全面指南:OpenSSH和日志管理策略,轻松提升安全与运维效率
目录
-
日志管理
-
配置rsyslog服务器
-
openssh
-
Secure Shell 示例
-
SSH 主机密钥
-
配置基于 SSH 密钥的身份验证
[root@lnh ~]# cat /etc/redhat-release
CentOS Stream release 8 //查看当前系统版本
[root@lnh ~]# uname -r
4.18.0-257.el8.x86_64
//查看当前系统内核版本
[root@lnh ~]# dmesg
...
[ 5.273545] XFS (dm-2): Starting recovery (logdev: internal)
[ 5.323019] XFS (dm-2): Ending recovery (logdev: internal)
[ 5.397922] XFS (sda1): Ending clean mount
[ 7.026122] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.031966] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 7.034521] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.034533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.045958] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 7.050984] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 7.052685] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 7.052696] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
//可以查看系统所有的调试信息,日志(此处是centos8里面的)
[root@lnh ~]# tail -f /var/log/messages
Jul 19 16:39:01 lnh systemd-logind[976]: New session 1 of user root.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Paths.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Timers.
Jul 19 16:39:01 lnh systemd[1268]: Starting D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Listening on D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Sockets.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Basic System.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Default.
Jul 19 16:39:02 lnh systemd[1268]: Startup finished in 71ms.
Jul 19 16:39:02 lnh systemd[1]: Started User Manager for UID 0.
//系统标准错误日志信息;非内核产生的引导信息;各子系统产生的信息
[root@lnh ~]# cat /var/log/secure
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /etc/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Finished loading, compiling and executing 2 rules
Jul 19 16:18:44 localhost polkitd[962]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 19 16:18:44 localhost sshd[1062]: Server listening on 0.0.0.0 port 22.
Jul 19 16:18:44 localhost sshd[1062]: Server listening on :: port 22.
Jul 19 16:19:51 localhost systemd[1304]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul 19 16:19:51 localhost login[1083]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 19 16:19:51 localhost login[1083]: ROOT LOGIN ON tty1
Jul 19 16:20:53 localhost polkitd[935]: Loading rules from directory /etc/polkit-1/rules.d
...
//与安全相关的日志信息
// /var/log/maillog:邮件系统产生的日志信息
syslog和rsyslog服务均有两个进程:
syslogd:系统,非内核产生的日志信息。
klogd:内核,专门负责记录内核产生的日志信息。
[root@lnh ~]# ps aux |grep syslogd
root 1194 0.0 0.2 218472 5768 ? Ssl 16:37 0:00 /usr/sbin/rsyslogd -n
root 1355 0.0 0.0 12108 1088 pts/0 S+ 16:48 0:00 grep --color=auto syslogd
//一直都在
[root@lnh ~]# ps aux |grep klogd
root 1362 0.0 0.0 12108 1080 pts/0 S+ 16:51 0:00 grep --color=auto klogd
//当前没有
配置rsyslog服务器
我们首先要关闭虚拟机创建一个克隆,记住是完整克隆
lnh作为客户端,ip是192.168.222.250
xbz作为服务端,ip是192.168.222.251
在客户端:
[root@lnh ~]# vim /etc/rsyslog.conf
在客户端赋予权限访问服务端
[root@lnh ~]# systemctl restart rsyslog.service
//重启服务
在服务端:
[root@xbz ~]# vim /etc/rsyslog.conf
取消这四行的注释
[root@xbz ~]# systemctl restart rsyslog.service
//重启服务
[root@xbz ~]# systemctl stop firewalld.service
[root@xbz ~]# setenforce 0
//关闭防火墙
[root@xbz ~]# tail -f /var/log/secure
Jul 19 17:02:19 lnh sshd[1012]: Server listening on :: port 22.
Jul 19 17:03:03 lnh systemd[1258]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul 19 17:03:03 lnh login[1032]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 19 17:03:03 lnh login[1032]: ROOT LOGIN ON tty1
Jul 19 17:03:16 lnh sshd[1294]: Accepted password for root from 192.168.222.1 port 55495 ssh2
Jul 19 17:03:16 lnh sshd[1294]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 19 17:03:22 lnh sshd[1320]: Accepted password for root from 192.168.222.1 port 55497 ssh2
Jul 19 17:03:22 lnh sshd[1320]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 19 17:05:36 lnh sshd[1474]: Accepted password for root from 192.168.222.1 port 55524 ssh2
Jul 19 17:05:36 lnh sshd[1474]: pam_unix(sshd:session): session opened for user root by (uid=0)
//记录安全相关的东西
验证:
我们在客户端进行登录用户故意输入错误密码然后再登录
可以在服务的看到下面的信息
[root@xbz ~]# tail -f /var/log/secure
ser root by (uid=0)
Jul 19 17:24:37 lnh sshd[1410]: pam_unix(sshd:session): session closed for user root
Jul 19 17:24:41 lnh unix_chkpwd[1441]: password check failed for user (root)
Jul 19 17:24:41 lnh sshd[1439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.222.1 user=root
Jul 19 17:24:44 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:45 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:46 lnh unix_chkpwd[1442]: password check failed for user (root)
Jul 19 17:24:48 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:50 lnh unix_chkpwd[1443]: password check failed for user (root)
