2. it技术
  3. 远程访问及控制

远程访问及控制

it2023-04-04  128

什么是ssh

SSH服务名为sshd,负责实时监听远程SSH客户端的远程连接请求,并进行处理,一般包括公共密钥认证、密钥交换、对称密钥加密和非安全连接等。 SSH由 IETF 网络工作小组制定;在进行数据传输之前,SSH先对联机数据包通过加密技术进行加密处理,加密后在进行数据传输。确保了传递的数据安全。 SSH是专为远程登录会话和其他网络服务提供的安全性协议。利用 SSH 协议可以有效的防止远程管理过程中的信息泄露问题,在当前的生产环境运维工作中,绝大多数企业普遍采用SSH协议服务来代替传统的不安全的远程联机服务软件

ssh远程登陆控制实验

[root@localhost ~]# vim /etc/ssh/sshd_config 开启以下功能进行安全加固 Port 22 ##开启22端口 ListenAddress 192.168.10.10 ##监听192.168.10.10 Protocol 2 ##协议版本2 UseDNS no ##禁用反向解析 下面设置用户登录限制 LoginGraceTime 1m ##限制登录验证时间 PermitRootLogin no ##限制root用户登录 MaxAuthTries 6 ##最大重试次数 PermitEmptyPasswords no ##禁止空密码用户登入 AllowUsers root@20.0.0.80 ##允许lzy用户从20.0.0.80接口远程进入 DenyUsers root@20.0.0.60 ##禁止lzy用户从20.0.0.60接口远程进入

连接测试:

[root@localhost ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:e9:42:76 brd ff:ff:ff:ff:ff:ff inet 20.0.0.80/24 brd 20.0.0.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::68ca:fe8:7cbc:64bc/64 scope link noprefixroute valid_lft forever preferred_lft forever [root@localhost ~]# ssh root@20.0.0.70 The authenticity of host '20.0.0.70 (20.0.0.70)' can't be established. ECDSA key fingerprint is SHA256:A8CX75ER78qgcMlGQ5lqYasF9pd5dyrHKqR09McqBhA. ECDSA key fingerprint is MD5:86:0f:6e:3c:ff:98:cc:ef:0f:0e:cd:fd:da:1a:d5:04. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '20.0.0.70' (ECDSA) to the list of known hosts. root@20.0.0.70's password: Last login: Mon Oct 19 21:35:59 2020 from 20.0.0.1 [root@localhost ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:5f:ce:05 brd ff:ff:ff:ff:ff:ff inet 20.0.0.70/24 brd 20.0.0.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::56f2:854f:7bdc:bd22/64 scope link noprefixroute valid_lft forever preferred_lft forever [root@localhost ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:48:bb:ad brd ff:ff:ff:ff:ff:ff inet 20.0.0.60/24 brd 20.0.0.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::bcc4:68a9:a8b9:70d5/64 scope link noprefixroute valid_lft forever preferred_lft forever [root@localhost ~]# ssh root@20.0.0.70 root@20.0.0.70's password: Permission denied, please try again. //提示权限被拒绝

设置密钥对免密登入

[root@localhost ~]# ssh-keygen -t rsa ##创建密钥对 Enter file in which to save the key (/root/.ssh/id_rsa): ##创建保存密钥目录(直接确认使用自动生成的目录) Created directory ‘/root/.ssh’. Enter passphrase (empty for no passphrase): ##设置密钥语(可以直接确认忽略) Enter same passphrase again: ##再次输入密钥语(可以直接确认忽略) Your identification has been saved in /root/.ssh/id_rsa. ##/root/.ssh/id_rsa私钥保存目录 Your public key has been saved in /root/.ssh/id_rsa.pub. ##/root/.ssh/id_rsa.pub公钥保存目录 The key fingerprint is: SHA256:OhnVkXfvsLk9KnD8p4sf8aqV4GA397b5gPYMUzAYqkQ root@localhost.localdomain The key’s randomart image is: [root@localhost ~]# scp ~/.ssh/id_rsa.pub root@20.0.0.70:/tmp [root@localhost ~]# ssh-copy-id root@20.0.0.70 ##验证一下密码,再登录就不用密码了

TCP访问策略

/etc/hosts.allow 白名单存放列表 /etc/hosts.deny 黑名单存放列表##白名单的权限高于黑名单 例:vim /etc/hosts.deny ##在最后一行加上sshd:ALL //意味着不允许所有服务或网络访问

最新回复(0)