Linux CentOS 7: sshd remote login, key-pair login, TCP Wrappers access control

Lab environment: VM virtual machines, one machine as the server and one as the client

Goal of this chapter: understand sshd remote login management, key-pair authentication, and TCP Wrappers access control

I. sshd remote login

1. Check the sshd service

[[email protected] ~]# netstat -ntap | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      3252/dnsm
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      968/sshd       // sshd is enabled and listening by default
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      16227/[email protected]
tcp        0      0 192.168.17.128:49342    180.97.251.226:80       TIME_WAIT   -
tcp        0      0 192.168.17.128:42522    202.141.176.110:80   

2. The sshd server configuration file

[[email protected] ~]# vim /etc/ssh/sshd_config   // server-side sshd configuration file

#Port 22                   // listening port
#AddressFamily any
#ListenAddress 0.0.0.0     // listening address
#ListenAddress ::          // IPv6 listening address

#LoginGraceTime 2m         // 2 minutes allowed to complete authentication
#PermitRootLogin yes       // allow root to log in remotely
#StrictModes yes           // check ownership and permissions of the user's files before accepting a login
#MaxAuthTries 6            // maximum authentication attempts per connection
#MaxSessions 10            // maximum of 10 open sessions per connection

#PubkeyAuthentication yes  // public-key authentication is enabled

3. Log in to the server's root account from the client

[[email protected] ~]# ssh [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Mon Sep 16 12:07:36 2019

4. Disable remote root login on the server

#LoginGraceTime 2m
PermitRootLogin no         // remove the leading "#" so the setting takes effect: forbid remote login as root
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

5. Verify whether root can still log in to the server

[[email protected] ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

6. From the client, log in as the regular user lisi and then switch to root; this still works (not secure)

[[email protected] ~]# ssh [email protected]
[email protected]'s password:
[[email protected] ~]$ su - root
密码:
上一次登录:一 9月 16 12:17:31 CST 2019pts/2 上
最后一次失败的登录:一 9月 16 12:25:59 CST 2019pts/2 上
最有一次成功登录后有 1 次失败的登录尝试。
[[email protected] ~]# 

7. Enable the PAM restriction on su on the server

vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid    // remove the leading "#" from this line: only members of the wheel group may su to root
auth            substack        system-auth
auth            include         postlogin

8. Verify again from the client

[[email protected] ~]$ su - root
密码:
su: 拒绝权限

9. On the client, enter a wrong password three times: the session exits after the third attempt, even though the server's MaxAuthTries is 6 (the ssh client's default NumberOfPasswordPrompts is 3)

[[email protected] ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[[email protected] ~]# 

10. As root on the client, raise the number of password prompts to 8; the server still disconnects after its own limit of 6 failures

[[email protected] ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[[email protected] ~]# 

11. Set up an SSH login whitelist

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
AllowUsers chen@192.168.17.130    // only user chen, and only from 192.168.17.130, may log in
[[email protected] ~]# systemctl restart sshd
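Added example (not from the original post): a POSIX sh audit of the sshd_config settings changed in steps 4 and 11 plus PubkeyAuthentication from Part II. It also checks PasswordAuthentication, which this chapter leaves on but which is normally switched off once key-pair login works. The sample config text is constructed; piping `sshd -T` into it on a real host is the only assumption.

```shell
# Added example (not from the original post): audit an sshd_config text for the
# settings this chapter changes. On a real host: sshd -T | audit_sshd
# (sshd -T prints keywords in lowercase, hence the case-insensitive lookup).
# Constructed sample config reflecting the chapter's final server state.
SAMPLE_CONFIG='#Port 22
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
AllowUsers chen@192.168.17.130
PubkeyAuthentication yes
#PasswordAuthentication yes'
# effective_value KEY: print KEY's value from the config on stdin, or nothing
# when it only appears as a "#" comment (so sshd's built-in default applies).
# Like sshd, the first uncommented occurrence of a keyword wins.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }'
}
# check KEY WANTED DEFAULT ADVICE: print PASS or FAIL for one keyword,
# substituting sshd's DEFAULT when the keyword is not set explicitly.
check() {
    got=$(printf '%s\n' "$CFG" | effective_value "$1")
    shown="${got:-$3 (default)}"
    if [ "${got:-$3}" = "$2" ]; then
        echo "PASS $1=$shown"
    else
        echo "FAIL $1=$shown: $4"; return 1
    fi
}
# audit_sshd: read a config on stdin, print one finding per line and return
# the number of failed checks (0 means every check passed).
audit_sshd() {
    CFG=$(cat); fails=0
    check PermitRootLogin no yes "forbid direct root login (Part I, step 4)" || fails=$((fails + 1))
    check PubkeyAuthentication yes yes "enable key-pair login (Part II)" || fails=$((fails + 1))
    check PasswordAuthentication no yes "switch off once key-pair login works" || fails=$((fails + 1))
    if [ -n "$(printf '%s\n' "$CFG" | effective_value AllowUsers)" ]; then
        echo "PASS AllowUsers is set"
    else
        echo "FAIL AllowUsers is unset: restrict who may log in (Part I, step 11)"; fails=$((fails + 1))
    fi
    return "$fails"
}
printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd || echo "sample config: $? check(s) failed"
```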

12. Three other remote management tools

scp        remote copy
sftp get   download a file from the remote host
sftp put   upload a file to the remote host

II. Key-pair authentication

1. Enable public/private key authentication on the server

[[email protected] ~]# vim /etc/ssh/sshd_config   // server-side sshd configuration file

PubkeyAuthentication yes   // remove the leading "#" to enable public/private key authentication

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys   // the server looks up a user's accepted public keys in this file under their home directory

2. On the client, generate a key pair for the chen user

[[email protected] ~]# ls /home/
chen
[[email protected] ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo [email protected]
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo..  o...  |
|*=+.o...  o  .   |
|oo. =o.  .. o    |
|   +.+o..+o  o   |
|  . =+o=S....    |
| . + .=.+. .     |
|E .  . +.        |
| .    .          |
|                 |
+----[SHA256]-----+

3. Look at the key directory of the chen user

[[email protected] ~]# ls -a
.                    .bash_logout   .dbus                 .mozilla     模板
..                   .bash_profile  .esd_auth             .ssh         视频
.1234.txt.swp        .bashrc        .ICEauthority         .tcshrc      图片
abc                  .cache         initial-setup-ks.cfg  test         文档
abc.txt              chen           is                    this         下载
anaconda-ks.cfg      chenchen       .lesshst              .viminfo     音乐
.anacond-ks.cfg.swp  .config        .local                .Xauthority  桌面
.bash_history        .cshrc         lshelp1.txt           公共
[[email protected] ~]# cd .ssh/
[[email protected] .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts

4. Send chen's public key to the server's authorized keys file

[[email protected] .ssh]# ssh-copy-id -i id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

5. On the server, check that chen's public key has arrived

[[email protected] chen]# cd .ssh/
[[email protected] .ssh]# ls
authorized_keys
[[email protected] .ssh]# cat authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= [email protected]

6. Key-pair login from the client

[[email protected] .ssh]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Sat Aug 10 00:32:52 2019

7. Non-interactive login: cache the key passphrase with ssh-agent

[[email protected] ~]$ exit
登出
Connection to 192.168.17.128 closed.
[[email protected] .ssh]# ssh-agent bash   // start a bash shell managed by ssh-agent
[[email protected] .ssh]# ssh-add           // add the private key; its passphrase is entered once and cached by the agent
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[[email protected] .ssh]# ssh [email protected]
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[[email protected] ~]$ 
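Added example (not from the original post): a shell check for the file modes that StrictModes (Part I, step 2) enforces on the home directory, ~/.ssh and the authorized_keys installed in step 4, plus the private-key mode the ssh client insists on. Everything it inspects is built in a temporary directory; the directory layout is the only assumption.

```shell
# Added example (not from the original post): check the file modes that
# StrictModes enforces before sshd will honour authorized_keys. A group/world-
# writable home, ~/.ssh or authorized_keys silently disables key login and sshd
# falls back to a password prompt; a private key readable by others is refused
# by the ssh client itself.
# mode_string PATH: the 10-character permission field of ls -ld, e.g. drwx------
mode_string() { ls -ld "$1" | cut -c1-10; }
# writable_by_others PATH: true when the group or world write bit is set
# (position 6 or 9 of the mode string).
writable_by_others() {
    case "$(mode_string "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}
# check_key_dir HOME: report every problem in HOME's SSH layout and return the
# number of problems found (0 means sshd will accept the authorized keys).
check_key_dir() {
    home=$1; probs=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; probs=$((probs + 1)); continue; fi
        if writable_by_others "$p"; then
            echo "BAD $p is group/world writable ($(mode_string "$p")): StrictModes rejects it"
            probs=$((probs + 1))
        fi
    done
    for k in "$home"/.ssh/id_*; do                  # private keys: only the owner may read them
        case "$k" in *.pub|*'id_*') continue ;; esac
        case "$(mode_string "$k")" in
            ????------) ;;
            *) echo "BAD private key $k is readable by others ($(mode_string "$k"))"; probs=$((probs + 1)) ;;
        esac
    done
    return "$probs"
}
# Constructed demo: a correct layout, then the same layout after two common mistakes.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"; chmod 755 "$demo"
: > "$demo/.ssh/authorized_keys"; chmod 600 "$demo/.ssh/authorized_keys"
: > "$demo/.ssh/id_ecdsa"; chmod 600 "$demo/.ssh/id_ecdsa"
check_key_dir "$demo" && echo "OK: sshd will accept keys in $demo"
chmod 770 "$demo/.ssh"; chmod 640 "$demo/.ssh/id_ecdsa"
check_key_dir "$demo" || echo "$? problem(s) found"
rm -rf "$demo"
```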

III. TCP Wrappers access control

Access control policy:
- hosts.allow is checked first; if a rule matches, access is allowed
- otherwise hosts.deny is checked; if a rule matches, access is denied
- if neither file has a matching rule, access is allowed by default

1. Configure access control on the server

[[email protected] ~]# vim /etc/hosts.allow

# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.130   // only this address is allowed to reach sshd

[[email protected] ~]# vim /etc/hosts.deny

# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.128
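Added example (not from the original post): a small simulator of the hosts_access(5) decision order applied to the two rule files above. It shows that with a single address in hosts.deny, any third host is still admitted by the default-allow step, and that `sshd: ALL` in hosts.deny is what turns hosts.allow into a real whitelist. The rule strings are constructed from the chapter; the simulator handles only "daemon: client" lines, comma-separated lists and the ALL wildcard. Note that only services linked against libwrap consult these files; CentOS 7's sshd does, but OpenSSH dropped tcp_wrappers support in later releases.

```shell
# Added example (not from the original post): simulate the hosts_access(5)
# decision order for the rules above. Only the subset this chapter uses is
# handled: "daemon: client" lines, comma-separated lists and the ALL wildcard;
# real tcpd also knows EXCEPT, netmasks and host names.
# Constructed rule files mirroring the chapter's configuration.
ALLOW_RULES='sshd: 192.168.17.130'
DENY_RULES='sshd: 192.168.17.128'
# matches RULES DAEMON CLIENT: succeed if any rule in RULES covers the pair.
matches() {
    printf '%s\n' "$1" | awk -v d="$2" -v c="$3" '
        function hit(list, want,   i, a) {
            split(list, a, ",")
            for (i in a) if (a[i] == "ALL" || a[i] == want) return 1
            return 0
        }
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            n = index($0, ":"); if (n == 0) next
            dl = substr($0, 1, n - 1); cl = substr($0, n + 1)
            gsub(/[[:space:]]/, "", dl); gsub(/[[:space:]]/, "", cl)
            if (hit(dl, d) && hit(cl, c)) { found = 1; exit }
        }
        END { exit !found }'
}
# decide ALLOW_RULES DENY_RULES DAEMON CLIENT: apply the three-step policy.
decide() {
    if matches "$1" "$3" "$4"; then echo "allow (hosts.allow)"
    elif matches "$2" "$3" "$4"; then echo "deny (hosts.deny)"
    else echo "allow (no match: default)"
    fi
}
decide "$ALLOW_RULES" "$DENY_RULES" sshd 192.168.17.130   # allow (hosts.allow)
decide "$ALLOW_RULES" "$DENY_RULES" sshd 192.168.17.128   # deny (hosts.deny)
# Any third host still gets in, because the default when nothing matches is allow:
decide "$ALLOW_RULES" "$DENY_RULES" sshd 10.0.0.5         # allow (no match: default)
# A deny-all rule turns hosts.allow into a real whitelist:
decide "$ALLOW_RULES" 'sshd: ALL' sshd 10.0.0.5           # deny (hosts.deny)
```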

That covers everything in this chapter.

Original post: https://blog.51cto.com/14449524/2438217

Date: 2024-08-03 19:39:51