Jul 19 17:24:52 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: Accepted password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: pam_unix(sshd:session): session opened for user root by (uid=0)
openssh
Secure Shell 示例
lnh作为客户端,ip是192.168.222.250
xbz作为服务端,ip是192.168.222.251
[root@lnh ~]# ssh root@192.168.222.251 '/usr/sbin/ip a' //接命令的绝对路径,防止没有识别出命令
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:e8:25:ce brd ff:ff:ff:ff:ff:ff
inet 192.168.222.251/24 brd 192.168.222.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee8:25ce/64 scope link
valid_lft forever preferred_lft forever
//在同一网段下可以以远程用户身份(remoteuser)在远程主机(remotehost)上通过将输出返回到本地显示器的方式来执行单一命令
[root@lnh ~]# w
17:41:09 up 38 min, 2 users, load average: 0.02, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 17:02 38:20 0.28s 0.28s -bash
root pts/0 192.168.222.1 17:06 0.00s 0.13s 0.02s w
//w命令可以显示当前登录到计算机的用户列表。这对于显示哪些用户使用ssh从哪些远程位置进行了登录以及执行了何种操作等内容特别有用
SSH 主机密钥
[root@lnh ~]# cat ~/.ssh/known_hosts
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NXY9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh8=
//192.168.222.251是客户端远程服务端的ip地址 ecdsa-sha2-nistp256 是算法,AAAA这里是公钥
//主机ID存储在本地客户端系统上的 ~/.ssh/known_hosts 中
//此处也可以换ip地址,之后还是可以进行登录,因为公钥没有发生改变
[root@xbz ~]# cd /etc/ssh/
[root@xbz ssh]# ll
total 600
-rw-r--r--. 1 root root 577388 Apr 27 2020 moduli
-rw-r--r--. 1 root root 1770 Apr 27 2020 ssh_config
drwxr-xr-x. 2 root root 28 Jul 19 16:14 ssh_config.d
-rw-------. 1 root root 4269 Apr 27 2020 sshd_config
-rw-r-----. 1 root ssh_keys 492 Jul 19 16:18 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Jul 19 16:18 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 Jul 19 16:18 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 Jul 19 16:18 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2578 Jul 19 16:18 ssh_host_rsa_key
-rw-r--r--. 1 root root 554 Jul 19 16:18 ssh_host_rsa_key.pub
[root@xbz ssh]# less ssh_host_ecdsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSoeRQB8V3OnJODV2Pat9qBx6Gaytfm
jE6RKOrJgKaDGwVH70nfWMbZUYXfU3T8vKnz8AYOmXUZBBXkcZSM2kofAAAAoP4DJvj+Ay
b4AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NX
Y9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh
8AAAAhAP8Fsmj6nWXKoVWYgPeuv22eYQK8hQn4Wrr7PTXRlztaAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
//可以在服务端查看是否一样
[root@lnh ~]# ls /etc/ssh/*key*
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key.pub
//主机密钥存储在SSH服务器上的 /etc/ssh/ssh_host_key* 中
//有pub的是公钥,其他的是私钥
配置基于 SSH 密钥的身份验证
在客户端上面的操作:
[root@lnh ~]# ssh-keygen -t rsa //-t是指定算法 rsa算法
Enter file in which to save the key (/root/.ssh/id_rsa): //确认这个秘钥保存在括号里面那个目录里面?id_rsa是私钥
Enter passphrase (empty for no passphrase): //请设置私钥的密码
Enter same passphrase again: //重新输入私钥密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Tgi3RqIiIw0nt3uMxeuyw3J3DM3uN8PUK4ItiDoWlXM root@lnh
The key's randomart image is:
+---[RSA 3072]----+ //rsa算法 长度3072
| |
| |
|o o + o |
| * B E o |
|= = =o+ S. |
|o+ =.ooo. . |
| o+.+* o. . |
|+.*o+ * * . |
|++.=.+.o + |
+----[SHA256]-----+
[root@lnh ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts
//可以查看到私钥,pub结尾的是公钥
把这个客户机上面的公钥发送给服务端
[root@lnh ~]# ssh-copy-id root@192.168.222.251
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.251's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.222.251'"
and check to make sure that only the key(s) you wanted were added.
//因为我的公钥就是叫id_rsa.pub 这个名字所以直接用这个
//如果公钥不叫id_rsa.pub ,那么要指定位置 [root@lnh ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.222.251
在服务端查看:
[root@xbz ~]# ls .ssh/
authorized_keys
//这个就是传过来的公钥
在客户端:
[root@lnh ~]# ssh root@192.168.222.251
Last login: Tue Jul 19 17:05:36 2022 from 192.168.222.1
//可以查看到可以直接免密登录
在服务端也进行设置秘钥
[root@xbz ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FppTggRIQaZOQGlZHVBCOyG5RicFG80NYUU9xl8wCys root@xbz
The key's randomart image is:
+---[RSA 3072]----+
|=@&%@=+. o. |
|=B==++ =o o. |
|+o+o.Eo.=.. |
|oo . .= o |
|.. + S |
| o |
| |
| |
| |
+----[SHA256]-----+
[root@xbz ~]# ls .ssh/
authorized_keys id_rsa id_rsa.pub
[root@xbz ~]# ssh-copy-id root@192.168.222.250
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.222.250 (192.168.222.250)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.250's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.222.250'"
and check to make sure that only the key(s) you wanted were added.
在客户端查看:
[root@xbz ~]# ls .ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
在服务端登录验证:
[root@xbz ~]# ssh root@192.168.222.250
Last login: Tue Jul 19 17:24:54 2022 from 192.168.222.1
//直接免密登录
//scp命令常用选项
-r //递归复制
-p //保持权限
-P //端口
-q //静默模式
-a //全部复制
链接:https://www.cnblogs.com/tushanbu/p/16495244.html