利用yum源安装sshd服务客户端安装:openssh-clients.x86_64
服务端安装:openssh-server.x86_64Openssh和sshd有区别吗?
两个是不同的概念,软件包名称叫openshh 开机的服务叫sshd[root@server1 ~]# rpm -ql openssh ###查看安装的相关信息
/etc/ssh ###安装的主目录
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ctr-cavstest
/usr/libexec/openssh/ssh-keysign[root@server1 kiosk]# cd /etc/ssh/
[root@server1 ssh]# ll
total 276
-rw-r--r--. 1 root root 242153 9月 7 2016 moduli
-rw-r--r--. 1 root root 2208 9月 7 2016 ssh_config ##客户端的配置文件
-rw-------. 1 root root 4361 9月 7 2016 sshd_config ##服务端的配置文件[root@server1 ssh]# systemctl start sshd ##开启服务
[root@server1 ssh]# systemctl enable sshd ##一定设置成开机自启动
注意:在搭建开源服务的时候,一定要把服务设置成开机自启[root@server1ssh]# systemctl status sshd ###查看服务状态
● sshd.service - OpenSSH server daemonLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)Active: active (running) since 四 2019-10-24 11:20:35 CST; 1h 20min agoDocs: man:sshd(8)man:sshd_config(5)Linux 7 系统下查看各服务的状态。[root@server1 ~]# systemctl list-unit-files | grep sshd
sshd-keygen.service static
sshd.service enabled ##开机自启动
sshd@.service static
sshd.socket disabled附加: 在6的系统下,查看服务的状态命令是chkconfig --list实战操作:
环境:server1 (172.25.2.1)为服务端 server2(172.25.2.2)为客户端[root@server2 ~]# ssh root@172.25.2.1
The authenticity of host '172.25.2.1 (172.25.2.1)' can't be established.
ECDSA key fingerprint is 0a:e9:f9:09:98:14:7c:73:5c:7c:f2:1b:cf:f5:d7:8b.
Are you sure you want to continue connecting (yes/no)? ##第一次在连接的时候会进行一个密钥指纹的认证,在今后的连接中就不会载此显示了输入yes然后提示输入密码
root@172.25.2.1's password: Last login: Thu Oct 24 12:28:36 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]#
输入密码之后发现已经成功的登陆server1主机重点:sshd服务的调优和防暴力破解在配置文件中,发现很多行开头有#号
但是#开头可配置项中间没有空格的表示默认值 生效
但是#开头可配置项中间有空格的表示注释 不生效[root@server1 ~]# vim /etc/ssh/sshd_config ##查看服务器端的配置文件17 #Port 22 ##ssd服务默认22端口[root@server1 ~]# netstat -antlp | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 882/sshd
tcp6 0 0 :::22 :::* LISTEN 882/sshd 在线上的服务中,通常情况下都要修改端口17 Port 3389 ##修改为陌生端口3389
[root@server1 ~]# netstat -antlp | grep sshd
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 2598/sshd
tcp6 0 0 :::3389 :::* 此时在可客户端,如果你不知道端口,就无法进行远程连接了,需要使用-p参数指定端口进行连接
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused
[root@server2 ~]# ssh root@172.25.2.1 -p 3389
root@172.25.2.1's password:
Last login: Thu Oct 24 13:05:19 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]# #ListenAddress 0.0.0.0ListenAddress 0.0.0.0
设置sshd服务器绑定的IP 地址,0.0.0.0 表示侦听所有地址
一般公司的服务器至少有两张网卡,一张外网的,一张内网的
如果我只想让内网的服务器通过sshd服务连接者太服务器,那么我就见该网段指定成内网网段这些都是密钥存储的文件,不要进行修改
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key#LoginGraceTime 2m ##最长等待登陆时间,默认2分钟
[root@server2 ~]# ssh root@172.25.2.1
root@172.25.2.1's password: ##没有输入密码,此时就算等待登陆了时间,超过两分钟没有输入密码,则会退出 49 #PermitRootLogin yes ###是否使用运行root帐户进行登陆
PermitRootLogin no 此时表示不允许root帐户进行登陆59 AuthorizedKeysFile .ssh/authorized_keys ##认证的key文件78 PasswordAuthentication yes ###是否运用密码进行认证
登陆分为两种:密码登陆 密钥登陆
注意:一定要在做完密钥认证之后才能改为no,否则机器就失联了,无法连接上了。118 #PrintMotd yes ##打印一个登陆信息
[root@server1 ~]# vim /etc/motd ###编辑文件
[root@server1 ~]# cat /etc/motd
WELCOME 此时在客户端进行远程连接时:
[root@server2 ~]# ssh root@172.25.2.1
root@172.25.2.1's password:
Last login: Thu Oct 24 19:17:41 2019 from foundation60.ilt.exmaple.com
WELCOME ###登陆提示信息
[root@server1 ~]# 119 #PrintLastLog yes ##打印最后一次登陆的日志
Last login: Thu Oct 24 13:14:08 2019 from server2 ##最后一次登陆来自server2主机
在真实的生产环境下,有一天,在远程通过ssh远程登陆服务器的时候,发现最后一次登陆显示的ip来自你不认识的ip地址,一查发现是来自非洲的 美国的等等,那么有可能你的服务器就被黑了使用密钥进行登陆
实验环境:server2免密登陆server11:在客户端使用ssh-keygen生成密钥[root@server2 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ###密钥保存的路径,一般默认不进行修改
