Continued from PART 1
4. SSH port forwarding: SSH encrypts and decrypts all traffic between the SSH client and the SSH server automatically. It can also carry the traffic of other TCP ports inside the SSH connection and encrypt/decrypt it on the way; this is called tunneling. Plaintext TCP applications such as telnet, SMTP and LDAP benefit from it, because usernames, passwords and other private data no longer cross the network in the clear. And when a firewall blocks some ports but allows SSH, the blocked TCP port can be forwarded over the SSH connection instead.
What port forwarding gives you: encryption of the traffic between the SSH client and the SSH server; a way past firewall rules that would otherwise prevent a TCP connection. Note that only the leg inside the SSH connection is encrypted: the hop from the SSH server to the final host:hostport is ordinary TCP.
Two modes: local forwarding and remote forwarding.
Local forwarding, run on host A (the SSH client): ssh -L localport:host:hostport sshserver
Options: -f go to the background once authenticated
-N do not open a remote shell; only forward
-g act as a gateway: let other hosts connect to the forwarded port (without it the listener is bound to 127.0.0.1 only)
The test here uses the telnet service, with the firewall switched off. The listener on 9527 belongs to the host that ran ssh -L (the client), so check for it there, in a second terminal:
[root@localhost ~]# ssh -L 9527:10.1.54.250:23 10.1.252.134
root@10.1.252.134's password:
Last login: Thu Sep 22 11:31:17 2016 from 10.1.252.66
[root@centos68 ~]# netstat -nta
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State
tcp        0      0 :::9527          :::*               LISTEN
Connect to the forwarded port on host A itself:
[root@centos68 tmp]# telnet 127.0.0.1 9527
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet>
Remote forwarding: ssh -R remoteport:host:hostport sshserver
Run on host B, which is the SSH client here: the SSH server named last (A) listens on 9527; a connection there is encrypted and carried back over the SSH session that B opened to A, decrypted on B, and forwarded by B to port 23 on host C, the host:hostport given after -R. By default sshd binds that listener to A's loopback address only; set GatewayPorts yes in A's sshd_config if other hosts must be able to reach it.
[root@centos68 tmp]# ssh -R 9527:10.1.54.250:23 -N 10.1.252.28
## SSH dynamic port forwarding: ssh -D turns a local port (1080 here) into a SOCKS proxy. With Firefox pointed at it, every request is carried through the SSH connection and made by sshserver on Firefox's behalf: the Internet sees sshserver's address, and the local network sees only SSH traffic.
In Firefox, set the proxy in the GUI: SOCKS host 127.0.0.1, port 1080 (SOCKS v5, not an HTTP proxy), and enable "Proxy DNS when using SOCKS v5" so that name lookups also go through the tunnel instead of leaking to the local resolver.
ssh -D 1080 root@sshserver
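The three modes above, as an added example that is not code from the original post: a bash wrapper that builds the ssh command line with the options a long-lived tunnel needs, starts it, checks that the listener really exists, and stops it again. The hosts and ports are the post's placeholders; that the client is Linux with ss(8) and pkill available is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Wrapper for the three
# forwarding modes above. Hosts, ports and the SSH server are placeholders.
set -euo pipefail

# tunnel_cmd MODE SPEC SERVER [GATEWAY]
#   MODE    local | remote | dynamic
#   SPEC    local/remote: "listenport:target:targetport"; dynamic: "socksport"
#   SERVER  the SSH server (host B in the post's A/B/C topology)
#   GATEWAY 1 to bind the listener on all interfaces (like -g); default loopback
# Prints the ssh command line instead of running it, so it can be reviewed.
tunnel_cmd() {
    local mode=$1 spec=$2 server=$3 gateway=${4:-0}
    # -f: background after authentication; -N: no remote shell.
    # ExitOnForwardFailure: fail loudly if the port cannot be bound, instead
    # of leaving a background ssh that forwards nothing.
    # ServerAliveInterval: notice a tunnel that died behind a NAT/firewall.
    local base="ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    local bind=127.0.0.1
    [ "$gateway" = 1 ] && bind=0.0.0.0
    case "$mode" in
        local)   printf '%s -L %s:%s %s\n' "$base" "$bind" "$spec" "$server" ;;
        # For -R the bind address only takes effect if the SSH server's
        # sshd_config has "GatewayPorts yes" or "GatewayPorts clientspecified".
        remote)  printf '%s -R %s:%s %s\n' "$base" "$bind" "$spec" "$server" ;;
        dynamic) printf '%s -D %s:%s %s\n' "$base" "$bind" "$spec" "$server" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# tunnel_up MODE SPEC SERVER [GATEWAY]: start the tunnel and confirm that
# something is listening on the local port (local/dynamic modes; for remote
# mode the listener is on the server, check it there).
tunnel_up() {
    local cmd port
    cmd=$(tunnel_cmd "$@")
    echo "+ $cmd" >&2
    eval "$cmd"
    port=${2%%:*}
    # ss(8) is in iproute2; on old systems replace it with: netstat -ltn
    ss -ltn | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }' \
        || { echo "nothing listening on port $port" >&2; return 1; }
}

# tunnel_down SPEC: stop the background ssh that carries this forwarding.
tunnel_down() {
    pkill -f "ssh -f -N .* $1" || true
}

# usage:  ./tunnel.sh up local 9527:10.1.54.250:23 10.1.252.134
#         ./tunnel.sh down 9527:10.1.54.250:23
case "${1:-}" in
    up)   shift; tunnel_up "$@" ;;
    down) shift; tunnel_down "$@" ;;
esac
```

Without ExitOnForwardFailure, ssh -f -N happily backgrounds itself even when the local port is already taken, and the first sign of trouble is a client that connects to something else entirely.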
5. Configuration file (/etc/ssh/sshd_config), common parameters: Port; ListenAddress ip; PermitRootLogin yes; ClientAliveInterval 0 (0 disables the keep-alive probes that detect dead clients); UseDNS yes (sshd reverse-resolves every client address, which only slows logins down).
Restricting who may log in: AllowUsers user1 user2 user3
DenyUsers; AllowGroups; DenyGroups. The lists are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. With a Deny* list, anyone not listed is allowed; with an Allow* list, anyone not listed is denied.
Best practices for the SSH service:
Do not use the default port;
Disable protocol version 1;
Restrict which users may log in;
Set a timeout for idle sessions (ClientAliveInterval/ClientAliveCountMax drop clients that stop answering; a user who is idle but whose ssh client is still running answers the probes and is not logged out, so for a true idle logout set TMOUT in the login shell as well);
Use the firewall to control who may reach ssh;
Listen only on specific IP addresses: in the configuration file change 0.0.0.0 to the address you want;
When password authentication stays enabled, enforce a strong password policy;
Generating a random password: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs
Use key-based authentication;
Forbid empty passwords;
Forbid direct root login;
Limit the connection rate and the number of concurrent sessions (iptables recent/limit rules, MaxStartups, MaxSessions, MaxAuthTries);
Analyse the logs.
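The list above turned into a check, as an added example that is not code from the original post: a bash audit that reads an sshd_config and reports each point that is not met. The two sample configurations are constructed for the demo (the "weak" one resembles a stock CentOS 6 file, the "hard" one applies the list); the file path is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check an sshd_config against
# the best-practice list above. It only reads the file it is given, so it can
# run against a copy. The two sample configs are constructed for the demo.
set -euo pipefail

# sshd_get FILE KEYWORD: effective value of a keyword. sshd takes the FIRST
# occurrence of a keyword and ignores later ones; keywords are case-
# insensitive; commented lines do not count; settings inside "Match" blocks
# are conditional, so they are skipped here.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { inmatch = 1 }
        inmatch                     { next }
        tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; exit
        }' "$1"
}

flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# sshd_audit FILE: print findings; the return value is their count (0 = clean).
sshd_audit() {
    local f=$1 v findings=0
    v=$(sshd_get "$f" Port);            [ "${v:-22}" = 22 ] && flag "Port: default port 22"
    v=$(sshd_get "$f" Protocol);        case "$v" in *1*) flag "Protocol: version 1 enabled ($v)" ;; esac
    v=$(sshd_get "$f" PermitRootLogin); [ "${v:-yes}" = yes ] && flag "PermitRootLogin: root may log in directly"
    v=$(sshd_get "$f" PermitEmptyPasswords); [ "$v" = yes ] && flag "PermitEmptyPasswords yes"
    v=$(sshd_get "$f" PubkeyAuthentication); [ "$v" = no ] && flag "PubkeyAuthentication: key auth disabled"
    v=$(sshd_get "$f" ClientAliveInterval); [ "${v:-0}" = 0 ] && flag "ClientAliveInterval 0: dead clients are never dropped"
    v=$(sshd_get "$f" ListenAddress)
    case "${v:-0.0.0.0}" in 0.0.0.0*|::*|\[::\]*) flag "ListenAddress: listening on all interfaces" ;; esac
    if [ -z "$(sshd_get "$f" AllowUsers)" ] && [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        flag "No AllowUsers/AllowGroups: every local account may attempt a login"
    fi
    v=$(sshd_get "$f" MaxAuthTries);    [ "${v:-6}" -gt 3 ] && flag "MaxAuthTries ${v:-6}: lower it to slow password guessing"
    v=$(sshd_get "$f" LogLevel)
    case "${v:-INFO}" in INFO|VERBOSE) ;; *) flag "LogLevel $v: use INFO or VERBOSE (VERBOSE logs key fingerprints)" ;; esac
    echo "findings: $findings"
    return "$findings"
}

# Constructed sample: roughly what a stock CentOS 6 sshd_config amounts to.
sample_weak_config() {
    cat <<'EOF'
#Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 0
UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Constructed sample after applying the list above. The Match block at the
# end is why sshd_get has to skip conditional settings.
sample_hard_config() {
    cat <<'EOF'
Port 2222
Protocol 2
ListenAddress 10.1.252.134
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
AllowGroups sshusers
LogLevel VERBOSE
UseDNS no
Match Address 10.1.252.0/24
    PermitRootLogin yes
EOF
}
```

Run it as `sshd_audit /etc/ssh/sshd_config`, and before restarting sshd after changes, let the daemon itself validate the file with `sshd -t` (`sshd -T` prints the effective values, which is the authoritative answer when you are unsure how a directive was parsed).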
I. Exercises
1. Create a private CA and request a certificate. OpenSSL's configuration file is /etc/pki/tls/openssl.cnf; the CA directory layout used below (/etc/pki/CA) comes from its [ CA_default ] section.
Step 1: generate the CA's private key. The subshell with umask 077 makes the key file mode 0600 from the moment it is created:
[root@centos68 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................................................................................+++
................+++
e is 65537 (0x10001)
Generate the self-signed CA certificate with openssl req:
-new generate a new certificate signing request
-x509 output a self-signed certificate instead of a request; used only when creating the private CA
-key path of the private key used for the request
-out path of the output file; with -x509 this is the signed certificate itself
-days validity period of the certificate in days (only meaningful together with -x509)
[root@centos68 private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:m20
Organizational Unit Name (eg, section) []:magedu
Common Name (eg, your name or your server's hostname) []:ge
Email Address []:915954814@qq.com
Provide the directories and files the CA needs (index.txt is the certificate database, serial holds the next serial number to issue):
[root@centos68 CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@centos68 CA]# touch /etc/pki/CA/{serial,index.txt}
[root@centos68 CA]# echo 01 > /etc/pki/CA/serial
A server that needs a certificate for secure communication asks the CA to sign one.
Steps, using httpd as the example:
On the host that will use the certificate, generate a private key (again with umask 077 so the key is never world-readable):
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
...............................................................................................+++
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
Generate the certificate signing request. Country, province and organization must be the same as the CA's, because the default policy_match section of openssl.cnf requires those three fields to match; fields the policy does not mention (the locality here) are dropped from the signed certificate. -days has no effect on a CSR, the validity is decided by the CA when it signs. The challenge password is an optional CSR attribute that almost nothing uses; it can be left blank:
[root@localhost httpd]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:m20
Organizational Unit Name (eg, section) []:magedu
Common Name (eg, your name or your server's hostname) []:ge
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123654
An optional company name []:magedu
Send the request to the CA host over a trustworthy channel (only the CSR travels; the private key stays on the server):
[root@localhost etc]# scp /etc/httpd.csr root@10.1.252.134:/tmp
root@10.1.252.134's password:
httpd.csr                                     100% 1054     1.0KB/s   00:00
On the CA host, sign the request. openssl ca shows the certificate it is about to issue and asks for confirmation twice; it also keeps a copy of every issued certificate in newcerts/, named after the serial number. (The output directory used here, serts, is a typo for the CA's standard certs directory; the command works with either.)
[root@centos68 tmp]# mkdir -p /etc/pki/CA/serts
[root@centos68 tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/serts/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 18 16:11:12 2016 GMT
            Not After : Sep 18 16:11:12 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = m20
            organizationalUnitName    = magedu
            commonName                = ge
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                02:80:06:15:91:23:D9:A3:43:9F:0A:C9:D2:9B:AB:CF:6F:69:48:57
            X509v3 Authority Key Identifier:
                keyid:BC:2A:27:17:D6:D2:84:8F:1B:92:4D:71:E8:FA:CD:47:12:51:2F:A5
Certificate is to be certified until Sep 18 16:11:12 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Inspect the certificate and send it back to the requesting host (the certificate is public, so scp over a password is fine here):
[root@centos68 serts]# openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=m20/OU=magedu/CN=ge
[root@centos68 serts]# scp httpd.crt root@10.1.252.28:/etc/pki/CA/
The authenticity of host '10.1.252.28 (10.1.252.28)' can't be established.
RSA key fingerprint is e4:17:b3:40:d1:75:78:27:2b:d5:51:eb:2a:5a:f4:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.252.28' (RSA) to the list of known hosts.
root@10.1.252.28's password:
httpd.crt                                     100% 4474     4.4KB/s   00:00
Revoking a certificate:
On the client, read the serial number of the certificate to be revoked:
[root@localhost CA]# openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=m20/OU=magedu/CN=ge
On the CA host, check that the serial and subject submitted by the client match the entry in the CA database index.txt, then revoke using the copy that openssl ca kept in newcerts/ (named after the serial):
[root@centos68 serts]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
Create the CRL number file (only needed the first time a CRL is generated):
[root@centos68 serts]# echo 01 > /etc/pki/CA/crlnumber
Generate (or update) the certificate revocation list:
[root@centos68 serts]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Inspect the CRL. Note the sha1WithRSAEncryption signature below: the default_md in this openssl.cnf is still sha1, which is no longer accepted by modern clients; set default_md = sha256 before issuing anything real. A CRL is also only useful if the relying parties actually fetch it, so publish it where the crlDistributionPoints extension (or the consumer's configuration) says it is:
[root@centos68 serts]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=m20/OU=magedu/CN=ge/emailAddress=915954814@qq.com
        Last Update: Sep 18 16:29:55 2016 GMT
        Next Update: Oct 18 16:29:55 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 18 16:23:26 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         5e:d5:ea:90:79:bd:f3:ac:a0:bf:bc:d6:00:87:b3:b8:56:2f:
         26:fb:d2:d1:10:0f:af:30:67:8b:b9:21:5c:ab:69:c3:86:db:
         ee:3e:13:e9:7d:cd:d9:04:fd:f8:dc:cf:f2:04:a8:84:34:24:
         e0:08:13:60:5c:2e:f3:46:e7:fe:c6:63:86:79:18:df:66:9a:
         c6:a6:b3:bc:47:29:af:38:50:a0:24:42:ef:6c:71:73:2f:f3:
         53:1c:df:f5:f3:6d:af:45:ee:81:0b:c4:db:7d:64:51:f4:6b:
         cf:91:f8:f3:27:eb:ad:35:d2:f9:dd:51:63:e4:ad:d5:a7:77:
         1d:2d:24:e0:2c:43:b1:fa:41:d9:53:a0:67:25:95:b5:40:fe:
         fb:78:89:2c:59:38:ef:fd:58:51:e6:0b:1c:08:71:67:52:98:
         1e:45:d3:49:38:8c:39:c3:00:8b:75:41:9e:64:aa:35:f1:a5:
         5c:9a:2d:69:be:4e:f3:d2:2f:d9:3a:8d:e6:f7:52:f7:a8:2e:
         6b:fe:05:f2:10:6b:e4:f1:6a:e7:45:c6:f8:c6:d2:2c:eb:50:
         ba:a6:cb:c3:4c:ff:61:86:85:db:4a:91:ad:d3:76:3e:9a:99:
         dd:ad:83:1c:c6:91:de:3b:07:9d:b8:ae:27:c5:49:1e:56:25:
         9a:b2:7f:27
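The whole exercise above (CA, request, signing, verification, revocation, CRL) as one non-interactive bash script, added here as an example; it is not the post's own command sequence. It writes its own minimal openssl.cnf into a scratch directory instead of using /etc/pki/tls/openssl.cnf, so it never touches /etc/pki/CA; the names (m20, magedu, www.example.test, "demo root CA") are placeholders, and the scratch-directory layout is an assumption of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the CA exercise as one script.
# Own openssl.cnf in a scratch dir, so the system CA directory is untouched.
# All names (m20, magedu, www.example.test) are placeholders.
set -euo pipefail

# ca_init DIR: the layout "openssl ca" expects plus a minimal config.
# default_md sha256 replaces the sha1WithRSAEncryption seen in the post's CRL.
ca_init() {
    local ca=$1
    mkdir -p "$ca"/{certs,crl,newcerts,private}
    chmod 700 "$ca/private"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # umask 077 in a subshell: the key file is 0600 from the moment it exists.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -config "$ca/openssl.cnf" -extensions ca_cert \
        -subj "/C=CN/ST=beijing/L=beijing/O=m20/OU=magedu/CN=demo root CA"
}

# ca_csr DIR CN: server-side key and CSR. C, ST and O must equal the CA's
# because of policy_match; validity is set by the CA at signing time.
ca_csr() {
    local dir=$1 cn=$2
    mkdir -p "$dir"
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$dir/req.cnf"
    (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" -config "$dir/req.cnf" \
        -subj "/C=CN/ST=beijing/O=m20/OU=magedu/CN=$cn"
}

# ca_sign CADIR CSR OUT: -batch answers the two y/n prompts the post shows.
ca_sign() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days 365 -notext 2>/dev/null
}

# ca_revoke CADIR CERT: revoke (CERT is normally newcerts/<serial>.pem), then
# regenerate the CRL.
ca_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

# ca_verify CADIR CERT [crl]: chain check, optionally honouring the CRL
# (verify wants CA cert and CRL together in -CAfile). Prints ok or fail.
ca_verify() {
    local bundle="$1/cacert.pem" opts=""
    if [ "${3:-}" = crl ]; then
        bundle="$1/crl/ca_with_crl.pem"
        cat "$1/cacert.pem" "$1/crl/ca.crl" > "$bundle"
        opts="-crl_check"
    fi
    if openssl verify $opts -CAfile "$bundle" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_serial CERT: the serial as openssl ca records it (e.g. 01).
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# ca_demo: run the lifecycle in a scratch dir; prints "before=ok after=fail".
ca_demo() {
    local work crt serial before after
    work=$(mktemp -d)
    ca_init "$work/CA"
    ca_csr "$work/srv" www.example.test
    crt="$work/srv/www.example.test.crt"
    ca_sign "$work/CA" "$work/srv/www.example.test.csr" "$crt"
    before=$(ca_verify "$work/CA" "$crt")
    serial=$(cert_serial "$crt")
    ca_revoke "$work/CA" "$work/CA/newcerts/$serial.pem"
    after=$(ca_verify "$work/CA" "$crt" crl)
    rm -rf "$work"
    echo "before=$before after=$after"
}
```

The last two lines of ca_demo are the point of the exercise: a plain `openssl verify` still says ok after the revocation, and only `-crl_check` with the CRL loaded makes the revoked certificate fail. Whatever consumes the certificate (httpd, a browser, a client library) has to be told about the CRL in the same way.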
2. SSH's two authentication methods: password and key.
Key-based authentication, on a Linux client:
Step 1: generate a key pair on the client:
[root@localhost tmp]# ssh-keygen -t rsa
By default the pair is written to ~/.ssh/ (id_rsa and id_rsa.pub). -P '' creates the private key without a passphrase; to set or change the passphrase later, use ssh-keygen -p. (On current OpenSSH, prefer ssh-keygen -t ed25519, or at least an RSA key of 3072 bits or more.)
Step 2: put the public key into the home directory of the target user on the remote server.
Two ways: copy the file over with scp and append it with cat and a redirect to ~/.ssh/authorized_keys, or let ssh-copy-id do it, which also creates ~/.ssh with the right permissions:
[root@localhost ~]# ssh-copy-id -i .ssh/id_rsa.pub root@10.1.252.134
Note: ~/.ssh/authorized_keys on the server holds the public keys of the clients allowed to log in as that user; ~/.ssh/known_hosts on the client holds the host public keys of the servers it has connected to. Do not confuse the two.
Step 3: test (no password prompt means the key was accepted):
[root@localhost ~]# ssh 10.1.252.134
Last login: Mon Sep 19 00:59:38 2016
Logging in with key authentication from a Windows client:
Step 1: generate the key pair with the client tool, export the public key and transfer it to the target host. Xshell exports OpenSSH format, which can be appended as is; SecureCRT exports RFC 4716 format, which must be converted first. authorized_keys must be mode 600 and ~/.ssh mode 700, otherwise sshd (StrictModes) silently ignores the file:
## conversion for a SecureCRT key: ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
Transfer and append the public key (the "1024" in this file name suggests a 1024-bit RSA key, which is too weak today; generate 2048 bits or more, or ed25519):
[root@centos68 ~]# cat id_rsa_1024\ \(2\).pub >> .ssh/authorized_keys
Step 2: test the login:
Connecting to 10.1.252.134:22…
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Sep 22 11:21:24 2016 from 10.1.54.250
[root@centos68 ~]#
When the private key has a passphrase, it is asked for at every login. With an agent it is entered once per session:
start an agent with a shell under it: ssh-agent bash (or eval "$(ssh-agent -s)" to use it from the current shell);
add the key to the agent: ssh-add (asks for the passphrase once; ssh-add -l lists the loaded keys).
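Installing a key the way the steps above describe, with the checks that usually go wrong when it is done by hand, as an added example (bash; not code from the original post): the line is verified to be a public key, duplicates are not appended, the key can be limited with authorized_keys options, and the ownership and modes that sshd's StrictModes insists on are set and audited. The key line used in the test is a constructed placeholder, not a real key; the 10.1.252.0/24 network is the post's.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): install a public key into a
# user's authorized_keys with the checks that go wrong by hand. The key used
# in the usage note and test is a constructed placeholder.
set -euo pipefail

# valid_pubkey_line LINE: "keytype base64 [comment]" with a known key type.
valid_pubkey_line() {
    local re='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    [[ $1 =~ $re ]]
}

# install_pubkey HOME KEYLINE [OPTIONS]
# OPTIONS is an authorized_keys option list placed in front of the key, e.g.
#   from="10.1.252.0/24",no-port-forwarding,no-agent-forwarding,no-X11-forwarding
# which limits where the key may be used from and what it may do.
install_pubkey() {
    local home=$1 line=$2 opts=${3:-} sshdir ak blob
    valid_pubkey_line "$line" || { echo "refusing: not a public key line" >&2; return 1; }
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir"; chmod 700 "$sshdir"
    touch "$ak";        chmod 600 "$ak"
    # Duplicate check on "type blob" only, so re-running with a new comment or
    # different options does not add a second copy of the same key.
    blob=$(awk '{ print $1, $2 }' <<<"$line")
    if awk -v b="$blob" '{ for (i = 1; i < NF; i++)
                               if ($i ~ /^(ssh-|ecdsa-)/) { if (($i " " $(i+1)) == b) f = 1; break } }
                         END { exit !f }' "$ak"; then
        echo "already present in $ak" >&2
        return 0
    fi
    if [ -n "$opts" ]; then printf '%s %s\n' "$opts" "$line"; else printf '%s\n' "$line"; fi >> "$ak"
}

# check_ssh_perms HOME USER: what sshd (StrictModes yes, the default) rejects
# silently, leaving "key auth just does not work": home, ~/.ssh or
# authorized_keys owned by someone else or writable by group/other.
# Returns the number of problems found.
check_ssh_perms() {
    local home=$1 user=$2 bad=0 p mode owner
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p"); owner=$(stat -c '%U' "$p")
        if [ "$owner" != "$user" ]; then echo "BAD owner $owner: $p"; bad=$((bad + 1)); fi
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then echo "BAD mode $mode (group/other writable): $p"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# usage (the key is a placeholder):
#   install_pubkey /home/alice 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl alice@laptop' \
#       'from="10.1.252.0/24",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
#   check_ssh_perms /home/alice alice || echo "fix the permissions above"
```

The `from=` restriction is worth the typing even for a personal key: a key stolen from a laptop is useless from outside the listed network, which is the same defence the best-practice list above asks the firewall to provide, applied per key.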
3. Compile and install dropbear. The README in the tarball describes how to enable it in detail; INSTALL has the build details.
./configure fails without zlib-devel; install it first.
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
Starting the SSH service:
/usr/local/sbin/dropbear --help
mkdir /etc/dropbear
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key (dropbear looks for exactly this file name; the run below used dropbear_dsa_host_key instead, so it logged "Failed reading ... dropbear_dss_host_key" and disabled DSS, which is harmless since DSS host keys are obsolete anyway)
dropbear -p :2222 -F -E (run in the foreground, -F, and log to stderr, -E); dropbear -p :2222 (run in the background)
[root@localhost dropbear-2013.58]# dropbear -p :22222 -F -E
[7744] Sep 22 17:28:08 Failed reading '/etc/dropbear/dropbear_dss_host_key', disabling DSS
[7744] Sep 22 17:28:08 Not backgrounding
[7782] Sep 22 17:31:35 Child connection from 127.0.0.1:33668
[7782] Sep 22 17:31:40 Bad password attempt for 'root' from 127.0.0.1:33668
[7782] Sep 22 17:31:43 Password auth succeeded for 'root' from 127.0.0.1:33668
[7782] Sep 22 17:31:47 Exit (root): Disconnect received
^C[7744] Sep 22 17:32:30 Premature exit: Terminated by signal
Connecting with a client:
ssh -p 2222 root@127.0.0.1 (with the OpenSSH client; the session below used port 22222, matching the server run above)
[root@localhost ~]# ssh -p 22222 root@127.0.0.1
The authenticity of host '[127.0.0.1]:22222 ([127.0.0.1]:22222)' can't be established.
RSA key fingerprint is 3b:f0:f0:12:3c:c4:05:c4:03:25:a8:74:00:ed:06:7c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:22222' (RSA) to the list of known hosts.
root@127.0.0.1's password:
Permission denied, please try again.
root@127.0.0.1's password:
-bash: /bin/bash:: No such file or directory
[root@localhost ~]# exit
logout
dbclient -p 2222 root@127.0.0.1 (with dropbear's own client)
4. AIDE (Advanced Intrusion Detection Environment): a free, open-source host-based file integrity checker.
AIDE builds a database describing the files you tell it to watch; aide.conf is its configuration file. The database should not cover files that change all the time: log files, mail spools, the /proc file system, users' home directories, temporary directories and the like.
Edit the configuration, vim /etc/aide.conf, to choose which files are checked:
!/etc/mtab: the exclamation mark excludes this file from the check.
NORMAL = R+rmd160+sha256: defines a rule group; R is AIDE's predefined set of attributes (permissions, inode, owner, group, size, timestamps, checksum), extended here with RIPEMD-160 and SHA-256 checksums.
Initialise the AIDE database (the "atime in future" lines are warnings about file timestamps that lie ahead of the system clock; they do not stop the run):
[root@centos68 tmp]# aide --init
/etc/resolv.conf atime in future
/etc/gai.conf atime in future
/etc/host.conf atime in future
/etc/localtime atime in future
/etc/ld.so.cache atime in future
/etc/hosts atime in future
/etc/nsswitch.conf atime in future
…
This produces the baseline database. Keep a copy of the initial database on read-only media or on another host: a baseline that an intruder can rewrite proves nothing.
Rename the new database, dropping "new", so that --check will use it:
[root@centos68 local]# cd /var/lib/aide/
[root@centos68 aide]# ls
aide.db.new.gz
[root@centos68 aide]# mv aide.db.new.gz aide.db.gz
Check the system against the database; added, removed and changed files are reported:
[root@centos68 aide]# aide --check
Update the database after legitimate changes, or after editing the configuration file; this again writes aide.db.new.gz, which has to be renamed before it is used:
[root@centos68 aide]# aide --update
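What --init and --check do, in miniature, as an added example that is not from the original post or from AIDE itself: a bash baseline built from sha256sum and stat, a comparison that reports added, removed and changed files, and a constructed sample tree that is tampered with in the four ways an intruder typically would. GNU coreutils (sha256sum, stat -c, sort -z) are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a miniature of "aide --init"
# and "aide --check" using sha256sum and stat. The sample tree is constructed.
set -euo pipefail

# integrity_snapshot DB ROOT...: one line per regular file,
# "sha256 mode uid gid size<TAB>path". (mtime is left out of this demo so a
# bare "touch" is not a change; AIDE's NORMAL rule does include it.)
integrity_snapshot() {
    local db=$1; shift
    find "$@" -type f -print0 | sort -z |
    while IFS= read -r -d '' f; do
        printf '%s %s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %u %g %s' "$f")" "$f"
    done > "$db"
}

# integrity_init DB ROOT...: like "aide --init" plus the rename step. Copy the
# result to read-only media or another host: a baseline the attacker can
# edit proves nothing.
integrity_init() {
    integrity_snapshot "$@"
    chmod 400 "$1"
}

# integrity_check DB ROOT...: like "aide --check". Prints ADDED / REMOVED /
# CHANGED lines and returns 1 if there were any, 0 if the tree is unchanged.
integrity_check() {
    local db=$1 now rc=0; shift
    now=$(mktemp)
    integrity_snapshot "$now" "$@"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) { print "REMOVED " p; n++ }
            for (p in cur)
                if (!(p in base))           { print "ADDED " p; n++ }
                else if (cur[p] != base[p]) { print "CHANGED " p "  (" base[p] " -> " cur[p] ")"; n++ }
            exit n ? 1 : 0
        }' "$db" "$now" | sort || rc=$?
    rm -f "$now"
    return "$rc"
}

# integrity_demo: constructed tree, baseline, four kinds of tampering, check.
# The tree's own path is printed as ROOT so the output is stable.
integrity_demo() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"   # constructed content
    printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"
    printf '#!/bin/sh\necho ok\n' > "$root/bin/tool"; chmod 755 "$root/bin/tool"
    integrity_init "$root.db" "$root"
    printf 'PermitRootLogin yes\n' > "$root/etc/sshd_config"   # content changed
    chmod 4755 "$root/bin/tool"                                # setuid bit added, same content
    printf 'payload\n' > "$root/bin/.hidden"                   # new file
    rm -f "$root/etc/passwd"                                   # file removed
    integrity_check "$root.db" "$root" | sed "s#$root#ROOT#" || true
    rm -rf "$root" "$root.db"
}
```

The setuid case is why AIDE records permissions and not just checksums: the content of bin/tool is identical before and after, and a hash-only baseline would miss it.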
Original article by SilencePavilion. If you repost it, please credit the source: http://www.178linux.com/49814