UC头条: Linux: Chaochao's thorough walkthrough of how SSH works and how to run it! Worth bookmarking
Writing this takes effort; if you're here, please follow, bookmark and subscribe.
Contents
How SSH works
SSH basic concepts
SSH algorithms
ssh configuration files (passing parameters)
ssh_config vs sshd_config
Using SSH
Connecting from Ubuntu to CentOS
Disabling a user's remote access
Have you worked these out?
After the sshd service is stopped, can you still connect remotely?
How do you harden the ssh service?
Exercises
How SSH works
SSH basic concepts
SSH stands for Secure Shell. It was specified by the IETF's Network Working Group and is a security protocol that runs at the application layer.
SSH is a reliable protocol designed to secure remote login sessions and other network services. Used for remote administration, it prevents the credentials and commands of the session from leaking onto the network.
The running sshd process listens on TCP port 22 and provides the remote login service, that is, operating the server from another machine.
SSH began as a program on UNIX systems and quickly spread to other platforms. Used correctly (in particular, with the server's host key verified by the client), it protects the session against eavesdropping and tampering on an untrusted network.
SSH clients exist for many platforms. Almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH.
Note: the earlier remote-control protocol was telnet. Because it sends everything, passwords included, in cleartext over the network, it is insecure.
SSH algorithms
SSH is built on public-key (pubkey) cryptography, that is, asymmetric encryption. The server's own key pairs are the host keys kept in /etc/ssh; each private key file has a matching .pub file:
[root@chaochao ~]# cd /etc/ssh
[root@chaochao ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
[root@chaochao ssh]# cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAhmtw87NC81AX+e4yFdIBQKuvvHNVVc5VQxv39+dVLFHWr/lZ27+VTfRAySXdgEwhodRrPCOQxZNTxb9RzhD3k=
Public key and private key
When are public and private keys needed?
1. Data encryption
2. Digital signatures
Algorithms (each is essentially a function). The original list is: base64, hash algorithms (md5sum), RSA, ElGamal, knapsack, Rabin, D-H, ECC (elliptic-curve cryptography), ECDSA.
Correction: not everything in that list is encryption. base64 is a reversible encoding with no key and no secrecy; MD5 is a one-way hash (and a broken one, not to be relied on where collision resistance matters); D-H is a key-agreement protocol; ECDSA is a signature scheme. SSH uses each kind in its own place: D-H or ECDH to agree on session keys, a host-key signature (RSA, ECDSA or Ed25519) to authenticate the server, a symmetric cipher for the session traffic, and hashes inside the MACs and the key fingerprints.
[root@chaochao ssh]# echo 123456 | base64
MTIzNDU2Cg==
[root@chaochao ssh]# echo 123456 | md5sum
f447b20a7fcbf53a5d5be013ea0b15af
Both results include the trailing newline that echo appends (the "Cg==" at the end of the base64 output is that newline); use echo -n if you want to encode or hash only the characters typed.
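As an added example (editor's code, not part of the original post), the following Python parses the ECDSA host public key printed above and computes its SHA256 fingerprint in the form the ssh client shows on first connection and `ssh-keygen -lf` shows on the server. It uses only the standard library; the wire format (length-prefixed strings per RFC 4251, ECDSA layout per RFC 5656) is what OpenSSH writes into .pub files. The ssh-rsa and ssh-ed25519 branches generalise beyond the page's single ECDSA key.

```python
import base64
import hashlib
import struct

# Host public key copied from the page's /etc/ssh/ssh_host_ecdsa_key.pub listing.
HOST_KEY_LINE = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAhmtw87NC81AX+e4yFdIBQKuvvHNVVc5VQxv39+dVLFHWr/lZ27+VTfRAySXdgEwhodRrPCOQxZNTxb9RzhD3k="


def read_string(blob, offset):
    """Read one SSH wire-format string (RFC 4251): uint32 big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[offset:offset + length], offset + length


def ssh_fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf and the first-connection prompt print it:
    base64 of the raw digest with the trailing '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_ssh_public_key(line):
    """Parse one '<type> <base64> [comment]' line (as in *.pub, authorized_keys, known_hosts).

    Returns a dict with 'type', 'fingerprint' and the type-specific fields:
    'curve' and 'point' for ECDSA, 'e' and 'n' for RSA, 'key' for Ed25519.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)

    # The first string inside the blob repeats the type written outside it;
    # a mismatch means the line was edited or spliced together.
    inner_type, off = read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type mismatch: {key_type} outside, {inner_type!r} inside")

    result = {"type": key_type, "fingerprint": ssh_fingerprint(blob)}
    if key_type.startswith("ecdsa-sha2-"):            # RFC 5656: string curve, string Q
        curve, off = read_string(blob, off)
        point, off = read_string(blob, off)
        if point[:1] != b"\x04":                       # uncompressed SEC 1 point
            raise ValueError("expected an uncompressed EC point")
        result.update(curve=curve.decode(), point=point)
    elif key_type == "ssh-rsa":                        # RFC 4253: mpint e, mpint n
        e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        result.update(e=int.from_bytes(e, "big"), n=int.from_bytes(n, "big"))
    elif key_type == "ssh-ed25519":                    # RFC 8709: string key (32 bytes)
        key, off = read_string(blob, off)
        if len(key) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        result["key"] = key
    else:
        raise ValueError(f"unsupported key type {key_type}")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return result


if __name__ == "__main__":
    info = parse_ssh_public_key(HOST_KEY_LINE)
    print(info["type"], info["curve"], f"{len(info['point'])}-byte point")
    print(info["fingerprint"])
```

The fingerprint this prints for a server's .pub file is what you compare against the "ECDSA key fingerprint is SHA256:..." line the client shows before you answer yes; a mismatch means the client is talking to a different key than the one on the server you think you are reaching.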
ssh configuration files (passing parameters)
[root@chaochao ~]# cd /etc/ssh
[root@chaochao ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
ssh_config vs sshd_config
ssh_config: the client's configuration (ssh_config.d/ holds drop-in fragments that it includes)
sshd_config: the server's configuration; this is the file to edit when hardening the service
Using SSH
Command 1 (check what is installed): rpm -qa | grep ssh
[root@chaochao ~]# rpm -qa | grep ssh
openssh-clients-8.0p1-5.el8.x86_64
libssh-config-0.9.4-2.el8.noarch
libssh-0.9.4-2.el8.x86_64
openssh-askpass-8.0p1-5.el8.x86_64
openssh-server-8.0p1-5.el8.x86_64
qemu-kvm-block-ssh-4.2.0-34.module_el8.3.0+555+a55c8938.x86_64
openssh-8.0p1-5.el8.x86_64
Command 2 (view processes): ps aux | grep sshd
[root@chaochao ~]# ps aux | grep sshd    # the trailing "d" means daemon: sshd is the SSH daemon
root      1769  0.0  1.3 163704 10452 ?        Ss   10:21   0:00 sshd: root [priv]
root      1773  0.0  0.6 163704  5568 ?        S    10:21   0:00 sshd: root@pts/0
root      1774  0.0  1.3 163704 10484 ?        Ss   10:21   0:00 sshd: root [priv]
root      1791  0.0  0.6 163704  5576 ?        S    10:21   0:00 sshd: root@notty
root      1802  0.0  0.6  47220  5024 ?        Ss   10:21   0:00 /usr/libexec/openssh/sftp-server
root      1892  0.0  0.1  12324   992 pts/0    S+   10:29   0:00 grep --color=auto ssh
Each connection shows up as a pair of processes. "sshd: root [priv]" is the privileged parent that handles authentication and key material; "sshd: root@pts/0" is the child that runs the session itself under the logged-in user's identity (OpenSSH privilege separation). "root@notty" is a session with no terminal, here the one serving sftp-server (pid 1802).
Command 3 (view listening sockets and connections):
(1) ss -anplut | grep ssh
(2) netstat -anplut | grep ssh
(3) lsof -i :22
[root@chaochao ~]# ss -anplut | grep ssh
tcp   LISTEN  0  128  0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=1022,fd=5))
tcp   LISTEN  0  128  127.0.0.1:6010  0.0.0.0:*   users:(("sshd",pid=1773,fd=15))
tcp   LISTEN  0  128  [::]:22         [::]:*      users:(("sshd",pid=1022,fd=7))
tcp   LISTEN  0  128  [::1]:6010      [::]:*      users:(("sshd",pid=1773,fd=14))
[root@chaochao ~]# netstat -anplut | grep ssh
tcp   0   0 0.0.0.0:22          0.0.0.0:*            LISTEN       1022/sshd
tcp   0   0 127.0.0.1:6010      0.0.0.0:*            LISTEN       1773/sshd: root@pts
tcp   0   0 192.168.2.7:22      192.168.2.6:62500    ESTABLISHED  1774/sshd: root [pr
tcp   0  36 192.168.2.7:22      192.168.2.6:62499    ESTABLISHED  1769/sshd: root [pr
tcp6  0   0 :::22               :::*                 LISTEN       1022/sshd
tcp6  0   0 ::1:6010            :::*                 LISTEN       1773/sshd: root@pts
[root@chaochao ~]# lsof -i :22
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1022 root    5u  IPv4  31017      0t0  TCP *:ssh (LISTEN)
sshd    1022 root    7u  IPv6  31019      0t0  TCP *:ssh (LISTEN)
sshd    1769 root    5u  IPv4  37144      0t0  TCP chaochao:ssh->192.168.2.6:62499 (ESTABLISHED)
sshd    1773 root    5u  IPv4  37144      0t0  TCP chaochao:ssh->192.168.2.6:62499 (ESTABLISHED)
sshd    1774 root    5u  IPv4  37297      0t0  TCP chaochao:ssh->192.168.2.6:62500 (ESTABLISHED)
sshd    1791 root    5u  IPv4  37297      0t0  TCP chaochao:ssh->192.168.2.6:62500 (ESTABLISHED)
Port 22 on 0.0.0.0 and [::] belongs to the master listener (pid 1022), the only process that accepts new connections. The listeners on 127.0.0.1:6010 and [::1]:6010 are not SSH logins: they are the X11-forwarding socket for display :10 opened by session process 1773 because that client connected with X11 forwarding enabled. lsof shows each established connection twice (1769 and 1773 both hold 192.168.2.6:62499) because the privileged parent and its session child share the socket.
Command 4 (who is logged in): w
Connecting from Ubuntu to CentOS
On Ubuntu (output of the ssh command to 192.168.2.7):
The authenticity of host '192.168.2.7 (192.168.2.7)' can't be established.
ECDSA key fingerprint is SHA256:kdKkg7NGrG4s4W+MUvM2ZSHsdUfXPwQ6arugFv/LV3Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.7' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
This prompt is the only moment the client can detect an impostor. Before answering yes, compare the fingerprint with the one the server reports for its own key (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, run on the server or obtained from its administrator through another channel). Once you answer yes, the key is stored in ~/.ssh/known_hosts and later connections are checked against it automatically; a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning afterwards means the key no longer matches and should not be ignored.
On CentOS, check who is connected:
[root@chaochao home]# w
 15:19:49 up  3:05,  4 users,  load average: 0.26, 0.08, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                10:21    4:58m  0.04s  0.04s -bash
root     pts/0    192.168.2.6      10:21    3:43m  0.09s  0.09s -bash
root     pts/1    192.168.2.6      14:32    0.00s  0.05s  0.02s w
sc1      pts/2    192.168.2.6      15:19    3.00s  0.04s  0.04s -bash
Disabling a user's remote access
Method one: lock the account's password in /etc/shadow. The lock marker is two "!" characters placed in front of the password hash (the second field, after "sc1:"), which is exactly what passwd -l sc1 or usermod -L sc1 does; prefer those commands to editing the file by hand. The locked entry looks like this:
[root@chaochao home]# vim /etc/shadow
sc1:!!$6$WU/6hsay8JRFzaO1$CPgtheULosKacnRw/8FWnNdhWu5KMey18mpXFuvECCp2TwTilxrxumFoky2ZJpxKKsR5lEPknwLF8pfCQHVeE1:18844:0:99999:7:::
A locked password blocks password logins, SSH included, but does not block a login that uses an authorized public key, and it does not end a session that is already open. Remove the "!!" (or run usermod -U sc1) to unlock.
Method two: kill the user's login shell with kill -9 <pid>. This ends the current session only; unless the account is also locked, the user can simply reconnect.
On CentOS:
[root@chaochao ~]# ps aux | grep bash    # find the PID of the user's shell
root       945  0.0  0.2  26296  2264 ?        S    12:14   0:00 /bin/bash /usr/sbin/ksmtuned
root      3812  0.0  0.6  27736  5348 pts/0    Ss   15:30   0:00 -bash
sc1       3886  0.0  0.7  28524  5820 pts/1    Ss+  15:30   0:00 -bash
root      3980  0.0  0.1  12324   972 pts/0    R+   15:33   0:00 grep --color=auto bash
[root@chaochao ~]# kill -9 3886
[root@chaochao ~]# kill -9 3886
-bash: kill: (3886) - No such process
Check that the session is gone: on sc1's terminal the ssh client reports the disconnect and drops back to the Ubuntu prompt.
[sc1@chaochao ~]$ Connection to 192.168.2.7 closed.
lizhichao@chaochao:~$
Have you worked these out?
After the sshd service is stopped, can you still connect remotely?
After the ssh service is stopped, sessions that are already connected keep working; only new connections fail.
[root@chaochao ~]# ps aux | grep sshd
root      1769  0.0  1.3 163704 10444 ?        Ss   12:14   0:00 sshd: root [priv]
root      1773  0.0  0.6 163704  5568 ?        S    12:14   0:00 sshd: root@pts/0
root      1774  0.0  1.3 163704 10476 ?        Ss   12:14   0:00 sshd: root [priv]
root      1791  0.0  0.6 163704  5576 ?        S    12:14   0:00 sshd: root@notty
root      3807  0.0  1.2 163704 10376 ?        Ss   15:30   0:00 sshd: root [priv]
root      3811  0.0  0.6 163704  5592 ?        S    15:30   0:00 sshd: root@pts/0
root      3813  0.0  1.3 163704 10584 ?        Ss   15:30   0:00 sshd: root [priv]
root      3829  0.0  0.6 163704  5536 ?        S    15:30   0:00 sshd: root@notty
root      4017  0.0  1.3 163704 10656 ?        Ss   15:36   0:00 sshd: sc1 [priv]
sc1       4043  0.0  0.7 163704  5792 ?        S    15:36   0:00 sshd: sc1@pts/1
Note the last pair: the privileged parent for sc1's login runs as root, while the session child "sshd: sc1@pts/1" runs as sc1. That is privilege separation at work.
[root@chaochao ~]# systemctl stop sshd
[root@chaochao ~]# pstree -p
        ├─sshd(1769)───sshd(1773)
        ├─sshd(1774)───sshd(1791)───sftp-server(1802)
        ├─sshd(3807)───sshd(3811)───bash(3812)───pstree(4160)
        ├─sshd(3813)───sshd(3829)───sftp-server(3840)
        ├─sshd(4017)───sshd(4043)───bash(4044)
        ├─sssd(919)─┬─sssd_be(961)
        │           └─sssd_nss(989)
Stopping the unit killed the master listener (pid 1022 in the earlier ss output), so nothing accepts new connections any more, but the per-connection sshd processes and the shells beneath them are separate processes that the service unit (KillMode=process on RHEL/CentOS) deliberately leaves running. To cut existing sessions as well, kill those sshd processes or the users' shells as shown in the previous section. The sssd lines are an unrelated service (System Security Services Daemon) that happens to sort next to sshd.
Command (find failed logins): grep 'Failed password' /var/log/secure (the cat is unnecessary; on CentOS 8 journalctl -u sshd shows the same messages)
[root@kafka01 home]# cat /var/log/secure | grep 'Failed password'
Aug 13 21:09:38 kafka01 sshd[24916]: Failed password for root from 121.43.177.113 port 56516 ssh2
Aug 13 23:15:55 kafka01 sshd[25040]: Failed password for mysql from 182.254.156.93 port 36918 ssh2
Aug 14 05:08:25 kafka01 sshd[25518]: Failed password for ftp from 182.254.156.93 port 46560 ssh2
Aug 14 15:11:22 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:30 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:35 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
This host (kafka01) has a public address, and the lines show the usual Internet background noise: guesses against root and against service accounts such as mysql and ftp. The last three lines share one sshd PID (26315) and one source port, so they are three password attempts inside a single connection; MaxAuthTries in sshd_config caps how many such attempts one connection gets. Also search for "Invalid user", which sshd logs when the account name itself does not exist.
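As an added example (editor's code, not from the original post), the following Python runs the detection a practitioner would want over those log lines: it parses the "Failed password" messages, counts failures per source address, lists the accounts being guessed, and flags any address that produced several failures inside a short window, which is the shape of a password-guessing run. The sample input is the page's six lines plus one constructed "invalid user" line; the year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the page's /var/log/secure excerpt (used here as test input).
SAMPLE_LOG = """\
Aug 13 21:09:38 kafka01 sshd[24916]: Failed password for root from 121.43.177.113 port 56516 ssh2
Aug 13 23:15:55 kafka01 sshd[25040]: Failed password for mysql from 182.254.156.93 port 36918 ssh2
Aug 14 05:08:25 kafka01 sshd[25518]: Failed password for ftp from 182.254.156.93 port 46560 ssh2
Aug 14 15:11:22 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:30 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
Aug 14 15:11:35 kafka01 sshd[26315]: Failed password for root from 113.246.77.152 port 21697 ssh2
"""

# Constructed line (not from the page) showing the second message shape sshd uses
# when the account name does not exist at all.
INVALID_USER_LINE = (
    "Aug 14 15:12:01 kafka01 sshd[26340]: Failed password for invalid user admin "
    "from 113.246.77.152 port 21710 ssh2\n"
)

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(text, year=2021):
    """Return a list of (timestamp, user, ip, invalid_user) for each failed-password line.
    Syslog timestamps have no year, so one is assumed (the page does not state it)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["invalid"] is not None))
    return events


def failures_by_ip(events):
    """Count failed attempts per source address."""
    counts = defaultdict(int)
    for _, _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)


def targeted_users(events):
    """Set of account names that were guessed against."""
    return {user for _, user, _, _ in events}


def detect_bursts(events, threshold=3, window_seconds=60):
    """Return the source addresses with >= threshold failures inside any sliding
    window of window_seconds. Attempts hours apart (one guess per visit) do not
    trigger; a tight cluster like the page's 13-second run does."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, _, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG + INVALID_USER_LINE)
    print("failures per source:", failures_by_ip(ev))
    print("accounts guessed:", sorted(targeted_users(ev)))
    print("burst sources (>=3 in 60 s):", detect_bursts(ev))
```

The burst detector is the logic tools such as fail2ban apply before adding a firewall rule; the threshold and window here are constructed defaults, not values from the page. Feeding it a real /var/log/secure is a one-line change (read the file instead of SAMPLE_LOG).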
How do you harden the ssh service?
Method one: stop root from logging in over SSH. The original suggests adding "!!" to root's entry in /etc/shadow; that locks root's password everywhere, including the local console, while still allowing a root login with an authorized key. The SSH-specific control is PermitRootLogin no in /etc/ssh/sshd_config (the stock CentOS file ships with PermitRootLogin yes). Log in as an ordinary user and use sudo or su for administration.
Method two: set strong passwords. Better still, use key-based authentication and set PasswordAuthentication no, which removes the password-guessing traffic seen in the log above.
Method three: change the port number.
[root@firewall ssh]# vim /etc/ssh/sshd_config
Port 2299    # change the port sshd listens on to 2299
Before restarting: check the file with sshd -t; on CentOS with SELinux enforcing, allow the new port with semanage port -a -t ssh_port_t -p tcp 2299; open it in firewalld with firewall-cmd --permanent --add-port=2299/tcp followed by firewall-cmd --reload; then systemctl restart sshd and test from a second terminal before closing the one you are in. Make sure no uncommented "Port 22" line remains, because sshd listens on every Port line it finds. A non-default port cuts down scanner noise in the logs but is not a security control in itself; PermitRootLogin no and key-only authentication are what actually stop the attempts from succeeding.
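As an added example (editor's code, not from the original post), the following Python audits an sshd_config for the weak settings discussed in this section. It reproduces two sshd parsing rules that bite people who edit the file by hand: every Port line adds a listening port, whereas for every other keyword the first occurrence wins and later duplicates are silently ignored; directives after a Match line are conditional and are skipped. The compiled-in defaults used for missing directives are OpenSSH's (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6); the two sample configs and the finding thresholds are constructed, not taken from the page.

```python
import re

# OpenSSH compiled-in defaults for the directives audited here (applied when a
# directive is absent or commented out, as most lines are in the stock CentOS file).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
DEFAULT_PORTS = ["22"]

DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config as a dict.

    'port' maps to the list of all ports configured; every other key maps to the
    FIRST value given for it, matching how sshd reads the file.
    """
    settings = {}
    ports = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                           # everything after Match is conditional
            in_match = True
            continue
        if in_match:
            continue
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)          # first occurrence wins
    effective = dict(DEFAULTS)
    effective.update(settings)
    effective["port"] = ports or list(DEFAULT_PORTS)
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    cfg = parse_sshd_config(text)
    findings = []
    if "22" in cfg["port"]:
        findings.append("sshd still listens on port 22 (remove or comment every 'Port 22' line)")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}', should be 'no'")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed; use keys")
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    if int(cfg["maxauthtries"]) > 4:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']} allows many guesses per connection")
    return findings


# Constructed sample resembling the stock CentOS 8 file after the page's edit:
# the port was changed, but root password login stays enabled, and a later
# PasswordAuthentication line that the admin believes took effect is ignored.
WEAK_CONFIG = """\
#Port 22
Port 2299
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value
"""

# Constructed hardened counterpart.
HARDENED_CONFIG = """\
Port 2299
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or ["no findings"])
```

Run it against /etc/ssh/sshd_config before restarting sshd; it complements sshd -t, which only checks syntax and says nothing about whether the settings are safe. On a live system also confirm the result with sshd -T, which prints the effective configuration after all parsing rules are applied.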
Exercises
1. Change the port number (pick your own).
2. Disable root login over SSH, create an ordinary user sc and set a password for it.
3. Log in over ssh from another Linux system or from Windows.
4. Review the logs for failed logins.
5. Inspect the contents of the known_hosts file on the client.
Writing this takes effort; please leave a like and a comment, and keep at it together!