亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Linux Centos7 —sshd遠程登錄,密鑰對登錄,TCPWrappers訪問控制

發布時間:2020-06-10 15:26:53 來源:網絡 閱讀:876 作者:23trl 欄目:云計算

Linux Centos7 —sshd遠程登錄,密鑰對登錄,TCPWrappers訪問控制

本章環境:VM虛擬機,一臺服務器作為服務端,一臺服務器作為客戶端

本章目的:了解sshd遠程登錄管理,密鑰對驗證,Tcp wappers訪問控制

一.sshd遠程登錄

1.查看sshd服務

 [root@localhost ~]# netstat -ntap | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      3252/dnsm      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      968/sshd       //默認我們的SSHD是開啟的
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      16227/sshot@pt 
tcp        0      0 192.168.17.128:49342    180.97.251.226:80       TIME_WAIT   -              
tcp        0      0 192.168.17.128:42522    202.141.176.110:80   

2.了解SSHD服務端配置文件

[root@localhost ~]# vim /etc/ssh/sshd_config //服務端的SSHD配置文件

17 #Port 22 //端口
18 #AddressFamily any
19 #ListenAddress 0.0.0.0 //監聽地址
20 #ListenAddress :: //IPV6地址

37#LoginGraceTime 2m  //2分鐘會話時間 
 38 #PermitRootLogin yes  //允許ROOT登錄
 39 #StrictModes yes    //驗證你的訪問權限
 40 #MaxAuthTries 6   //驗證次數
 41 #MaxSessions 10   // 訪問最大連接數10個

#PubkeyAuthentication yes  //公鑰驗證開啟

3.使用客戶端去遠程登錄服務端的ROOT用戶

[root@test02 ~]# ssh root@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
root@192.168.17.128's password: 
Last login: Mon Sep 16 12:07:36 2019

4.把服務端的遠程登錄ROOT用戶關掉

37 #LoginGraceTime 2m
 38 #PermitRootLogin no  //禁止遠程用戶用ROOT登錄
 39 #StrictModes yes
 40 #MaxAuthTries 6
 41 #MaxSessions 10

5.去服務端驗證是否能登錄ROOT用戶

[root@test02 ~]# ssh root@192.168.17.128
root@192.168.17.128's password: 
Permission denied, please try again.
root@192.168.17.128's password: 

6.客戶端切換到普通用戶lisi,再切到ROOT用戶也行(不安全)

[root@test02 ~]# ssh lisi@192.168.17.128
lisi@192.168.17.128's password: 
[lisi@test01 ~]$ su - root
密碼:
上一次登錄:一 9月 16 12:17:31 CST 2019pts/2 上
最后一次失敗的登錄:一 9月 16 12:25:59 CST 2019pts/2 上
最有一次成功登錄后有 1 次失敗的登錄嘗試。
[root@test01 ~]# 

7.把服務端開啟PAM認證

vim /etc/pam.d/su
//把“#”號去掉auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin

8.再去客戶端去驗證一下

[lisi@test01 ~]$ su - root
密碼:
su: 拒絕權限

9.在客戶端嘗試輸錯三次密碼,發現就退出來了,我們原本服務端設置的是驗證次數是6次

[root@test02 ~]# ssh chen@192.168.17.128
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
[root@test02 ~]# 

10.在客戶端切到ROOT用戶,設置驗證次數為8次

[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 chen@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Permission denied, please try again.
chen@192.168.17.128's password: 
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]# 

11.設置SSH遠程登錄的黑白名單

37 #LoginGraceTime 2m
 38 #PermitRootLogin no
 39 #StrictModes yes
 40 #MaxAuthTries 6
 41 #MaxSessions 10
 42 Allow Users chen@192.168.17.130
//只允許chen這個用戶用192.168.17.130地址登錄
[root@test01 ~]# systemctl restart sshd

12.了解三種遠程管理

scp 遠程復制
sftp  get 遠程下載文件
sftp put  遠程上傳文件

二.密鑰對驗證登錄

1.服務端開啟公私鑰驗證登錄

[root@localhost ~]# vim /etc/ssh/sshd_config //服務端的SSHD配置文件

43 PubkeyAuthentication yes  把“#”去掉開啟公私鑰驗證登錄
 44 
 45 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys    2
 46 # but this is overridden so installations will only check .ssh/authorized_ke    ys
 47 AuthorizedKeysFile      .ssh/authorized_keys
                                           //生成的公私密鑰會在這個目錄底下