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. ###认证私钥存放的文件
Your public key has been saved in /root/.ssh/id_rsa.pub. ###认证公钥存放的文件
The key fingerprint is:
51:26:29:6e:88:b6:9f:0d:21:86:e7:7c:7b:c5:a9:10 root@server2
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| . .+ |
| . . o .. |
|. * E o . |
| * o + .S. |
| + + + |
| o * o |
| + + |
| . |
+-----------------+[root@server2 ~]# cd /root/.ssh/
id_rsa id_rsa.pub known_hosts 注意:在今后的生产环境中,设计到密钥的文件,尽量都设置称隐藏文件2:将公钥传到服务器端
[root@server2 .ssh]# ssh-copy-id -i 172.25.2.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.2.1's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh '172.25.2.1'"
and check to make sure that only the key(s) you wanted were added.3:服务起端进行查看
[root@server1 ~]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys ###该文件下的内容就是id_rsa.pub的内容,如果不使用ssh-copy-id -i 172.25.2.1命令,那么就直接将id_rsa.pub的内容复制粘贴到服务器端的authorized_keys文件下
注意:拷贝过来时一定要注意authorized_keys文件的权限,只能为600或700
[root@server1 .ssh]# ll
total 4
-rw------- 1 root root 394 10月 24 19:44 authorized_keys4:此时发现可以进行免密登陆
[root@server2 ~]# ssh root@172.25.2.1
Last login: Thu Oct 24 19:24:37 2019 from server2
WELCOME 使用开源防护软件(fail2ban)保护sshd服务官网地址:www.fail2ban.org
也可以直接使用yum源进行安装1:取官网获取软件包
[root@server1 ~]# ls
docker fail2ban-0.8.14.tar.gz2:解压压缩包到/usr/local/目录下
[root@server1 ~]# tar zxf fail2ban-0.8.14.tar.gz -C /usr/local/
[root@server1 ~]# cd /usr/local/
[root@server1 local]# ls
bin fail2ban-0.8.14 include lib64 sbin src
etc games lib libexec share3:查看README.md文件 ,一般的开源软件都会有相关的说明文件
[root@server1 fail2ban-0.8.14]# vim README.md To install, just do:tar xvfj fail2ban-0.8.12.tar.bz2cd fail2ban-0.8.12
python setup.py install4:安装(基于python语言开发,要求python版本高于2.4)[root@server1 fail2ban-0.8.14]# python -V ###查看python版本
Python 2.7.5
[root@server1 fail2ban-0.8.14]# python setup.py install
They are in /etc/fail2ban/. ###软件安装的主目录5:进入目录,查看服务启动文件
[root@server1 fail2ban]# cd -
/usr/local/fail2ban-0.8.14
[root@server1 fail2ban-0.8.14]# ls
build DEVELOP fail2ban-testcases-all README.md THANKS
ChangeLog doc files README.Solaris TODO
client fail2ban-client FILTERS server
common fail2ban-regex kill-server setup.cfg
config fail2ban-server man setup.py
COPYING fail2ban-testcases MANIFEST testcases
[root@server1 fail2ban-0.8.14]# cd files/
[root@server1 files]# ls
bash-completion gen_badbots nagios
cacti gentoo-confd redhat-initd
fail2ban-logrotate gentoo-initd solaris-fail2ban.xml
fail2ban.service ipmasq-ZZZzzz_fail2ban.rul solaris-svc-fail2ban
fail2ban-tmpfiles.conf macosx-initd suse-initd6:将启动脚本拷贝到系统启动的目录下面
[root@server1 files]# cp redhat-initd /etc/rc.d/init.d/fail2ban拓展:目录下那么多文件,我怎么就知道 redhat-initd就是启动脚本呢
[root@server1 fail2ban-0.8.14]# grep chkconfig ./* -R --color ###服务的启动文件下一般都含有chkconfig 启动级别定义这样一个字段
./files/redhat-initd:# chkconfig: - 92 087:设置成开机自启
[root@server1 files]# chkconfig --add fail2ban应用实例:ssh远程登陆5分钟内3次密码验证失败,禁止用户ip访问主机1小时,一小时后自动解除,用户可以重新登陆sshd服务的日志文件:/var/log/secure修改配置文件96 enabled = true ###启用模块修改为true97 filter = sshd98 action = iptables[name=SSH, port=ssh, protocol=tcp]99 sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@ex ample.com, sendername="Fail2Ban"]如果你想让服务器在被暴力破解时给你发邮件,就将这个改为自己的邮件dest=you@example.com,并且服务器上安装了sendmail服务,并且已经开启了。100 logpath = /var/log/secure ###指定sshd服务的日子,因为该服务也是通过检测日志来进行判断的
101 maxretry = 3 ##最多连接次数
findtime = 3600 ##要求5分钟之内
bantime = 3600 ##禁止1个小时8:重新启动服务
[root@server1 fail2ban]# systemctl restart fail2ban
[root@server1 fail2ban]# systemctl status fail2ban
