SSH

Selected options

`-oBatchMode=yes` makes the [[../Linux/Linux命令/ssh命令|ssh command]] run in batch mode: interactive prompts are disabled, so when a password would be required, ssh exits immediately instead of waiting for user input.

`-oStrictHostKeyChecking=no` turns off host key verification in the ssh command: when connecting to a new host for the first time, ssh accepts the host's public key automatically instead of asking the user whether to accept it. This is useful in batch jobs and automation scripts because it avoids having to confirm every new host key by hand, but in some situations disabling host key verification can cause security problems, for example man-in-the-middle attacks. On OpenSSH 7.6 and later, `-o StrictHostKeyChecking=accept-new` is the safer choice for automation: unknown hosts are still accepted without a prompt, but the connection is refused if a known host's key has changed.

Other commonly used options:

- `-o ConnectTimeout=<seconds>`: connection timeout, in seconds.
- `-o User=<username>`: user name to log in as. Equivalent to `-l`.
- `-o Port=<port>`: port to connect to, default 22. Equivalent to `-p`.
- `-o IdentityFile=<filename>`: path of the private key file to use. Equivalent to `-i`.
- `-o LogLevel=<level>`: verbosity of log output. Common levels are QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
- `-o ForwardAgent=yes`: allow the authentication agent to be forwarded over the SSH connection.
- `-o TCPKeepAlive=yes`: enable TCP keepalives to keep the SSH connection stable.
- `-o Compression=yes`: enable compression to reduce the amount of data transferred and speed up transfers.


Several keys in the .ssh directory for different hosts: how to make each host use its own key

Create a `config` file in the .ssh directory and fill it in following the example below:

	Host 1.1.1.1
		IdentityFile ~/.ssh/1_id_rsa
	Host ser.domain.com
		IdentityFile ~/.ssh/ser_id_rsa

Specifying the private key manually

ssh -i /path/id_rsa_test-04 user@test-04

# Skip the host key check on first connection, i.e. do not show the prompt "Are you sure you want to continue connecting (yes/no/[fingerprint])?"
ssh -i /path/id_rsa_test-04 -oStrictHostKeyChecking=no user@test-04

Sending the public key to the target server

The ssh-copy-id command copies the public key of the specified key pair straight into the target user's .ssh/authorized_keys on the server, saving the manual copy step:

ssh-copy-id -i id_rsa [email protected]

RSA key login fails

[[../Linux/Ubuntu/Ubuntu22.04使用rsa密钥登录失败|Ubuntu 22.04: RSA key login fails]]


Blocking IPs that attempt SSH logins to the server

	# Source IPs of "Invalid user" lines that appear at least 10 times (the IP is the 10th field)
	DENY_IP_LIST=`cat /var/log/secure* | grep "Invalid user" | awk '{print $10}' | sort | uniq -cd | sort -n | awk '{if ($1 >= 10) print $2}' | grep '^[0-9]'`
	for a in $DENY_IP_LIST
	do
		# match the whole address field (":1.1.1.1:") so 1.1.1.1 is not mistaken for 1.1.1.10
		if ! grep -q ":$a:" /etc/hosts.deny; then
			echo "sshd:$a:deny # "`date +%F` >> /etc/hosts.deny
		fi
	done

The script above filters the "Invalid user root from 1.1.1.1 port 38866" entries in the Linux secure log (/var/log/secure) to find the IPs behind failed login attempts, counts the occurrences per IP, and adds every IP that exceeds the threshold (3 attempts in the script below) directly to /etc/hosts.deny to block further logins. Note that /etc/hosts.deny only takes effect when sshd is built with TCP wrappers (libwrap) support: CentOS 7's sshd has it, but upstream OpenSSH dropped it in 6.7 and RHEL 8 and later no longer ship tcp_wrappers, so on newer systems block the addresses with firewalld/nftables or a tool such as fail2ban instead.

#! /bin/bash
# Append "ALL:<ip>:deny" to /etc/hosts.deny for every IP read from stdin,
# skipping addresses already listed (matched as ":<ip>:", not as a substring,
# so that 1.1.1.1 does not hide 1.1.1.10)
deny_ips() {
    while read -r ip; do
        grep -q ":$ip:" /etc/hosts.deny || echo "ALL:$ip:deny" >> /etc/hosts.deny
    done
}
THRESHOLD=3

# 1. "Invalid user <name> from <ip> port <n>": the IP is the 10th field
cat /var/log/secure* | grep "Invalid user" | awk '{print $10}' | sort | uniq -cd | sort -n \
    | awk -v t="$THRESHOLD" '{if ($1 >= t) print $2}' | grep '^[0-9]' | deny_ips

# 2. pam_unix "authentication failure; ... rhost=<ip> user=<name>": the 14th field is "rhost=<ip>"
cat /var/log/secure* | grep rhost | awk '{print $14}' | awk -F '=' '{print $2}' | sort | uniq -cd | sort -n \
    | awk -v t="$THRESHOLD" '{if ($1 >= t) print $2}' | deny_ips

# 3. "Failed password for [invalid user] <name> from <ip> port <n> ssh2": the IP is the 4th field from the end
cat /var/log/secure* | grep "Failed password for" | awk '{print $(NF-3)}' | sort | uniq -cd | sort -n \
    | awk -v t="$THRESHOLD" '{if ($1 >= t) print $2}' | deny_ips
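As an added example (not the page's own script), the same three /var/log/secure line formats parsed in Python over constructed sample lines, with an exact-match check against existing hosts.deny entries so that a listed 203.0.113.9 does not hide 203.0.113.90 the way an unanchored grep would; the sample log and the IPs in it are made up for the demo.

```python
import re
from collections import Counter

# Source-IP extractors for the three /var/log/secure line formats the shell script greps for
PATTERNS = [
    re.compile(r"Invalid user \S* from (\S+) port \d+"),
    re.compile(r"authentication failure;.*\brhost=(\S+)"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def failed_logins_by_ip(lines):
    """Count failed-login lines per source IP (one hit per line, whichever pattern matches first)."""
    counts = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m and IPV4.match(m.group(1)):
                counts[m.group(1)] += 1
                break
    return counts

def new_deny_entries(lines, existing_hosts_deny, threshold=3):
    """Return hosts.deny lines for IPs at or above threshold that are not already listed."""
    listed = set()
    for entry in existing_hosts_deny.splitlines():
        fields = entry.split("#")[0].split(":")      # "ALL:<ip>:deny # comment"
        if len(fields) >= 2:
            listed.add(fields[1].strip())             # exact match on the address field
    counts = failed_logins_by_ip(lines)
    return [f"ALL:{ip}:deny" for ip, n in sorted(counts.items()) if n >= threshold and ip not in listed]

# Constructed sample log lines (not real traffic), one example of each format
SAMPLE_LOG = """\
Jul  1 10:00:01 host sshd[100]: Invalid user admin from 198.51.100.7 port 38866
Jul  1 10:00:02 host sshd[100]: Failed password for invalid user admin from 198.51.100.7 port 38866 ssh2
Jul  1 10:00:05 host sshd[101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Jul  1 10:00:09 host sshd[102]: Failed password for root from 203.0.113.9 port 4022 ssh2
Jul  1 10:00:12 host sshd[103]: Failed password for root from 203.0.113.9 port 4023 ssh2
Jul  1 10:00:20 host sshd[104]: Invalid user test from 203.0.113.90 port 5000
Jul  1 10:00:21 host sshd[104]: Invalid user test from 203.0.113.90 port 5001
Jul  1 10:00:22 host sshd[104]: Invalid user test from 203.0.113.90 port 5002
"""
EXISTING_HOSTS_DENY = "ALL:203.0.113.9:deny\n"   # a substring check would also (wrongly) cover 203.0.113.90

if __name__ == "__main__":
    print("\n".join(new_deny_entries(SAMPLE_LOG.splitlines(), EXISTING_HOSTS_DENY)))
```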

Installing google-authenticator and configuring 2FA (two-factor authentication) to harden CentOS logins

System: CentOS 7 x64 1804

yum install -y google-authenticator 	# install
google-authenticator					# start the configuration dialog

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M&cht=qr&chl=otpauth://totp/root@TEST-01%3Fsecret%3DOCT7BGIIG3TPHFEBT4ZHAXQJCY%26issuer%3DTEST-01

![](../../../media/Images/F2A-QRCode.png| 300)

Your new secret key is: OCT7BGIIG3TPHFEBT4ZHAXQJCY
Your verification code is 292118
Your emergency scratch codes are:
  75790075
  10624502
  34743379
  10201854
  30805825

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y	# If the server's and the phone's clocks disagree, the codes they compute differ. Allowing a time skew accepts codes within a range (from 1 before, current, 1 after = 3 codes, up to 8 before, current, 8 after = 17 codes). This can be adjusted later with WINDOW_SIZE 17 in ~/.google_authenticator.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

Edit /etc/pam.d/sshd and add the following line:

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive	# Add this line so that key-based logins do not skip the Google Authenticator prompt.

Restart the sshd service:

systemctl restart sshd

Running commands remotely over SSH

ssh user@remoteNode "df -h"

ssh user@remoteNode "cd /home ; ls"  # the double quotes are required: without them the second command (ls) runs locally; separate the two commands with a semicolon

[[../Windows/SSH隧道|SSH tunnels]]


CVE-2024-6387

Affected range: 8.5p1 <= OpenSSH < 9.8p1

On AlmaLinux OS 9, upgrade to openssh-8.7p1-38.el9_4.4.x86_64, the fixed build provided by the vendor (see its documentation):

dnf --refresh upgrade openssh

rpm -q openssh
openssh-8.7p1-38.el9_4.4.x86_64
