远程访问及控制
一、配置OpenSSH服务端
1、服务监听选项
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 2345 //监听端口为2345
#AddressFamily any
ListenAddress 192.168.1.10 //监听地址为192.168.1.10
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2 //使用SSH V2协议
......
UseDNS no //禁用DNS反向解析
2、用户登录控制
LoginGraceTime 2m //登录验证时间为2分钟
PermitRootLogin yes //禁止root用户登录
#StrictModes yes
MaxAuthTries 6 //最大重试次数为6
PermitEmptyPasswords no //禁止空密码用户登录
AllowUsers zhangsan tom [email protected] //使用AllowUsers或DenyUsers可以配置只允许或禁止某些用户登录
3、登录验证方式
密码验证:对服务器中本地系统用户的登录名称、密码进行验证。这种方式使用最为简便, 但从客户端角度来看,正在连接的服务器有可能被假冒;从服务器角度来看,当遭遇密码穷举(暴力破解)攻击时防御能力比较弱。
密钥对验证:要求提供相匹配的密钥信息才能通过验证。通常先在客户端中创建一对密钥文件(公钥、私钥),然后将公钥文件放到服务器中的指定位置。远程登录时,系统将使用公钥、私钥进行加密/解密关联验证,大大增强了远程管理的安全性。该方式不易被假冒, 且可以免交互登录,在Shell中被广泛使用。
PubkeyAuthentication yes //启用密钥对验证
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys //指定公钥库文件
PasswordAuthentication yes //启用密码验证
[root@localhost ~]# systemctl restart sshd //如果报错请检查SELinux和防火墙是否关闭
二、使用SSH客户端程序
1、命令程序 ssh、scp、sftp
1、ssh远程登录
如果sshd服务器使用了默认的端口号(22),则在登录时可以省略"-p"选项及端口号
[root@client ~]# ssh -p 2345 [email protected]
The authenticity of host '[192.168.1.10]:2345 ([192.168.1.10]:2345)' can't be established.
ECDSA key fingerprint is 46:cf:d2:fe:6d:ee:54:f7:2d:f6:c8:15:ec:3b:b6:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.10]:2345' (ECDSA) to the list of known hosts.
[email protected]'s password:
[zhangsan@localhost ~]$ whoami //确认当前用户和当前主机地址
zhangsan
[zhangsan@localhost ~]$ /sbin/ifconfig ens33 | grep "inet"
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::1749:6c57:bf18:59fb prefixlen 64 scopeid 0x20<link>
2、scp远程复制
[root@localhost ~]# vim /etc/ssh/sshd_config //更改配置文件
PermitRootLogin yes
AllowUsers zhangsan tom root [email protected]
[root@localhost ~]# systemctl restart sshd
下行复制(下载)
[root@client ~]# scp -P 2345 [email protected]:/etc/passwd /root/pwd234.txt
[email protected]'s password:
passwd 100% 2316 2.3KB/s 00:00
上行复制(上传)
[root@client ~]# scp -P 2345 -r /etc/vsftpd/ [email protected]:/opt
[email protected]'s password:
ftpusers 100% 125 0.1KB/s 00:00
user_list 100% 361 0.4KB/s 00:00
vsftpd.conf 100% 5116 5.0KB/s 00:00
vsftpd_conf_migrate.sh 100% 338 0.3KB/s 00:00
3、sftp安全FTP
[root@client ~]# sftp -P 2345 [email protected]
[email protected]'s password:
Connected to 192.168.1.10.
sftp> ls
sftp> put /boot/config-3.10.0-514.el7.x86_64
Uploading /boot/config-3.10.0-514.el7.x86_64 to /home/zhangsan/config-3.10.0-514.el7.x86_64
/boot/config-3.10.0-514.el7.x86_64 100% 134KB 134.5KB/s 00:00
sftp> ls
config-3.10.0-514.el7.x86_64
sftp> bye
2、图形工具Xshell
上传:rz
下载:sz 文件名
三、构建密钥对验证的SSH体系
1、在客户端创建密钥对(这步做完可直接到第4点)
以zhangsan用户登录客户端,并生成基于ECDSA算法的SSH密钥对文件
[root@client ~]# ssh -p 2345 [email protected]
[email protected]'s password:
Last login: Fri Jun 19 08:59:33 2020 from 192.168.1.20
[zhangsan@localhost ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa): //指定私钥位置(默认Enter)
Created directory '/home/zhangsan/.ssh'.
Enter passphrase (empty for no passphrase): //设置私钥短语
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub.
The key fingerprint is:
61:21:d0:64:d9:0a:36:da:c3:0c:f2:11:c9:c0:c7:2e [email protected]
The key's randomart image is:
+--[ECDSA 256]---+
|oooo.++o. |
|..=o+.o... |
| ooO o .o |
| Eo.= .. . |
| . . S |
| |
| |
| |
| |
+-----------------+
[zhangsan@localhost ~]$ ls -lh ~/.ssh/id_ecdsa* //确认生成的密钥文件
-rw-------. 1 zhangsan zhangsan 227 Jun 19 09:23 /home/zhangsan/.ssh/id_ecdsa //私钥文件,权限默认为600
-rw-r--r--. 1 zhangsan zhangsan 192 Jun 19 09:23 /home/zhangsan/.ssh/id_ecdsa.pub //公钥文件,用来提供给SSH服务器
2、将公钥文件上传至服务器*(可省略)
[zhangsan@localhost ~]$ scp -P 2345 ~/.ssh/id_ecdsa.pub [email protected]:/tmp/
The authenticity of host '[192.168.1.10]:2345 ([192.168.1.10]:2345)' can't be established.
