遠程訪問及控制
一、配置OpenSSH服務端
1、服務監聽選項
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 2345 //監聽端口爲2345
#AddressFamily any
ListenAddress 192.168.1.10 //監聽地址爲192.168.1.10
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2 //使用SSH V2協議
......
UseDNS no //禁用DNS反向解析
2、用戶登錄控制
LoginGraceTime 2m //登錄驗證時間爲2分鐘
PermitRootLogin yes //禁止root用戶登錄
#StrictModes yes
MaxAuthTries 6 //最大重試次數爲6
PermitEmptyPasswords no //禁止空密碼用戶登錄
AllowUsers zhangsan tom [email protected] //使用AllowUsers或DenyUsers可以配置只允許或禁止某些用戶登錄
3、登錄驗證方式
密碼驗證:對服務器中本地系統用戶的登錄名稱、密碼進行驗證。這種方式使用最爲簡便, 但從客戶端角度來看,正在連接的服務器有可能被假冒;從服務器角度來看,當遭遇密碼窮舉(暴力破解)攻擊時防禦能力比較弱。
密鑰對驗證:要求提供相匹配的密鑰信息才能通過驗證。通常先在客戶端中創建一對密鑰文件(公鑰、私鑰),然後將公鑰文件放到服務器中的指定位置。遠程登錄時,系統將使用公鑰、私鑰進行加密/解密關聯驗證,大大增強了遠程管理的安全性。該方式不易被假冒, 且可以免交互登錄,在Shell中被廣泛使用。
PubkeyAuthentication yes //啓用密鑰對驗證
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys //指定公鑰庫文件
PasswordAuthentication yes //啓用密碼驗證
[root@localhost ~]# systemctl restart sshd //如果報錯請檢查SELinux和防火牆是否關閉
二、使用SSH客戶端程序
1、命令程序 ssh、scp、sftp
1、ssh遠程登錄
如果sshd服務器使用了默認的端口號(22),則在登錄時可以省略"-p"選項及端口號
[root@client ~]# ssh -p 2345 [email protected]
The authenticity of host '[192.168.1.10]:2345 ([192.168.1.10]:2345)' can't be established.
ECDSA key fingerprint is 46:cf:d2:fe:6d:ee:54:f7:2d:f6:c8:15:ec:3b:b6:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.10]:2345' (ECDSA) to the list of known hosts.
[email protected]'s password:
[zhangsan@localhost ~]$ whoami //確認當前用戶和當前主機地址
zhangsan
[zhangsan@localhost ~]$ /sbin/ifconfig ens33 | grep "inet"
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::1749:6c57:bf18:59fb prefixlen 64 scopeid 0x20<link>
2、scp遠程複製
[root@localhost ~]# vim /etc/ssh/sshd_config //更改配置文件
PermitRootLogin yes
AllowUsers zhangsan tom root [email protected]
[root@localhost ~]# systemctl restart sshd
下行復制(下載)
[root@client ~]# scp -P 2345 [email protected]:/etc/passwd /root/pwd234.txt
[email protected]'s password:
passwd 100% 2316 2.3KB/s 00:00
上行復制(上傳)
[root@client ~]# scp -P 2345 -r /etc/vsftpd/ [email protected]:/opt
[email protected]'s password:
ftpusers 100% 125 0.1KB/s 00:00
user_list 100% 361 0.4KB/s 00:00
vsftpd.conf 100% 5116 5.0KB/s 00:00
vsftpd_conf_migrate.sh 100% 338 0.3KB/s 00:00
3、sftp安全FTP
[root@client ~]# sftp -P 2345 [email protected]
[email protected]'s password:
Connected to 192.168.1.10.
sftp> ls
sftp> put /boot/config-3.10.0-514.el7.x86_64
Uploading /boot/config-3.10.0-514.el7.x86_64 to /home/zhangsan/config-3.10.0-514.el7.x86_64
/boot/config-3.10.0-514.el7.x86_64 100% 134KB 134.5KB/s 00:00
sftp> ls
config-3.10.0-514.el7.x86_64
sftp> bye
2、圖形工具Xshell
上傳:rz
下載:sz 文件名
三、構建密鑰對驗證的SSH體系
1、在客戶端創建密鑰對(這步做完可直接到第4點)
以zhangsan用戶登錄客戶端,並生成基於ECDSA算法的SSH密鑰對文件
[root@client ~]# ssh -p 2345 [email protected]
[email protected]'s password:
Last login: Fri Jun 19 08:59:33 2020 from 192.168.1.20
[zhangsan@localhost ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa): //指定私鑰位置(默認Enter)
Created directory '/home/zhangsan/.ssh'.
Enter passphrase (empty for no passphrase): //設置私鑰短語
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub.
The key fingerprint is:
61:21:d0:64:d9:0a:36:da:c3:0c:f2:11:c9:c0:c7:2e [email protected]
The key's randomart image is:
+--[ECDSA 256]---+
|oooo.++o. |
|..=o+.o... |
| ooO o .o |
| Eo.= .. . |
| . . S |
| |
| |
| |
| |
+-----------------+
[zhangsan@localhost ~]$ ls -lh ~/.ssh/id_ecdsa* //確認生成的密鑰文件
-rw-------. 1 zhangsan zhangsan 227 Jun 19 09:23 /home/zhangsan/.ssh/id_ecdsa //私鑰文件,權限默認爲600
-rw-r--r--. 1 zhangsan zhangsan 192 Jun 19 09:23 /home/zhangsan/.ssh/id_ecdsa.pub //公鑰文件,用來提供給SSH服務器
2、將公鑰文件上傳至服務器*(可省略)
[zhangsan@localhost ~]$ scp -P 2345 ~/.ssh/id_ecdsa.pub [email protected]:/tmp/
The authenticity of host '[192.168.1.10]:2345 ([192.168.1.10]:2345)' can't be established.
