标签:bee could clean prompt mit etc rem wrap start
服务的访问控制列表
[root@localhost ~]# cat /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘ # for information on rule syntax. # See ‘man tcpd‘ for information on tcp_wrappers # [root@localhost ~]# ll /etc/hosts.deny -rw-r--r--. 1 root root 460 Jun 7 2013 /etc/hosts.deny
配置 sshd 服务
[root@iscsi ~]# ssh 10.15.7.21 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:pltxR/1se5bbO1SOJQmu+9lf+l6cSpi88HW2wyK+4jk. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:2 ECDSA host key for 10.15.7.21 has changed and you have requested strict checking. Host key verification failed. [root@iscsi ~]# vim /root/.ssh/known_hosts [root@iscsi ~]# ssh 10.15.7.21 The authenticity of host ‘10.15.7.21 (10.15.7.21)‘ can‘t be established. ECDSA key fingerprint is SHA256:pltxR/1se5bbO1SOJQmu+9lf+l6cSpi88HW2wyK+4jk. ECDSA key fingerprint is MD5:8e:2e:f2:01:e7:9a:ea:60:5d:5a:34:6a:a6:f1:e3:fe. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘10.15.7.21‘ (ECDSA) to the list of known hosts. root@10.15.7.21‘s password: Last login: Wed Jul 8 13:57:35 2020 from 10.15.7.60 [root@localhost ~]# cat /etc/ssh/sshd_config |grep Permit #PermitRootLogin yes ##取消注释,禁止root用户远程登录 #PermitEmptyPasswords no
安全密钥验证
1 在客户端主机中生成“密钥对”
[root@iscsi ~]# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:XbUEJ/QZbS4KCFm/KMZv7BRmJg1eQCiQhEbrh4YbYq0 root@iscsi The key‘s randomart image is: +---[RSA 2048]----+ |== ooo. .+.=. | |o.o . o. . * +o| |.. . ..... . +o | |o o o +.o.o . .| |+= o * S o. . . | |+oo . O . . | |.E = | | + | | . | +----[SHA256]-----+
2 把客户端主机中生成的公钥文件传送至远程主机
[root@iscsi ~]# ssh-copy-id 10.15.7.21 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@10.15.7.21‘s password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh ‘10.15.7.21‘" and check to make sure that only the key(s) you wanted were added.
3 对服务器进行设置,使其只允许密钥验证,拒绝传统的口令验证方式。
[root@localhost ~]# cat /etc/ssh/sshd_config |grep Password #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes >>PasswordAuthentication no # systemctl restart sshd
4 在客户端尝试登录到服务器,不需要输入密码
[root@iscsi ~]# ssh 10.15.7.21 Last login: Wed Jul 8 15:34:52 2020 from 10.15.7.20 [root@localhost ~]#
远程传输命令
scp(secure copy)是一个基于 SSH 协议在网络之间进行安全传输的命令 参数 -v 显示详细的连接进度 -P 指定远程主机的 sshd 端口号 -r 用于传送文件夹 -6 使用 IPv6 协议 # scp /root/readme.txt 192.168.10.20:/home #把文件/root/readme.txt传送到远程主机的home目录 # scp 192.168.10.20:/etc/redhat-release /root #把远程主机的文件redhat-release传送到本机的root目录
不间断会话服务
screen 是一款能够实现多窗口远程控制的开源服务程序,简单来说就是为了解决网络异 常中断或为了同时控制多个远程终端窗口而设计的程序。 [root@iscsi ~]# yum install screen -y [root@iscsi ~]# screen -S backup aby [root@iscsi ~]# screen -ls There is a screen on: 19326.backup (Attached) 1 Socket in /var/run/screen/S-root. [root@iscsi ~]# screen vim /tmp/t1.txt 关闭ssh窗口,重新连接服务器 Connecting to 10.15.7.20:22... Connection established. To escape to local shell, press ‘Ctrl+Alt+]‘. Last login: Wed Jul 8 15:21:39 2020 from 10.15.7.60 [root@iscsi ~]# screen -ls There is a screen on: 19326.backup (Detached) #刚的会话窗口 1 Socket in /var/run/screen/S-root. [root@iscsi ~]# screen -r backup [root@iscsi ~]# screen -ls There is a screen on: 19326.backup (Attached) 1 Socket in /var/run/screen/S-root. [root@iscsi ~]# screen vim /tmp/t1.txt [root@iscsi ~]# screen vim /tmp/t1.txt [root@iscsi ~]# tail -f /var/log/messages Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘ns-1326.awsdns-37.org/AAAA/IN‘: 2600:9000:5306:6500::1#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘ns-1716.awsdns-22.co.uk/AAAA/IN‘: 