2.客戶端,給chen用戶生成密鑰

[root@client ~]# ls /home/
chen
[root@client ~]# ssh-keygen -t ecdsa 
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo..  o...  |
|*=+.o...  o  .   |
|oo. =o.  .. o    |
|   +.+o..+o  o   |
|  . =+o=S....    |
| . + .=.+. .     |
|E .  . +.        |
| .    .          |
|                 |
+----[SHA256]-----+

3.查看chen用戶當中的公私鑰目錄

[root@client ~]# ls -a
.                    .bash_logout   .dbus                 .mozilla     模板
..                   .bash_profile  .esd_auth             .ssh         視頻
.1234.txt.swp        .bashrc        .ICEauthority         .tcshrc      圖片
abc                  .cache         initial-setup-ks.cfg  test         文檔
abc.txt              chen           is                    this         下載
anaconda-ks.cfg      chenchen       .lesshst              .viminfo     音樂
.anacond-ks.cfg.swp  .config        .local                .Xauthority  桌面
.bash_history        .cshrc         lshelp1.txt           公共
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts

4.把chen公鑰發送給服務端的公鑰目錄中

[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
chen@192.168.17.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'chen@192.168.17.128'"
and check to make sure that only the key(s) you wanted were added.

5.去服務端查看有沒有chen用戶的公鑰

[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h2tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6.客戶端遠程密鑰對登錄驗證

[root@client .ssh]# ssh chen@192.168.17.128
Enter passphrase for key '/root/.ssh/id_ecdsa': 
Last login: Sat Aug 10 00:32:52 2019

7.免交互,免去密鑰對登錄驗證

[chen@localhost ~]$ exit
登出
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash  //代理bash環境
[root@client .ssh]# ssh-add             //添加我們密鑰對的密碼
Enter passphrase for /root/.ssh/id_ecdsa: 
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh chen@192.168.17.128
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$ 

三.Tcp wappers 訪問控制

訪問控制策略:
先檢查hosts.allow,找到匹配則允許訪問
?否則再檢查hosts.deny,找到則拒絕訪問
?若兩個文件中均無匹配策略,則默認允許
訪問

1.到服務端設置訪問控制

[root@localhost ~]# vim /etc/hosts.allow


 hosts.allow   This file contains access rules which are used to
               allow or deny connections to network services that
               either use the tcp_wrappers library or that have been
               started through a tcp_wrappers-enabled xinetd.

               See 'man 5 hosts_options' and 'man 5 hosts_access'
               for information on rule syntax.
              See 'man tcpd' for information on tcp_wrappers

sshd:192.168.17.130   //添加只允許訪問的地址
~              

[root@localhost ~]# vim /etc/hosts.deny

hosts.deny    This file contains access rules which are used to
               deny connections to network services that either use
               the tcp_wrappers library or that have been
               started through a tcp_wrappers-enabled xinetd.

               The rules in this file can also be set up in
               /etc/hosts.allow with a 'deny' option instead.

               See 'man 5 hosts_options' and 'man 5 hosts_access'
               for information on rule syntax.
               See 'man tcpd' for information on tcp_wrappers

sshd:192.168.17.128                                                                                     
~                                                                                       
~                                                                                       
~        

以上就是我們的所有內容了

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

虞城县| 望都县| 忻城县| 松阳县| 南丹县| 米易县| 兴化市| 维西| 南乐县| 德惠市| 阿勒泰市| 绥化市| 曲靖市| 上饶县| 凤庆县| 静乐县| 佛冈县| 宿松县| 公安县| 荔波县| 富宁县| 宕昌县| 探索| 杨浦区| 郯城县| 乌鲁木齐市| 珲春市| 永兴县| 西华县| 绩溪县| 太和县| 孝义市| 陆川县| 焦作市| 固阳县| 巴马| 郴州市| 杭锦旗| 名山县| 连平县| 浦东新区|