ECDSA key fingerprint is 46:cf:d2:fe:6d:ee:54:f7:2d:f6:c8:15:ec:3b:b6:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.10]:2345' (ECDSA) to the list of known hosts.
[email protected]'s password:
id_ecdsa.pub 100% 192 0.2KB/s 00:00
3、在服务器中导入公钥文本*(可省略)
目标用户的公钥数据库位于~/.ssh目录,默认的文件名是"authorized-keys"。如果目录不存在,需要手动创建
[root@localhost ~]# mkdir /home/tom/.ssh
[root@localhost ~]# cat /tmp/id_ecdsa.pub >> /home/tom/.ssh/authorized_keys
[root@localhost ~]# tail -l /home/tom/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHik3IqFyyqCAGCXJy/U9ekAX+xfpr9e6A5KKhAYF7Of/g77uUgU4dzQZm82JM3Btm6hb701HTEoJX9J0G8UuaY= [email protected]
[root@localhost ~]# ls -l /home/tom/.ssh/authorized_keys //查看权限
-rw-r--r--. 1 root root 192 6月 19 09:30 /home/tom/.ssh/authorized-keys
[zhangsan@localhost ~]$ ssh -p 2345 [email protected] //登录成功
[tom@localhost ~]$ whoami
tom
4、在客户端使用密钥对验证
将公钥自动添加到目标主机user宿主目录下的.ssh/authorized_keys文件结尾
[zhangsan@localhost ~]$ ssh-copy-id -p 2345 -i ~/.ssh/id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2345' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# ls -l /home/tom/.ssh/authorized_keys
-rw-------. 1 tom tom 192 6月 19 10:01 /home/tom/.ssh/authorized_keys
[root@localhost ~]# tail -l /home/tom/.ssh/authorized_keys //查看服务器中目标用户的公钥数据库
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHik3IqFyyqCAGCXJy/U9ekAX+xfpr9e6A5KKhAYF7Of/g77uUgU4dzQZm82JM3Btm6hb701HTEoJX9J0G8UuaY= [email protected]
在用户为zhangsan时,然后通过ssh命令以服务器端用户tom的身份进行远程登录
[zhangsan@localhost ~]$ ssh -p 2345 [email protected]
Last login: Fri Jun 19 09:49:10 2020 from 192.168.1.10
[tom@localhost ~]$ whoami
tom
四、TCP Wrappers访问控制
1、TCP Wrappers 的访问策略
1.、策略的配置格式
〈服务程序列表〉:〈客户端地址列表〉
服务程序列表
ALL:代表所有的服务。
单个服务程序:如"vsftpd"。
多个服务程序组成的列表:如"vsftpd,sshd”
客户端地址列表
ALL:代表任何客户端地址。
LOCAL:代表本机地址。
单个 IP 地址:如"192.168.4.4"。
网络段地址:如"192.168.4.0/255.255.255.0”
以".“开始的域名:如”.bdqn.com"匹配bdqn. com域中的所有主机。
以"…“结束的网络地址:如"192.168.4.”匹配整个192.168.4.0/24网段。
嵌入通配符”※","?":前者代表任意长度字符,后者仅代表一个字符,如"10.0.8.2*"匹 配以10.0.8.2开头的所有旧地址。不可与以开始或结束的模式混用。
多个客户端地址组成的列表:如"192.168.1., 172.16.16., .bdqn.com”。
2、访问控制的基本原则
首先检查/etc/hosts.allow文件,如果找到相匹配的策略,则允许访问;否则继续检查/etc/hosts.deny文件,如果找到相匹配的策略,则拒绝访问;如果检查上述两个文件都找不到相匹配的策略,则允许访问
3、TCP Wrappers 配置
[root@localhost ~]# vim /etc/hosts.allow
sshd:192.168.2.10,192.168.2.* //只从IP地址为192.168.2.10的主机或者位于192.168.2.0/24网段的主机访问sshd服务
[root@localhost ~]# vim /etc/hosts.deny
sshd:all //其他地址被拒绝
五、防止暴力破解ssh
脚本设置
[root@localhost ~]# vim SSHD.sh
#!/bin/bash
cat /var/log/secure | awk 'Failed/{print $(NF-3)}' |sort|uniq -c|awk '{print $2"="$1;}' > /root/satools/black.txt
DEFINE="10"
for i in `cat /root/satools/black.txt`
do
IP=`echo $i |awk -F='{print $1}'`
NUM=`echo $i|awk -F='{print $2}'`
if [ $NUM -gt $DEFINE ];then
grep $IP /etc/hosts.deny > dev/null
if [ $? -gt 0];then
echo "sshd$IP" >> /etc/hosts.deny
fi
fi
done