ECDSA key fingerprint is 46:cf:d2:fe:6d:ee:54:f7:2d:f6:c8:15:ec:3b:b6:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.10]:2345' (ECDSA) to the list of known hosts.
[email protected]'s password:
id_ecdsa.pub 100% 192 0.2KB/s 00:00
3、在服務器中導入公鑰文本*(可省略)
目標用戶的公鑰數據庫位於~/.ssh目錄,默認的文件名是"authorized-keys"。如果目錄不存在,需要手動創建
[root@localhost ~]# mkdir /home/tom/.ssh
[root@localhost ~]# cat /tmp/id_ecdsa.pub >> /home/tom/.ssh/authorized_keys
[root@localhost ~]# tail -l /home/tom/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHik3IqFyyqCAGCXJy/U9ekAX+xfpr9e6A5KKhAYF7Of/g77uUgU4dzQZm82JM3Btm6hb701HTEoJX9J0G8UuaY= [email protected]
[root@localhost ~]# ls -l /home/tom/.ssh/authorized_keys //查看權限
-rw-r--r--. 1 root root 192 6月 19 09:30 /home/tom/.ssh/authorized-keys
[zhangsan@localhost ~]$ ssh -p 2345 [email protected] //登錄成功
[tom@localhost ~]$ whoami
tom
4、在客戶端使用密鑰對驗證
將公鑰自動添加到目標主機user宿主目錄下的.ssh/authorized_keys文件結尾
[zhangsan@localhost ~]$ ssh-copy-id -p 2345 -i ~/.ssh/id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2345' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# ls -l /home/tom/.ssh/authorized_keys
-rw-------. 1 tom tom 192 6月 19 10:01 /home/tom/.ssh/authorized_keys
[root@localhost ~]# tail -l /home/tom/.ssh/authorized_keys //查看服務器中目標用戶的公鑰數據庫
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHik3IqFyyqCAGCXJy/U9ekAX+xfpr9e6A5KKhAYF7Of/g77uUgU4dzQZm82JM3Btm6hb701HTEoJX9J0G8UuaY= [email protected]
在用戶爲zhangsan時,然後通過ssh命令以服務器端用戶tom的身份進行遠程登錄
[zhangsan@localhost ~]$ ssh -p 2345 [email protected]
Last login: Fri Jun 19 09:49:10 2020 from 192.168.1.10
[tom@localhost ~]$ whoami
tom
四、TCP Wrappers訪問控制
1、TCP Wrappers 的訪問策略
1.、策略的配置格式
〈服務程序列表〉:〈客戶端地址列表〉
服務程序列表
ALL:代表所有的服務。
單個服務程序:如"vsftpd"。
多個服務程序組成的列表:如"vsftpd,sshd”
客戶端地址列表
ALL:代表任何客戶端地址。
LOCAL:代表本機地址。
單個 IP 地址:如"192.168.4.4"。
網絡段地址:如"192.168.4.0/255.255.255.0”
以".“開始的域名:如”.bdqn.com"匹配bdqn. com域中的所有主機。
以"…“結束的網絡地址:如"192.168.4.”匹配整個192.168.4.0/24網段。
嵌入通配符”※","?":前者代表任意長度字符,後者僅代表一個字符,如"10.0.8.2*"匹 配以10.0.8.2開頭的所有舊地址。不可與以開始或結束的模式混用。
多個客戶端地址組成的列表:如"192.168.1., 172.16.16., .bdqn.com”。
2、訪問控制的基本原則
首先檢查/etc/hosts.allow文件,如果找到相匹配的策略,則允許訪問;否則繼續檢查/etc/hosts.deny文件,如果找到相匹配的策略,則拒絕訪問;如果檢查上述兩個文件都找不到相匹配的策略,則允許訪問
3、TCP Wrappers 配置
[root@localhost ~]# vim /etc/hosts.allow
sshd:192.168.2.10,192.168.2.* //只從IP地址爲192.168.2.10的主機或者位於192.168.2.0/24網段的主機訪問sshd服務
[root@localhost ~]# vim /etc/hosts.deny
sshd:all //其他地址被拒絕
五、防止暴力破解ssh
腳本設置
[root@localhost ~]# vim SSHD.sh
#!/bin/bash
cat /var/log/secure | awk 'Failed/{print $(NF-3)}' |sort|uniq -c|awk '{print $2"="$1;}' > /root/satools/black.txt
DEFINE="10"
for i in `cat /root/satools/black.txt`
do
IP=`echo $i |awk -F='{print $1}'`
NUM=`echo $i|awk -F='{print $2}'`
if [ $NUM -gt $DEFINE ];then
grep $IP /etc/hosts.deny > dev/null
if [ $? -gt 0];then
echo "sshd$IP" >> /etc/hosts.deny
fi
fi
done