2600:9000:5307:1a00::1#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:502:8cc::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:500:856e::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:502:7094::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:503:d2d::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:503:39c1::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:503:a83e::2:30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:501:b1f9::30#53 Jul 8 16:03:58 iscsi named[1652]: network unreachable resolving ‘netdna-cdn.com/DS/IN‘: 2001:503:d414::30#53 Jul 8 16:06:27 iscsi systemd: Started Session 218 of user root. Jul 8 16:06:27 iscsi systemd-logind: New session 218 of user root. Jul 8 16:06:27 iscsi systemd: Starting Session 218 of user root. Jul 8 16:06:27 iscsi gdm-launch-environment]: AccountsService: ActUserManager: user (null) has no username (object path: /org/freedesktop/Accounts/User0, uid: 0) Jul 8 16:06:27 iscsi journal: ActUserManager: user (null) has no username (object path: /org/freedesktop/Accounts/User0, uid: 0) Jul 8 16:06:28 iscsi dbus[603]: [system] Activating service name=‘org.freedesktop.problems‘ (using servicehelper) Jul 8 16:06:28 iscsi dbus-daemon: dbus[603]: [system] Activating service name=‘org.freedesktop.problems‘ (using servicehelper) Jul 8 16:06:28 iscsi dbus[603]: [system] Successfully activated service ‘org.freedesktop.problems‘ Jul 8 16:06:28 iscsi dbus-daemon: dbus[603]: [system] Successfully activated service ‘org.freedesktop.problems‘ Jul 8 16:06:28 iscsi journal: g_dbus_interface_skeleton_unexport: assertion ‘interface_->priv->connections != NULL‘ failed 退出screen模式 [root@iscsi ~]# exit [root@iscsi ~]# screen -r backup [screen is terminating] [root@iscsi ~]#
会话共享功能
screen 命令不仅可以确保用户在极端情况下也不丢失对系统的远程控制,保证了生产环
境中远程工作的不间断性,而且它还具有会话共享、分屏切割、会话锁定等实用的功能。
client A连接服务器10.15.7.20
[root@localhost ~]# ssh 10.15.7.20 The authenticity of host ‘10.15.7.20 (10.15.7.20)‘ can‘t be established. ECDSA key fingerprint is SHA256:e3ojzJkCJROOPDXuV1CTrzCr9PvDPeyC8LiN093Wl6w. ECDSA key fingerprint is MD5:0a:95:7f:a7:82:d9:40:cf:4d:72:30:c5:c6:7e:8e:cd. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘10.15.7.20‘ (ECDSA) to the list of known hosts. root@10.15.7.20‘s password: Last login: Wed Jul 8 16:06:28 2020 from 10.15.7.60 [root@iscsi ~]# screen -S hong [root@iscsi ~]# cat /tmp/null_sta_coresh.log Fri Jul 3 09:50:21 CST 2020 : Logs cleand up Sat Jul 4 02:00:01 CST 2020 : Logs cleand up Sun Jul 5 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.123 is appoint on 20200705; Sun Jul 5 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.12234 is appoint on 20200705; Sun Jul 5 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.122234 is appoint on 20200705; Sun Jul 5 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.12212 is appoint on 20200705; Sun Jul 5 02:00:01 CST 2020 : Logs cleand up Mon Jul 6 02:00:01 CST 2020 : Logs cleand up Tue Jul 7 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.12234 is appoint on 20200707; Tue Jul 7 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.122234 is appoint on 20200707; Tue Jul 7 02:00:01 CST 2020: /opt/vision/StorageServer/bin/core.12212 is appoint on 20200707; Tue Jul 7 02:00:01 CST 2020 : Logs cleand up
client B连接服务器10.15.7.20
[root@localhost ~]# ssh 10.15.7.20 The authenticity of host ‘10.15.7.20 (10.15.7.20)‘ can‘t be established. RSA key fingerprint is f3:55:8c:b5:e7:c3:42:ae:1a:b7:fc:20:80:0e:62:67. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘10.15.7.20‘ (RSA) to the list of known hosts. root@10.15.7.20‘s password: Last login: Wed Jul 8 16:10:02 2020 from 10.15.7.21 [root@iscsi ~]# screen -x
这时候在A上面执行任何操作,B都会看得见
linux 简单记录9 --服务的访问控制列表(ssh,scp,screen)
标签:bee could clean prompt mit etc rem wrap start
原文地址:https://www.cnblogs.com/yhq1314/p/13294537.html