SSH Login Management
Summary: Author: 张亚飞 | Read Time: 5 minute read | Published: 2014-08-08
Categories: DevOps
Tags: Linux, Server, Software, DevOps
Passwordless SSH login to Ubuntu 14.04 from PuTTY

- Note: reference permissions for a standard server-side .ssh directory

```
Sat Jun 16 22:44:00 coam@m.us.0:~/.ssh$ ll
total 28
drwx------ 2 coam coam 4096 Jun 11 17:04 ./
drwxr-xr-x 34 coam coam 4096 May 8 15:30 ../
-rw------- 1 coam coam 1595 Apr 14 20:50 authorized_keys
-rw------- 1 coam coam 57 Feb 8 23:19 config
-rw------- 1 coam coam 1675 Jan 7 10:52 id_rsa
-rw-r--r-- 1 coam coam 391 Jan 7 10:52 id_rsa.pub
-rw-r--r-- 1 coam coam 888 Feb 8 23:19 known_hosts
```
- 1. Generate a public/private key pair

```
47.90.15.40$ ssh-keygen -t rsa
```

The same command with a key comment (-C) and a 4096-bit key (-b):

```
ssh-keygen -t rsa -C "zyf@lonal.com" -b 4096
ssh-keygen -t rsa -b 4096
```

- The following command appends the local host's id_rsa.pub to .ssh/authorized_keys on the remote host coam@43.241.222.110:

```
47.90.15.40$ ssh-copy-id -p 222 coam@43.241.222.110   # copy the public key to the remote machine with ssh-copy-id
47.90.15.40$ ssh -p 222 coam@43.241.222.110           # test that no password is required
```

When this is done, two files, id_rsa and id_rsa.pub, exist in the .ssh directory under the current user's home. Important: id_rsa is the private key; it must be placed, unmodified, in the .ssh directory of the machine you log in from. id_rsa.pub is the public key; it must be appended to .ssh/authorized_keys (the list of keys allowed to log in) on the target host. Only then does passwordless ssh login from the source machine work.
- Get the fingerprint of id_rsa

```
ssh-keygen -lf ~/.ssh/id_rsa.pub
```

- To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:

```
$ ssh-keygen -E md5 -lf .ssh/id_rsa.pub
2048 MD5:40:23:c6:be:30:29:d1:81:57:33:f7:59:e1:2e:a3:bc no comment (RSA)
```

- 3. On Linux, append the copied public key (id_rsa.pub.mos.coam) to the .ssh/authorized_keys file

```
$ cat id_rsa.pub.git >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
```

- 5. Edit the SSHD configuration file /etc/ssh/sshd_config: find the line

```
#AuthorizedKeysFile %h/.ssh/authorized_keys
```

remove the leading comment marker, then restart the SSH service:

```
$ sudo /etc/init.d/ssh restart
```
ssh troubleshooting

- Remote host refuses the connection

Connecting from 47.90.15.40 to 43.241.222.110 gives the following error:

```
Mon May 09 21:43:49 coam@coam:~$ ssh -p 22 coam@43.241.222.110
ssh: connect to host 43.241.222.110 port 22: Connection refused
```

From other machines, ssh login works. Checking the firewall on 43.241.222.110 (--line-numbers prints the rule numbers, which makes deleting a rule easier):

```
coam@coamn:/var/log$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2 DROP all -- 47.90.15.40 anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 REJECT all -- 185.40.4.41 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 47.90.15.40 0.0.0.0/0 reject-with icmp-port-unreachable
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0
```

Rule 2 in INPUT (DROP for 47.90.15.40) and rule 2 in fail2ban-ssh (REJECT for 47.90.15.40) show that fail2ban has apparently blocked access from 47.90.15.40. Delete the INPUT rule first:

```
# sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -D INPUT 2   # delete rule number 2 of chain INPUT
```

```
coam@coamn:/var/log$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 REJECT all -- 185.40.4.41 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 47.90.15.40 0.0.0.0/0 reject-with icmp-port-unreachable
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0
```

Then delete rule 2 of the fail2ban-ssh chain as well:

```
coam@coamn:/var/log$ sudo iptables -D fail2ban-ssh 2   # delete rule number 2 of chain fail2ban-ssh
coam@coamn:/var/log$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 REJECT all -- hosted-by.hostgrad.ru anywhere reject-with icmp-port-unreachable
2 RETURN all -- anywhere anywhere
```

After that, this host (43.241.222.110) can be reached from 47.90.15.40 again.
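The manual procedure above (list with --line-numbers, find the rule, delete it by number) is easy to get wrong when an address appears in several chains or several times in one chain, because deleting rule 2 renumbers rule 3. The following script is an added example, not part of the original post: it parses saved `iptables -L -n --line-numbers` output for a given source address and prints the `iptables -D` commands in a safe order. The listing embedded in `sample_listing` is constructed from the output shown above (with `-n`, so destinations read `0.0.0.0/0` rather than `anywhere`); the function names are my own.

```shell
#!/bin/bash
# Locate every DROP/REJECT rule whose source matches an address in saved
# `iptables -L -n --line-numbers` output and print the matching `iptables -D`
# commands. Use -n so addresses are not resolved to names ("anywhere",
# "hosted-by..."), otherwise the match fails. Within a chain the commands are
# ordered highest rule number first: deleting rule 2 renumbers rule 3, so
# ascending deletion would remove the wrong rule.

find_blocking_rules() {   # <ip>  (listing on stdin)
    awk -v ip="$1" '
        /^Chain / { chain = $2; next }                    # track the current chain
        $1 == "num" { next }                              # column header line
        $1 ~ /^[0-9]+$/ && NF >= 5 && $5 == ip && ($2 == "DROP" || $2 == "REJECT") {
            if (!(chain in nums)) order[++nchains] = chain  # keep chains in listing order
            nums[chain] = nums[chain] " " $1
            verdict[chain, $1] = $2
        }
        END {
            for (k = 1; k <= nchains; k++) {
                c = order[k]
                n = split(nums[c], a, " ")
                for (i = 2; i <= n; i++) {                # insertion sort, descending
                    v = a[i] + 0
                    for (j = i - 1; j >= 1 && a[j] + 0 < v; j--) a[j + 1] = a[j]
                    a[j + 1] = v
                }
                for (i = 1; i <= n; i++)
                    printf "iptables -D %s %d   # %s %s\n", c, a[i], verdict[c, a[i]], ip
            }
        }'
}

# Constructed sample, modelled on the listing in the post (not live output).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target       prot opt source         destination
1    fail2ban-ssh tcp  --  0.0.0.0/0      0.0.0.0/0      multiport dports 22
2    DROP         all  --  47.90.15.40    0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target       prot opt source         destination

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source         destination

Chain fail2ban-ssh (1 references)
num  target       prot opt source         destination
1    REJECT       all  --  185.40.4.41    0.0.0.0/0      reject-with icmp-port-unreachable
2    REJECT       all  --  47.90.15.40    0.0.0.0/0      reject-with icmp-port-unreachable
3    RETURN       all  --  0.0.0.0/0      0.0.0.0/0
EOF
}

# On a live host:  sudo iptables -L -n --line-numbers | find_blocking_rules 47.90.15.40
if [ "${1:-}" = "--demo" ]; then
    sample_listing | find_blocking_rules 47.90.15.40
fi
```

Review the printed commands before running them. Note that deleting a rule from the fail2ban-ssh chain only clears the current ban; fail2ban re-adds it on the next trigger, so the durable fix is `fail2ban-client set <jail> unbanip <ip>` plus adding the trusted address to `ignoreip` in the jail configuration.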
The key was installed on the new server (Ubuntu 16.04, 103.37.147.250), but `ssh coam@103.37.147.250` still asked for a password. Puzzled, I looked at /var/log/auth.log; the next ssh login attempt produced this error:

```
sudo tail -f /var/log/auth.log
[preauth]
Jul 6 20:19:07 coamer sshd[1914]: Authentication refused: bad ownership or modes for directory /data/home/coam
```

Changing the permissions of /data/home/coam from 777 to 755 fixed the problem.

- For reference, the .ssh permission layout on the client and the server

Source client [47.90.15.40]:

```
Wed Nov 16 19:30:52 coam@coam:/data/home$ ls -al
drwxrwxrwx 4 root root 4096 Jul 6 09:10 .
drwxrwxrwx 3 root root 4096 Jul 5 16:14 ..
drwxrwxrwx 28 coam coam 4096 Nov 16 16:44 coam
Wed Nov 16 19:29:55 coam@coam:~$ ls -al
drwxrwxrwx 28 coam coam 4096 Nov 16 16:44 .
drwxrwxrwx 4 root root 4096 Jul 6 09:10 ..
drwxr-xr-x 2 coam coam 4096 Nov 16 15:14 .ssh
Wed Nov 16 19:34:50 coam@coam:~/.ssh$ ls -al
drwxr-xr-x 2 coam coam 4096 Nov 16 15:14 .
drwxrwxrwx 28 coam coam 4096 Nov 16 16:44 ..
-rwxr-xr-x 1 coam coam 1592 Nov 16 15:14 authorized_keys
-r-------- 1 coam coam 1675 Jul 6 10:37 id_rsa
-rwxr-xr-x 1 coam coam 393 Jul 6 10:37 id_rsa.pub
-rwxr-xr-x 1 coam coam 1110 Nov 15 14:33 known_hosts
```

Target server [103.37.147.250]:

```
Wed Nov 16 19:32:46 coam@coamer:/data/home$ ls -al
drwxr-xr-x 4 root root 4096 Jul 5 19:19 .
drwxr-xr-x 4 root root 4096 Jul 5 17:32 ..
drwxr-xr-x 25 coam coam 4096 Nov 16 16:43 coam
Wed Nov 16 19:33:46 coam@coamer:~$ ls -al
drwxr-xr-x 25 coam coam 4096 Nov 16 16:43 .
drwxr-xr-x 4 root root 4096 Jul 5 19:19 ..
drwxr-xr-x 2 coam coam 4096 Aug 4 17:22 .ssh
Wed Nov 16 19:35:14 coam@coamer:~/.ssh$ ls -al
drwxr-xr-x 2 coam coam 4096 Aug 4 17:22 .
drwxr-xr-x 25 coam coam 4096 Nov 16 16:43 ..
-rwxr-xr-x 1 coam coam 2773 Sep 26 14:49 authorized_keys
-rwxr-xr-x 1 coam coam 1679 Jul 6 10:37 id_rsa
-rwxr-xr-x 1 coam coam 395 Jul 6 10:37 id_rsa.pub
-rwxr-xr-x 1 coam coam 888 Nov 16 10:59 known_hosts
```
- After reinstalling 43.241.222.110 and logging in again from the local machine, this error appeared:

```
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
```

This message appears because, on the first SSH connection, a host identity is recorded and stored in known_hosts on the client (the machine you operate and connect from). If the server has been reinstalled, its identity naturally changes, and when the server's identity no longer matches what the client has stored, the error is raised. So just delete the stored identity on the client and let it be recorded again on the next connection. Deleting it is simple: run one command on the client.

So run the following, then log in again with ssh:

```
ssh-keygen -R 43.241.222.110
# Host 43.241.222.110 found: line 3 type ECDSA
/data/home/coam/.ssh/known_hosts updated.
Original contents retained as /data/home/coam/.ssh/known_hosts.old
```
Change the SSH port and disable root login

Linux itself is already fairly secure, but if your password is not complex enough (say, under 12 characters of lowercase letters and digits) and SSH still listens on the default port, a determined attacker can brute-force the password in well under half an hour. So the best remedy is to change the SSH port.

- Edit the file /etc/ssh/sshd_config

```
Port 222   # on the third or fourth line; remove the leading # if present; any value below 65534 works
```

Edit it with vi over the remote connection, or download it with sftp, edit it locally and upload it again. Afterwards restart the ssh service with:

```
/etc/init.d/sshd restart   # CentOS: restart the ssh service
/etc/init.d/ssh restart    # Debian/Ubuntu: restart the ssh service
```

- A safer setup: disable root login, log in with an unprivileged account and switch to root from there (with this method you cannot upload files over SFTP)

```
useradd vpsmm              # create the unprivileged account
passwd vpsmm               # set its password; enter it twice, identically, and watch the prompts
vi /etc/ssh/sshd_config    # the file to edit is still this one
PermitRootLogin no         # change yes to no, save, quit, and restart the SSH service (commands above)
```

Remember: if you have not created the unprivileged account, or set its password incorrectly, and you disable root, you will never be able to log in again; your only way back is to reboot or roll back a snapshot.

If you do not strictly need a hardened environment and still need SFTP to manage files, changing the port is enough.
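The two edits above (Port, PermitRootLogin) are usually made by hand, and the post's own warning is the failure mode: disabling root with no working fallback account locks you out. The script below is an added example, not from the post: it applies the two settings idempotently (replacing a commented template such as `#Port 22` in place, dropping duplicate live settings, and never writing into a `Match` block, whose options would otherwise only apply conditionally) and refuses to proceed unless the fallback user already exists. The function names are my own; it operates on whatever file path it is given, so it can be tried on a copy of sshd_config first.

```shell
#!/bin/bash
# Set sshd_config options idempotently and refuse to disable root login
# unless the fallback account exists. Works on any file path, so it can be
# exercised on a copy before touching /etc/ssh/sshd_config.

# Print the effective value of <key> in <file>: the first uncommented
# occurrence before any Match block (sshd uses the first value it sees).
get_sshd_option() {   # <file> <key>
    awk -v key="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# Replace the first occurrence of <key> (even a commented-out template line)
# with "<key> <value>", drop later live duplicates, and otherwise insert the
# setting before the first Match block or at the end of the file.
set_sshd_option() {   # <file> <key> <value>
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v val="$value" '
        /^[ \t]*Match[ \t]/ && !in_match {
            if (!done) { print key " " val; done = 1 }   # global section ends here
            in_match = 1
        }
        {
            line = $0; commented = 0
            if (line ~ /^[ \t]*#/) { commented = 1; sub(/^[ \t]*#+[ \t]*/, "", line) }
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (!in_match && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1; next }  # first hit becomes the live setting
                if (!commented) next                             # drop later live duplicates
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original file mode/owner
    rm -f "$tmp"
}

# Apply the post's two changes with the lock-out guard.
harden_sshd_config() {   # <file> <port> <fallback-user>
    file=$1; port=$2; user=$3
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Disabling root login without a working non-root account locks you out.
    if ! id "$user" >/dev/null 2>&1; then
        echo "refusing: fallback user '$user' does not exist; create it first" >&2
        return 1
    fi
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
}

# Syntax-check a config before restarting sshd (needs root to read host keys).
validate_sshd_config() {   # <file>
    "${SSHD:-/usr/sbin/sshd}" -t -f "$1"
}

# Demo on a constructed copy (not the real config).
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'Match User backup' '    PermitRootLogin yes' > "$f"
    harden_sshd_config "$f" 222 "$(id -un)" && cat "$f"
    rm -f "$f"
fi
```

On a real host the order is: create and test the unprivileged account, `cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`, run `harden_sshd_config /etc/ssh/sshd_config 222 vpsmm`, run `validate_sshd_config /etc/ssh/sshd_config`, restart sshd, and confirm a new login on the new port from a second terminal before closing the existing session.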
ssh: IP blocked

One day lsyncd on server [47.90.15.40] suddenly stopped syncing to [103.37.147.250]; logging in to [103.37.147.250] by hand from [47.90.15.40] also failed:

```
ssh -p22312 coam@103.37.147.250
ssh_exchange_identification: read: Connection reset by peer
```

- Add -v to print debug output

```
ssh -v -p22312 coam@103.37.147.250
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 10.1.101.35 [10.1.101.35] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: read: Connection reset by peer
```

However, [47.90.15.40] can log in to [45.32.80.56], and from [45.32.80.56] it can log in to [103.37.147.250]. After closer analysis, my guess was that the IP [47.90.15.40] had been blocked by the [103.37.147.250] server.

- Checking on [103.37.147.250]

```
sudo iptables -L   # show the filter table
[sudo] password for coam:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 47.90.15.40 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
sudo iptables -F   # flush all filter rules
```

Restarting sshd still had no effect, so I checked the ssh access-control files [/etc/hosts.allow] and [/etc/hosts.deny] for restricted IPs:

```
sudo vi /etc/hosts.deny
# DenyHosts: Tue Jul 5 17:15:52 2016 | sshd: 111.74.150.206
sshd: 111.74.150.206
# DenyHosts: Tue Jul 5 17:15:52 2016 | sshd: 222.186.3.172
sshd: 222.186.3.172
# DenyHosts: Tue Jul 5 18:19:44 2016 | sshd: 91.224.160.131
sshd: 91.224.160.131
# DenyHosts: Wed Jul 6 00:55:49 2016 | sshd: 91.224.161.103
sshd: 91.224.161.103
# DenyHosts: Wed Jul 6 01:26:20 2016 | sshd: 103.207.36.165
sshd: 103.207.36.165
# DenyHosts: Wed Jul 6 04:07:26 2016 | sshd: 91.224.160.108
sshd: 91.224.160.108
# DenyHosts: Wed Jul 6 13:11:37 2016 | sshd: 91.224.160.184
sshd: 91.224.160.184
# DenyHosts: Wed Jul 6 15:41:41 2016 | sshd: 222.186.21.205
sshd: 222.186.21.205
# DenyHosts: Sat Jul 9 11:18:05 2016 | sshd: 47.90.15.40
sshd: 47.90.15.40
```

[47.90.15.40] had indeed been added to the deny list, probably because [47.90.15.40] was opening ssh connections very frequently through lsyncd and got banned (by fail2ban, I assumed). After commenting out that entry and restarting with [sudo service sshd restart], logins from server [47.90.15.40] worked again.

```
sudo iptables -L
sudo iptables -F
```

- In the end the cause was /etc/init.d/denyhosts reading /var/log/auth.log and re-adding 47.90.15.40 to the deny list over and over. Deleting /var/log/auth.log and restarting denyhosts solved it:

```
vi /etc/hosts.deny
sudo iptables -L
sudo iptables -F
rm /var/log/auth.log
/etc/init.d/denyhosts restart
```

- Add the target IP to the whitelist

The whitelist file is /var/lib/denyhosts/allowed-hosts; if it does not exist, create it. Append the IP with echo:

```
# echo 'XX.XX.XX.XX' >> /var/lib/denyhosts/allowed-hosts
```

- Start the denyhosts service

Last step, don't forget to restart the denyhosts service:

```
# /etc/init.d/denyhosts start
```
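Deleting /var/log/auth.log, as done above, also throws away the audit trail of every other login attempt on the host. The script below is an added example, not part of the post: it releases one address the way DenyHosts expects (remove its lines from /etc/hosts.deny, purge it from the daemon's own state files under /var/lib/denyhosts so the ban is not re-applied on restart, and add it to allowed-hosts exactly once). The hosts.deny line format is the one shown above; the state-file names (hosts, hosts-restricted, hosts-root, hosts-valid, users-hosts) are DenyHosts' standard working files; GNU `sed -i` is assumed, and the function names are my own. All paths are parameters, so it can be run against copies.

```shell
#!/bin/bash
# Release one address from a DenyHosts ban and whitelist it, instead of
# deleting /var/log/auth.log. Assumes DenyHosts' layout: /etc/hosts.deny
# entries of the form
#   # DenyHosts: <date> | sshd: <ip>
#   sshd: <ip>
# plus its working data under /var/lib/denyhosts (hosts, hosts-restricted,
# hosts-root, hosts-valid, users-hosts) and the allowed-hosts whitelist.
# Paths are parameters so the functions can be run against copies. Uses GNU sed -i.

# Escape the dots in an IPv4 address so it can be used in a regular expression.
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Return 0 when <ip> currently has an sshd entry in <hosts.deny>.
denyhosts_is_banned() {   # <ip> <hosts.deny>
    grep -q "^sshd: $(ip_regex "$1")\$" "$2"
}

# Remove the DenyHosts comment line and the "sshd: <ip>" line for <ip>.
denyhosts_unban() {       # <ip> <hosts.deny>
    re=$(ip_regex "$1")
    sed -i -e "/^# DenyHosts: .* | sshd: $re\$/d" -e "/^sshd: $re\$/d" "$2"
}

# Drop every line that mentions <ip> as a whole token from DenyHosts' state
# files (formats such as "ip:count:timestamp" and "user - ip:count:timestamp");
# otherwise the daemon re-applies the ban when it restarts.
denyhosts_purge_state() { # <ip> <work-dir>
    re=$(ip_regex "$1")
    for f in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
        [ -f "$2/$f" ] && sed -i -E "/(^|[^0-9.])$re([^0-9.]|\$)/d" "$2/$f"
    done
    return 0
}

# Append <ip> to the whitelist exactly once, creating the file if needed.
denyhosts_allow() {       # <ip> <allowed-hosts>
    touch "$2"
    grep -qxF "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# All three steps. Stop DenyHosts before calling this and start it afterwards.
denyhosts_release() {     # <ip> <hosts.deny> <work-dir>
    denyhosts_unban "$1" "$2"
    denyhosts_purge_state "$1" "$3"
    denyhosts_allow "$1" "$3/allowed-hosts"
}

# Demo on constructed copies in a temporary directory (not the real files).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' '# DenyHosts: Sat Jul 9 11:18:05 2016 | sshd: 47.90.15.40' 'sshd: 47.90.15.40' > "$d/hosts.deny"
    printf '%s\n' '47.90.15.40:5:2016-07-09 11:18:05' > "$d/hosts"
    denyhosts_release 47.90.15.40 "$d/hosts.deny" "$d"
    cat "$d/hosts.deny" "$d/hosts" "$d/allowed-hosts"
    rm -rf "$d"
fi
```

On the real host: `/etc/init.d/denyhosts stop`, then `denyhosts_release 47.90.15.40 /etc/hosts.deny /var/lib/denyhosts`, then `/etc/init.d/denyhosts start`. Whitelisting the lsyncd source is what actually stops the loop the post describes; the auth log can stay.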