SSH Login Management

Summary: Author: 张亚飞 | Reading time: 5 minute read | Published: 2014-08-08
Filed under Categories: DevOps | Tags: Linux, Server, Software, DevOps

Passwordless SSH login to Ubuntu 14.04 from PuTTY

  • Note: reference permissions for a standard .ssh directory on the server
Sat Jun 16 22:44:00 coam@m.us.0:~/.ssh$ ll
total 28
drwx------  2 coam coam 4096 Jun 11 17:04 ./
drwxr-xr-x 34 coam coam 4096 May  8 15:30 ../
-rw-------  1 coam coam 1595 Apr 14 20:50 authorized_keys
-rw-------  1 coam coam   57 Feb  8 23:19 config
-rw-------  1 coam coam 1675 Jan  7 10:52 id_rsa
-rw-r--r--  1 coam coam  391 Jan  7 10:52 id_rsa.pub
-rw-r--r--  1 coam coam  888 Feb  8 23:19 known_hosts

  • 1. Generate the public/private key pair
47.90.15.40$ ssh-keygen -t rsa

ssh-keygen -t rsa -C "zyf@lonal.com" -b 4096
ssh-keygen -t rsa -b 4096

  • The following command appends the current host's id_rsa.pub to coam@43.241.222.110:.ssh/authorized_keys on the remote host
47.90.15.40$ ssh-copy-id coam@43.241.222.110 -p222  ### copy the public key to the remote machine with *ssh-copy-id*
47.90.15.40$ ssh coam@43.241.222.110 -p222  ### test that login no longer asks for a password

Afterwards the two files id_rsa and id_rsa.pub exist in the .ssh directory under the current user's home directory.

Important:

id_rsa is the private key; it must be placed, unchanged, in the .ssh directory on the machine you log in from. id_rsa.pub is the public key; it must be appended to the .ssh/authorized_keys list of the target host you want to log in to. Only then can the originating machine log in over SSH without a password.

  • Several hosts can share one id_rsa/id_rsa.pub pair: on this machine, cat your own public key id_rsa.pub into your own .ssh/authorized_keys, then copy the private key id_rsa into the .ssh/ directory of the host that needs to log in here. The mechanism is the same, but this is not recommended.

  • The same approach works when logging in to an Ubuntu server from a local Windows 10 host: generate id_rsa and id_rsa.pub on the server, download the private key to the Win10 host and cat id_rsa.pub into .ssh/authorized_keys on Ubuntu. Note, however, that Win10 cannot use the downloaded id_rsa as-is; it has to be converted with puttygen.exe into a private key the local PuTTY can use.

  • To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:

$ ssh-keygen -E md5 -lf .ssh/id_rsa.pub
2048 MD5:40:23:c6:be:30:29:d1:81:57:33:f7:59:e1:2e:a3:bc no comment (RSA)
$ cat id_rsa.pub.git >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
  • 5. Edit the SSHD configuration file /etc/ssh/sshd_config
#AuthorizedKeysFile %h/.ssh/authorized_keys

Find this line and remove the leading comment mark, then restart the SSH service.

$ sudo /etc/init.d/ssh restart

SSH troubleshooting

  • Connection refused by the remote host

Connecting from the 47.90.15.40 machine to 43.241.222.110 produced the following error:

Mon May 09 21:43:49 coam@coam:~$ ssh -p 22 coam@43.241.222.110
ssh: connect to host 43.241.222.110 port 22: Connection refused

Logging in over ssh from other terminals works.

The firewall on 43.241.222.110 looks like this:

coam@coamn:/var/log$ sudo iptables -L -n --line-numbers  // --line-numbers shows the rule numbers, which makes deleting rules easier
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
**2    DROP       all  --  47.90.15.40         anywhere**

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  185.40.4.41          0.0.0.0/0            reject-with icmp-port-unreachable
2    REJECT     all  --  47.90.15.40         0.0.0.0/0            reject-with icmp-port-unreachable
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

It looks like fail2ban has blocked access from 47.90.15.40.

# // sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -D INPUT 2  // delete rule number 2 in the INPUT chain
coam@coamn:/var/log$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  185.40.4.41          0.0.0.0/0            reject-with icmp-port-unreachable
**2    REJECT     all  --  47.90.15.40         0.0.0.0/0            reject-with icmp-port-unreachable**
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
coam@coamn:/var/log$ sudo iptables -D fail2ban-ssh 2  // delete rule number 2 in the fail2ban-ssh chain
coam@coamn:/var/log$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  hosted-by.hostgrad.ru  anywhere             reject-with icmp-port-unreachable
2    RETURN     all  --  anywhere             anywhere

Now the host 47.90.15.40 can log in to this host (43.241.222.110) again.


The public key was written to a new server (Ubuntu 16.04, 103.37.147.250), but ssh coam@103.37.147.250 still prompted for a password.

Puzzled, I looked at /var/log/auth.log; logging in over ssh again produced the following error:

sudo tail -f /var/log/auth.log
[preauth]
Jul  6 20:19:07 coamer sshd[1914]: Authentication refused: bad ownership or modes for directory /data/home/coam

Changing the permissions of /data/home/coam from 777 to 755 solved the problem.

  • For reference, the .ssh permission layout on the client and server hosts

Source client [47.90.15.40]

Wed Nov 16 19:30:52 coam@coam:/data/home$ ls -al
drwxrwxrwx  4 root   root   4096 Jul  6 09:10 .
drwxrwxrwx  3 root   root   4096 Jul  5 16:14 ..
drwxrwxrwx 28 coam coam 4096 Nov 16 16:44 coam

Wed Nov 16 19:29:55 coam@coam:~$ ls -al
drwxrwxrwx  28 coam coam      4096 Nov 16 16:44 .
drwxrwxrwx   4 root   root        4096 Jul  6 09:10 ..
drwxr-xr-x   2 coam coam      4096 Nov 16 15:14 .ssh

Wed Nov 16 19:34:50 coam@coam:~/.ssh$ ls -al
drwxr-xr-x  2 coam coam 4096 Nov 16 15:14 .
drwxrwxrwx 28 coam coam 4096 Nov 16 16:44 ..
-rwxr-xr-x  1 coam coam 1592 Nov 16 15:14 authorized_keys
-r--------  1 coam coam 1675 Jul  6 10:37 id_rsa
-rwxr-xr-x  1 coam coam  393 Jul  6 10:37 id_rsa.pub
-rwxr-xr-x  1 coam coam 1110 Nov 15 14:33 known_hosts

Permissions on the target server host [103.37.147.250]

Wed Nov 16 19:32:46 coam@coamer:/data/home$ ls -al
drwxr-xr-x  4 root   root   4096 Jul  5 19:19 .
drwxr-xr-x  4 root   root   4096 Jul  5 17:32 ..
drwxr-xr-x 25 coam coam 4096 Nov 16 16:43 coam

Wed Nov 16 19:33:46 coam@coamer:~$ ls -al
drwxr-xr-x 25 coam coam      4096 Nov 16 16:43 .
drwxr-xr-x  4 root   root        4096 Jul  5 19:19 ..
drwxr-xr-x  2 coam coam      4096 Aug  4 17:22 .ssh

Wed Nov 16 19:35:14 coam@coamer:~/.ssh$ ls -al
drwxr-xr-x  2 coam coam 4096 Aug  4 17:22 .
drwxr-xr-x 25 coam coam 4096 Nov 16 16:43 ..
-rwxr-xr-x  1 coam coam 2773 Sep 26 14:49 authorized_keys
-rwxr-xr-x  1 coam coam 1679 Jul  6 10:37 id_rsa
-rwxr-xr-x  1 coam coam  395 Jul  6 10:37 id_rsa.pub
-rwxr-xr-x  1 coam coam  888 Nov 16 10:59 known_hosts
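The rules behind the "bad ownership or modes" failure above (the 777 to 755 fix) and the private-key modes in the reference listings, written out as a small POSIX sh checker. This is an added example, not code from the original post; the function names (ssh_perm_check and its helpers) and the option names are assumptions, and ownership is not checked, only modes.

```shell
#!/bin/sh
# Added helper (hypothetical names, not from the original post): check the modes
# that sshd (StrictModes yes) and the ssh client insist on, and optionally fix them.
# Usage: ssh_perm_check HOME_DIR [fix]

# First ten characters of "ls -ld", e.g. "drwxr-xr-x"; works with GNU and BSD ls.
mode_str() { ls -ld "$1" | cut -c1-10; }

# True when group (column 6) or other (column 9) has write permission.
is_go_writable() {
    case "$(mode_str "$1")" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# True when group or other has any permission at all (columns 5-10 not all '-').
is_go_accessible() {
    case "$(mode_str "$1")" in
        ????------) return 1 ;;
    esac
    return 0
}

ssh_perm_check() {
    home="$1"; action="${2:-check}"; sshdir="$home/.ssh"; rc=0
    if [ "$action" = fix ]; then
        chmod go-w "$home"                      # the 777 -> 755 change from the post
        [ -d "$sshdir" ] && chmod 700 "$sshdir"
        [ -f "$sshdir/authorized_keys" ] && chmod 600 "$sshdir/authorized_keys"
        for k in "$sshdir"/id_*; do
            case "$k" in *.pub) continue ;; esac
            [ -f "$k" ] && chmod 600 "$k"
        done
    fi
    # sshd refuses the key with "bad ownership or modes for directory ..." when
    # the home directory, .ssh or authorized_keys is group- or world-writable.
    for p in "$home" "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || continue
        if is_go_writable "$p"; then
            echo "bad modes: $p $(mode_str "$p")" >&2; rc=1
        fi
    done
    # The ssh client ignores a private key that other users can read ("too open").
    for k in "$sshdir"/id_*; do
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if is_go_accessible "$k"; then
            echo "private key too open: $k $(mode_str "$k")" >&2; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: "sh ssh_perms.sh --self" checks and tightens your own $HOME.
if [ "${1:-}" = "--self" ]; then
    ssh_perm_check "$HOME" fix
fi
```

Run it as `ssh_perm_check /data/home/coam` on the server to reproduce sshd's verdict before touching anything, and with `fix` to apply the conventional 755/700/600 modes. The 755 entries in the listings above pass because the check only rejects group or world write, which is exactly what sshd's StrictModes rejects.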

  • After reinstalling the system on 43.241.222.110, logging in again from the local machine gave the following error:
 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

This message appears because, on the first SSH connection, a host identification is generated and stored in known_hosts on the client (the machine you operate, the one that connects to other computers over SSH). If the server has been reinstalled, its host identification naturally changes too, and when the server side and the client side no longer match, the error pops up. So just delete the stored identification on the client and let it be regenerated on the next connection, and everything is fine again. Deleting it is simple: run one command on the client.

So run the following command and then log in again with ssh:

ssh-keygen -R 43.241.222.110

# Host 43.241.222.110 found: line 3 type ECDSA
/data/home/coam/.ssh/known_hosts updated.
Original contents retained as /data/home/coam/.ssh/known_hosts.old
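What ssh-keygen -R does to known_hosts, reproduced as a POSIX sh helper that only removes the stale entry once the fingerprint shown in the warning has been compared with the one read from the rebuilt server's console (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub there). This is an added example, not code from the original post; the function names, the constructed known_hosts lines and the FAKEKEY values are assumptions, and hashed (|1|...) entries are left untouched rather than parsed.

```shell
#!/bin/sh
# Added helper (hypothetical names, not from the original post): rotate a server's
# known_hosts entry only after its new fingerprint has been confirmed out of band.

# awk program shared by the helpers. With mode=drop it prints every line that does
# NOT name host h (what ssh-keygen -R keeps); with mode=list, only the lines that DO.
KH_AWK='
    function names_host(field,   n, i, name, parts) {
        n = split(field, parts, ",")
        for (i = 1; i <= n; i++) {
            name = parts[i]
            sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # "[host]:port" -> host
            if (name == h) return 1
        }
        return 0
    }
    /^#/ || substr($0, 1, 3) == "|1|" || NF < 3 { if (mode == "drop") print; next }
    {
        hit = names_host($1)
        if ((mode == "drop" && !hit) || (mode == "list" && hit)) print
    }
'

# known_hosts_list HOST FILE   -> prints the unhashed entries naming HOST
known_hosts_list() { awk -v h="$1" -v mode=list "$KH_AWK" "$2"; }

# known_hosts_forget HOST FILE -> removes them, keeping FILE.old like ssh-keygen -R
known_hosts_forget() {
    cp "$2" "$2.old" && awk -v h="$1" -v mode=drop "$KH_AWK" "$2.old" > "$2"
}

# rotate_host_key HOST FILE EXPECTED_FP OBSERVED_FP
# EXPECTED_FP is the fingerprint read on the server console after the rebuild;
# OBSERVED_FP is the one printed in the client's warning. The stale entry is
# removed only when they agree; otherwise the file is left alone and 1 is returned.
rotate_host_key() {
    if [ "$3" != "$4" ]; then
        echo "fingerprint mismatch for $1: refusing to update $2" >&2
        return 1
    fi
    known_hosts_forget "$1" "$2"
}

# write_sample_known_hosts FILE: constructed entries (keys are placeholders).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed known_hosts
45.32.80.56 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1
43.241.222.110,coam-server ecdsa-sha2-nistp256 AAAAE2VjZHNhFAKEKEY2
[43.241.222.110]:222 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY3
EOF
}

# Stand-alone demo: a mismatch is refused, a match removes both 43.241.222.110 entries.
f="$(mktemp)"; write_sample_known_hosts "$f"
rotate_host_key 43.241.222.110 "$f" SHA256:consoleFP SHA256:warningFP || echo "left $f untouched"
rotate_host_key 43.241.222.110 "$f" SHA256:consoleFP SHA256:consoleFP && echo "remaining entries:" && cat "$f"
rm -f "$f" "$f.old"
```

The point of the extra argument is that ssh-keygen -R alone will happily discard the record of a server that has been replaced by something other than your rebuilt one; comparing the console fingerprint first is what makes the reset safe.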

Changing the SSH port and disabling root login

Linux is already quite secure on its own, but if your password is not complex enough, say lowercase letters plus digits and fewer than 12 characters, and SSH is still on its default port, a determined attacker can brute-force your password in under half an hour. So the best approach is to change the SSH port.

  1. Edit the file /etc/ssh/sshd_config
Port 222 # on line 3 or 4; if the line starts with #, remove it; any value below 65534 will do

You can edit the file with vi over the remote connection, or download it with sftp and edit it locally. After editing, restart the ssh service with the following command:

/etc/init.d/sshd restart #CentOS: restart the ssh service
/etc/init.d/ssh restart #Debian/Ubuntu: restart the ssh service
  2. A more secure setup: disable root login, log in with a regular account and then switch to root (with this method you cannot upload files via SFTP)
useradd vpsmm #create a regular account
passwd vpsmm #set its password; you must type exactly the same password twice, watch the prompts
vi /etc/ssh/sshd_config #the same file as before
PermitRootLogin no #change yes to no, save and exit, then restart the SSH service (restart commands above)

Remember: if you have not created the regular account, or set its password incorrectly, and you then disable root login, your only options are to reboot the system or roll back to a snapshot, because you will no longer be able to log in.

If you do not need an extremely secure environment and you still need SFTP to manage files, changing the port alone is enough.
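A check worth running before the restart in the two steps above: sshd uses the first occurrence of a keyword, and anything below a "Match" line applies only to matching connections, so a "PermitRootLogin no" appended at the bottom of sshd_config can leave an earlier "yes" in force. The helper below reads the effective global value the way sshd does and reports whether Port and PermitRootLogin are set as the post intends. This is an added example, not code from the original post; the function names and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added helper (hypothetical names, not from the original post): print the value
# sshd will actually use for a keyword, honouring first-occurrence-wins and the
# end of the global section at the first "Match" line.

# sshd_effective KEYWORD FILE  -> prints the effective global value, or nothing
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            sub(/^[ \t]+/, "", line)             # drop leading whitespace
            if (line == "") next
            split(line, f, /[ \t=]+/)            # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit               # end of the global section
            if (k == key) { print f[2]; exit }   # first occurrence wins
        }' "$2"
}

# sshd_hardening_check FILE -> 0 when Port is not 22 and PermitRootLogin is an
# explicit "no" (the two settings the post changes); 1 otherwise, with reasons.
sshd_hardening_check() {
    port="$(sshd_effective Port "$1")"
    root="$(sshd_effective PermitRootLogin "$1")"
    rc=0
    if [ "${port:-22}" = 22 ]; then
        echo "Port is still 22 (the default)" >&2; rc=1
    fi
    if [ "$root" != no ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'" >&2; rc=1
    fi
    return $rc
}

# write_sample_config FILE: a constructed sshd_config showing both pitfalls.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 222
PermitRootLogin yes
PermitRootLogin no          # too late: the first occurrence above wins
Match User coam
    PermitRootLogin no      # only applies inside the Match block
EOF
}

# Stand-alone demo on the constructed file.
tmp="$(mktemp)"; write_sample_config "$tmp"
echo "Port: $(sshd_effective Port "$tmp")  PermitRootLogin: $(sshd_effective PermitRootLogin "$tmp")"
sshd_hardening_check "$tmp" || echo "sshd_config is not hardened yet"
rm -f "$tmp"
```

Run `sshd_hardening_check /etc/ssh/sshd_config` after editing and before restarting; `sshd -t` additionally validates the syntax, and keeping the existing session open until a second login succeeds avoids the lock-out described above.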


SSH: source IP banned

One day lsyncd on server [47.90.15.40] suddenly stopped syncing to [103.37.147.250], and trying to log in manually over ssh from [47.90.15.40] to [103.37.147.250] also failed:

ssh -p22312 coam@103.37.147.250
ssh_exchange_identification: read: Connection reset by peer
  • Add the -v option to print debug output
ssh -v -p22312 coam@103.37.147.250
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 10.1.101.35 [10.1.101.35] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: read: Connection reset by peer

But [47.90.15.40] can log in to [45.32.80.56], and from [45.32.80.56] it is also possible to log in to [103.37.147.250]. After looking into it in detail, I guessed that the IP [47.90.15.40] had been banned by the [103.37.147.250] server.

  • Check on [103.37.147.250]
sudo iptables -L  # show the IP filter table
[sudo] password for coam:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  47.90.15.40         anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

sudo iptables -F  # flush all filter rules

Restarting sshd still had no effect, so check the ssh access-control files [/etc/hosts.allow] and [/etc/hosts.deny] for the restricted IP:

sudo vi /etc/hosts.deny

# DenyHosts: Tue Jul  5 17:15:52 2016 | sshd: 111.74.150.206
sshd: 111.74.150.206
# DenyHosts: Tue Jul  5 17:15:52 2016 | sshd: 222.186.3.172
sshd: 222.186.3.172
# DenyHosts: Tue Jul  5 18:19:44 2016 | sshd: 91.224.160.131
sshd: 91.224.160.131
# DenyHosts: Wed Jul  6 00:55:49 2016 | sshd: 91.224.161.103
sshd: 91.224.161.103
# DenyHosts: Wed Jul  6 01:26:20 2016 | sshd: 103.207.36.165
sshd: 103.207.36.165
# DenyHosts: Wed Jul  6 04:07:26 2016 | sshd: 91.224.160.108
sshd: 91.224.160.108
# DenyHosts: Wed Jul  6 13:11:37 2016 | sshd: 91.224.160.184
sshd: 91.224.160.184
# DenyHosts: Wed Jul  6 15:41:41 2016 | sshd: 222.186.21.205
sshd: 222.186.21.205
# DenyHosts: Sat Jul  9 11:18:05 2016 | sshd: 47.90.15.40
sshd: 47.90.15.40

Sure enough, [47.90.15.40] had been added to the deny list, probably because [47.90.15.40] makes frequent lsyncd ssh connections and got banned by fail2ban. So remove that entry here and restart with [sudo service sshd restart]; after that, logging in from server [47.90.15.40] works.

sudo iptables -L
sudo iptables -F
  • In the end it turned out that /etc/init.d/denyhosts reads /var/log/auth.log and kept re-adding 47.90.15.40 to the filter list. Deleting /var/log/auth.log and restarting denyhosts solved the problem.
vi /etc/hosts.deny
sudo iptables -L
sudo iptables -F
rm /var/log/auth.log
/etc/init.d/denyhosts restart
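The reason deleting auth.log was needed is that DenyHosts re-derives its bans from the failures still recorded there. The example below does the same kind of per-source tally over sshd log lines, so a legitimate client that is about to cross the threshold (the lsyncd host in this post) can be spotted and put on the allow list before the ban fires. This is an added example, not code from the original post or from DenyHosts or fail2ban; the function names and the constructed log lines are assumptions, and 203.0.113.9 is a documentation address standing in for a scanner.

```shell
#!/bin/sh
# Added example (hypothetical names, not from the original post): count sshd
# authentication failures per source IP, the way ban tools do over /var/log/auth.log.

# failed_logins_by_ip FILE THRESHOLD -> "COUNT IP" per source at or over THRESHOLD
failed_logins_by_ip() {
    awk -v thr="$2" '
        # sshd lines of the forms
        #   ... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2
        #   ... sshd[PID]: Invalid user NAME from IP
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# ban_candidates FILE THRESHOLD ALLOWLIST -> IPs that would be banned, minus those
# listed one per line in ALLOWLIST (the allowed-hosts format)
ban_candidates() {
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        grep -qxF "$ip" "$3" 2>/dev/null || echo "$ip"
    done
}

# write_sample_auth_log FILE: constructed lines; 47.90.15.40 is the post's lsyncd client.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jul  9 11:17:40 coamer sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Jul  9 11:17:42 coamer sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Jul  9 11:17:45 coamer sshd[2203]: Invalid user test from 203.0.113.9
Jul  9 11:17:50 coamer sshd[2207]: Failed password for coam from 47.90.15.40 port 40011 ssh2
Jul  9 11:17:51 coamer sshd[2207]: Failed password for coam from 47.90.15.40 port 40011 ssh2
Jul  9 11:17:52 coamer sshd[2207]: Failed password for coam from 47.90.15.40 port 40011 ssh2
Jul  9 11:17:55 coamer sshd[2210]: Accepted publickey for coam from 45.32.80.56 port 51000 ssh2
EOF
}

# Stand-alone demo: threshold 3, with the lsyncd client on the allow list.
log="$(mktemp)"; allow="$(mktemp)"
write_sample_auth_log "$log"; echo 47.90.15.40 > "$allow"
echo "sources at or over the threshold:"; failed_logins_by_ip "$log" 3
echo "would be banned:"; ban_candidates "$log" 3 "$allow"
rm -f "$log" "$allow"
```

Against the real log, `failed_logins_by_ip /var/log/auth.log 3` shows whether the lsyncd client is failing authentication at all (which is what gets it listed) and `ban_candidates` with /var/lib/denyhosts/allowed-hosts confirms the allow-list entry takes effect. Both IPs reach the threshold in the sample, but only the unlisted scanner is reported.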
  • Add the target IP to the whitelist

The whitelist file is /var/lib/denyhosts/allowed-hosts; if it does not exist, create it. Append the IP to the whitelist with echo:

# echo 'XX.XX.XX.XX' >> /var/lib/denyhosts/allowed-hosts
  • Start the denyhosts service

Last step: don't forget to restart the denyhosts service:

# /etc/init.d/denyhosts start
