First make sure the installation DVD image is mounted, then look at the package information.
[root@xuegod63 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 16G 4.9G 9.9G 34% /
tmpfs 996M 224K 996M 1% /dev/shm
/dev/sda1 194M 34M 151M 19% /boot
/dev/sr0 3.6G 3.6G 0 100% /mnt/cdrom
.host:/ 466G 427G 40G 92% /mnt/hgfs
[root@xuegod63 ~]# rpm -qi /mnt/cdrom/Packages/openssh- #press Tab twice here; the shell lists the matching package files
openssh-5.3p1-94.el6.x86_64.rpm #core files needed by both server and client
openssh-askpass-5.3p1-94.el6.x86_64.rpm #passphrase prompt for graphical sessions, usually not needed
openssh-clients-5.3p1-94.el6.x86_64.rpm #client package
openssh-server-5.3p1-94.el6.x86_64.rpm #server package
To see the detailed version information of a package file, query the file itself with -p:
[root@xuegod63 ~]# rpm -qpi /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm
or, provided a YUM repository is configured:
[root@xuegod63 ~]# yum info openssh
To check whether the package is already installed, query the RPM database by package name. Querying with the file path, as below, does not do that: rpm treats the path as a package name and reports "not installed" whether or not openssh-server is on the system.
[root@xuegod63 ~]# rpm -qi /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm
package /mnt/cdrom/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm is not installed
[root@xuegod63 ~]# rpm -q openssh-server
package openssh-server is not installed
If it is not installed, install it with YUM or install the rpm files one by one. The server needs openssh and openssh-server, the client needs openssh and openssh-clients; YUM pulls in openssh as a dependency:
[root@xuegod63 ~]# yum install openssh-server openssh-clients
ssh command syntax
ssh [user on the remote host]@[remote host IP or hostname]
[root@xuegod63 ~]# ssh xuegod64
ssh: Could not resolve hostname xuegod64: Temporary failure in name resolution
When you see this message, edit the local /etc/hosts file and add the following entries:
192.168.186.163 xuegod63 #used later
192.168.186.164 xuegod64
192.168.186.165 xuegod65 #used later
Now connect:
[root@xuegod63 ~]# ssh xuegod64 #with no user name given, ssh uses the local user name, here root
The authenticity of host 'xuegod64 (192.168.186.164)' can't be established.
RSA key fingerprint is a5:c4:4e:54:ea:2d:72:3f:9e:65:a2:ac:cd:41:ce:ca.
Are you sure you want to continue connecting (yes/no)? yes #asked on the first connection only
Before answering yes, compare the fingerprint with the one the server prints for its own host key (on xuegod64's console: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub). Answering yes to an unverified fingerprint stores whatever key was offered in ~/.ssh/known_hosts, which is exactly what a man-in-the-middle on the first connection needs; a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning means the stored key no longer matches the one being offered.
Warning: Permanently added 'xuegod64,192.168.186.164' (RSA) to the list of known hosts.
root@xuegod64's password: #enter the password
Last login: Thu Mar 9 08:05:40 2017 from 192.168.186.163
[root@xuegod64 ~]# hostname #connected
xuegod64
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed
Logging in as a specific user
[root@xuegod63 ~]# ssh sishen@xuegod64 #log in as the given user; the user must exist on the remote host and be allowed to log in
sishen@xuegod64's password: #enter sishen's password
[root@xuegod63 ~]# ssh -l sishen xuegod64 #the -l option also specifies the user name
sishen@xuegod64's password:
Last login: Thu Mar 9 08:47:37 2017 from 192.168.186.163
Displaying graphical programs from the remote host: the -X option (X11 forwarding)
[root@xuegod63 ~]# ssh -X -l root xuegod64
root@xuegod64's password:
Last login: Thu Mar 9 08:46:38 2017 from 192.168.186.163
[root@xuegod64 ~]# firefox #the window opens on xuegod63's display
This requires X11Forwarding yes in the server's sshd_config (the sshd_config shipped with CentOS 6 sets it). Forwarding gives programs on the remote host access to your local X display, so use -X only toward hosts you trust, and prefer -X to -Y, which switches off the X11 SECURITY extension restrictions as well.
If the remote host's SSH port is not 22, change the port on the remote host and connect with the port specified.
Edit /etc/ssh/sshd_config on xuegod64:
Port 2220 #add this line
#Port 22 #the default port, left commented out
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
On CentOS 6 with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so allow the new port first with semanage port -a -t ssh_port_t -p tcp 2220 (semanage is in the policycoreutils-python package), and open the port in iptables if the firewall is active. Check the file with sshd -t, keep your current session open in case the restart fails, then save and restart sshd:
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Log in with the port specified:
[root@xuegod63 ~]# ssh -l sishen xuegod64 -p 2220
sishen@xuegod64's password:
Last login: Thu Mar 9 08:50:14 2017 from 192.168.186.163
Setting the listening port and address
server: xuegod64
client: xuegod63
Edit /etc/ssh/sshd_config on xuegod64:
Port 2220 #change this line, default value: Port 22
#AddressFamily any
ListenAddress 192.168.186.164 #default value: 0.0.0.0, i.e. all IPv4 addresses; the address given here must be configured on one of the host's interfaces
#ListenAddress ::
[root@xuegod64 ~]# service sshd restart
[root@xuegod63 ~]# ssh root@xuegod64 -p 2220
root@xuegod64's password:
Last login: Thu Mar 9 09:05:53 2017
[root@xuegod64 ~]# hostname
xuegod64
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed.
Where the SSH service logs
[root@xuegod64 ~]# tailf /var/log/secure
Mar 9 09:18:18 xuegod64 sshd[4281]: fatal: Cannot bind any address.
Mar 9 09:18:57 xuegod64 sshd[4302]: Server listening on 192.168.186.164 port 2220.
Mar 9 09:18:59 xuegod64 sshd[4302]: Received signal 15; terminating.
Mar 9 09:18:59 xuegod64 sshd[4321]: Server listening on 192.168.186.164 port 2220.
……..
The "Cannot bind any address" line is what sshd logs when none of its ListenAddress values is configured on the host or the port is already taken; sshd exits and the restart fails, so look here first whenever sshd does not come back after a restart.
Because /var/log/secure collects the logs of many services it is inconvenient for analysis, so we move sshd's messages into a file of their own.
Edit /etc/ssh/sshd_config on xuegod64:
SyslogFacility local1 #change this line; the shipped value is AUTHPRIV
Edit /etc/rsyslog.conf and add one line at the end:
local1.* /var/log/sshd.log
Save, exit, and restart both services:
[root@xuegod64 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Test and view:
[root@xuegod64 ~]# tailf /var/log/sshd.log
Mar 9 09:30:01 xuegod64 sshd[4860]: Server listening on 192.168.186.164 port 2220.
Mar 9 09:30:46 xuegod64 sshd[4865]: Accepted password for root from 192.168.186.163 port 44221 ssh2
Two consequences to keep in mind: sshd messages no longer appear in /var/log/secure, since the authpriv rule there no longer matches them, and the new file is not covered by the shipped logrotate rules for /var/log/secure, so add /var/log/sshd.log to /etc/logrotate.d/syslog or it will grow without limit.
If SSH logins are sometimes very slow, try the following:
[root@xuegod64 ~]# vim /etc/ssh/sshd_config
UseDNS no #default yes; sshd otherwise does a reverse DNS lookup of every client, which hangs until it times out when DNS is unreachable
GSSAPIAuthentication no #the shipped sshd_config sets yes; without Kerberos this only delays the password prompt
Restart sshd:
[root@xuegod64 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Setting up password-less (key-based) login
[root@xuegod63 ~]# ssh-keygen #generate a key pair on the client (RSA 2048 by default; -t rsa -b 4096 for a longer key)
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): #press Enter
Enter same passphrase again: #press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
92:d7:89:4f:ad:0b:59:33:f1:59:94:8a:cf:52:e5:89 root@xuegod63
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| .o |
| .. =.. |
| . o.=Eoo |
| o S B++ |
| o =.+o |
| o o. |
| . . |
| . |
+-----------------+
An empty passphrase means that anyone who obtains /root/.ssh/id_rsa (from a backup, a VM snapshot or a compromised xuegod63) can log in to every host the public key was copied to. For interactive use set a passphrase and load the key into ssh-agent once per session; leave it empty only for unattended jobs, and then restrict what that key may do on the server with the from= and command= options described under AUTHORIZED_KEYS FILE FORMAT in sshd(8). The private key must stay mode 0600.
[root@xuegod63 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub xuegod64 #publish the public key to the server; if sshd runs on another port, this version of ssh-copy-id accepts it inside the host argument: ssh-copy-id -i /root/.ssh/id_rsa.pub '-p 2220 xuegod64'
root@xuegod64's password: #enter the password
Now try logging into the machine, with "ssh 'xuegod64'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@xuegod63 ~]# ssh xuegod64 #logs in to xuegod64 without asking for a password
Last login: Thu Mar 9 09:38:42 2017 from 192.168.186.163
Password-less login for a regular user
[root@xuegod63 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub sishen@xuegod64
sishen@xuegod64's password:
Now try logging into the machine, with "ssh 'sishen@xuegod64'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@xuegod63 ~]# ssh -l sishen xuegod64
Last login: Thu Mar 9 08:58:00 2017 from 192.168.186.163
[sishen@xuegod64 ~]$
If ssh still asks for a password after this, check the permissions on the server side: with StrictModes yes (the default) sshd ignores authorized_keys when the user's home directory or ~/.ssh is group- or world-writable, and logs "Authentication refused: bad ownership or modes" in the sshd log. ~/.ssh should be 0700 and authorized_keys 0600.
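Two checks above deserve tooling: the host fingerprint shown on the first connection (a5:c4:... is the MD5 fingerprint of xuegod64's host key, the value ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub prints on the server) and ssh-copy-id's advice to look through authorized_keys for entries you did not expect. The Python script below is an added example, not part of the original tutorial and not OpenSSH code: it parses OpenSSH public-key lines, decodes the key blob to recover type and size, computes the MD5 and SHA256 fingerprints exactly as ssh and ssh-keygen -l do (hash of the decoded blob), and flags weak entries. The sample authorized_keys, its key values and the backup@xuegod65 and legacy@old-host entries are constructed for the example; the integers used are not real key material.

```python
"""Audit OpenSSH public-key lines (authorized_keys, known_hosts, id_*.pub):
decode the RFC 4253 key blob, recover key type and size, and compute the MD5
(aa:bb:cc:...) and SHA256 fingerprints that ssh prints on first connection
and that ssh-keygen -l prints for a key file."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_string(blob, off):
    """Read one RFC 4251 string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _mpint(x):
    """Encode a non-negative integer as an RFC 4251 mpint."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:          # a leading zero byte keeps the value positive
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def build_blob(ktype, *ints):
    """Build a key blob such as "ssh-rsa" e n.  Used here only to construct
    sample data; the integers are not real key material."""
    t = ktype.encode()
    return struct.pack(">I", len(t)) + t + b"".join(_mpint(i) for i in ints)


def b64(blob):
    return base64.b64encode(blob).decode()


def key_info(blob_b64):
    """Type, size and fingerprints of a base64-encoded key blob."""
    raw = base64.b64decode(blob_b64)
    ktype, off = _read_string(raw, 0)
    ktype, bits = ktype.decode(), None
    if ktype == "ssh-rsa":            # blob = "ssh-rsa" e n; size is the modulus length
        _e, off = _read_string(raw, off)
        n, _ = _read_string(raw, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-dss":          # blob = "ssh-dss" p q g y
        p, _ = _read_string(raw, off)
        bits = int.from_bytes(p, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    md5 = hashlib.md5(raw).hexdigest()
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def parse_key_line(line):
    """Split a key line into (prefix, type, blob, comment).  The prefix is the
    host field of a known_hosts line or the options of an authorized_keys
    line; options such as from="..." or command="..." may contain spaces
    inside quotes, so the key type is the first known type token that sits
    outside double quotes rather than a fixed field position."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    quotes = 0
    for i, tok in enumerate(tokens):
        if quotes % 2 == 0 and tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
        quotes += tok.count('"')
    return None


def audit_keys(text, min_rsa_bits=2048):
    """One dict per key line: parsed fields, fingerprints and a problem list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        prefix, _ktype, blob, comment = parsed
        info = key_info(blob)
        problems = []
        if info["type"] == "ssh-dss":
            problems.append("DSA key: 1024-bit only, disabled by default since OpenSSH 7.0")
        if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
            problems.append("RSA key shorter than %d bits" % min_rsa_bits)
        findings.append(dict(info, line=lineno, prefix=prefix, comment=comment, problems=problems))
    return findings


# Constructed sample authorized_keys (not real keys): a 2048-bit RSA entry, a
# 1024-bit RSA entry restricted with from= and no-pty, and a DSA entry.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys pushed with ssh-copy-id",
    "ssh-rsa " + b64(build_blob("ssh-rsa", 65537, (1 << 2047) | 1)) + " root@xuegod63",
    'from="192.168.186.165",no-pty ssh-rsa ' + b64(build_blob("ssh-rsa", 65537, (1 << 1023) | 1)) + " backup@xuegod65",
    "ssh-dss " + b64(build_blob("ssh-dss", (1 << 1023) | 1, 1, 1, 1)) + " legacy@old-host",
])

if __name__ == "__main__":
    for f in audit_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f["line"], f["type"], f["bits"], f["md5"], f["sha256"], f["comment"], f["problems"])
```

To audit a real file, read it and pass its text to audit_keys; running key_info on the second field of /etc/ssh/ssh_host_rsa_key.pub gives the same a5:c4:... style MD5 string that ssh showed in the first-connection prompt, which is the value to compare before answering yes.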
Passing environment variables over SSH
Define an exported variable on the client:
[root@xuegod63 ~]# declare -x myenv=`/bin/cat /etc/yum.conf`
[root@xuegod63 ~]# echo $myenv
[main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=3 # This is the default, if you make this bigger yum won't see if the metadata # is newer on the remote and so you'll "gain" the bandwidth of not having to # download the new metadata and "pay" for it by yum not having correct # information. # It is esp. important, to have correct metadata, for distributions like # Fedora which don't keep old packages around. If you don't like this checking # interupting your command line usage, it's much better to have something # manually check the metadata once an hour (yum-updatesd will do this). # metadata_expire=90m # PUT YOUR REPOS HERE OR IN separate files named file.repo # in /etc/yum.repos.d
ssh forwards only the variables both sides agree on: the client names them with SendEnv, the server with AcceptEnv. Because the client then chooses the value a variable has on the server before the login shell starts, list only the variables you need, by exact name; never use AcceptEnv * and never accept variables such as LD_PRELOAD or PATH that change how programs on the server behave.
On xuegod63 edit /etc/ssh/ssh_config (the client configuration):
SendEnv myenv #add this line at the end
Save and exit. This is a client-side file; no service needs restarting.
On xuegod64 edit /etc/ssh/sshd_config:
AcceptEnv XMODIFIERS #this line already exists; add the following line below it
AcceptEnv myenv
Restart sshd on xuegod64.
Log in and check myenv:
[root@xuegod63 ~]# ssh xuegod64
Last login: Thu Mar 9 09:46:00 2017 from 192.168.186.163
[root@xuegod64 ~]# echo $myenv
[main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=3 # This is the default, if you make this bigger yum won't see if the metadata # is newer on the remote and so you'll "gain" the bandwidth of not having to # download the new metadata and "pay" for it by yum not having correct # information. # It is esp. important, to have correct metadata, for distributions like # Fedora which don't keep old packages around. If you don't like this checking # interupting your command line usage, it's much better to have something # manually check the metadata once an hour (yum-updatesd will do this). # metadata_expire=90m # PUT YOUR REPOS HERE OR IN separate files named file.repo # in /etc/yum.repos.d
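The sshd_config edits made above (Port, ListenAddress, SyslogFacility, UseDNS, GSSAPIAuthentication, AcceptEnv) share one pitfall: for most keywords sshd takes the first value it finds in the file, so a line added at the end behind an uncommented default does nothing, and sshd -t does not warn about it. The script below is an added example, not from the tutorial or from OpenSSH: it evaluates an sshd_config text with those semantics and prints the effective values together with the settings that matter for brute-force exposure. The sample configuration is constructed to mirror the xuegod64 edits; the compiled-in defaults it lists are those documented in sshd_config(5) for OpenSSH 5.3.

```python
"""Evaluate an sshd_config text the way sshd does and report the effective
settings.  Per sshd_config(5): keywords are case-insensitive; for each keyword
the FIRST value found wins, except for list keywords (Port, ListenAddress,
HostKey, AcceptEnv) where every occurrence applies; lines after a Match block
header apply conditionally and are skipped here."""
import re
import sys

LIST_KEYWORDS = {"port", "listenaddress", "hostkey", "acceptenv"}

# Compiled-in defaults of OpenSSH 5.3 (sshd_config(5)) for the keywords reported.
DEFAULTS = {
    "usedns": "yes",
    "gssapiauthentication": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "syslogfacility": "AUTH",
    "maxauthtries": "6",
}

KEYWORD_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return (scalars, lists): first-wins scalar values and accumulated list
    values, keywords lower-cased, everything inside Match blocks ignored."""
    scalars, lists = {}, {k: [] for k in LIST_KEYWORDS}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments exist
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key in LIST_KEYWORDS:
            lists[key].extend(value.split() if key == "acceptenv" else [value])
        elif key not in scalars:
            scalars[key] = value
    return scalars, lists


def effective(text):
    """Defaults overlaid with the parsed values; list keywords get sshd's
    fallbacks (port 22, all addresses) when absent."""
    scalars, lists = parse_sshd_config(text)
    eff = dict(DEFAULTS)
    eff.update(scalars)
    eff["port"] = lists["port"] or ["22"]
    eff["listenaddress"] = lists["listenaddress"] or ["0.0.0.0", "::"]
    eff["acceptenv"] = lists["acceptenv"]
    return eff


def check(text):
    """(keyword, message) pairs for settings worth a second look."""
    eff, out = effective(text), []
    if "0.0.0.0" in eff["listenaddress"] or "::" in eff["listenaddress"]:
        out.append(("ListenAddress", "listening on all addresses; bind to the management address if possible"))
    if eff["usedns"].lower() == "yes":
        out.append(("UseDNS", "reverse lookup of every client slows logins and adds no security"))
    if eff["gssapiauthentication"].lower() == "yes":
        out.append(("GSSAPIAuthentication", "without Kerberos this only delays the password prompt"))
    if eff["permitrootlogin"].lower() == "yes":
        out.append(("PermitRootLogin", "root's password can be brute-forced directly; use without-password or no"))
    if eff["passwordauthentication"].lower() == "yes":
        out.append(("PasswordAuthentication", "passwords accepted: keep fail2ban/DenyHosts running or switch to keys only"))
    risky = [v for v in eff["acceptenv"] if v == "*" or v.startswith(("LD_", "PATH", "BASH_ENV"))]
    if risky:
        out.append(("AcceptEnv", "client may set %s on the server" % " ".join(risky)))
    if eff["syslogfacility"].upper() not in ("AUTH", "AUTHPRIV"):
        out.append(("SyslogFacility", "%s: rsyslog must route it and fail2ban/DenyHosts must read that file"
                    % eff["syslogfacility"]))
    return out


# Constructed sample mirroring the edits made to xuegod64's sshd_config above.
# The page's trailing "# ..." annotations are omitted: sshd -t rejects text
# after a keyword's argument ("garbage at end of line").
SAMPLE_SSHD_CONFIG = """\
Port 2220
#Port 22
#AddressFamily any
ListenAddress 192.168.186.164
#ListenAddress ::
SyslogFacility local1
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
UseDNS yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv XMODIFIERS
AcceptEnv myenv
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    eff = effective(text)
    print("Port", eff["port"], "ListenAddress", eff["listenaddress"], "AcceptEnv", eff["acceptenv"])
    for keyword, msg in check(text):
        print("%-24s %s" % (keyword, msg))
```

Run it with the real file as argument (python check_sshd.py /etc/ssh/sshd_config) after each edit and before service sshd restart; effective() is also the quick way to see whether a setting you added is being shadowed by an earlier uncommented line.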
Protecting SSH against brute-force attacks
Method one: use sufficiently complex passwords (letters, digits and special characters, or a mixed English and Chinese phrase built from song lyrics or a line of poetry), and once key login works, stop root from logging in with a password at all (PermitRootLogin without-password in sshd_config).
Method two: install fail2ban.
fail2ban web site: http://www.fail2ban.org/
Install fail2ban:
[root@xuegod64 ~]# tar -xf fail2ban-0.8.14.tar.gz -C /usr/local/src/
[root@xuegod64 ~]# cd /usr/local/src/fail2ban-0.8.14/
[root@xuegod64 fail2ban-0.8.14]# ls
ChangeLog DEVELOP fail2ban-testcases man setup.cfg
client doc fail2ban-testcases-all MANIFEST setup.py
common fail2ban-client files README.md testcases
config fail2ban-regex FILTERS README.Solaris THANKS
COPYING fail2ban-server kill-server server TODO
[root@xuegod64 fail2ban-0.8.14]# less README.md #read the installation instructions
……..
To install, just do: #this is the part to look for
tar xvfj fail2ban-0.8.12.tar.bz2
cd fail2ban-0.8.12
python setup.py install
[root@xuegod64 fail2ban-0.8.14]# python setup.py install #run the install script
[root@xuegod64 fail2ban-0.8.14]# grep -ir chkconfig * #find the init script fail2ban ships for Red Hat systems
files/redhat-initd:# chkconfig: - 92 08
[root@xuegod64 fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban #make it controllable with service
[root@xuegod64 fail2ban-0.8.14]# chkconfig fail2ban on
[root@xuegod64 fail2ban-0.8.14]# ls /etc/fail2ban/
action.d #actions: what to do when banning, e.g. the iptables rules and the mail notification
fail2ban.conf #fail2ban's own log level, log file and socket location
fail2ban.d
filter.d #filters: the regular expressions that pick failures out of a log file
jail.conf #main configuration: which services are watched and the thresholds that trigger a ban
jail.d
[root@xuegod64 ~]# /etc/init.d/fail2ban restart
Stopping fail2ban: ERROR Unable to contact server. Is it running?
[FAILED]
Starting fail2ban: [ OK ]
(The error on stop is expected: fail2ban was not running yet.)
[root@xuegod64 ~]# ls /etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/filter.d/sshd.conf
[root@xuegod64 ~]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
No jail is active yet because every jail in jail.conf is shipped with enabled = false. Edit /etc/fail2ban/jail.conf (or, better, put the changed settings in /etc/fail2ban/jail.local, which is read after jail.conf and survives upgrades). The relevant settings in the [DEFAULT] section:
ignoreip = 127.0.0.1/8 #addresses that are never banned; add your own management addresses so you cannot lock yourself out
bantime = 600 #how long a ban lasts, in seconds
findtime = 500 #the window, in seconds, in which failures are counted
maxretry = 3 #number of failures within findtime that triggers a ban
backend = auto #how the log file is watched
[ssh-iptables] #per-service section; bantime, findtime and maxretry set here override the [DEFAULT] values
enabled = true #change to true to activate this jail
filter = sshd #filter name, corresponds to filter.d/sshd.conf
action = iptables[name=SSH, port=ssh, protocol=tcp] #action parameters, corresponds to action.d/iptables.conf
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] #mail notification recipient; needs a working sendmail on the host
#if sshd's port was changed, change port= as well: port=ssh matches port 22 only (the iptables rule below shows dpt:22), so with sshd still on 2220 a banned source would not actually be blocked
logpath = /var/log/sshd.log #the sshd log file to watch. The shipped value is already /var/log/sshd.log, which matches the rsyslog change above; if sshd still logs to /var/log/secure, put that here instead
#to ban a source for 1 hour after 3 failed password attempts within 5 minutes, set:
bantime = 3600 #ban for 1 hour
findtime = 300 #count failures within 5 minutes
maxretry = 3 #3 failed password attempts
[root@xuegod64 ~]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
[root@xuegod64 ~]# less /var/log/sshd.log #look at the log; to make the test easier to follow, empty it
[root@xuegod64 ~]# >/var/log/sshd.log #empty the log
[root@xuegod64 ~]# less /var/log/sshd.log #look again
[root@xuegod64 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
The fail2ban-SSH chain was created when the jail started: every packet to tcp port 22 is diverted into it, and with nobody banned yet its only rule is RETURN.
To test, remove the public key placed on xuegod64 earlier so that the client falls back to password authentication, then log in from xuegod63 with wrong passwords:
[root@xuegod64 ~]# rm -f .ssh/authorized_keys
[root@xuegod64 ~]# exit
logout
Connection to xuegod64 closed.
[root@xuegod63 ~]# ssh xuegod64
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied (publickey,password).
Check whether the source has been put in the jail:
[root@xuegod64 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
Show the jail's details:
[root@xuegod64 ~]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/sshd.log
| |- Currently failed: 0
| `- Total failed: 4
`- action
|- Currently banned: 1
| `- IP list: 192.168.186.163
`- Total banned: 1
Show the firewall rules:
[root@xuegod64 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- 192.168.186.163 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Packets from 192.168.186.163 to port 22 are now rejected before they reach sshd. The ban is lifted automatically after bantime seconds, or by hand with fail2ban-client set ssh-iptables unbanip 192.168.186.163.
Look at the sshd log:
[root@xuegod64 ~]# tailf /var/log/sshd.log
Mar 9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2
Mar 9 10:38:29 xuegod64 sshd[6219]: Failed password for root from 192.168.186.163 port 44636 ssh2
Mar 9 10:38:29 xuegod64 sshd[6220]: Connection closed by 192.168.186.163
Mar 9 10:38:43 xuegod64 sshd[6222]: Accepted password for root from 192.168.186.163 port 44638 ssh2
Mar 9 10:41:54 xuegod64 sshd[6222]: Received disconnect from 192.168.186.163: 11: disconnected by user
Mar 9 10:42:15 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar 9 10:42:16 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar 9 10:42:16 xuegod64 sshd[6304]: Connection closed by 192.168.186.163
Mar 9 10:42:23 xuegod64 sshd[6305]: Accepted password for root from 192.168.186.163 port 44640 ssh2
Mar 9 10:43:41 xuegod64 sshd[4919]: Received disconnect from 192.168.186.163: 11: disconnected by user
fail2ban counts log lines that match the filter, not password prompts, which is why the jail reports Total failed: 4 here; choose maxretry with the log in mind rather than the number of prompts a user sees.
Preventing brute-force attacks with DenyHosts
[root@xuegod64 ~]# rpm -ivh denyhosts-2.6-20.el6.noarch.rpm
Edit the configuration file /etc/denyhosts.conf:
SECURE_LOG = /var/log/sshd.log #around line 13: the sshd log to watch (/var/log/secure if you did not redirect it)
DENY_THRESHOLD_INVALID = 3 #around line 114: failures allowed for user names that do not exist on the system
DenyHosts keeps separate thresholds per kind of user name: DENY_THRESHOLD_INVALID for non-existent users, DENY_THRESHOLD_VALID for existing users and DENY_THRESHOLD_ROOT for root (shipped with the low value 1). The test below logs in as root, so DENY_THRESHOLD_ROOT is the one that decides when the client is blocked; set it too if you want exactly three tries.
Restart the denyhosts service:
[root@xuegod64 ~]# /etc/init.d/denyhosts restart
Stopping denyhosts: [ OK ]
Starting denyhosts: [ OK ]
Enter a wrong password three times in a row:
[root@xuegod63 ~]# ssh xuegod64
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied, please try again.
root@xuegod64's password:
Permission denied (publickey,password).
[root@xuegod63 ~]# ssh xuegod64
ssh_exchange_identification: Connection closed by remote host
Unlike fail2ban, DenyHosts adds nothing to iptables: it appends a line of the form sshd: 192.168.186.163 to /etc/hosts.deny, and sshd on CentOS 6, which is built with TCP wrappers, accepts the TCP connection and closes it before sending its banner, hence the ssh_exchange_identification message on the client. To unban a source, remove its line from /etc/hosts.deny and from the files under DenyHosts' WORK_DIR (/var/lib/denyhosts with this package), otherwise DenyHosts re-adds it.
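Both tools above do the same job with different back ends: count failed logins per source address in the sshd log and block the source once a threshold is crossed, fail2ban with a REJECT rule in its own iptables chain and DenyHosts with an "sshd: address" line in /etc/hosts.deny. The Python script below is an added example, not code from fail2ban, DenyHosts or the tutorial; it implements that sliding-window count over sshd log lines in the format of /var/log/sshd.log, with fail2ban-style findtime/maxretry or DenyHosts-style per-category thresholds, and produces the iptables command and the hosts.deny entry for each ban. The sample log lines, the 10.9.8.7 address and the attempts attributed to xuegod65 are constructed for the example; the DenyHosts-style thresholds in the test (root 1, valid 10, invalid 3) are the page's DENY_THRESHOLD_INVALID plus assumed values for the other two.

```python
"""Sliding-window brute-force detection over sshd log lines: the logic behind
fail2ban's findtime/maxretry and DenyHosts' DENY_THRESHOLD_* settings, with
the iptables command and hosts.deny entry produced for a banned source."""
import re
from collections import defaultdict, deque
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# syslog prefix as written by rsyslog: "Mar  9 10:42:15 xuegod64 sshd[6303]: ..."
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (.*)$")
# the password-failure messages that filter.d/sshd.conf matches
FAIL_RE = re.compile(r"^Failed password for (invalid user )?(\S+) from (\S+) port \d+ ssh2$")


def parse_failure(line, year=2017):
    """(timestamp, source ip, user, category) for a failed-password line, else
    None.  Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, msg = m.groups()
    f = FAIL_RE.match(msg)
    if not f:
        return None
    invalid, user, ip = f.groups()
    category = "invalid" if invalid else ("root" if user == "root" else "valid")
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return ts, ip, user, category


def detect(lines, findtime=300, maxretry=3, year=2017):
    """Return [(timestamp, ip)] ban events in log order.  A source is banned
    when it reaches its failure limit inside any findtime-second window.
    maxretry is one number (fail2ban style) or a dict keyed by category
    root/valid/invalid (DenyHosts style, counted per category); DenyHosts
    itself counts without a time window, which is findtime=None here."""
    per_category = isinstance(maxretry, dict)
    window = defaultdict(deque)
    banned, bans = set(), []
    for line in lines:
        ev = parse_failure(line, year)
        if ev is None:
            continue
        ts, ip, _user, category = ev
        if ip in banned:
            continue               # already blocked; nothing more to decide
        limit = maxretry[category] if per_category else maxretry
        q = window[(ip, category) if per_category else ip]
        q.append(ts)
        if findtime is not None:   # drop failures that fell out of the window
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()
        if len(q) >= limit:
            bans.append((ts, ip))
            banned.add(ip)
    return bans


def iptables_ban(ip, name="SSH"):
    """The rule action.d/iptables.conf inserts on ban (compare the REJECT line
    in the iptables -L -n output above)."""
    return "iptables -I fail2ban-%s 1 -s %s -j REJECT --reject-with icmp-port-unreachable" % (name, ip)


def iptables_start(port="ssh", name="SSH", protocol="tcp"):
    """The rules the action runs when the jail starts; port= becomes the
    --dport match, which is why it must name sshd's real port."""
    return ["iptables -N fail2ban-%s" % name,
            "iptables -A fail2ban-%s -j RETURN" % name,
            "iptables -I INPUT -p %s --dport %s -j fail2ban-%s" % (protocol, port, name)]


def hosts_deny_line(ip):
    """What DenyHosts appends to /etc/hosts.deny; sshd built with TCP wrappers
    then closes the connection before sending its banner."""
    return "sshd: %s" % ip


# Constructed sample log (not the page's own lines) in the format of
# /var/log/sshd.log: two root failures then success from xuegod63, three quick
# failures for non-existent users from 10.9.8.7, and three failures for sishen
# spread over twenty minutes from xuegod65.
SAMPLE_LOG = """\
Mar  9 10:42:15 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar  9 10:42:16 xuegod64 sshd[6303]: Failed password for root from 192.168.186.163 port 44639 ssh2
Mar  9 10:42:18 xuegod64 sshd[6304]: Connection closed by 192.168.186.163
Mar  9 10:42:23 xuegod64 sshd[6305]: Accepted password for root from 192.168.186.163 port 44640 ssh2
Mar  9 10:50:01 xuegod64 sshd[6400]: Failed password for invalid user admin from 10.9.8.7 port 51000 ssh2
Mar  9 10:50:03 xuegod64 sshd[6401]: Failed password for invalid user admin from 10.9.8.7 port 51001 ssh2
Mar  9 10:50:05 xuegod64 sshd[6402]: Failed password for invalid user oracle from 10.9.8.7 port 51002 ssh2
Mar  9 11:30:00 xuegod64 sshd[6500]: Failed password for sishen from 192.168.186.165 port 40000 ssh2
Mar  9 11:40:00 xuegod64 sshd[6501]: Failed password for sishen from 192.168.186.165 port 40001 ssh2
Mar  9 11:50:00 xuegod64 sshd[6502]: Failed password for sishen from 192.168.186.165 port 40002 ssh2
"""

if __name__ == "__main__":
    for ts, ip in detect(SAMPLE_LOG.splitlines(), findtime=300, maxretry=3):
        print(ts, ip, "->", iptables_ban(ip), "|", hosts_deny_line(ip))
```

With the page's findtime = 300 / maxretry = 3 only 10.9.8.7 is banned: xuegod63 failed twice, and xuegod65's three failures are ten minutes apart, so they never share one five-minute window. Widening findtime to 3600 catches the slow guesser as well, at the cost of banning a legitimate user who mistypes three times in an hour; the DenyHosts-style thresholds block xuegod63 on its first root failure, which is the DENY_THRESHOLD_ROOT behaviour noted above.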