Some preface-style rambling
This post covers a lot of ground: the OpenSSH service, network configuration, log management and the time server, four parts in all. To make it easier to read, some of the content is presented as GIFs, which show things more directly. As for why this is called 4.1: only after publishing the previous post did I notice that I never had a part 3, and since this one has so much material I wanted to split it into two parts.
The openssh-server package provides the secure, encrypted remote login service: the SSH protocol on tcp/22, the counterpart of telnet on tcp/23. It also provides scp (secure remote file copy) and sftp (secure, interactive FTP-style transfer). It combines asymmetric and symmetric encryption, as IPsec VPNs do.
ssh -X <user>@<IP> (forwards the display of graphical programs run on the remote machine back to you)
On the first login you are asked whether you really want to connect:
[root@server0 .ssh]# ssh root@192.168.140.128
The authenticity of host '192.168.140.128 (192.168.140.128)' can't be established.
ECDSA key fingerprint is SHA256:Xqb6ZoNqLjAN40kHSbCSubYS91qpJqJ6hPNLB4BsOqs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.140.128' (ECDSA) to the list of known hosts.
root@192.168.140.128's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Oct 13 18:32:21 2019
[root@ropu ~]#
Installing the openssh-server package automatically generates a set of host keys. The unit that generates them:
[root@localhost ~]# systemctl list-unit-files |grep ssh
anaconda-sshd.service static
sshd-keygen@.service disabled
sshd.service enabled # the openssh-server service unit
sshd@.service static
sssd-ssh.service indirect
sshd.socket disabled
sssd-ssh.socket disabled
sshd-keygen.target static # generates the host keys automatically
[root@localhost ~]#
Key location: /etc/ssh/
If sshd finds these files missing from that directory, it recreates them automatically at startup; tested as follows. Because the new host key no longer matches the one the client has recorded, the next connection fails:
[root@server0 .ssh]# ssh root@192.168.79.129
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:nHFemHfJ8OCvk9xLlUR/7oE3ka57VUubDib3BlQkPwY.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
ECDSA host key for 192.168.79.129 has changed and you have requested strict checking.
Host key verification failed.
[root@server0 .ssh]#
At that point, go to the .ssh directory in the user's home directory and delete the known_hosts file or remove the relevant entry from it.
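The warning above names both the offending line (`known_hosts:1`) and the new fingerprint, and the same message appears when someone is intercepting the connection, so the new fingerprint should be confirmed through another channel (on the server console, for instance) before anything is deleted. The Python below is an added example, not code from the original post: it computes OpenSSH's SHA256 fingerprint from a known_hosts entry, reports the same match / changed / unknown outcome and offending line number as the client, and removes only that line instead of the whole file; the hosts and keys in it are constructed sample data.

```python
import base64
import hashlib

# Constructed sample data: the "keys" are base64 of arbitrary bytes, not real ECDSA keys,
# which is enough here because the fingerprint is just SHA256 of the decoded blob.
OLD_KEY = base64.b64encode(b"constructed old host key blob").decode()
NEW_KEY = base64.b64encode(b"constructed regenerated host key blob").decode()
KNOWN_HOSTS = (f"192.168.79.129 ecdsa-sha2-nistp256 {OLD_KEY}\n"
               f"192.168.140.128 ecdsa-sha2-nistp256 {NEW_KEY}\n")


def fingerprint(b64_key):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_host_entries(known_hosts, host):
    """Yield (line_number, key_type, b64_key) for every plain-text entry naming host.
    Hashed entries ('|1|...') cannot be matched by name here and are skipped."""
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith(("#", "|1|")):
            continue
        if host in fields[0].split(","):
            yield lineno, fields[1], fields[2]


def check_host_key(known_hosts, host, key_type, server_b64_key):
    """Compare the key the server presents (e.g. copied from ssh-keyscan output) with the
    stored one. Returns (status, stored_line, server_fingerprint); status is 'match',
    'changed' (the 'Offending ... key in known_hosts:N' case) or 'unknown' (first contact)."""
    server_fp = fingerprint(server_b64_key)
    for lineno, stored_type, stored_key in find_host_entries(known_hosts, host):
        if stored_type == key_type:
            status = "match" if fingerprint(stored_key) == server_fp else "changed"
            return status, lineno, server_fp
    return "unknown", None, server_fp


def drop_line(known_hosts, lineno):
    """Return known_hosts with only line number lineno removed; other hosts stay trusted."""
    lines = known_hosts.splitlines(keepends=True)
    del lines[lineno - 1]
    return "".join(lines)
```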
Generating a key pair on the client: ssh-keygen -t rsa
Besides password login, ssh also supports passwordless login: the public key of an authorized client is placed on the server.
Of course, you could also hand that key file out to others (insecure, don't try it), and then other machines could use the file to log in without a password.
After the client sends its public key to the server, the server creates an authorized_keys file.
Configuration file: /etc/ssh/sshd_config
1) Disable root login:
[root@localhost ~]# cat /etc/ssh/sshd_config |grep Root
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@localhost ~]#
After editing the configuration file, reload it without restarting the service:
[root@localhost ~]# systemctl reload sshd
2) Disable password login:
[root@localhost ~]# vim /etc/ssh/sshd_config
[root@localhost ~]# cat /etc/ssh/sshd_config |grep Password
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[root@localhost ~]#
3) Disable reverse DNS lookups:
[root@localhost ~]# cat /etc/ssh/sshd_config |grep DNS
UseDNS no
[root@localhost ~]#
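The three settings above are easy to get wrong because sshd ignores commented lines (so `#PasswordAuthentication yes` leaves the compiled-in default in force) and uses the first occurrence of a keyword, so a `no` appended at the end of the file loses to a `yes` higher up. The added Python checker below (not from the original post) resolves sshd_config the way sshd does and reports which of the three settings still deviate; the sample configs are constructed and the defaults are those of OpenSSH 7.0 and later.

```python
import re

# Constructed sample files, not the page's own /etc/ssh/sshd_config.
WEAK_CONFIG = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
# A commented directive is ignored, so this leaves the compiled-in default (yes):
#PasswordAuthentication yes
UseDNS yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS no
Match User backup
    PasswordAuthentication yes
"""

# Compiled-in defaults (OpenSSH 7.0+) and the values the post sets.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "usedns": "no"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "permitemptypasswords": "no", "usedns": "no"}


def effective_settings(text):
    """Global-scope directives as sshd resolves them: comment lines ignored, keywords
    case-insensitive, 'Keyword value' or 'Keyword=value', and the FIRST occurrence of a
    keyword wins. Parsing stops at the first Match block, whose directives are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit(text):
    """Return (keyword, effective_value, wanted_value) for every check that fails."""
    eff = effective_settings(text)
    return [(k, eff[k], WANTED[k]) for k in WANTED if eff[k].lower() != WANTED[k]]
```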
ifconfig -a lists all network interfaces.
Note: ifconfig on its own shows only the interfaces that are up.
nmcli device lists the network devices:
[root@server0 ~]# nmcli device
DEVICE TYPE STATE CONNECTION
ens160 ethernet connected ens160
(device name, type, state, connection profile name; the profile's file is /etc/sysconfig/network-scripts/ifcfg-ens160)
virbr0 bridge connected virbr0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
[root@server0 ~]#
Configuration files:
[root@server0 network-scripts]# cd /etc/sysconfig/network-scripts/
[root@server0 network-scripts]# ls
ifcfg-ens160
[root@server0 network-scripts]#
Listing the connection profiles:
[root@server0 network-scripts]# nmcli connection show
NAME UUID TYPE DEVICE
ens160 4364cddc-97ab-4a29-a7ef-2e1d9749c98c ethernet ens160
virbr0 412bcc7d-5cfe-4679-9cbc-48f2b5091f1e bridge virbr0
[root@server0 network-scripts]#
Viewing a profile's settings:
[root@server0 network-scripts]# nmcli connection show ens160
connection.id: ens160
connection.uuid: 4364cddc-97ab-4a29-a7ef-2e1d9749c98c
connection.stable-id: --
connection.type: 802-3-ethernet
connection.interface-name: ens160
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1570937337
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
802-3-ethernet.port: --
802-3-ethernet.speed: 0
802-3-ethernet.duplex: --
802-3-ethernet.auto-negotiate: no
802-3-ethernet.mac-address: --
802-3-ethernet.cloned-mac-address: --
802-3-ethernet.generate-mac-address-mask:--
802-3-ethernet.mac-address-blacklist: --
802-3-ethernet.mtu: auto
802-3-ethernet.s390-subchannels: --
802-3-ethernet.s390-nettype: --
802-3-ethernet.s390-options: --
802-3-ethernet.wake-on-lan: default
802-3-ethernet.wake-on-lan-password: --
ipv4.method: auto # auto: obtain the address via DHCP; manual: static configuration
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: ""
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
Small experiment: add a second network card, create a connection profile for it, and leave address assignment at the default, DHCP.
Run ifconfig -a and note that the new device is named ens224.
Create the profile for the new card with nmcli:
nmcli connection add con-name elapse ifname ens224 autoconnect yes type ethernet
Activating the profile: a profile must be activated after it is created and after every change.
If, after adding the profile, it looks like this (GIF in the original), the profile still has to be activated.
Then give it these settings:
IP: 192.168.0.201/24
gateway: 192.168.0.254
DNS1: 8.8.8.8
DNS2: 8.8.4.4
Configuration (GIF in the original):
Verification: IP address, gateway and DNS (GIFs in the original).
Note: nmcli only works while NetworkManager is running.
Changing the hostname:
[root@server0 network-scripts]#
[root@server0 network-scripts]# hostnamectl set-hostname server1.example.com # takes effect permanently
[root@localhost ~]# cd /var/log/
[root@localhost log]# ls
anaconda firewalld secure-20191013
audit #audit daemon records (not file auditing) gdm speech-dispatcher
boot.log #boot messages glusterfs #client of the distributed file system spooler
boot.log-20191013 insights-client spooler-20191013
btmp lastlog #last-login records sssd
btmp-20191013 libvirt swtpm
chrony maillog #mail log tuned #automatic tuning daemon
cron #scheduled tasks maillog-20191013 vmware-network.1.log
cron-20191013 messages #general system log vmware-network.log
cups messages-20191013 vmware-vgauthsvc.log.0
dnf.librepo.log private vmware-vmsvc.log
dnf.librepo.log-20191013 qemu-ga vmware-vmusr.log
dnf.log README wtmp
dnf.log-20191013 rhsm Xorg.9.log
dnf.rpm.log samba #smb service
dnf.rpm.log-20191013 secure #security (authentication) log
Facility | Description |
---|---|
kern | kernel |
authpriv | authorization and security |
cron | scheduled tasks |
mail | mail system |
daemon | system daemons |
syslog | messages generated by rsyslog itself |
local0~local7 | custom local facilities |
Level | Name | Meaning |
---|---|---|
0 | EMERG (emergency) | The system is unusable |
1 | ALERT | Action must be taken immediately |
2 | CRIT (critical) | Serious conditions |
3 | ERR (error) | Errors during operation |
4 | WARNING | Events that may affect system functionality |
5 | NOTICE | Does not affect the system but is worth noting |
6 | INFO | General information |
7 | DEBUG | Program or system debugging information |
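Every syslog message carries the two tables above as one number, PRI = facility * 8 + level, and the classic rsyslog.conf rules (for example `*.info;mail.none;authpriv.none;cron.none` for /var/log/messages and `authpriv.*` for /var/log/secure) are matched against exactly those two values. The added Python below (not from the original post) decodes the PRI prefix of a message as it would arrive on tcp/514 and evaluates such a selector the way syslogd does, applying its parts in order; the facility codes are the standard ones and the sample message is constructed.

```python
import re

# Standard facility codes (RFC 3164) for the facilities listed above; local0-7 are 16-23.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}
# Severity codes 0-7, in the same order as the level table above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(pri):
    """PRI = facility * 8 + severity; return both as names."""
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITIES[sev]


def split_pri(message):
    """Split a '<PRI>...' message as it arrives on tcp/514 into (facility, severity, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", message, re.S)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("message has no valid PRI field")
    return (*parse_pri(int(m.group(1))), m.group(2))


def selector_matches(selector, facility, severity):
    """Evaluate a classic rsyslog.conf selector ('fac[,fac].level', several joined by ';')
    for one message, applying the parts left to right as syslogd does:
    a bare level = that level and everything more severe, '=lvl' = exactly that level,
    'none' = drop the facility, '!lvl' = remove that level and more severe ones,
    '!=lvl' = remove exactly that level, '*' = any facility / any level."""
    idx = SEVERITIES.index(severity)
    logged = False
    for part in selector.split(";"):
        facs, level = part.strip().rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            logged = False
        elif level == "*":
            logged = True
        elif level.startswith("!="):
            logged = logged and idx != SEVERITIES.index(level[2:])
        elif level.startswith("!"):
            logged = logged and idx > SEVERITIES.index(level[1:])
        elif level.startswith("="):
            logged = idx == SEVERITIES.index(level[1:])
        else:
            logged = idx <= SEVERITIES.index(level)
    return logged
```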
[root@localhost ~]# vim /etc/rsyslog.conf
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# netstat -natp |grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 11420/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 11420/rsyslogd
Writing an entry to the messages log (GIF in the original).
Writing an entry to the secure log (GIF in the original).
Log rotation configuration file: /etc/logrotate.conf
For the rest of the syntax, look it up yourself with man.
The journalctl tool: analyzing the journal
[root@localhost 5cfd8520d321437e8c109f9c8827113e]#
[root@localhost 5cfd8520d321437e8c109f9c8827113e]# cd /run/log/journal/
[root@localhost journal]# ls
5cfd8520d321437e8c109f9c8827113e
[root@localhost journal]# cd 5cfd8520d321437e8c109f9c8827113e/
[root@localhost 5cfd8520d321437e8c109f9c8827113e]# ls
system.journal
[root@localhost 5cfd8520d321437e8c109f9c8827113e]# file system.journal
system.journal: Journal file, online
[root@localhost 5cfd8520d321437e8c109f9c8827113e]#
[root@localhost etc]# journalctl -p err -t rsyslogd # journalctl reads the journal contents
-- Logs begin at Sun 2019-10-13 17:27:32 CST, end at Sun 2019-10-13 22:27:34 CST. --
Oct 13 17:27:46 ropu.example.com rsyslogd[1654]: imjournal: fscanf on state file `/var/lib/rsyslog/imjou>
Oct 13 17:27:46 ropu.example.com rsyslogd[1654]: imjournal: ignoring invalid state file /var/lib/rsyslog>
lines 1-3/3 (END)
[root@localhost /]# timedatectl set-timezone Asia/Shanghai
[root@localhost /]#
[root@localhost /]#
[root@localhost /]# timedatectl status
Local time: Sun 2019-10-13 22:44:05 CST
Universal time: Sun 2019-10-13 14:44:05 UTC
RTC time: Sun 2019-10-13 14:44:05
Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: no
NTP service: inactive
RTC in local TZ: no
[root@localhost /]#
[root@localhost /]# timedatectl set-time 10:10:10