centos7下安全访问远程服务器
生活随笔
收集整理的這篇文章主要介紹了
centos7下安全访问远程服务器
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
1. 添加普通賬號
眾所周知,linux下的root擁有最高權限,可以執行任何命令。在使用root身份操作時,有時的一個不注意就可能將非常重要的刪除(最可怕的是 rm -rf /)。而linux不像windows有可以撤銷的回收箱,。所以建議建立普通用戶賬號,在平時的時候以普通用戶身份登錄,只在需要root權限時才通過sudo 臨時提高普通用戶的權限或是通過su - 切換到root用戶,執行完任務后立刻exit。
新建普通用戶,用戶名以example_user 為例
useradd example_user && passwd example_user # 將對應的用戶加入wheel組,wheel組用于sudo權限 usermod -aG wheel example_user?
2. 創建ssh登錄時進行身份驗證的密鑰對
假設有以下情景,有3臺主機:
- node3? ? ip: 192.168.35.120
- node4? ? ip:? 192.168.35.130
- node5? ? ip: 192.168.35.140
node3上的用戶root 想通過私鑰 有密碼登錄node4,無密碼登錄node5
# 配置密碼登錄 node4 # 產生4096位的rsa密鑰對 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. # 指定存儲路徑 Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node4_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node4_id_rsa. Your public key has been saved in /root/.ssh/node4_id_rsa.pub.# 將公鑰發給node4主機,追加在 root用戶的~/.ssh/authorized_keys文件末尾 [root@node3 .ssh]# ssh-copy-id -i /root/.ssh/node4_id_rsa.pub root@node4 The authenticity of host 'node4 (192.168.35.130)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node4's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@node4'" and check to make sure that only the key(s) you wanted were added.# 遠程登錄 [root@node3 .ssh]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Last login: Fri Sep 14 23:21:48 2017 from 192.168.35.1# 配置無密碼登錄node5 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node5_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node5_id_rsa. Your public key has been saved in /root/.ssh/node5_id_rsa.pub. The key fingerprint is: 05:ef:46:a2:21:f1:26:28:af:bf:81:36:a7:7d:ed:2b root@node3[root@node3 .ssh]# ssh-copy-id -i ~/.ssh/node5_id_rsa.pub root@node5 The authenticity of host 'node5 (192.168.35.140)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node5's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@node5'" and check to make sure that only the key(s) you wanted were added.[root@node3 .ssh]# ssh -i ~/.ssh/node5_id_rsa root@node5 Last login: Fri Sep 14 22:45:22 2017 from 192.168.35.1 View Code?
除了ssh-copy-id,還可以通過下面的方法進行公鑰的上傳
Step1:?通過ssh遠程登錄
ssh 用戶名@ip地址遠程登錄Step 2:??通過文件上傳工具如filezilla,或是直接通過命令rz(通過yum install lrzsz安裝)上傳公鑰 xxx.pub
Step 3:? 將公鑰以追加的形式寫入authorized_keys文件中(該文件可以記錄多個公鑰信息)
cat xxx.pub >> ~/.ssh/authorized_keysStep4 : 文件權設置
# chmod 700 ~/.ssh # chdmo 600 ~/.ssh/authorized_keys?
注意,此時仍能通過密碼進行登錄
[root@node3 .ssh]# ssh root@node4 root@node4's password: Last login: Fri Sep 14 23:30:26 2017 from node3 [root@node4 ~]#?
3. 修改配置文件,禁止密碼登錄
修改配置文件 /etc/ssh/sshd_config
# 禁止使用root身份進行遠程登錄,建議使用普通用戶身份登錄[可根據實際情況] PermitRootLogin no # 取消密碼驗證登錄 PasswordAuthentication no然后重啟服務即可
sudo service sshd restart?
測試效果如下:
# 普通用戶可以通過私鑰登錄 [alex@node3 ~]$ ssh alex@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [alex@node3 ~]$ ssh -i ~/.ssh/node4_id_rsa alex@node4 Last login: Sat Sep 15 00:38:53 2017 [alex@node4 ~]$ exit logout Connection to node4 closed.[alex@node3 ~]$ su - Password: Last login: Sat Sep 15 00:33:16 CST 2017 on pts/0 # root無法登錄 [root@node3 ~]# ssh root@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [root@node3 ~]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Permission denied (publickey,gssapi-keyex,gssapi-with-mic).?
參考:
- https://www.linode.com/docs/security/securing-your-server/
?
轉載于:https://www.cnblogs.com/hupeng1234/p/9649261.html
總結
以上是生活随笔為你收集整理的centos7下安全访问远程服务器的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 3Sum探讨(Java)
- 下一篇: angularjs的一点总结