Linux: Chaochao explains how SSH works and how to use it


Contents

SSH principles

Basic SSH concepts

SSH algorithms

ssh configuration files (passing parameters)

ssh_config vs sshd_config

Using SSH

Connecting from Ubuntu to CentOS

Disabling a remote connection

Have you solved these problems?

Can you still connect remotely after the sshd service is stopped?

How to harden the ssh service?

Exercises

SSH principles

Basic SSH concepts

SSH is short for Secure Shell. It was specified by the IETF's Network Working Group and is a security protocol that runs on top of the application layer.

SSH is a comparatively reliable protocol designed to provide security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote administration.

The running sshd process listens on TCP port 22 and provides the remote login service; what the service offers is remote operation of the server.

SSH was originally a program on UNIX systems and quickly spread to other platforms. When used correctly, SSH closes security gaps in the network.

SSH clients are available for many platforms. Almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX and Irix, as well as other platforms, can run SSH.

Note: the earlier remote-control protocol was telnet; because it travels across the network in plaintext, it is not secure.

SSH algorithms

SSH is built on public-key (asymmetric) cryptography.

[root@chaochao ~]# cd /etc/ssh
[root@chaochao ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
[root@chaochao ssh]# cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAhmtw87NC81AX+e4yFdIBQKuvvHNVVc5VQxv39+dVLFHWr/lZ27+VTfRAySXdgEwhodRrPCOQxZNTxb9RzhD3k=

Public key and private key

When are public and private keys needed?

1. Data encryption

2. Digital signatures

Algorithms (each one is essentially a function):

base64 (an encoding), hash algorithms (md5sum), and the public-key algorithms RSA, ElGamal, knapsack, Rabin, D-H, ECC (elliptic-curve cryptography) and ECDSA

[root@chaochao ssh]# echo 123456 | base64
MTIzNDU2Cg==
[root@chaochao ssh]# echo 123456 | md5sum
f447b20a7fcbf53a5d5be013ea0b15af

ssh configuration files (passing parameters)

[root@chaochao ~]# cd /etc/ssh
[root@chaochao ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub

ssh_config vs sshd_config

ssh_config: the client's configuration

sshd_config: the server's configuration

Using SSH

Command 1: rpm -qa | grep ssh

[root@chaochao ~]# rpm -qa | grep ssh
openssh-clients-8.0p1-5.el8.x86_64
libssh-config-0.9.4-2.el8.noarch
libssh-0.9.4-2.el8.x86_64
openssh-askpass-8.0p1-5.el8.x86_64
openssh-server-8.0p1-5.el8.x86_64
qemu-kvm-block-ssh-4.2.0-34.module_el8.3.0+555+a55c8938.x86_64
openssh-8.0p1-5.el8.x86_64

Command 2 (view the processes): ps aux | grep ssh

[root@chaochao ~]# ps aux | grep sshd    # the trailing d stands for daemon: sshd is the SSH daemon
root      1769  0.0  1.3 163704 10452 ?      Ss   10:21   0:00 sshd: root [priv]
root      1773  0.0  0.6 163704  5568 ?      S    10:21   0:00 sshd: root@pts/0
root      1774  0.0  1.3 163704 10484 ?      Ss   10:21   0:00 sshd: root [priv]
root      1791  0.0  0.6 163704  5576 ?      S    10:21   0:00 sshd: root@notty
root      1802  0.0  0.6  47220  5024 ?      Ss   10:21   0:00 /usr/libexec/openssh/sftp-server
root      1892  0.0  0.1  12324   992 pts/0  S+   10:29   0:00 grep --color=auto ssh

Commands to view the listening port:

(1) ss -anplut | grep ssh

(2) netstat -anplut | grep ssh

(3) lsof -i :22

[root@chaochao ~]# ss -anplut | grep ssh
tcp   LISTEN  0  128  0.0.0.0:22      0.0.0.0:*  users:(('sshd',pid=1022,fd=5))
tcp   LISTEN  0  128  127.0.0.1:6010  0.0.0.0:*  users:(('sshd',pid=1773,fd=15))
tcp   LISTEN  0  128  [::]:22         [::]:*     users:(('sshd',pid=1022,fd=7))
tcp   LISTEN  0  128  [::1]:6010      [::]:*     users:(('sshd',pid=1773,fd=14))

[root@chaochao ~]# netstat -anplut | grep ssh
tcp    0   0  0.0.0.0:22        0.0.0.0:*            LISTEN       1022/sshd
tcp    0   0  127.0.0.1:6010    0.0.0.0:*            LISTEN       1773/sshd: root@pts
tcp    0   0  192.168.2.7:22    192.168.2.6:62500    ESTABLISHED  1774/sshd: root [pr
tcp    0  36  192.168.2.7:22    192.168.2.6:62499    ESTABLISHED  1769/sshd: root [pr
tcp6   0   0  :::22             :::*                 LISTEN       1022/sshd
tcp6   0   0  ::1:6010          :::*                 LISTEN       1773/sshd: root@pts

[root@chaochao ~]# lsof -i :22
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    1022 root  5u  IPv4  31017      0t0  TCP *:ssh (LISTEN)
sshd    1022 root  7u  IPv6  31019      0t0  TCP *:ssh (LISTEN)
sshd    1769 root  5u  IPv4  37144      0t0  TCP chaochao:ssh->192.168.2.6:62499 (ESTABLISHED)
sshd    1773 root  5u  IPv4  37144      0t0  TCP chaochao:ssh->192.168.2.6:62499 (ESTABLISHED)
sshd    1774 root  5u  IPv4  37297      0t0  TCP chaochao:ssh->192.168.2.6:62500 (ESTABLISHED)
sshd    1791 root  5u  IPv4  37297      0t0  TCP chaochao:ssh->192.168.2.6:62500 (ESTABLISHED)

Command: w

Connecting from Ubuntu to CentOS

On the Ubuntu side, the first connection prompts for the host key:

The authenticity of host '192.168.2.7 (192.168.2.7)' can't be established.
ECDSA key fingerprint is SHA256:kdKkg7NGrG4s4W+MUvM2ZSHsdUfXPwQ6arugFv/LV3Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.7' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
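Before answering yes to that prompt, the fingerprint should be checked against the server's own host key. The script below is an added example (not part of the original post): it recomputes the SHA256 fingerprint from the ssh_host_ecdsa_key.pub line shown earlier, the same way the client derives it, and assumes base64, openssl and awk are installed.

```shell
#!/bin/sh
# Added example (not from the original post): compute the SHA256 fingerprint of
# a host public key the way the ssh client prints it, so the value taken from
# /etc/ssh/ssh_host_ecdsa_key.pub on the server can be compared with the prompt
# shown on the Ubuntu client. Assumes base64, openssl and awk are available.

# The key line below is the one printed by `cat ssh_host_ecdsa_key.pub` in the post.
HOST_KEY_LINE='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAhmtw87NC81AX+e4yFdIBQKuvvHNVVc5VQxv39+dVLFHWr/lZ27+VTfRAySXdgEwhodRrPCOQxZNTxb9RzhD3k='

# ssh_fingerprint KEY_LINE
# Prints "SHA256:<base64 digest without padding>" for an OpenSSH public-key line
# of the form "type base64-blob [comment]". OpenSSH hashes the decoded key blob
# with SHA-256, base64-encodes the digest and drops the trailing '=' padding.
ssh_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ -n "$blob" ] || { echo "no key blob found in input" >&2; return 1; }
    digest=$(printf '%s' "$blob" | base64 -d | openssl dgst -sha256 -binary | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$digest"
}

# check_fingerprint KEY_LINE EXPECTED
# Returns 0 when the computed fingerprint equals the one the client displayed,
# 1 otherwise; compare against the prompt instead of typing "yes" on trust.
check_fingerprint() {
    [ "$(ssh_fingerprint "$1")" = "$2" ]
}

ssh_fingerprint "$HOST_KEY_LINE"
```

If the key line really belongs to 192.168.2.7, the printed value must equal the fingerprint the Ubuntu client showed; any mismatch means the client is not talking to the expected host key.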

Check on the CentOS side:

[root@chaochao home]# w
 15:19:49 up  3:05,  4 users,  load average: 0.26, 0.08, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                10:21    4:58m  0.04s  0.04s -bash
root     pts/0    192.168.2.6      10:21    3:43m  0.09s  0.09s -bash
root     pts/1    192.168.2.6      14:32    0.00s  0.05s  0.02s w
sc1      pts/2    192.168.2.6      15:19    3.00s  0.04s  0.04s -bash

Disabling a remote connection

Method 1: edit /etc/shadow and put two "!" characters in front of the user concerned.

[root@chaochao home]# vim /etc/shadow
!!sc1:$6$WU/6hsay8JRFzaO1$CPgtheULosKacnRw/8FWnNdhWu5KMey18mpXFuvECCp2TwTilxrxumFoky2ZJpxKKsR5lEPknwLF8pfCQHVeE1:18844:0:99999:7:::

Method 2

Use the command: kill -9 <PID>

On CentOS:

[root@chaochao ~]# ps aux | grep bash    # find the process ID of the user's shell
root       945  0.0  0.2  26296  2264 ?      S    12:14   0:00 /bin/bash /usr/sbin/ksmtuned
root      3812  0.0  0.6  27736  5348 pts/0  Ss   15:30   0:00 -bash
sc1       3886  0.0  0.7  28524  5820 pts/1  Ss+  15:30   0:00 -bash
root      3980  0.0  0.1  12324   972 pts/0  R+   15:33   0:00 grep --color=auto bash
[root@chaochao ~]# kill -9 3886
[root@chaochao ~]# kill -9 3886
-bash: kill: (3886) - 没有那个进程

Check that the session really was closed:

[sc1@chaochao ~]$ Connection to 192.168.2.7 closed.
lizhichao@chaochao:~$

Have you solved these problems?

Can you still connect remotely after the sshd service is stopped?

After the ssh service is stopped, remote ssh sessions that are already connected keep working.

[root@chaochao ~]# ps aux | grep sshd
root      1769  0.0  1.3 163704 10444 ?      Ss   12:14   0:00 sshd: root [priv]
root      1773  0.0  0.6 163704  5568 ?      S    12:14   0:00 sshd: root@pts/0
root      1774  0.0  1.3 163704 10476 ?      Ss   12:14   0:00 sshd: root [priv]
root      1791  0.0  0.6 163704  5576 ?      S    12:14   0:00 sshd: root@notty
root      3807  0.0  1.2 163704 10376 ?      Ss   15:30   0:00 sshd: root [priv]
root      3811  0.0  0.6 163704  5592 ?      S    15:30   0:00 sshd: root@pts/0
root      3813  0.0  1.3 163704 10584 ?      Ss   15:30   0:00 sshd: root [priv]
root      3829  0.0  0.6 163704  5536 ?      S    15:30   0:00 sshd: root@notty
root      4017  0.0  1.3 163704 10656 ?      Ss   15:36   0:00 sshd: sc1 [priv]
sc1       4043  0.0  0.7 163704  5792 ?      S    15:36   0:00 sshd: sc1@pts/1
[root@chaochao ~]# systemctl stop sshd
[root@chaochao ~]# pstree -p
├─sshd(1769)───sshd(1773)
├─sshd(1774)───sshd(1791)───sftp-server(1802)
├─sshd(3807)───sshd(3811)───bash(3812)───pstree(4160)
├─sshd(3813)───sshd(3829)───sftp-server(3840)
├─sshd(4017)───sshd(4043)───bash(4044)
├─sssd(919)─┬─sssd_be(961)
│           └─sssd_nss(989)

Stopping the service only removes the listening parent sshd (pid 1022 in the ss output above), so no new connections are accepted; the per-session sshd processes and the shells under them are separate processes and stay alive until they are killed or the user logs out.

Command: cat /var/log/secure | grep 'Failed password'

[root@kafka01 home]# cat /var/log/secure | grep 'Failed password'
Aug 13 21:09:38 kafka01 sshd[24916]: Failed password for root from 121.43.177.113 port 56516 ssh2
Aug 13 23:15:55 kafka01 sshd[25040]: Failed password for mysql from 182.254.156.93 port 36918 ssh2
Aug 14 05:08:25 kafka01 sshd[25518]: Failed password for ftp from 182.254.156.93 port 46560 ssh2
Aug 14 15:11:22 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:30 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:35 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
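Grepping the log shows the failures; summarising them per source address is what tells you which hosts are guessing passwords. The script below is an added example (not part of the original post) that does this over the six log lines above plus one constructed success line, and needs only awk and sort.

```shell
#!/bin/sh
# Added example (not from the original post): count "Failed password" events
# in /var/log/secure per source address and flag sources above a threshold.
# On a real host run: suspicious_sources "$(cat /var/log/secure)" 5

# Constructed sample: the six failure lines from the post plus one successful
# key login, to show that only failures are counted.
SAMPLE_LOG='Aug 13 21:09:38 kafka01 sshd[24916]: Failed password for root from 121.43.177.113 port 56516 ssh2
Aug 13 23:15:55 kafka01 sshd[25040]: Failed password for mysql from 182.254.156.93 port 36918 ssh2
Aug 14 05:08:25 kafka01 sshd[25518]: Failed password for ftp from 182.254.156.93 port 46560 ssh2
Aug 14 15:11:22 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:30 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:35 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:20:01 kafka01 sshd[26400]: Accepted publickey for sc1 from 192.168.2.6 port 50122 ssh2'

# failed_logins LOGTEXT
# Prints one "<ip> <user>" line per failure. Handles both the
# "Failed password for root from IP" form and the
# "Failed password for invalid user bob from IP" form sshd logs for unknown users.
failed_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print ip, user
    }'
}

# suspicious_sources LOGTEXT THRESHOLD
# Prints "<count> <ip>" for every source with at least THRESHOLD failures,
# highest count first; these are the addresses to block or rate-limit.
suspicious_sources() {
    failed_logins "$1" | awk -v t="$2" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

suspicious_sources "$SAMPLE_LOG" 2
```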

How to harden the ssh service?

Method 1: forbid root from logging in remotely: in /etc/shadow, put !! in front of root.

Method 2: set a complex password.

Method 3: change the port number.

[root@firewall ssh]# vim /etc/ssh/sshd_config
Port 2299    # change the port sshd listens on to 2299
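Once sshd_config has been edited, it is worth checking what sshd will actually apply: sshd takes the first uncommented occurrence of each keyword, so a commented-out `#Port 22` line changes nothing. The audit below is an added example (not part of the original post) over two constructed configuration fragments, one loose and one that applies the post's changes through the proper sshd_config directives; it needs only awk.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings the hardening section touches, using sshd's rule that the FIRST
# uncommented occurrence of a keyword wins. Needs only awk.

# Constructed fragments, not copied from any host: a loose configuration and a
# hardened one (new port, root login off, key-only authentication, fewer tries).
WEAK_CONF='#Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6'

HARD_CONF='Port 2299
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3'

# effective_value CONFTEXT KEYWORD
# Prints the value sshd would use (keywords are case-insensitive); prints
# nothing when the keyword is unset, meaning the compiled-in default applies.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFTEXT
# Prints one finding per weak setting and nothing when every check passes.
# Upstream OpenSSH defaults assumed when a keyword is unset: Port 22,
# PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6.
audit_sshd() {
    port=$(effective_value "$1" Port)
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    tries=$(effective_value "$1" MaxAuthTries)
    [ "${port:-22}" != 22 ] || echo "Port: sshd listens on the default port 22"
    [ "${root:-prohibit-password}" = no ] || echo "PermitRootLogin: root login is not disabled (${root:-unset})"
    [ "${pw:-yes}" = no ] || echo "PasswordAuthentication: password logins allowed (${pw:-unset})"
    [ "${tries:-6}" -le 3 ] || echo "MaxAuthTries: ${tries:-6} guesses allowed per connection"
}

echo "== loose config =="; audit_sshd "$WEAK_CONF"
echo "== hardened config =="; audit_sshd "$HARD_CONF"
```

After editing the real file, validate it with `sshd -t` before `systemctl restart sshd`, and open the new port in the firewall; on CentOS with SELinux enforcing, a non-default port must also be labelled with `semanage port -a -t ssh_port_t -p tcp 2299` or sshd will fail to bind it.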

Exercises

1. Change the port number (pick your own value).

2. Disable root login, create an ordinary user named sc, and set a password for it.

3. Log in remotely over ssh from another Linux system or from Windows.

4. Inspect the log.

5. Inspect the contents of the known_hosts file.
