First make sure the installation disc image is mounted on the machine, then look at the package information
[root@xuegod63 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 16G 4.9G 9.9G 34% /
tmpfs 996M 224K 996M 1% /dev/shm
/dev/sda1 194M 34M 151M 19% /boot
/dev/sr0 3.6G 3.6G 0 100% /mnt/cdrom
.host:/ 466G 427G 40G 92% /mnt/hgfs
[root@xuegod63 ~]# rpm -qi /mnt/cdrom/Packages/openssh-
openssh-5.3p1-94.el6.x86_64.rpm #core files needed by both the server and the client
openssh-askpass-5.3p1-94.el6.x86_64.rpm #for entering the password in a graphical environment; usually not needed
openssh-clients-5.3p1-94.el6.x86_64.rpm #client package
openssh-server-5.3p1-94.el6.x86_64.rpm #server package
To view a package's detailed version information, use
[root@xuegod63 ~]# rpm -pqi /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm
or use
[root@xuegod63 ~]# yum info openssh #requires a working YUM repository configuration
Check whether the machine already has it installed (note that rpm -q looks its argument up in the RPM database as a package name, so passing the .rpm path always reports it as not installed; rpm -q openssh-server queries by name)
[root@xuegod63 ~]# rpm -qi /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm
package /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm is not installed
If it is not installed, install it directly with YUM or install the packages one by one with rpm
[root@xuegod63 ~]# yum install openssh
ssh command format
ssh [remote user name]@[remote host IP or host name]
[root@xuegod63 ~]# ssh xuegod64
ssh: Could not resolve hostname xuegod64: Temporary failure in name resolution
When this message appears, edit the local /etc/hosts file and add the following
192.168.186.163 xuegod63 #used later
192.168.186.164 xuegod64
192.168.186.165 xuegod65 #used later
Connect
[root@xuegod63 ~]# ssh xuegod64 #when no remote user name is given, the user name shown in the local prompt is used
The authenticity of host 'xuegod64 (192.168.186.164)' can't be established.
RSA key fingerprint is a5:c4:4e:54:ea:2d:72:3f:9e:65:a2:ac:cd:41:ce:ca.
Are you sure you want to continue connecting (yes/no)? yes #must be entered on the first connection
Warning: Permanently added 'xuegod64,192.168.186.164' (RSA) to the list of known hosts.
root@xuegod64's password: #enter the password
Last login: Thu Mar 9 08:05:40 2017 from 192.168.186.163
[root@xuegod64 ~]# hostname #connected successfully
xuegod64
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed
Logging in with a specific user name
[root@xuegod63 ~]# ssh sishen@xuegod64 #log in as the given user; the user must exist on the remote host and be allowed to log in
sishen@xuegod64's password: #enter user sishen's password
[root@xuegod63 ~]# ssh -l sishen xuegod64 #use the -l option to specify the user name
sishen@xuegod64's password:
Last login: Thu Mar 9 08:47:37 2017 from 192.168.186.163
Forwarding the remote host's graphical display: the -X option
[root@xuegod63 ~]# ssh -X -l root xuegod64
root@xuegod64's password:
Last login: Thu Mar 9 08:46:38 2017 from 192.168.186.163
[root@xuegod64 ~]# firefox
If the remote host's SSH port is not 22, change the port on the remote host and log in with the specified port
Edit /etc/ssh/sshd_config on xuegod64
Port 2220 #add this line
#Port 22 #default port
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Save and exit, then restart the sshd service
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Log in with the specified port
[root@xuegod63 ~]# ssh -l sishen xuegod64 -p 2220
sishen@xuegod64's password:
Last login: Thu Mar 9 08:50:14 2017 from 192.168.186.163
Setting the listening port and IP
server: xuegod64
client: xuegod63
Edit /etc/ssh/sshd_config on xuegod64
Port 2220 #change this line; default: Port 22
#AddressFamily any
ListenAddress 192.168.186.164 #default: 0.0.0.0
#ListenAddress ::
[root@xuegod64 ~]# service sshd restart
[root@xuegod63 ~]# ssh root@xuegod64 -p 2220
root@xuegod64's password:
Last login: Thu Mar 9 09:05:53 2017
[root@xuegod64 ~]# hostname
xuegod64
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed.
Where the SSH service logs
[root@xuegod64 ~]# tailf /var/log/secure
Mar 9 09:18:18 xuegod64 sshd[4281]: fatal: Cannot bind any address.
Mar 9 09:18:57 xuegod64 sshd[4302]: Server listening on 192.168.186.164 port 2220.
Mar 9 09:18:59 xuegod64 sshd[4302]: Received signal 15; terminating.
Mar 9 09:18:59 xuegod64 sshd[4321]: Server listening on 192.168.186.164 port 2220.
……..
Because /var/log/secure holds the logs of many services, analysing it is inconvenient; we can change where the log file is written
Edit /etc/ssh/sshd_config on xuegod64
SyslogFacility local1 #change this line; the default is AUTHPRIV
Edit /etc/rsyslog.conf
Add one line at the end
local1.* /var/log/sshd.log
Save and exit, then restart the services
[root@xuegod64 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Test and check
[root@xuegod64 ~]# tailf /var/log/sshd.log
Mar 9 09:30:01 xuegod64 sshd[4860]: Server listening on 192.168.186.164 port 2220.
Mar 9 09:30:46 xuegod64 sshd[4865]: Accepted password for root from 192.168.186.163 port 44221 ssh2
If SSH logins are sometimes very slow, try the following
[root@xuegod64 ~]# vim /etc/ssh/sshd_config
UseDNS no #default yes, change to no
GSSAPIAuthentication no #default yes, change to no
Restart the sshd service
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Configuring passwordless login
[root@xuegod63 ~]# ssh-keygen #generate the key pair on the client
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): #just press Enter
Enter same passphrase again: #just press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
92:d7:89:4f:ad:0b:59:33:f1:59:94:8a:cf:52:e5:89 root@xuegod63
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| .o |
| .. =.. |
| . o.=Eoo |
| o S B++ |
| o =.+o |
| o o. |
| . . |
| . |
+-----------------+
[root@xuegod63 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub xuegod64 #publish the public key to the server
root@xuegod64's password: #enter the password
Now try logging into the machine, with "ssh 'xuegod64'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@xuegod63 ~]# ssh xuegod64 #logs straight in to xuegod64 without asking for a password
Last login: Thu Mar 9 09:38:42 2017 from 192.168.186.163
Passwordless login for an ordinary user
[root@xuegod63 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub sishen@xuegod64
sishen@xuegod64's password:
Now try logging into the machine, with "ssh 'sishen@xuegod64'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@xuegod63 ~]# ssh -l sishen xuegod64
Last login: Thu Mar 9 08:58:00 2017 from 192.168.186.163
[sishen@xuegod64 ~]$
Passing variables over SSH
Define a variable
[root@xuegod63 ~]# declare -x myenv=`/bin/cat /etc/yum.conf`
[root@xuegod63 ~]# echo $myenv
[main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=3 # This is the default, if you make this bigger yum won't see if the metadata # is newer on the remote and so you'll "gain" the bandwidth of not having to # download the new metadata and "pay" for it by yum not having correct # information. # It is esp. important, to have correct metadata, for distributions like # Fedora which don't keep old packages around. If you don't like this checking # interupting your command line usage, it's much better to have something # manually check the metadata once an hour (yum-updatesd will do this). # metadata_expire=90m # PUT YOUR REPOS HERE OR IN separate files named file.repo # in /etc/yum.repos.d
Edit /etc/ssh/ssh_config on xuegod63
SendEnv myenv #add this line at the end
Save and exit, then restart the sshd service
Edit /etc/ssh/sshd_config on xuegod64
AcceptEnv XMODIFIERS #this line already exists; add the following line below it
AcceptEnv myenv
Restart the sshd service
Log in and check myenv
[root@xuegod63 ~]# ssh xuegod64
Last login: Thu Mar 9 09:46:00 2017 from 192.168.186.163
[root@xuegod64 ~]# echo $myenv
[main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=3 # This is the default, if you make this bigger yum won't see if the metadata # is newer on the remote and so you'll "gain" the bandwidth of not having to # download the new metadata and "pay" for it by yum not having correct # information. # It is esp. important, to have correct metadata, for distributions like # Fedora which don't keep old packages around. If you don't like this checking # interupting your command line usage, it's much better to have something # manually check the metadata once an hour (yum-updatesd will do this). # metadata_expire=90m # PUT YOUR REPOS HERE OR IN separate files named file.repo # in /etc/yum.repos.d
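The sections above edit /etc/ssh/sshd_config several times (Port, ListenAddress, SyslogFacility, UseDNS, GSSAPIAuthentication, AcceptEnv). The Python below is an added example, not part of the original tutorial: it parses a constructed sshd_config fragment shaped like the xuegod64 edits, applies sshd's first-match rule (and the accumulating rule for Port, ListenAddress and AcceptEnv), and reports which of the tutorial's settings are missing or differ. The sample file and the function names are assumptions.

```python
import re

# Constructed sample in the shape of the xuegod64 edits above (not the page's own file).
SAMPLE_SSHD_CONFIG = """\
Port 2220
#Port 22
ListenAddress 192.168.186.164
#ListenAddress ::
SyslogFacility local1
UseDNS no
GSSAPIAuthentication no
AcceptEnv XMODIFIERS
AcceptEnv myenv
"""

# Accumulating keywords used on this page; the remaining keywords are first-match.
MULTI_VALUE = {"port", "listenaddress", "acceptenv"}

def parse_sshd_config(text):
    """Return the settings sshd will actually use from an sshd_config body.

    Keywords are case-insensitive. For most of them the FIRST occurrence wins, so a
    duplicate appended at the end of the file is silently ignored; Port, ListenAddress
    and AcceptEnv accumulate instead, so a leftover uncommented 'Port 22' keeps the
    default port open. Match blocks are not handled (assumption: none are used)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in MULTI_VALUE:
            effective.setdefault(key, []).extend(value.split())
        elif key not in effective:
            effective[key] = value
    return effective

# Values the tutorial sets on xuegod64, keyed by lowercase keyword.
EXPECTED = {"port": ["2220"], "syslogfacility": "local1",
            "usedns": "no", "gssapiauthentication": "no"}

def audit(effective):
    """List tutorial settings that are absent (sshd's default applies) or differ."""
    return ["%s is %r, expected %r" % (k, effective.get(k), v)
            for k, v in EXPECTED.items() if effective.get(k) != v]
```

Running audit() over the real file (open("/etc/ssh/sshd_config").read()) shows at a glance whether the changes from the sections above took effect before sshd is restarted.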
Protecting SSH against brute-force attacks
Method one: set a sufficiently complex password: letters, digits and special characters, or a mix of English and Chinese song lyrics or lines of poetry, and the like
Method two: install fail2ban
fail2ban website: http://www.fail2ban.org/
Installing fail2ban
[root@xuegod64 ~]# tar -xf fail2ban-0.8.14.tar.gz -C /usr/local/src/
[root@xuegod64 ~]# cd /usr/local/src/fail2ban-0.8.14/
[root@xuegod64 fail2ban-0.8.14]# ls
ChangeLog DEVELOP fail2ban-testcases man setup.cfg
client doc fail2ban-testcases-all MANIFEST setup.py
common fail2ban-client files README.md testcases
config fail2ban-regex FILTERS README.Solaris THANKS
COPYING fail2ban-server kill-server server TODO
[root@xuegod64 fail2ban-0.8.14]# less README.md #see the installation instructions
……..
To install, just do: #find this part
tar xvfj fail2ban-0.8.12.tar.bz2
cd fail2ban-0.8.12
python setup.py install
[root@xuegod64 fail2ban-0.8.14]# python setup.py install #run the installation script
[root@xuegod64 fail2ban-0.8.14]# grep -ir chkconfig * #find the fail2ban start-up script
files/redhat-initd:# chkconfig: - 92 08
[root@xuegod64 fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban #make it controllable with service
[root@xuegod64 fail2ban-0.8.14]# chkconfig fail2ban on
[root@xuegod64 fail2ban-0.8.14]# ls /etc/fail2ban/
action.d #actions directory; contains the default files for the iptables, mail and other actions
fail2ban.conf #defines fail2ban's log level, log location and socket file location
fail2ban.d
filter.d #filters directory; settings for matching the key content of logs
jail.conf #main configuration file; modular; sets which services trigger ban actions and the thresholds
jail.d
[root@xuegod64 ~]# /etc/init.d/fail2ban restart
Stopping fail2ban: ERROR Unable to contact server. Is it running?
[FAILED]
Starting fail2ban: [ OK ]
[root@xuegod64 ~]# ls /etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/filter.d/sshd.conf
[root@xuegod64 ~]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
ignoreip = 127.0.0.1/8 #list of IPs to ignore; not subject to the rules
bantime = 600 #ban duration, in seconds
findtime = 500 #exceeding the allowed number of attempts within this period gets the IP banned
maxretry = 3 #maximum number of attempts
backend = auto #handled automatically
[ssh-iptables] #per-service check settings; if bantime, findtime or maxretry set here conflict with the global values, the service section takes precedence over the global settings
enabled = true #whether this jail is active (true/false); change to true
filter = sshd #name of the filter rule, corresponding to sshd.conf in the filter.d directory
action = iptables[name=SSH, port=ssh, protocol=tcp] #action parameters, corresponding to the action.d/iptables.conf file
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] #recipient of the triggered alert
#if the ssh port was changed, the port here must be changed accordingly
logpath = /var/log/secure #the system login log to monitor; this must be the sshd service log file. Default: logpath = /var/log/sshd.log
#3 failed password attempts within 5 minutes ban the user's IP from the host for 1 hour. Configured as follows
bantime = 3600 #ban the user's IP from the host for 1 hour
findtime = 300 #start acting when the set number of failures occurs within 5 minutes
maxretry = 3 #3 failed password attempts
[root@xuegod64 ~]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban:
[ OK ]
[root@xuegod64 ~]# less /var/log/sshd.log #view the log; to simplify the test we clear it
[root@xuegod64 ~]# >/var/log/sshd.log #clear the log
[root@xuegod64 ~]# less /var/log/sshd.log #view it again
[root@xuegod64 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@xuegod64 ~]# rm -rf .ssh/authorized_keys
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed.
[root@xuegod63 ~]# ssh xuegod64
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied (publickey,password).
Check whether it was put in the jail
[root@xuegod64 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
Look at the details
[root@xuegod64 ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/sshd.log
| |- Currently failed: 0
| `- Total failed: 4
`- action
|- Currently banned: 1
| `- IP list: 192.168.186.163
`- Total banned: 1
Check the firewall rules
[root@xuegod64 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- 192.168.186.163 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Check the log that fail2ban monitors
[root@xuegod64 ~]# tailf /var/log/sshd.log
Mar 9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2
Mar 9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2
Mar 9 10:38:29 xuegod64 sshd[6220]: Connection closed by 192.168.186.163
Mar 9 10:38:43 xuegod64 sshd[6222]: Accepted password for root from 192.168.186.163 port 44638 ssh2
Mar 9 10:41:54 xuegod64 sshd[6222]: Received disconnect from 192.168.186.163: 11: disconnected by user
Mar 9 10:42:15 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar 9 10:42:16 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar 9 10:42:16 xuegod64 sshd[6304]: Connection closed by 192.168.186.163
Mar 9 10:42:23 xuegod64 sshd[6305]: Accepted password for root from 192.168.186.163 port 44640 ssh2
Mar 9 10:43:41 xuegod64 sshd[4919]: Received disconnect from 192.168.186.163: 11: disconnected by user
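As an added example (not part of the original page or of fail2ban itself), the Python below reproduces the [ssh-iptables] jail's counting rule over constructed log lines modelled on the /var/log/sshd.log entries above: a source IP with maxretry = 3 "Failed password" lines inside any findtime = 300 second window is banned. The regex is a simplified stand-in for the failregex in fail2ban's filter.d/sshd.conf, and the sample lines and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/sshd.log (modelled on the lines above, not copied from a live host).
SAMPLE_LOG = [
    "Mar  9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2",
    "Mar  9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2",
    "Mar  9 10:38:29 xuegod64 sshd[6220]: Connection closed by 192.168.186.163",
    "Mar  9 10:38:43 xuegod64 sshd[6222]: Accepted password for root from 192.168.186.163 port 44638 ssh2",
    "Mar  9 10:40:02 xuegod64 sshd[6280]: Failed password for invalid user admin from 192.168.186.165 port 50001 ssh2",
    "Mar  9 10:42:15 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2",
    "Mar  9 10:42:16 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2",
    "Mar  9 10:50:30 xuegod64 sshd[6400]: Failed password for invalid user admin from 192.168.186.165 port 50002 ssh2",
]

# Simplified stand-in for the failregex in fail2ban's filter.d/sshd.conf (assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2017):
    """syslog timestamps carry no year; the page's session is from March 2017."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")

def find_bans(lines, findtime=300, maxretry=3):
    """Apply the jail rule: an IP with maxretry failures inside any findtime-second
    window is banned. Returns {ip: time of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins, disconnects, etc. do not count
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue              # already banned; iptables now rejects this source
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= maxretry:
            bans[ip] = when
    return bans
```

On the sample, 192.168.186.163 is banned at the third failure (10:42:15), which matches the "Total failed: 4, Currently banned: 1" shown by fail2ban-client above, while 192.168.186.165 stays under the threshold.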
Preventing brute-force attacks with DenyHosts
[root@xuegod64 ~]# rpm -ivh denyhosts-2.6-20.el6.noarch.rpm
Edit the configuration file
13 SECURE_LOG = /var/log/sshd.log #around line 13
114 DENY_THRESHOLD_INVALID = 3 #around line 114
Restart the denyhosts service
[root@xuegod64 ~]# /etc/init.d/denyhosts restart
Stopping denyhosts: [ OK ]
Starting denyhosts: [ OK ]
Enter the wrong password three times in a row
[root@xuegod63 ~]# ssh xuegod64
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied (publickey,password).
[root@xuegod63 ~]# ssh xuegod64
ssh_exchange_identification: Connection closed by remote host