目录
1. 关闭防火墙和selinux
2. 配置网络yum源
3. 软件安装
安装openssh和openssh-server
安装openssh服务端和客户端,默认装机时都已安装
安装openssh服务,提供远程sshd服务,因为都可以使用ssh登录到服务器
yum可以进行安装,也可以进行升级操作
[root@master-61 ~]# rpm -qa openssh*
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@master-61 ~]# yum -y install openssh-server openssh
[root@master-61 ~]# rpm -qa openssh*
openssh-7.4p1-23.el7_9.x86_64
openssh-server-7.4p1-23.el7_9.x86_64
openssh-clients-7.4p1-23.el7_9.x86_64
4. ssh基本安全配置
为了提升ssh安全性,会通过修改配置文件中的参数(例如:端口号、禁止root登录等)
1.禁用root用户登录、降低权限(只能通过普通用户登录,提前创建好可登录的普通普通户)
修改
#PermitRootLogin yes
PermitRootLogin no
[root@master-61 ~]# sed -rin 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
[root@master-61 ~]# grep -Ei '^Per' /etc/ssh/sshd_config
PermitRootLogin no
#下载随机密码生成工具pwgen,生成安全(-s)加数字(-n)形式的密码
[root@master-61 ~]# yum -y install pwgen
[root@master-61 ~]# pwgen -sn | head -1
mCkYUp6t
[root@master-61 ~]# pwgen -sn | head -1 > xiaopi.passwd
[root@master-61 ~]# cat xiaopi.passwd
74cDizTS
[root@master-61 ~]# useradd xiaopi
[root@master-61 ~]# cat xiaopi.passwd | passwd --stdin xiaopi
Changing password for user xiaopi.
passwd: all authentication tokens updated successfully.
#此刻重启sshd服务重新连接就会出现root无法登陆,使用普通用户正常登录,
但是可以普通用户连接后通过su命令切换用户
2.修改端口,22999
[root@master-61 ~]# grep -Ei '^(per|port)' /etc/ssh/sshd_config
PermitRootLogin no
[root@master-61 ~]# sed -rin 's/^#Port 22/Port 22999/' /etc/ssh/sshd_config
[root@master-61 ~]# grep -Ei '^(per|port)' /etc/ssh/sshd_config
Port 22999
PermitRootLogin no
[root@master-61 ~]# systemctl restart sshd
[root@master-61 ~]# netstat -tnlp | grep sshd
tcp 0 0 0.0.0.0:22999 0.0.0.0:* LISTEN 1461/sshd
tcp6 0 0 :::22999 :::* LISTEN 1461/sshd
3.测试登录
使用其他服务器尝试登录,无法正常登录,修改端口后添加公钥和root密码,但是权限仍是拒绝
由于添加了禁止root远程登录的原因,使用普通用户加修改后的端口即可登录
测试完成后恢复默认设置
[root@master-61 ~]# sed -rin 's/^Port 22999/#Port 22/' /etc/ssh/sshd_config
[root@master-61 ~]# sed -rin 's/^PermitRootLogin no/#PermitRootLogin yes/' /etc/ssh/sshd_config
[root@master-61 ~]# grep -Ei '^#(per|port)' /etc/ssh/sshd_config
#Port 22
#PermitRootLogin yes
[root@master-61 ~]# systemctl restart sshd
看到该参数
I参数是忽略大小写,然后再进行p打印
sed -e '/^permitRootLogin/Ip' -e '/^port/Ip' /etc/ssh/sshd_config -n
Port 22
PermitRootLogin yes
替换参数
将原文件备份,并将匹配到的整行内容替换,写入文件内容
方法1:
sed -i.ori -e '/^permitRootLogin/Ic PermitRootLogin yes' -e '/^port/Ic Port 22' /etc/ssh/sshd_config
方法2:
sed -i.bak -e 's#PermitRootLogin no#PermitRootLogin yes#' -e 's#Port 22999#Port 22#' /etc/ssh/sshd_config 设置ssh免密登录
- 在客户机上利用ssh-keygen生成公私钥
- 将公钥发送到目标机器上,首次连接时需要进行输入指纹验证以及目标机器的用户密码;ssh-copy-id [email protected]
- 密码验证完成后,目标机器会将客户机的公钥写入到被信任的主机~/.ssh/authorized_keys文件中
- 以后如果再通过客户机去登录目标机器的话,只需要使用ssh [email protected],用于认证的信息是客户机器上的私钥
- 原理是通过ssh [email protected]登录目标机器时,目标机器接收到客户端发过来的请求,回去扫描被信任的主机文件,查询到有客户端61这台主机公钥,则会随机生成一个字符串通过客户端61的公钥进行加密发送到客户端
- 由于是使用客户端61主机公钥进行加密,所以也只能通过该机器的私钥进行解密,其他机器解不开
- 待客户端61解开后将结果发送回目标主机后,目标主机进行比对,如果对得上就可以直接登录,这就实现了免密的原理
注:与直接通过命令连接不同点在于如果直接连接的话是目标主机发送公钥到客户端,客户端输入密码进行公钥加密返回目标主机达到登录的效果;而免密是目标主机直接利用公钥加密返回随机口令,让客户端进行解密返回结果
实战
1.客户端61生成公私钥
敲回车即可
[root@master-61 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7pWaFJgDSIDmZw2mD/742hA1UA/ac248GTOc+pAdnr0 root@master-61
The key's randomart image is:
+---[RSA 2048]----+
|oooo |
|.o+++ . |
|o.+=+X |
| +.o@oOo |
|..=+ X+.S |
| ...+ .o.. . |
| .o . Eo o |
| .o. o + |
| .oo + |
+----[SHA256]-----+
2.将公钥发送到目标主机
[root@master-61 ~]# ssh-copy-id [email protected]
-bash: ssh-copy-id: command not found
#由于未安装openssh-clients导致,进行安装即可使用
[root@master-61 ~]# yum -y install openssh-clients
[root@master-61 ~]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:n2plckensSskXuHp9+lbb/0AI0m94Entkenm36U6v38.