● fail2ban.service - LSB: Start/Stop fail2banLoaded: loaded (/etc/rc.d/init.d/fail2ban; bad; vendor preset: disabled)Active: active (running) since 四 2019-10-24 20:28:34 CST; 26min agoDocs: man:systemd-sysv-generator(8)
[root@server1 fail2ban]# systemctl enable fail2ban
fail2ban.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fail2ban on ###已经加入到开机自启动列表中了9:加了一个防火墙链
[root@server1 fail2ban]# iptables -nvL
Chain INPUT (policy ACCEPT 30 packets, 2100 bytes)pkts bytes target prot opt in out source destination 30 2100 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 17 packets, 1482 bytes)pkts bytes target prot opt in out source destination Chain fail2ban-SSH (1 references)pkts bytes target prot opt in out source destination 30 2100 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 10:为了方便实验,我们删除服务端的免密认证文件
[root@server1 fail2ban]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys
[root@server1 .ssh]# rm -rf authorized_keys 11:开始实验
[root@server2 ~]# ssh root@172.25.2.1 ###发现在输入三次密码错误之后,就没有机会在进行登陆了
root@172.25.2.1's password:
Permission denied, please try again.
root@172.25.2.1's password:
Permission denied, please try again.
root@172.25.2.1's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused
[root@server2 ~]# 12:服务端查看信息
[root@server1 .ssh]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 3
`- action|- Currently banned: 1| `- IP list: 172.25.2.2 `- Total banned: 1[root@server1 log]# cat /var/log/secure ###查看日志
Oct 24 21:01:10 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:11 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:14 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:16 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:18 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:20 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Connection closed by 172.25.2.2 [preauth]场景1:如果此时我想提前被ban的主机解除
因为该服务时通过检测/var/log/secure该日志来进行检测的,此时我们在只需要将该日志清空就可以了
[root@server1 log]# > /var/log/secure ###清空日志
[root@server1 log]# cat /var/log/secure
[root@server1 log]# systemctl restart fail2ban ##重起服务[root@server2 ~]# ssh root@172.25.2.1 ###此时被ban的主机就哟可以进行远程ssh连接了
root@172.25.2.1's password:
Last failed login: Thu Oct 24 21:01:20 CST 2019 from server2 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Thu Oct 24 19:55:36 2019 from server2
WELCOME 场景2:fail2ban默认的是22,如果我们在之前的实验中将sshdfuwu的端口修改了,应该怎么办?[root@server1 action.d]# cd /etc/fail2ban/
[root@server1 fail2ban]# vim jail.conf98 action = iptables[name=SSH, port=ssh, protocol=tcp]此处使用了服务代替默认的端口,如果我的服务为2222,那么我就指定port = 2222[root@server1 action.d]# cd /etc/fail2ban/action.d
[root@server1 action.d]# vim iptables.conf 61 port = ssh两处配置文件都要修改,新的端口才会生效denyhosts 软件:DenyHost是使用Python开发的,它通过监控系统日志文件(/var/log/secure),来分析是否存在对OpenSSH的暴力破解行为,如果发现暴力破解,则其从系统安全日志分析出来源IP地址,然后通过在/etc/hosts.deny文件中加入相应的条目来使TCP Warappers禁止该IP地址的后续连接尝试pam 模块: linux系统自带的防止暴力破解sshd服务的模块 ###防护的安全性不是特别高,毕竟是张读用户的
2、通过pam 模块来防止暴力破解ssh
[root@server1 ~]# vim /etc/pam.d/sshd
在第一行下面添加一行:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200说明:尝试登陆失败超过3次,普通用户600秒解锁,root用户1200秒解锁手动解除锁定:
查看某一用户错误登陆次数:
pam_tally –-user
例如,查看work用户的错误登陆次数:
pam_tally –-user work
清空某一用户错误登陆次数:
pam_tally –-user –-reset
例如,清空 work 用户的错误登陆次数,
pam_tally –-user work –-reset
sshd服务防暴力破解脚本
![The server selected protocol version TLS10 is not accepted by client preferences [TLS12]](https://img-blog.csdnimg.cn/20210428163637794.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NzE4MDgyNA==,size_16,color_FFFFFF,t_70)
