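Getting the total video duration with JS and listening for playback progress
阿新 • Published: 2022-05-19
SSH Remote Management
Remote connections
Linux:
- ssh, port 22: data is transmitted encrypted
- telnet, port 23: data is transmitted in plaintext
Windows:
- rdp, port 3389: Remote Desktop Protocol
Packet capture demonstration
SSH transmits data encrypted
Telnet transmits data in plaintext
Enterprise interview question
# Write the ports of the following services or protocols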
ftp 21
ssh 22
telnet 23
dns 53
mysql 3306
http 80
https 443
rsync 873
Passwordless SSH connection
Authentication methods:
1. Username and password authentication
2. Key pair authentication
SSH key pair authentication workflow
# ssh-keygen: generate a key pair
Generating public/private rsa key pair.
# Save the key to a file; another path can be specified (just press Enter)
Enter file in which to save the key (/root/.ssh/id_rsa):
# Set a passphrase for the key pair; not needed here (just press Enter)
Enter passphrase (empty for no passphrase):
# Re-enter the passphrase (just press Enter)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ZtaU4r/a46kq2e2cTwifzqMw7P/AUfMkMJQOIKnAFU4 root@backup
The key's randomart image is:
+---[RSA 2048]----+
|o.oE..+. |
|ooo . .o . |
|o . o = + |
|. .o O |
| o S o |
| . . B + |
| +oo.+ o |
| .oo.=o+.o |
| .o+=X**. |
+----[SHA256]-----+
# The generated key pair
[root@backup ~]# ll /root/.ssh/
-rw------- 1 root root 1675 May 24 15:41 id_rsa
-rw-r--r-- 1 root root 393 May 24 15:41 id_rsa.pub
# Send the public key with ssh-copy-id; -i specifies the location of the public key
[root@backup ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.
ECDSA key fingerprint is SHA256:wGVlGAGUpQ81Lnju8l4JWZ1bkzS5HD2QLo+UGdeNrYc.
ECDSA key fingerprint is MD5:f3:9e:dd:de:07:39:20:cc:db:ca:78:6d:90:f7:76:f9.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
# Purpose of known_hosts in the .ssh directory
[root@backup ~]# cat ~/.ssh/known_hosts
10.0.0.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBqysXIuaFhCmbuIya4GFDxLImWGWWaBFdRic8ZKzabH7lOf1ekEvY6uqe23wNnn3HTYKRaOmcXJOJ1h6CBb2E8=
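# Records the servers that have been connected to; for a server that has not been connected to before (first connection), you must type yes
Key pair generation command: ssh-keygen
- Creates the hidden directory .ssh in the current user's home directory: mkdir ~/.ssh
- Sets the key storage directory .ssh to mode 700: chmod 700 ~/.ssh
- Writes the public key to the file ~/.ssh/id_rsa.pub
- Writes the private key to the file ~/.ssh/id_rsa
- Sets the private key file to mode 600: chmod 600 ~/.ssh/id_rsa
Sending the public key: ssh-copy-id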
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
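Type yes
Enter the password
- Creates the hidden directory .ssh in the specified user's home directory on the remote host
- Sets the key storage directory .ssh to mode 700
- Creates the file authorized_keys under ~/.ssh on the remote host
- Sets the authorized_keys file to mode 600
- Saves the public key content into the authorized_keys file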
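sshd's StrictModes check (on by default) refuses key login when the home directory, .ssh or authorized_keys is writable by other users, so the modes listed above are worth verifying after a manual setup. The following check is an added example, not part of the original post; the function names are hypothetical and the demo directory is constructed:

```bash
#!/bin/bash
# Added example (not from the original page): verify the modes listed above.
# Function names are hypothetical; the demo directory is constructed.

# Print the nine permission characters of a path, e.g. "rwx------".
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Compare one path with the expected permissions; absent paths are skipped.
check_mode() {
    local path=$1 want=$2 have
    [ -e "$path" ] || return 0
    have=$(perm_string "$path")
    [ "$have" = "$want" ] && return 0
    echo "BAD $path: $have (expected $want)"
    return 1
}

# Audit one .ssh directory; returns the number of findings (0 = clean).
audit_ssh_dir() {
    local dir=$1 bad=0
    check_mode "$dir"                 rwx------ || bad=$((bad + 1))
    check_mode "$dir/id_rsa"          rw------- || bad=$((bad + 1))
    check_mode "$dir/authorized_keys" rw------- || bad=$((bad + 1))
    return "$bad"
}

# Demo on a constructed directory where authorized_keys was left at 644.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
touch "$demo/.ssh/authorized_keys" && chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" || echo "findings: $?"
rm -rf "$demo"
```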
Use cases for passwordless login
1. Viewing information from servers in bulk
#!/bin/bash
[ $# -ne 1 ] && echo "請輸入執行的命令" && exit 1
for i in 5 7 8 31 41
do
echo "#########172.16.1.$i#####"
ssh [email protected].$i "$1"
done
2. Jump host
#!/bin/bash
#jumpserver
lb01=10.0.0.5
lb02=10.0.0.6
web01=10.0.0.7
web02=10.0.0.8
web03=10.0.0.9
nfs=10.0.0.31
backup=10.0.0.41
db01=10.0.0.51
m01=10.0.0.61
zabbix=10.0.0.71
menu(){
cat <<-EOF
+-------------------------+
| 1) lb01 |
| 2) lb02 |
| 3) web01 |
| 4) web02 |
| 5) web03 |
| 6) nfs |
| 7) backup |
| 8) db01 |
| 9) m01 |
| 10) zabbix |
| h) help |
+-------------------------+
EOF
}
# Call the menu function
menu
# Connect function
connect(){
    ping -c 1 -w 1 "$1" &>/dev/null
    if [ $? -eq 0 ];then
        ssh "root@$1"
    else
        echo -e "\033[5;4;40;31m 別連了,我的哥,$2:$1機器都沒開!!!\033[0m"
    fi
}
# Block Ctrl+C and Ctrl+Z input
trap "" HUP INT TSTP
while true
do
    read -p "請輸入要連線的主機編號:" num
    case $num in
        1|lb01)
            connect $lb01 lb01
            ;;
        2|lb02)
            connect $lb02 lb02
            ;;
        3|web01)
            connect $web01 web01
            ;;
        4|web02)
            connect $web02 web02
            ;;
        5|web03)
            connect $web03 web03
            ;;
        6|nfs)
            connect $nfs nfs
            ;;
        7|backup)
            connect $backup backup
            ;;
        8|db01)
            connect $db01 db01
            ;;
        9|m01)
            connect $m01 m01
            ;;
        10|zabbix)
            connect $zabbix zabbix
            ;;
        h|help)
            clear
            menu
            ;;
        close)
            break
            ;;
    esac
done
SSH security hardening
# Configuration file
[root@m01 ~]# vim /etc/ssh/sshd_config
# Change the default port
Port 52022
# Disable reverse DNS lookups
UseDNS no
# Forbid root login
PermitRootLogin no
# Forbid password login
PasswordAuthentication no
# Disable GSSAPI authentication
GSSAPIAuthentication no
# Restart the service
[root@m01 ~]# systemctl restart sshd
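An added example (not part of the original post) that checks a config file against the five values above. It accounts for sshd using the first value it reads for a keyword and for Match blocks being conditional; the function names are hypothetical and the sample config is constructed:

```bash
#!/bin/bash
# Added example (not from the original page): audit an sshd_config against the
# five settings above. Function names are hypothetical.

# Print the effective global value of a keyword. sshd keeps the first value it
# reads, keywords are case-insensitive, and Match blocks apply conditionally.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, accept key=value
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print each deviation from the page's values; return how many were found.
audit_sshd_config() {
    local file=$1 bad=0 key want have
    while read -r key want; do
        have=$(effective_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "DEVIATION $key: ${have:-unset} (page sets $want)"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Port 52022
UseDNS no
PermitRootLogin no
PasswordAuthentication no
GSSAPIAuthentication no
EOF
    return "$bad"
}

# Constructed sample: root login is enabled by an earlier line, and GSSAPI is
# only switched off inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 52022
UseDNS no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    GSSAPIAuthentication no
EOF
audit_sshd_config "$sample" || echo "deviations: $?"
rm -f "$sample"
```

Running `sshd -t` before `systemctl restart sshd` catches syntax errors before they stop the daemon from starting.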
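# Solutions
If the following problems appear after hardening SSH
1. No regular user exists
useradd zh (if the user cannot be created, enter single-user mode)
2. The key was not pushed from Windows
Generate a key pair on Windows
- Run ssh-keygen from the Windows command line
- Use Xshell
Generating a key pair with Xshell
Generate the key pair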
[hz@m01 ~]$ mkdir .ssh
[hz@m01 ~]$ chmod 700 .ssh
[hz@m01 ~]$ vim .ssh/authorized_keys
1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApiqMuZeV5gNd/GOa0wCgofxUyXVF yUK9gpZokHGbAUPRmmzy8xX5+bic0pM5JQWVidQwmPIpFxbQQXBcXUT1FrMExw8r VJBvW2C7ktxpyYxxV7pP3Lwd8XzlEW2NfXU7Eyvk5uxULmEGTWSrh9YEr82EFHLQ v4yIVua7JBz3iqebCmWKGWvjkJ8yLjyzPbXlY2Ju7KWMpCjly5AddNXWv01mPff0 ebzR2koT8xU81wosfaTzPhRRi6OT5b27g8J1iW+qPfiRiyiPNjMP7buC7XoaVuop xsvZb9ogZFfMtVz0w7Av+mbul6U0jLMFnzJwkqv9XGlqWGWBjbNsDbTDkw==
[hz@m01 ~]$ chmod 600 .ssh/authorized_keys
Generating a key pair non-interactively
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
-t: specifies the key type
-P: empty passphrase
-f: where the key is generated
Pushing the public key non-interactively
#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
# Using a loop
#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
for n in `cat /root/1.txt`;do
ssh-copy-id -i ~/.ssh/id_rsa.pub root@$n
done
# Solving the interactive prompt problem
1. Using expect
#!/usr/bin/expect
set ip 172.16.1.31
set pass 1
set timeout 30
spawn ssh-keygen
expect {
"id_rsa):" {send "\r"; exp_continue}
"passphrase):" {send "\r"; exp_continue}
"again:" {send "\r"}
}
expect eof
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$ip
expect {
"(yes/no)" {send "yes\r"; exp_continue}
"password:" {send "$pass\r"}
}
#expect "root@*" {send "df -h\r"}
#expect "root@*" {send "df -h\r"}
expect eof
2. Using sshpass
[root@m01 ~]# yum install -y sshpass
[root@m01 ~]# ssh -o 'StrictHostKeyChecking no' [email protected]
[root@m01 ~]# sshpass -p 1 ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub [email protected]
######################################################
[root@m01 ~]# vim 1.txt
172.16.1.31
172.16.1.41
172.16.1.7
172.16.1.8
[root@m01 ~]# vim send_public_key.sh
#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
for n in `cat /root/1.txt`;do
sshpass -p 1 ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$n
done
# When the passwords differ between hosts
[root@m01 ~]# vim /root/2.txt
172.16.1.31:1
172.16.1.41:
172.16.1.5:3
172.16.1.7:4
172.16.1.8:111
#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
# /root/2.txt holds the ip:password entries
for n in `cat /root/2.txt`;do
    pass=`echo $n|awk -F ':' '{print $2}'`
    ip=`echo $n|awk -F ':' '{print $1}'`
    sshpass -p "$pass" ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip
done
Improved script
#!/bin/bash
. /etc/init.d/functions
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
for n in `cat /root/2.txt`;do
    pass=`echo $n|awk -F ':' '{print $2}'`
    ip=`echo $n|awk -F ':' '{print $1}'`
    sshpass -p "$pass" ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip &>/dev/null
    if [ $? -eq 0 ];then
        action "$ip send public key " /bin/true
    else
        action "$ip send public key " /bin/false
    fi
done
# Improved script without the if test
#!/bin/bash
. /etc/init.d/functions
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null
for n in `cat /root/2.txt`;do
    pass=`echo $n|awk -F ':' '{print $2}'`
    ip=`echo $n|awk -F ':' '{print $1}'`
    sshpass -p "$pass" ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip &>/dev/null && \
    action "$ip send public key " /bin/true || \
    action "$ip send public key " /bin/false
done
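The awk -F ':' split used above truncates any password that contains a colon and mishandles an entry with an empty password such as 172.16.1.41:. The following is an added example, not the author's script, that handles both cases; it also hands the password to sshpass with -e and uses StrictHostKeyChecking=accept-new (OpenSSH 7.6 or later) in place of the page's options. Function names are hypothetical and the list is constructed:

```bash
#!/bin/bash
# Added example (not from the original page). parse_entry and push_keys are
# hypothetical names; the host list below is constructed.

# Split "ip:password" on the FIRST colon only, so a password containing ':'
# stays intact. Sets ENTRY_IP / ENTRY_PASS; fails on a missing address or an
# empty password (such as the 172.16.1.41: entry).
parse_entry() {
    ENTRY_IP= ENTRY_PASS=
    case $1 in
        *:*) ENTRY_IP=${1%%:*}; ENTRY_PASS=${1#*:} ;;
        *)   return 1 ;;
    esac
    [ -n "$ENTRY_IP" ] && [ -n "$ENTRY_PASS" ]
}

# Push the key to every valid entry; returns the number of skipped lines.
# DRY_RUN=1 prints the targets without connecting.
push_keys() {
    local line skipped=0
    # The list is read on fd 3 so the ssh processes cannot consume it via stdin.
    while IFS= read -r line <&3 || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if ! parse_entry "$line"; then
            echo "SKIP ${line%%:*}"
            skipped=$((skipped + 1))
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "PUSH root@$ENTRY_IP"
        else
            # -e takes the password from $SSHPASS rather than the command
            # line; accept-new (OpenSSH 7.6+) pins a new host key but still
            # rejects a changed one.
            SSHPASS=$ENTRY_PASS sshpass -e ssh-copy-id \
                -o StrictHostKeyChecking=accept-new \
                -i ~/.ssh/id_rsa.pub "root@$ENTRY_IP" >/dev/null
        fi
    done 3< "$1"
    return "$skipped"
}

list=$(mktemp)
printf '%s\n' '172.16.1.31:1' '172.16.1.41:' '172.16.1.5:p:w' > "$list"
DRY_RUN=1 push_keys "$list" || echo "skipped entries: $?"
rm -f "$list"
```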