ECDSA key fingerprint is MD5:99:2a:9f:33:5b:c5:32:5a:46:d3:28:69:89:6f:3f:bd.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: #输入对应的密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
#完成发送,可以在10.0.0.7目标主机上进行查看公钥文件
3.比对客户端61机器上的公钥和目标主机上的被信任的主机key文件是否一致
客户端61
[root@master-61 ~]# ll ~/.ssh/
total 12
-rw------- 1 root root 1679 Sep 13 22:42 id_rsa
-rw-r--r-- 1 root root 396 Sep 13 22:42 id_rsa.pub
-rw-r--r-- 1 root root 170 Sep 13 22:50 known_hosts
[root@master-61 ~]# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA67k2iUrYRUe8H8xSdWIRNJDSVP2n8W0pYjvdTURrpccQMDrEP+OwpucYlQMR+wR3aYyU3z7e2nZC1B8nSpedF+A080kvsgWeMTy0HCcnDujJEn1eUPXM7py+S+sE58iOTr6zvzfrvEKfJA+mX2gtht1kt2W9+ahLB/SdaCfu4nA0gpnvaLTR69d6+4iBX6wn1aqu+dAyy+YxFCMzVwAHpcdzxdAtvJEjuP3z5eLldh96Hz85bwe1xto4MSP3y2BNav59q+eFL/656IS7HGu0CYSxsm7utQPC5TdcnKBi4xrDCEtfR5Vc6eJFEtNC/N9xFKgSQ1zV6A+KVLddh1It root@master-61
目标主机
[root@web-7 ~]# ll ~/.ssh/authorized_keys
-rw------- 1 root root 396 Sep 13 22:50 /root/.ssh/authorized_keys
[root@web-7 ~]# cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA67k2iUrYRUe8H8xSdWIRNJDSVP2n8W0pYjvdTURrpccQMDrEP+OwpucYlQMR+wR3aYyU3z7e2nZC1B8nSpedF+A080kvsgWeMTy0HCcnDujJEn1eUPXM7py+S+sE58iOTr6zvzfrvEKfJA+mX2gtht1kt2W9+ahLB/SdaCfu4nA0gpnvaLTR69d6+4iBX6wn1aqu+dAyy+YxFCMzVwAHpcdzxdAtvJEjuP3z5eLldh96Hz85bwe1xto4MSP3y2BNav59q+eFL/656IS7HGu0CYSxsm7utQPC5TdcnKBi4xrDCEtfR5Vc6eJFEtNC/N9xFKgSQ1zV6A+KVLddh1It root@master-61
#文件内容是一致的
[root@master-61 ~]# ssh [email protected]
Last login: Fri Sep 13 22:41:56 2024 from 10.0.0.1
[root@web-7 ~]#
如果无法发送的话也可以自行创建对应的.ssh/authorized_keys文件
将客户端主机公钥粘贴进去也可以实现免密登录
ssh安全防御
隐患因素
1.ssh支持密码连接、秘钥连接两个方式,为了密码别泄露,你得关闭密码登录
2.默认端口号全世界都知道是22,你得改掉端口号
3.如果客户端私钥被窃取,root服务器也就危险了
优化方案
1.目标主机需要关闭密码登录,提前配置好公钥登录
禁止密码登录,只允许公钥登录
[root@web-7 ~]#grep -Ei '^(pub|password)' /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
2.修改端口号为22999
[root@web-7 ~]#grep -Ei '^(pub|password|port)' /etc/ssh/sshd_config
Port 22999
PubkeyAuthentication yes
PasswordAuthentication no
[root@web-7 ~]#systemctl restart sshd
[root@master-61 ~]# ssh [email protected]
Last login: Fri Sep 13 22:59:56 2024 from 10.0.0.1
[root@web-7 ~]#
3.添加防火墙iptables规则,使得目标主机只能通过跳板机登录
针对web-7限定只允许 master-61访问
限制主机登录条件、设定iptables规则,只允许跳板机的流量(172.16.1.61)登录
其他机器的流量全部禁止。(只限定ssh的服务,限制22999的流量,由于还提供有网页服务和nfs等服务运行)
[root@web-7 ~]#iptables -A INPUT ! -s 172.16.1.61 -p tcp --dport 22999 -j DROP
iptables -A添加,input是服务器流入的流量
-s source源ip地址,这个流量从哪来
! 排除这个地址以外的所有ip
! -s 172.16.1.61排除172.16.1.61机器以外的流量
p tcp指定tcp协议
dport 目标端口这个流量想访问当前机器的么端口22999
-j 指定防火墙的动作drop拒绝,丢弃
[root@web-7 ~]#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- !172.16.1.61 anywhere tcp dpt:22999
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination