only ensures that the user keeps remote control of the system even in extreme situations,
    guaranteeing uninterrupted remote work in production, but also offers useful features such as session sharing, split screens and session locking.

    Client A connects to server 10.15.7.20

    [root@localhost ~]# ssh 10.15.7.20
    The authenticity of host '10.15.7.20 (10.15.7.20)' can't be established.
    ECDSA key fingerprint is SHA256:e3ojzJkCJROOPDXuV1CTrzCr9PvDPeyC8LiN093Wl6w.
    ECDSA key fingerprint is MD5:0a:95:7f:a7:82:d9:40:cf:4d:72:30:c5:c6:7e:8e:cd.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.15.7.20' (ECDSA) to the list of known hosts.
    root@10.15.7.20's password: 
    Last login: Wed Jul  8 16:06:28 2020 from 10.15.7.60
    [root@iscsi ~]# screen -S hong
    
    [root@iscsi ~]# cat /tmp/null_sta_coresh.log 
    
    

    Client B connects to server 10.15.7.20

    [root@localhost ~]# ssh 10.15.7.20
    The authenticity of host '10.15.7.20 (10.15.7.20)' can't be established.
    RSA key fingerprint is f3:55:8c:b5:e7:c3:42:ae:1a:b7:fc:20:80:0e:62:67.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.15.7.20' (RSA) to the list of known hosts.
    root@10.15.7.20's password: 
    Last login: Wed Jul  8 16:10:02 2020 from 10.15.7.21
    [root@iscsi ~]# screen -x

    From now on, whatever is done on A is visible on B.

  Original article: https://www.cnblogs.com/yhq1314/p/13294537.html