A while ago I was maintaining Linux servers remotely, using SSH, the legendary secure shell.
Log in: ssh -l user [hostname]
Enter password: *****
Once logged in you can control the machine just like your own, only without a graphical interface. The two Linux versions I have used (SUSE and FC5) both ship a tool with an FTP-like interface. When connecting with such a tool, choose SSH and fill in the server's SSH port; the default is 22, but it still has to be typed in by hand. Once connected, using the FTP interface and the shell side by side improves productivity.
A simple transfer command: scp
scp /etc/php.ini user@www.linuxidc.com:/home/user
copies the local file /etc/php.ini to www.linuxidc.com, into the home directory of the user user. After running the command you are asked for the password, then the transfer starts.
scp user@www.linuxidc.com:/etc/php.ini /home/user2
copies the file /etc/php.ini on the host www.linuxidc.com to the local directory /home/user2.
ssh -l user -p 22 britepic.org
Enter the password and you are logged in.
-l login_name
Specifies the user to log in as on the remote machine. Without this option you can also just type ssh host; it then logs in as the user you are currently running as. Example: ssh -l root www.britepic.org
===================================================
-c blowfish|3des
Selects the cipher used to encrypt the session. The default is 3des; 3des (triple data encryption) uses three different keys to encrypt-decrypt-encrypt the data three times. blowfish is a fast block cipher; it is more secure and faster than 3des.
===================================================
-v
Verbose mode. Makes ssh print debugging messages about its progress, which helps a lot when debugging connection, authentication and configuration problems.
===================================================
-f
Asks ssh to go to the background before executing the command. Use this when ssh must ask for a password or passphrase but you want it to run in the background; it is best to add -l user as well. A typical use is starting X11 programs at a remote site, something like ssh -f host xterm.
===================================================
-i identity_file
Selects the file from which the RSA identity is read. The default is .ssh/identity in the user's home directory.
===================================================
-n
Redirects stdin from /dev/null (in fact, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use it to run X11 programs on a remote machine; for example, ssh -n shadows.cs.hut.fi emacs & starts emacs on shadows.cs.hut.fi, and the X11 connection is forwarded automatically over the encrypted channel. ssh puts itself in the background. (This does not work if ssh needs to ask for a password.)
===================================================
-t
Forces pseudo-tty allocation. This lets you run arbitrary screen-based programs on the remote machine, for example menu services.
===================================================
-C
Requests compression of all data (including stdin, stdout, stderr, and X11 and TCP/IP forwarded connections). The compression algorithm is the same as gzip's, but the level cannot be controlled. Compression is a good choice over modem or slow links, but on a fast network it will only slow things down.
=====================================================
-p port
Port to connect to on the remote machine. Without this option the default is 22.
======================================================
-P
Use a non-privileged port for outgoing connections. Use this if your firewall does not permit connections from privileged ports. Note that this option turns off RhostsAuthentication and RhostsRSAAuthentication.
=====================================================
-L listen-port:host:port
Forwards the given local port to the given port on the destination host.
====================================================
-R listen-port:host:port
Forwards the given remote port to the given port on the local side.
-2 Forces ssh to use protocol version 2.
-4 Forces ssh to use IPv4 addresses only.
-6 Forces ssh to use IPv6 addresses only.
=====================================================
-g
Allows remote hosts to connect to local forwarded ports.
-a
Disables forwarding of the authentication agent connection.
-e character
Sets the escape character.
scp ʹÓà scp ÔÚÔ¶³Ì»úÆ÷ÉÏ copy µµ°¸
======================================================
copy ±¾µØµÄµµ°¸µ½Ô¶³ÌµÄ»úÆ÷ÉÏ
scp /etc/lilo.conf my@
www.britepic.org:/home/my»á½«±¾µØµÄ /etc/lilo.conf Õâ¸öµµ°¸ copy µ½
www.britepic.org£¬Ê¹ÓÃÕßmy µÄ¼ÒĿ¼Ï¡£
=====================================================
copyÔ¶³Ì»úÆ÷Éϵĵµ°¸µ½±¾µØÀ´
scp my@
www.britepic.org:/etc/lilo.conf /etc
»á½«
http://www.britepic.org ÖÐ /etc/lilo.conf µµ°¸ copy µ½±¾µØµÄ /etc Ŀ¼Ï¡£
=====================================================
±£³Ö´ÓÀ´Ô´ host µµ°¸µÄÊôÐÔ
scp ¨Cp my@
www.britepic.org:/etc/lilo.conf /etc
ssh-keygen
²úÉú¹«¿ªÔ¿ (pulib key) ºÍ˽ÈËÔ¿ (private key)£¬ÒÔ±£ÕÏ ssh Áª»úµÄ°²ÐÔ.
µ± ssh Á¬ shd ·þÎñÆ÷£¬»á½»»»¹«¿ªÔ¿ÉÏ£¬ÏµÍ³»á¼ì²é /etc/ssh_know_hosts ÄÚ´¢´æµÄ key£¬Èç¹ûÕÒµ½¿Í»§¶Ë¾ÍÓÃÕâ¸ö key ²úÉúÒ»¸öËæ»ú²úÉúµÄsession key ´«¸ø·þÎñÆ÷£¬Á½¶Ë¶¼ÓÃÕâ¸ö key À´¼ÌÐøÍê³É ssh Ê£ÏÂÀ´µÄ½×¶Î¡£
Ëü»á²úÉú identity.pub¡¢identity Á½¸öµµ°¸£¬Ë½ÈËÔ¿´æ·ÅÓÚidentity£¬¹«¿ªÔ¿ ´æ·ÅÓÚ identity.pub ÖУ¬½ÓÏÂÀ´Ê¹Óà scp ½« identity.pub copy µ½Ô¶³Ì»úÆ÷µÄ¼ÒĿ¼ÏÂ.sshϵÄauthorized_keys¡£ .ssh/authorized_keys(Õâ¸ö authorized_keys µµ°¸Ï൱ÓÚÐÒéµÄ rhosts µµ°¸)£¬Ö®ºóʹÓÃÕßÄܹ»²»Ó*************************Ü*****È¥µÇÈë¡£RSAµÄÈÏÖ¤¾ø¶ÔÊÇ±È rhosts ÈÏÖ¤¸üÀ´µÄ°²È«¿É¿¿¡£
Ö´ÐУº
scp identity.pub
my@sohu.com:.ssh/authorized_keys
ÈôÔÚʹÓà ssh-keygen ²úÉúÔ¿³×¶ÔʱûÓÐÊäÈëÃÜ*****£¬ÔòÈçÉÏËùʾ²»ÐèÊäÈëÃÜ*****¼´¿É´Ó
http://www.britepic.orgÈ¥µÇÈë sohu.com¡£
ÔÚ´Ë£¬ÕâÀïÊäÈëµÄÃÜ*****¿ÉÒÔ¸úÕʺŵÄÃÜ*****²»Í¬£¬Ò²¿ÉÒÔ²»ÊäÈëÃÜ*****¡£
SSH protocol version 1:
Every host can use RSA to generate a 1024-bit RSA key; RSA here is the algorithm used to produce the public and private key pair. The encryption steps of a version 1 connection can be summarised as follows:
1. Each time the SSH daemon (sshd) starts, it generates a 768-bit public key (the server key) and keeps it on the server;
2. When a request arrives from a client, the server sends this public key to the client, and the client checks it against its own RSA data to confirm the key;
3. After accepting the 768-bit server key, the client itself randomly generates a 256-bit key (called the host key here), combines the server key and this key in encrypted form into one complete key, and sends that key to the server as well;
4. For the rest of that connection, server and client transfer data using this 1024-bit key.
Of course, because the client's 256-bit key is chosen at random each time, the key of this connection will differ from that of the next.
==============================================
SSH protocol version 2:
Unlike version 1, version 2 no longer generates a server key. Instead, when the client connects to the server, the two derive a shared key with the Diffie-Hellman algorithm and then use an algorithm such as Blowfish to encrypt and decrypt the traffic in step.
Every sshd offers both protocol versions; which one is used is decided by the mode the client selects when connecting. By default, version 2 is used automatically. Because the connection data goes through encryption and decryption with these public and private keys, the transfer in between is naturally much safer.
If you connect simply with ssh hostname, the account name used to log in to hostname will be the user account of the environment you are currently in. In the example above I was running as root, so if I ran "ssh host.domain.name", the host host.domain.name would ask me to confirm root's password to log in. To avoid that trouble I usually log in to remote hosts with the e-mail style: "ssh user@hostname" means I log in to the host hostname as the account user. You can of course also write it as -l username. Once logged in, everything you do is no different from working inside a Linux host, so it really is simple! ^_^ That is how remote management of a host is achieved. Note also that by default SSH "allows you to log in as root". And pay special attention: when you connect to a host for the first time, the server will tell you that the key for this connection has not been established yet and ask whether you want to accept the key the server sent and set up the connection. At this point "be sure to type yes, not y or Y"; only then will the program accept it.
sftp -l username hostname, or sftp user@hostname
Once inside sftp, the operation is no different from an ordinary FTP session:
cd
ls dir
mkdir
rmdir
pwd
chgrp
chown
chmod
ln oldname newname
rm path
rename oldname newname
exit bye
===================================
lcd path
lls
lmkdir
lpwd
put [local] [remote]
get [remote] [local]
SSH命令使用技巧.txt (SSH command usage tips)
I. Preface
About the benefits of ssh, I trust I need not say much.
In short, the old rpc commands and telnet can all be replaced by ssh.
For example, these common functions:
- Remote login
ssh user@remote.machine
- Remote execution
ssh user@remote.machine 'command ...'
- Remote copy
scp user@remote.machine:/remote/path /local/path
scp /local/path user@remote.machine:/remote/path
- X forwarding
ssh -X user@remote.machine
xcommand ...
- Tunnel / port forwarding
ssh -L 1234:remote.machine:4321 user@remote.machine
ssh -R 1234:local.machine:4321 user@remote.machine
ssh -L 1234:other.machine:4321 user@remote.machine
II. Practice
1) Forbid root login
# vi /etc/ssh/sshd_config
PermitRootLogin no
2) Abolish password login and force RSA authentication (assume the ssh account is user1)
# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# service sshd restart
# su - user1
$ mkdir ~/.ssh 2>/dev/null
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys
--------------------------------------------------
Switch to the client side:
$ ssh-keygen -t rsa
(Press enter three times to finish; no passphrase is needed unless you will use ssh-agent.)
$ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub
(For a Windows client, generate the public key with puttygen.exe, then edit it on the server side so that its content is a single line.)
---------------------------------------------------
Back on the server side:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ exit
3) Restrict the su / sudo list:
# vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
# visudo
%wheel ALL=(ALL) ALL
# gpasswd -a user1 wheel
4) Restrict the list of ssh users
# vi /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
# echo user1 >> /etc/ssh_users
5) Block ssh connections and switch to a web-managed allow list
# iptables -I INPUT -p tcp --dport 22 -j DROP
# mkdir /var/www/html/ssh_open
# cat > /var/www/html/ssh_open/.htaccess <<END
AuthName "ssh_open"
AuthUserFile /var/www/html/ssh_open/.htpasswd
AuthType basic
require valid-user
END
# htpasswd -c /var/www/html/ssh_open/.htpasswd user1
(It is best to set up SSL as well, or better still to allow https connections only; I skip the SSL setup here, readers should add it themselves.)
(If you need to control where connections come from, add Allow/Deny entries too; also left to the reader.)
# cat > /var/www/html/ssh_open/ssh_open.php <<'END'
<?php
//Set dir path for ip list
$dir_path=".";
//Set filename for ip list
$ip_list="ssh_open.txt";
//Get client ip
$user_ip=$_SERVER['REMOTE_ADDR'];
//allow specifying ip if needed
if (@$_GET['myip']) {
    $user_ip=$_GET['myip'];
}
//checking IP format
if ($user_ip==long2ip(ip2long($user_ip))) {
    //Put client ip to a file
    if(@!($file = fopen("$dir_path/$ip_list","w+")))
    {
        echo "Permission denied!!<br>";
        echo "Pls Check your rights to dir $dir_path or file $ip_list";
    }
    else
    {
        fputs($file,"$user_ip");
        fclose($file);
        echo "client ip($user_ip) has put into $dir_path/$ip_list";
    }
} else {
    echo "Invalid IP format!!<br>ssh_open.txt was not changed.";
}
?>
END
# touch /var/www/html/ssh_open/ssh_open.txt
# chmod 640 /var/www/html/ssh_open/*
# chgrp apache /var/www/html/ssh_open/*
# chmod g+w /var/www/html/ssh_open/ssh_open.txt
# chmod o+t /var/www/html/ssh_open
# service httpd restart
# mkdir /etc/iptables
# cat > /etc/iptables/sshopen.sh <<'END'
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
list_dir=/var/www/html/ssh_open
list_file=$list_dir/ssh_open.txt
chain_name=ssh_rules
mail_to=root
# clear chain if it exists, or create chain.
iptables -L -n | /bin/grep -q "^Chain $chain_name" && {
    iptables -F $chain_name
    true
} || {
    iptables -N $chain_name
    iptables -I INPUT -p tcp --dport 22 -j $chain_name
}
# clear chain when needed
[ "$1" = clear ] && {
    iptables -F $chain_name
    exit 0
}
# do nothing while list is empty
[ -s $list_file ] || exit 1
# add rule
iptables -A $chain_name -p tcp --dport 22 -s $(< $list_file) -j ACCEPT && \
echo "ssh opened to $(< $list_file) on $(date)" | mail -s "sshopen" $mail_to
END
# chmod +x /etc/iptables/sshopen.sh
# echo -e 'sshopen\t\t1234/tcp' >> /etc/services
# cat > /etc/xinetd.d/sshopen <<END
service sshopen
{
    disable = no
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /etc/iptables/sshopen.sh
}
END
# iptables -I INPUT -p tcp --dport 1234 -j ACCEPT
# cat > /etc/cron.d/sshopen <<END
*/5 * * * * root /etc/iptables/sshopen.sh clear
END
---------------------------
Switch to the client side
Enter in the browser URL bar:
http://server.machine/ssh_open/ssh_open.php?myip=1.2.3.4 (if ?myip=1.2.3.4 is not given, the client's current IP is used, provided it does not go through a proxy.)
This way the file ssh_open.txt on the server holds a single record, overwritten each time.
Then:
$ telnet server.machine 1234
After that you have at most 5 minutes to connect to the server with ssh!
---------------------------
The basic idea of this step is as follows:
5.1) Block all sshd connections at the firewall.
5.2) Then set up a directory under httpd, optionally with ssl+htpasswd+allow/deny control, and write a php script in that directory that records the browser's IP in a .txt text file.
Depending on your scripting skills you can pick up the browser's IP automatically, or let the browser pass a parameter to specify it.
The text file holds a single record, overwritten each time.
5.3) Edit /etc/services to add a new entry (e.g. xxx) and assign it a new port (e.g. 1234).
5.4) Have xinetd listen on that port and launch another script that sets iptables, taking the IP from the list of step 2 and opening ssh for it.
5.5) Set a crontab to clear the iptables rules for ssh connections every few minutes. This does not affect established connections; to connect again after the timeout, repeat the above.
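As an added example (not the page's sshopen.sh), a shell check that validates ssh_open.txt before its content is spliced into an iptables command: the page's script uses $(< $list_file) unchecked, and that file is group-writable by the web server, so anything other than exactly one dotted-quad IPv4 address should be rejected. The names valid_ipv4, sshopen_rule and rule_for are this example's own.

```shell
#!/bin/sh
# Added example: only let a single well-formed IPv4 address from the list file
# reach iptables. Prints the rule instead of applying it (dry run).

# Return 0 if $1 is a dotted quad with four numeric octets in 0..255, else 1.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }
        { exit 0 }'
}

# Read the list file given as $1; print the ACCEPT rule for its one address,
# or print nothing and return 1 if the file does not hold exactly one valid IP.
sshopen_rule() {
    entries=$(tr -d '\r' < "$1" | awk 'NF')          # drop CR and blank lines
    count=$(printf '%s\n' "$entries" | awk 'END { print NR }')
    if [ "$count" -ne 1 ] || ! valid_ipv4 "$entries"; then
        return 1
    fi
    printf 'iptables -A ssh_rules -p tcp --dport 22 -s %s -j ACCEPT\n' "$entries"
}

# Helper for demonstration: write $1 to a temporary list file and check it.
rule_for() {
    f=$(mktemp)
    printf '%s' "$1" > "$f"
    if sshopen_rule "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Constructed inputs (RFC 5737 test address): one good entry, one tampered entry.
rule_for '192.0.2.55'
rule_for '192.0.2.55 -j ACCEPT' || echo 'rejected: 192.0.2.55 -j ACCEPT'
```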
6) If the previous step is not set up, you may worry about too many people trying your ssh service:
# mkdir -p /etc/firewall
# cat > /etc/firewall/sshblock.sh <<'END'
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LOG_FILE=/var/log/secure
KEY_WORD="Illegal user"
KEY_WORD1="Failed password for root"
PERM_LIST=/etc/firewall/bad.list.perm
LIMIT=5
MAIL_TO=root
IPT_SAV="$(iptables-save)"
touch "$PERM_LIST"
bad_list=$(egrep "$KEY_WORD" $LOG_FILE | awk '{print $NF}' | xargs)
bad_list1=$(egrep "$KEY_WORD1" $LOG_FILE | awk '{print $11}' | xargs)
bad_list="$bad_list $bad_list1"
for i in $(echo -e "${bad_list// /\n}" | sort -u)
do
    # count exact matches only, so 1.2.3.4 does not also count 1.2.3.45
    hit=$(echo -e "${bad_list// /\n}" | grep -cxF "$i")
    [ "$hit" -ge "$LIMIT" ] && {
        echo "$IPT_SAV" | grep -q "$i .*-j DROP" || {
            echo -e "\n$i was dropped on $(date)\n" | mail -s "DROP by ${0##*/}: $i" $MAIL_TO
            iptables -I INPUT -s $i -j DROP
        }
        egrep -q "^$i$" $PERM_LIST || echo $i >> $PERM_LIST
    }
done
END
# chmod +x /etc/firewall/sshblock.sh
# cat >> /etc/hosts.allow <<'END'
sshd: ALL: spawn ( /etc/firewall/sshblock.sh )& : ALLOW
END
This way, those who keep trying SSH at random get at most 5 attempts (LIMIT is adjustable) and are then blocked.
In addition, the IPs in PERM_LIST can be fed to the iptables initialisation script for a permanent block:
for i in $(< $PERM_LIST)
do
    /sbin/iptables -I INPUT -s $i -j DROP
done
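As an added example (not the page's sshblock.sh), the failure-counting step of step 6 done with exact per-address counts over constructed sample lines in /var/log/secure format; it goes slightly beyond the page by also matching the "Invalid user" wording that newer OpenSSH logs, which the page's "Illegal user" keyword misses. The functions extract_ips, offenders and drop_rules are this example's own.

```shell
#!/bin/sh
# Added example: count sshd failures per source address exactly, instead of the
# page's 'egrep -o "$i" | wc -l', which also counts longer addresses that contain
# the shorter one as a substring (192.0.2.10 matches inside 192.0.2.100).
LIMIT=5

# Pull the source IP out of the message kinds the page keys on. "Illegal user X
# from IP" (or "Invalid user" in newer OpenSSH) carries the IP in the last field;
# "Failed password for root from IP port N ssh2" carries it in field 11.
extract_ips() {
    awk '/I(llegal|nvalid) user/      { print $NF }
         /Failed password for root/  { print $11 }'
}

# Read log lines on stdin; print each IP seen LIMIT or more times, one per line.
offenders() {
    extract_ips | sort | uniq -c | awk -v lim="$LIMIT" '$1 >= lim { print $2 }' | sort
}

# Dry run: print the DROP rules sshblock.sh would apply, without touching iptables.
drop_rules() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample log (RFC 5737 test addresses): 192.0.2.10 fails 5 times,
# 192.0.2.100 twice, and a non-root password failure that the page ignores.
SAMPLE_LOG='Jan  3 10:00:01 srv sshd[201]: Illegal user admin from 192.0.2.10
Jan  3 10:00:02 srv sshd[202]: Invalid user test from 192.0.2.10
Jan  3 10:00:03 srv sshd[203]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan  3 10:00:04 srv sshd[204]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jan  3 10:00:05 srv sshd[205]: Illegal user oracle from 192.0.2.10
Jan  3 10:00:06 srv sshd[206]: Illegal user guest from 192.0.2.100
Jan  3 10:00:07 srv sshd[207]: Failed password for root from 192.0.2.100 port 40003 ssh2
Jan  3 10:00:08 srv sshd[208]: Failed password for alice from 198.51.100.7 port 40004 ssh2'

printf '%s\n' "$SAMPLE_LOG" | drop_rules
```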
7) Also, if you want to know who is running a full range port scan against you:
# iptables -I INPUT -p tcp --dport 79 -j ACCEPT
# cat > /etc/xinetd.d/finger <<END
service finger
{
    socket_type = stream
    wait = no
    user = nobody
    server = /usr/sbin/in.fingerd
    disable = no
}
END
# cat >> /etc/hosts.allow <<'END'
in.fingerd: ALL : spawn ( echo -e "\nWARNING %a was trying finger.\n$(date)" | mail -s "finger from %a" root ) & : DENY
END
Here I only set it to mail root.
In fact, you could change it to trigger the firewall and ban the address returned in %a.
But if the other side does a selective port scan and never touches finger, this is of course useless...