Configuring the SSH server: /etc/ssh/sshd_config

The listing below is the CentOS 7 default file with this page's annotations appended after a second "#". Those annotations are notes for the reader, not part of the file: sshd does not accept a comment after an option on the same line, so do not paste them onto active (uncommented) lines of a real config. After any change, check the file with "sshd -t" and reload sshd while keeping your current session open until a fresh login has been verified.

[root@CentOS7 ~]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22                         # default listening port; consider changing it (and telling SELinux, as above)
#AddressFamily any               # address family; both IPv4 and IPv6 are served by default
#ListenAddress 0.0.0.0           # default listening address; bind to an internal address where possible
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key        # host key files
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging                        # on CentOS the log ends up in /var/log/secure by default
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes             # whether root may log in directly; set to no
#StrictModes yes                 # check ownership and permissions of the user's home and key files before accepting a login
#MaxAuthTries 6                  # authentication attempts allowed per connection; once failures reach half this number, further failures are logged
#MaxSessions 10                  # maximum open sessions (shells, subsystems) multiplexed over one network connection
#PubkeyAuthentication yes        # allow public-key authentication

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys    # where the user's authorised public keys are read from

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes       # whether password logins are accepted; set to no once key-based access works

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no          # GSSAPI (Kerberos) user authentication; leave at no unless you use it
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0           # seconds between keepalive probes sent to the client; 0 disables them
#ClientAliveCountMax 3           # unanswered probes after which the connection is dropped
#ShowPatchLevel no
UseDNS no                        # reverse-resolve client addresses; keep at no (slows logins, gains nothing)
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100           # start:rate:full; with 10 unauthenticated connections pending, new ones are refused with 30% probability, rising linearly to 100% at 100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none                     # text shown before login

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Adding "AllowUsers user ..." restricts which accounts may log in to the ssh server from remote hosts; any user not on the list is refused, root included.
Adding "DenyUsers user ..." lists accounts that may not log in from remote hosts.
When a user appears in both AllowUsers and DenyUsers, sshd refuses the login: the directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and the first match that denies wins.
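The following is an added example, not code from the original page: it audits an sshd_config for the settings this page recommends changing and applies the AllowUsers/DenyUsers ordering described above. The parser reads the file the way sshd does (comments skipped, the first occurrence of a keyword wins, the global section ends at the first Match block, which the example does not evaluate). The two configs embedded in it are constructed samples: the active lines of the CentOS 7 file shown above, and the same file after the recommendations are applied. The user name jiangbowen is taken from the page; the default values assumed for unset keywords are the OpenSSH ones.

```python
"""Audit an sshd_config and evaluate AllowUsers/DenyUsers (added example,
not from the original page).  Run with a path to audit a real file, or
with no arguments to audit the constructed WEAK_CONF sample."""

import re
import sys


def parse_global(text):
    """Return {keyword_lower: first_value} for the global section of sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                        # conditional block: out of scope here
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def user_permitted(settings, user):
    """Apply the order sshd uses: DenyUsers first, then AllowUsers.
    A user on both lists is denied; with no AllowUsers, anyone not denied may
    try to log in.  Assumption: plain user names only (no user@host patterns)."""
    denied = settings.get("denyusers", "").split()
    allowed = settings.get("allowusers", "").split()
    if user in denied:
        return False
    if allowed and user not in allowed:
        return False
    return True


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_global(text)
    findings = []
    root = s.get("permitrootlogin", "").lower()
    if root == "":
        findings.append("PermitRootLogin unset: relies on the build default, set it to no explicitly")
    elif root not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s: root can log in directly, set it to no" % root)
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not no: passwords can be brute-forced, use keys only")
    if s.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with an empty password can log in")
    if s.get("x11forwarding", "no").lower() == "yes":
        findings.append("X11Forwarding yes: disable unless the host really needs X11")
    if s.get("usedns", "no").lower() == "yes":
        findings.append("UseDNS yes: slows logins and adds no security")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt to log in")
    return findings


# Constructed sample: the active settings of the CentOS 7 file shown above.
# The Match block at the end is deliberately ignored by parse_global().
WEAK_CONF = """
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
"""

# Constructed sample: the same file after applying the page's recommendations.
HARDENED_CONF = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
UseDNS no
AllowUsers jiangbowen
DenyUsers root
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it as "python3 audit_sshd.py /etc/ssh/sshd_config" on a host; the sample WEAK_CONF produces four findings and HARDENED_CONF none. Note that settings inside a Match block are not seen, which is the correct reading for global logins but means a Match-scoped override has to be checked separately.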
The sftp command resembles the traditional ftp tool, but the connection runs over the SSH protocol, so the transfer is authenticated and encrypted. It is served by the sftp-server subsystem configured in sshd_config above.
[root@CentOS6 ~]# sftp root@192.168.30.74    # sftp is an interactive command
Connecting to 192.168.30.74...
sftp> ls
11                    Desktop               Documents             Downloads
Music                 Pictures              Public                Templates
Videos                aa                    anaconda-ks.cfg       app
bin                   initial-setup-ks.cfg  user.txt              useradd
sftp> pwd
Remote working directory: /root
sftp> get /etc/fstab /data
Fetching /etc/fstab to /data/fstab
/etc/fstab                                    100%  595     0.6KB/s   00:00
sftp> exit
The pssh command runs a command on multiple hosts concurrently over SSH connections.
Syntax: pssh -H host [-H host ...] [options] command
[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -A -i pwd
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 13:50:51 [SUCCESS] 192.168.30.74
/root
[2] 13:50:57 [SUCCESS] 192.168.30.75
/root
[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -i pwd    # no -A: both hosts already accept this client's key
[1] 13:52:55 [SUCCESS] 192.168.30.74
/root
[2] 13:52:56 [SUCCESS] 192.168.30.75
/root
Options:
-h: host file, one "[user@]host[:port]" entry per line
-H: host string given on the command line
-l: user name to log in as
-p: number of parallel connections
-o: directory for per-host stdout files; an existing file for the same host is overwritten
-e: directory for per-host stderr files
-t: timeout in seconds; 0 means no limit
-O: an SSH option, as in ssh -o
-v: verbose mode
-A: prompt for a password; without -A the hosts must already accept key-based authentication from this client
-x: extra ssh command-line arguments, split on whitespace with quotes and backslashes honoured
-X: a single extra ssh argument, passed unsplit; otherwise like -x
-i: inline mode, print each host's stdout and stderr right after it finishes
-P: print output from each host as it arrives
[root@CentOS7 err.log]# ssh root@192.168.30.74 'echo $PATH'    # single quotes: $PATH is expanded on the remote side
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]# ssh root@192.168.30.75 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]# ssh root@192.168.30.69 'echo $PATH'
/app/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
The remote PATH for a non-interactive command is not the one an interactive login would give you and differs from host to host. When the command or script to run is not on the PATH shown above, call it by its absolute path, with pssh as much as with plain ssh.
The pscp.pssh command pushes a file to multiple hosts.
Syntax: pscp.pssh -H host [-H host ...] [options] local-file remote-directory
[root@CentOS7 data]# pscp.pssh -H 192.168.30.75 -H 192.168.30.69 host.sh /root/bin
[1] 14:32:29 [SUCCESS] 192.168.30.69
[2] 14:32:30 [SUCCESS] 192.168.30.75
Options: largely the same as pssh, plus -r for recursive copying
-r: copy directories recursively
-h: host file, one "[user@]host[:port]" entry per line
-H: host string given on the command line
-O: an SSH option, as in ssh -o
-o: directory for per-host stdout files; an existing file for the same host is overwritten
-e: directory for per-host stderr files
-t: timeout in seconds; 0 means no limit
-x: extra ssh command-line arguments, split on whitespace with quotes and backslashes honoured
-X: a single extra ssh argument, passed unsplit; otherwise like -x
The pslurp command pulls a file from multiple hosts.
Syntax: pslurp -H host [-H host ...] [options] -L local-directory remote-file [local-name]
[root@CentOS7 err.log]# pslurp -H root@192.168.30.75 -H 192.168.30.69 -L /data/ /var/log/messages maa
[1] 16:02:27 [SUCCESS] 192.168.30.69
[2] 16:02:28 [SUCCESS] root@192.168.30.75
Each host's copy is stored in its own subdirectory named after the host under the local directory (here /data/192.168.30.69/maa and /data/192.168.30.75/maa), so files from different hosts do not overwrite each other.
Setting up the lab environment
1. On 192.168.30.75, add an iptables rule that rejects connections from 192.168.30.69
[root@CentOS7 ~]# iptables -A INPUT -s 192.168.30.69 -j REJECT
[root@CentOS7 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 92 packets, 15050 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       192.168.30.69        0.0.0.0/0            reject-with icmp-port-unreachable
2. Enable the telnet service port on 192.168.30.75
[root@CentOS7 ~]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Fri 2018-05-25 00:19:27 CST; 8min ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

May 25 00:19:27 CentOS7.Miriam systemd[1]: Listening on Telnet Server Activation Socket.
May 25 00:19:27 CentOS7.Miriam systemd[1]: Starting Telnet Server Activation Socket.
Local port forwarding
The local host (where ssh is run) is 192.168.30.69
Syntax: ssh -L local-port:target-host:target-port ssh-server
[root@CentOS6 ~]# ssh -L 1024:192.168.30.75:23 192.168.30.74    # from 192.168.30.69: open the ssh session to 192.168.30.74 that carries the forward
Last login: Thu May 24 13:51:17 2018 from 192.168.30.69
[root@CentOS7 ~]#
[root@CentOS6 ~]# telnet 127.0.0.1 1024    # reach the telnet service through local port 1024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password:
[jiangbowen@CentOS7 ~]$    # connected
[root@CentOS7 ~]# ss -nt    # connection state on 192.168.30.74
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
ESTAB      0      0      192.168.30.74:22                 192.168.30.69:55416
ESTAB      0      0      192.168.30.74:54308              192.168.30.75:23
ESTAB      0      52     192.168.30.74:22                 192.168.30.1:1799
Options:
-f: go to the background just before command execution (after authentication and the forward are set up)
-N: do not run a remote command; the session exists only to carry the forward
-g: let hosts other than the local machine connect to the forwarded local port; without -g the listener binds to 127.0.0.1 only
Forwarding path: data <-> localhost:1024 <-> localhost:XXXXX <-> sshsrv:22 <-> sshsrv:YYYYY <-> telnetsrv:23
Here localhost is 192.168.30.69, sshsrv is 192.168.30.74 and telnetsrv is 192.168.30.75. The telnet connection to 192.168.30.75 is opened by 192.168.30.74 (see the ss output: 192.168.30.74:54308 to 192.168.30.75:23), which is why the iptables rule rejecting 192.168.30.69 does not block it.
Remote port forwarding
The local host (where ssh is run) is 192.168.30.74
Syntax: ssh -R remote-port:target-host:target-port ssh-server
[root@CentOS7 ~]# ssh -R 1024:192.168.30.75:23 192.168.30.69    # from 192.168.30.74: open the ssh session to 192.168.30.69 that carries the forward
Last login: Thu May 24 17:14:38 2018 from 192.168.30.74
[root@CentOS6 ~]#
[root@CentOS6 ~]# ss -nt    # connection state on 192.168.30.69
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
ESTAB      0      0      192.168.30.69:22                 192.168.30.1:1796
ESTAB      0      0      192.168.30.69:22                 192.168.30.74:50658
[root@CentOS6 ~]# ss -ntl    # local port 1024 is now listening
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    127.0.0.1:1024                   *:*
LISTEN     0      128    ::1:1024                         :::*
LISTEN     0      128    :::33959                         :::*
LISTEN     0      128    :::111                           :::*
LISTEN     0      128    *:111                            *:*
LISTEN     0      128    :::22                            :::*
LISTEN     0      128    *:22                             *:*
LISTEN     0      128    127.0.0.1:631                    *:*
LISTEN     0      128    ::1:631                          :::*
LISTEN     0      100    ::1:25                           :::*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    *:44351                          *:*
[root@CentOS6 ~]# telnet 127.0.0.1 1024    # use telnet against local port 1024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password:
Last login: Fri May 25 00:54:56 from ::ffff:192.168.30.74
[jiangbowen@CentOS7 ~]$    # connected
Forwarding path: data <-> sshsrv:1024 <-> sshsrv:22 <-> localhost:XXXXX <-> localhost:YYYYY <-> telnetsrv:23
Here sshsrv is 192.168.30.69 (the host that received the -R and now listens on 1024), localhost is 192.168.30.74 and telnetsrv is 192.168.30.75. Note in the ss -ntl output that port 1024 is bound to 127.0.0.1 and ::1 only: sshd binds a remote-forwarded port to loopback unless GatewayPorts is set to yes or clientspecified in its sshd_config, so other machines cannot use the tunnel entrance unless the server administrator allows it.
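The following is an added example, not code from the original page. It is a minimal TCP relay that does what the ssh client does on the local side of "ssh -L" (and sshd on the remote side of "ssh -R"): listen on a port and, for each accepted connection, open a connection to the target and copy bytes in both directions. The encrypted ssh hop between the two hosts is replaced by a plain in-process TCP connection, and the telnet service on port 23 by a constructed stand-in that sends a login banner and echoes lines back, so it runs offline. What it demonstrates is the bind-address rule from the two sections above: without -g (for -L) or GatewayPorts (for -R) the tunnel entrance listens on 127.0.0.1 only; with them it listens on 0.0.0.0 and is reachable from the whole network. The banner text and the "got ..." echo format are assumptions for the demo; the user name jiangbowen comes from the page.

```python
"""Minimal port-forward relay with loopback/gateway bind choice (added
example, not from the original page).  Run it to see both bind modes."""

import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, handler):
    """Accept loop in a daemon thread; a short poll lets close() on the listener end it."""
    listener.settimeout(0.2)

    def loop():
        while True:
            try:
                conn, _ = listener.accept()   # accepted sockets are blocking
            except socket.timeout:
                continue
            except OSError:                   # listener closed: tunnel torn down
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()


def start_forwarder(target, gateway=False, port=0):
    """Equivalent of `ssh -L [bind_address:]port:target_host:target_port`.
    gateway=True is what -g does: bind 0.0.0.0 instead of 127.0.0.1.
    Returns (bound_address, listening_socket); close the socket to tear down."""
    bind = "0.0.0.0" if gateway else "127.0.0.1"
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)

    def relay(client):
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:      # target unreachable: drop the client, like a failed ssh channel
            client.close()
            return
        upstream.settimeout(None)
        threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
        _pipe(upstream, client)

    _serve(srv, relay)
    return srv.getsockname(), srv


def start_fake_telnet(banner=b"CentOS7 login: "):
    """Constructed stand-in for telnetd on port 23: send a banner, then echo
    each received line back prefixed with 'got '.  Returns (address, socket)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def session(conn):
        with conn:
            conn.sendall(banner)
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                buf += data
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    conn.sendall(b"got " + line + b"\n")

    _serve(srv, session)
    return srv.getsockname(), srv


def through_tunnel(entrance, line=b"jiangbowen"):
    """What `telnet 127.0.0.1 1024` did on the page: connect to the tunnel
    entrance, read the banner, send one line, read the reply."""
    with socket.create_connection(entrance, timeout=5) as c:
        banner = c.recv(4096)
        c.sendall(line + b"\n")
        reply = c.recv(4096)
    return banner, reply


def demo(gateway=False):
    """Bring up the telnet stand-in and the forwarder, talk through it, tear down.
    Returns (bind address of the tunnel entrance, banner, reply)."""
    telnet_addr, telnet_srv = start_fake_telnet()
    (bind, port), tunnel_srv = start_forwarder(telnet_addr, gateway=gateway)
    try:
        banner, reply = through_tunnel(("127.0.0.1", port))
    finally:
        tunnel_srv.close()
        telnet_srv.close()
    return bind, banner, reply


if __name__ == "__main__":
    print("plain -L:", demo())               # entrance bound to 127.0.0.1
    print("with -g :", demo(gateway=True))   # entrance bound to 0.0.0.0
```

The relay itself is identical in both modes; only the bind address changes, which is exactly why a forward that is convenient for one user on the box becomes an open door to the target for everyone who can reach the box once -g or GatewayPorts is turned on. Keep the entrance on loopback unless the wider exposure is intended, and if it is, restrict who can reach it with a host firewall.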