I. telnet
telnet is a remote login protocol: it lets a user on a local machine log in to and work on a remote host. Everything it sends, including the user name and password, travels in cleartext, so it is insecure and has essentially been replaced by ssh.
The telnet tool is the open-source implementation of the telnet protocol and follows a client/server (C/S) architecture:
server: the telnet-server package, listening on 23/tcp; the service process is telnetd, a transient daemon that is started on demand by the xinetd super-server.
By default the telnet server refuses direct logins as root (on Linux this is enforced by pam_securetty, because pseudo-terminals are not listed in /etc/securetty); you log in as an ordinary user and then su to root.
client: telnet
Usage of the telnet client program:
telnet remote_host [port], for example: telnet 192.168.30.20
Besides logging in to a remote host, telnet can be used to check whether a given TCP port on a remote host is reachable, since all it does is open a TCP connection to that port:
Example: telnet 192.168.30.20 80
II. ssh
ssh (Secure Shell) is a security protocol built on the application layer on top of the transport layer. It is the comparatively reliable protocol in use today that was designed specifically to secure remote login sessions and other network services.
22/tcp
ssh versions:
sshv1: integrity is protected only by a CRC-32 checksum rather than a real MAC; insecure (current OpenSSH releases no longer implement it at all)
sshv2: the encryption and MAC algorithms are negotiated between the two sides;
key exchange is based on DH; authentication is based on RSA or DSA (newer releases also support ECDSA and Ed25519);
the client decides whether to continue the session by checking the server's host key against the one it has recorded for that host;
III. openssh
OpenSSH is the open-source implementation of ssh, a set of connectivity tools for accessing remote computers securely. It can be used as a direct replacement for rlogin, rsh, rcp and telnet. Beyond that, any other TCP/IP connection can be tunneled/forwarded securely through SSH. OpenSSH encrypts all traffic, which effectively defeats eavesdropping, connection hijacking and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
The login process is very similar to a session established with rlogin or telnet. When connecting, SSH uses a key fingerprint system to verify the authenticity of the server. Only on the first connection is the user prompted to type yes; later connections are verified against the previously saved host key. If the saved key does not match the one received at login, a warning is given. The keys are stored in ~/.ssh/known_hosts (very old releases kept SSH v2 keys separately in ~/.ssh/known_hosts2; current releases keep everything in known_hosts).
By default, newer versions of OpenSSH only accept SSH v2 connections. The client uses version 2 automatically whenever it is available and otherwise falls back to version 1. The command-line options -1 and -2 force version 1 or version 2 respectively. Version 1 support was kept in the client only for compatibility with older servers; it has since been removed entirely (server side in OpenSSH 7.4, client side in 7.6), so on a current system -1 no longer works.
[root@node2 ~]# rm -f .ssh/*
[root@node2 ~]# ssh 192.168.30.10
The authenticity of host '192.168.30.10 (192.168.30.10)' can't be established.
RSA key fingerprint is a3:d3:a0:9d:f0:3b:3e:53:4e:ee:61:87:b9:3a:1c:8c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.10' (RSA) to the list of known hosts.
root@192.168.30.10's password:
Last login: Tue Nov 24 17:33:25 2015 from node2
[root@node1 ~]# logout
Connection to 192.168.30.10 closed.
[root@node2 ~]# cat .ssh/known_hosts
192.168.30.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzanDCNAhPaTOyvmOF3zWM0LaxPTTZnYqNeRAdtiEj5F4SS3f0JRbCt9vDNELLOtOMpPwehqmvxDtfjQ4l/3nQkMlt7FXJuLCuLSjORTEK3T5GDLXh7S8ZoiNy8TQqg+XqfI+7GTkMpgsQ+ITbvSVXlhyOXKKCgrVQmPnIkzRSuutfJH/PdoCz/cK3txgk8uWUdE+OahoFcxpjZH7qk/ly98QfgEZz36U1adH1upvd6NQzLJtFNAJapBgUmnCWriOytj2Nyu8QAHFvef9ZATUxI6vup99wfXKHBzeszWNeC9ttvKmn/qlDf2M37H3YcKJ1FJ6YM+t77lIIh41zMdagw==
[root@node2 ~]# ssh -2 192.168.30.10
1. openssh uses a C/S architecture:
server: the openssh-server package, daemon sshd, 22/tcp
client: the openssh-clients package, command ssh
Common ssh clients on Windows: xshell, putty, securecrt, sshshellclient
2. The openssh server side:
service script: /etc/rc.d/init.d/sshd
script configuration file: /etc/sysconfig/sshd
configuration file: /etc/ssh/sshd_config
configuration parameters (see man sshd_config):
Port: change the port sshd listens on
ListenAddress: the local address(es) sshd binds to
Authentication events are logged to /var/log/secure (readable only by root); the failed-login records in it can be used to generate firewall rules that blacklist the attacking addresses.
[root@node2 ~]# vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22                  # listens on port 22 by default
# listen on 7796 instead of the default
port 7796
#AddressFamily any        # address family to listen on (ipv4, ipv6 or both)
#ListenAddress 0.0.0.0    # by default binds all local IPv4 addresses
#ListenAddress ::         # by default binds all local IPv6 addresses

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
# accept SSH v2 only
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key        # host key used by SSH v1
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h   # SSH v1 only: regenerate the ephemeral server key every hour
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m        # how long a client may take to complete the login
#PermitRootLogin yes      # allow direct root login? Recommended: no; log in as a normal user and su to root
#StrictModes yes
#MaxAuthTries 6           # max authentication attempts per connection, limits brute-force attacks
#MaxSessions 10           # max sessions per network connection

#RSAAuthentication yes
#PubkeyAuthentication yes                 # allow public-key authentication
#AuthorizedKeysFile .ssh/authorized_keys  # file holding the authorized public keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
# the sftp subsystem is enabled by default
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

[root@node2 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@node2 ~]# ss -tnl
State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
LISTEN     0      128                 :::111                :::*
LISTEN     0      128                  *:111                 *:*
LISTEN     0      128               :::49553                :::*
LISTEN     0      128                :::7796                :::*
LISTEN     0      128                 *:7796                 *:*
LISTEN     0      128          127.0.0.1:631                 *:*
LISTEN     0      128                ::1:631                :::*
LISTEN     0      128         127.0.0.1:6010                 *:*
LISTEN     0      128               ::1:6010               :::*
LISTEN     0      128         127.0.0.1:6011                 *:*
LISTEN     0      128               ::1:6011               :::*
LISTEN     0      128                 *:49951                *:*
[root@node2 ~]# iptables -R INPUT 4 -p tcp --dport 7796 -j ACCEPT
[root@node2 ~]# logout
...
[c:\~]$ ssh 192.168.30.20 7796
Connecting to 192.168.30.20:7796...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Tue Nov 24 19:46:16 2015 from 192.168.30.1
[root@node2 ~]#
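The blacklist idea mentioned with /var/log/secure above, as an added shell example that is not part of the original post: count "Failed password" records per source address and print an iptables DROP rule for every address over a threshold. The log lines are constructed to match the format sshd writes on CentOS 6, and the threshold of three failures is an assumption; the rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example: turn sshd failed-password records into iptables blacklist rules.

# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_SECURE_LOG='Nov 24 19:40:01 node2 sshd[2311]: Failed password for root from 192.168.30.77 port 51122 ssh2
Nov 24 19:40:03 node2 sshd[2311]: Failed password for root from 192.168.30.77 port 51123 ssh2
Nov 24 19:40:05 node2 sshd[2315]: Failed password for invalid user admin from 192.168.30.77 port 51130 ssh2
Nov 24 19:40:09 node2 sshd[2319]: Failed password for invalid user oracle from 192.168.30.77 port 51131 ssh2
Nov 24 19:41:00 node2 sshd[2330]: Failed password for tesla from 192.168.30.10 port 40001 ssh2
Nov 24 19:41:20 node2 sshd[2330]: Accepted publickey for tesla from 192.168.30.10 port 40001 ssh2
Nov 24 19:42:00 node2 sshd[2340]: Failed password for root from 10.0.0.5 port 33000 ssh2
Nov 24 19:42:02 node2 sshd[2340]: Failed password for root from 10.0.0.5 port 33001 ssh2
Nov 24 19:42:04 node2 sshd[2340]: Failed password for root from 10.0.0.5 port 33002 ssh2'

# failed_logins_by_ip: read sshd log lines on stdin and print "<count> <ip>"
# for every source address with at least one failed password, highest
# count first. Both "for USER from IP" and "for invalid user USER from IP"
# are handled because the address is taken from the field after "from".
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# blacklist_rules THRESHOLD: read sshd log lines on stdin and print one
# iptables rule per address whose failure count is >= THRESHOLD.
# -I INPUT inserts at the top of the chain, ahead of the ACCEPT rule for
# the ssh port, so the DROP takes effect.
blacklist_rules() {
    failed_logins_by_ip | awk -v t="$1" '$1 + 0 >= t + 0 {
        printf "iptables -I INPUT -s %s -j DROP\n", $2
    }'
}

# Usage (review the output, then pipe it to sh to apply):
#   printf '%s\n' "$SAMPLE_SECURE_LOG" | blacklist_rules 3
#   blacklist_rules 3 < /var/log/secure
```

Addresses blacklisted this way never expire; in practice, pair the rule generation with a cron job that flushes or re-evaluates the list, or use a dedicated tool that does the same job with timeouts.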
3. How sshd authenticates clients:
(1) password-based authentication
(2) key-based authentication
① the client generates a key pair
# ssh-keygen -t rsa
By default this produces id_rsa (the private key; keep it readable only by its owner) and id_rsa.pub (the public key)
② import the public key into the .ssh/authorized_keys file in the home directory of the target user on the remote host
There are two ways to do this:
㈠ on the client: scp -P 7796 .ssh/id_rsa.pub USER@192.168.30.20:HOME_DIR_OF_USER
on the server: cat id_rsa.pub >> .ssh/authorized_keys (and make sure .ssh is mode 700 and authorized_keys mode 600; with the default StrictModes yes, sshd ignores the file when it or the directory is group- or world-writable)
㈡ ssh-copy-id -i .ssh/id_rsa.pub USERNAME@HOST
If the remote host does not listen on the default port 22, the port must be given:
ssh-copy-id -i .ssh/id_rsa.pub '-p PORT USERNAME@HOST' (this quoting trick is what the older ssh-copy-id shipped with CentOS 6 needs; newer versions accept -p PORT as a normal option)
[root@node1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ca:8c:ba:06:7a:33:58:73:54:fe:f1:f6:59:89:a7:d0 root@node1
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
| .               |
| o               |
| . . .           |
| . .So . . .     |
|. o .+ .. + E +  |
|.+ o. + . o =    |
|o =. +           |
| oo+             |
+-----------------+
[root@node1 ~]# ls .ssh
id_rsa  id_rsa.pub  known_hosts
[root@node1 ~]# ll .ssh
total 12
-rw------- 1 root root 1675 Nov 24 21:23 id_rsa
-rw-r--r-- 1 root root  392 Nov 24 21:23 id_rsa.pub
-rw-r--r-- 1 root root  395 Nov 24 09:51 known_hosts
[root@node1 ~]# chmod 600 .ssh/id_rsa.pub
[root@node1 ~]# scp -P 7796 .ssh/id_rsa.pub 192.168.30.20:/root
root@192.168.30.20's password:
id_rsa.pub                                    100%  392     0.4KB/s   00:00
[root@node1 ~]# ssh-copy-id -i .ssh/id_rsa.pub '-p 7796 tesla@192.168.30.20'
tesla@192.168.30.20's password:
Now try logging into the machine, with "ssh '-p 7796 tesla@192.168.30.20'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@node1 ~]# ssh -p 7796 tesla@192.168.30.20
Last login: Fri Nov 27 03:30:38 2015 from 192.168.30.1
[tesla@node2 ~]$ logout
Connection to 192.168.30.20 closed.
[root@node2 ~]# ls
anaconda-ks.cfg  boot.iso  digest     Downloads  httpd.crt  id_rsa.pub   install.log.syslog  key2      messages.cipher  Pictures  Templates  test.sh  vmware-tools-distrib
awk.txt          Desktop   Documents  fstab      httpd.csr  install.log  key1                messages  Music            Public    test       Videos
[root@node2 ~]# cat id_rsa.pub >> .ssh/authorized_keys
[root@node2 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzMvlCKm+I3UgisZAak3Os6MTcNaC2mtP8H31L+mf0m+hsrq1fXk+QTMPsel1NHkPF5k3p3aMzbar+xpw57Tv97/amnhFATDA+rFCwT6bHyoxV2z+UhlhAFPGzin9bbBsBAqnxtNxuCDdQPUpXgbmz7zF3Impy/386Xt03fO3nnbcVnF5n6kMQ1tMD7x0ldPaR6N5kc92FtFMPrEKBiponsck8duW+73zHk9alcK0Q8e7Y+KFcMJtJogQsWjzjBbcunDLpzmHN3qAFna9sHQ93Xxy2WRuqfcJT/kYBWTHWHm7i+xW+fKhbvvuKRARXH8nVCdumELE44xACoPbCKIThQ== root@node1
[root@node2 ~]# ll .ssh
total 8
-rw-r--r-- 1 root root 392 Nov 27 22:59 authorized_keys
-rw-r--r-- 1 root root 395 Nov 27 19:02 known_hosts
[root@node2 ~]# chmod 600 .ssh/authorized_keys
Useful ssh-keygen options:
-f /path/to/somefile: where to save the key (default ~/.ssh/id_rsa)
-P '': supply the passphrase non-interactively; an empty string yields a key with no passphrase, which is what unattended jobs need (ssh-keygen(1) documents -P as the old passphrase, used with -p when changing one, and -N as the new passphrase; for a freshly generated key either sets it)
Then copy the public key with: # ssh-copy-id -i .ssh/id_rsa.pub USERNAME@HOST
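The server-side half of method ㈠ above (cat id_rsa.pub >> .ssh/authorized_keys) as an added shell example that is not part of the original post: it validates the key line before appending, refuses duplicates even when only the comment differs, and sets the directory and file modes that StrictModes requires. The function takes the home directory as an argument so it can be exercised on a scratch directory; the sample key below is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys safely.

# Constructed placeholder key (the base64 part is not real key material).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleKeyMaterialOnlyForIllustration0123456789 root@node1'

# is_valid_pubkey LINE: accept a single-line OpenSSH public key of the form
# "<type> <base64> [comment]"; anything else (private key blocks, garbage,
# empty input) is rejected so it never lands in authorized_keys.
is_valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# install_pubkey KEYFILE HOMEDIR
#   returns 0 when the key was appended,
#           1 when the same key (type + blob) was already present,
#           2 when KEYFILE does not hold exactly one valid public key.
install_pubkey() {
    keyfile="$1"
    sshdir="$2/.ssh"
    authkeys="$sshdir/authorized_keys"

    # Exactly one line, and it must look like a public key.
    [ "$(awk 'END { print NR }' "$keyfile")" -eq 1 ] || return 2
    key=$(cat "$keyfile")
    is_valid_pubkey "$key" || return 2

    # sshd with StrictModes (the default) ignores the file if ~/.ssh or
    # authorized_keys is group/world writable, so fix the modes up front.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"

    # Compare on type + blob only, so the same key with another comment
    # is still recognised as a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$authkeys"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$authkeys"
    return 0
}

# Usage on the server, after the public key was copied over with scp:
#   install_pubkey /root/id_rsa.pub /home/tesla && chown -R tesla: /home/tesla/.ssh
```

Because the check keys on the type and blob, re-running the script after a client regenerates its key pair appends the new key and leaves the old one in place; remove stale keys explicitly when a client is retired.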
Best practices:
1. Do not use the default port 22;
2. Do not use protocol 1;
3. Restrict which users may log in
whitelist:
AllowUsers user1 user2 ...
AllowGroups grp1 grp2 ...
blacklist:
DenyUsers
DenyGroups
4. Reap dead connections with the client-alive probes
ClientAliveInterval 300
ClientAliveCountMax 0
Note that these probes detect an unresponsive client, not an idle user: a client that is still connected answers them and its idle shell stays open, so a real idle logout needs TMOUT in the shell profile instead. Since OpenSSH 8.2, ClientAliveCountMax 0 disables connection termination altogether, so on current versions use a small positive value such as 3.
5. Use the firewall to control who may reach the ssh port;
6. Listen only on specific IP addresses rather than on all local addresses;
7. Use a strong password policy, for example generating passwords with
# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs
8. Use key-based authentication;
9. Forbid empty passwords (PermitEmptyPasswords no);
10. Forbid direct root login (PermitRootLogin no);
11. Limit the rate of ssh access (MaxAuthTries, MaxStartups, or rate-limiting firewall rules);
12. Keep good logs and review them regularly.
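The checklist above as an added shell example that is not part of the original post: a function that reads the effective value of each directive from an sshd_config the way sshd does (first uncommented occurrence wins, and the global scan stops at the first Match block) and reports which of the configurable items are not met. The defaults assumed are those of the OpenSSH 5.x configuration shown earlier on this page, the MaxAuthTries threshold of 4 is an assumption, items 5 and 7 live outside sshd_config and are not checked, and the two configurations are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the best-practice checklist.

# Constructed sample configs (not real files).
WEAK_CONFIG='#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
#ClientAliveInterval 0
Subsystem sftp /usr/libexec/openssh/sftp-server'

HARDENED_CONFIG='Port 7796
ListenAddress 192.168.30.20
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers tesla
ClientAliveInterval 300
ClientAliveCountMax 3
LogLevel VERBOSE
Match User anoncvs
    X11Forwarding yes'

# sshd_effective FILE KEY DEFAULT: print the value sshd would use for KEY.
# Keywords are case-insensitive; the first uncommented occurrence wins;
# directives inside Match blocks are conditional and are not scanned.
# Only the "Keyword value" form is handled, not "Keyword=value".
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the keyword
            sub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print d }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_findings=0
flag() { printf 'FAIL %s\n' "$1"; audit_findings=$((audit_findings + 1)); }

# audit_sshd_config FILE: print one FAIL line per unmet checklist item and
# return the number of findings (0 means everything checked is in order).
audit_sshd_config() {
    f="$1"
    audit_findings=0
    [ "$(sshd_effective "$f" Port 22)" != "22" ] \
        || flag "1: still listening on the default port 22"
    case "$(sshd_effective "$f" Protocol 2,1)" in
        *1*) flag "2: SSH protocol 1 is enabled" ;;
    esac
    [ -n "$(sshd_effective "$f" AllowUsers "")$(sshd_effective "$f" AllowGroups "")" ] \
        || flag "3: no AllowUsers/AllowGroups whitelist"
    [ "$(sshd_effective "$f" ClientAliveInterval 0)" -gt 0 ] 2>/dev/null \
        || flag "4: ClientAliveInterval is 0, dead connections are never reaped"
    case "$(sshd_effective "$f" ListenAddress 0.0.0.0)" in
        0.0.0.0*|::*|"") flag "6: sshd binds to every local address" ;;
    esac
    [ "$(lc "$(sshd_effective "$f" PubkeyAuthentication yes)")" = "yes" ] \
        || flag "8: public-key authentication is disabled"
    [ "$(lc "$(sshd_effective "$f" PermitEmptyPasswords no)")" = "no" ] \
        || flag "9: empty passwords are permitted"
    [ "$(lc "$(sshd_effective "$f" PermitRootLogin yes)")" = "no" ] \
        || flag "10: root may log in directly"
    [ "$(sshd_effective "$f" MaxAuthTries 6)" -le 4 ] 2>/dev/null \
        || flag "11: MaxAuthTries above 4 (assumed threshold)"
    case "$(lc "$(sshd_effective "$f" LogLevel INFO)")" in
        quiet|fatal|error) flag "12: LogLevel suppresses authentication events" ;;
    esac
    return "$audit_findings"
}

# Usage:
#   audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"
```

The hardened sample still leaves PasswordAuthentication to be decided: once every user's key is in place, setting it to no is the step that actually makes item 8 bite, because brute-force attempts then have nothing to guess.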
■ openssh client configuration file: /etc/ssh/ssh_config
■ Using the ssh command:
ssh [-p PORT] [username@]host [COMMAND]
If a COMMAND is given, ssh logs in only long enough to run that command on the remote host, returns its output, disconnects and drops back to the local shell
ssh [-p PORT] -l username host [COMMAND]
For safety, a host offering ssh on the network should avoid the well-known port 22 where possible, since it attracts brute-force attacks; the lastb command shows recent failed logins on the system (see the post at http://9124573.blog.51cto.com/9114573/1700512 for details)
[root@node2 ~]# ssh wittgenstein@192.168.30.10 hostname
wittgenstein@192.168.30.10's password:
node1
■ scp: a tool that uses the ssh protocol to copy files securely between hosts
Usage: scp [option] SRC1... DEST
Two cases:
① the source is on the local host and the destination is remote
# scp /path/to/somewhere... USERNAME@HOST:/path/to/somewhere
② the source is on the remote host and the destination is local
# scp USERNAME@HOST:/path/to/somewhere /path/to/somewhere
Common options:
-r: copy directories recursively
-p: preserve the source file's metadata, including mode and timestamps
-q: quiet mode
-P PORT: port on the remote host; required whenever it is not the default 22 (note the capital P, unlike ssh -p)
[root@node2 ~]# scp anaconda-ks.cfg 192.168.30.10:/tmp
root@192.168.30.10's password:
anaconda-ks.cfg                               100% 1282     1.3KB/s   00:00
[root@node2 ~]# scp -r 192.168.30.10:/root/test /tmp/
root@192.168.30.10's password:
c.txt                                         100%    0     0.0KB/s   00:00
b.txt                                         100%    0     0.0KB/s   00:00
[root@node2 ~]# ls /tmp/test
b.txt  c.txt
sftp: ftp-like file transfer carried over ssh
Usage: sftp USERNAME@HOST
Source: http://9124573.blog.51cto.com/9114573/1718021