ssh
View the effective connection parameters (what ssh will actually use for a host once config files and defaults are applied)
$ ssh -F ~/.ssh/config -G remote-host-name
user root
hostname 173.82.136.138
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression no
...
Generate a key pair
mkdir -p $HOME/.ssh
chmod 0700 $HOME/.ssh
ssh-keygen -t rsa
# Specify 4096 bits (default is 3072 in OpenSSH 8.0+, 2048 before that)
# Specify the filename of the key file
# (default $HOME/.ssh/id_rsa is the private key, $HOME/.ssh/id_rsa.pub the public key)
# (ssh-keygen -t ed25519 gives a shorter, faster key and is preferred where the server supports it)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my-vps-cloud.key -C "My Comment"
Connect with a key
# By custom key file
ssh -i /path/to/the-key-file root@your.host.name
# By default key file ~/.ssh/id_rsa
ssh root@your.host.name
Copy host A's public key id_rsa.pub to the remote host
Method 1: run on host A
ssh-copy-id user@remote-host-ip
or
# -f forces the copy even if ssh-copy-id believes the key is already installed; -i selects the key file
ssh-copy-id -f -i $HOME/.ssh/id_rsa.pub user@remote-host-ip
Method 2: run on host A
cat ~/.ssh/id_rsa.pub | ssh user@remote-host-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Run on host B, copying manually:
cd ~/.ssh
mv id_rsa.pub host-A-hostname.pub
cat host-A-hostname.pub >> authorized_keys
chmod 0700 ~/.ssh
chmod 0600 authorized_keys
# 0600 is the usual setting. sshd (StrictModes yes, the default) rejects the file if it is
# group- or world-writable, so 0640 also works but grants nothing useful.
NOTE:
If .ssh already contains an authorized_keys file, append to it (as above) rather than replacing it. OpenSSH's default AuthorizedKeysFile also reads .ssh/authorized_keys2, so a second file named authorized_keys2 still works, but that name is a legacy fallback and is not read if AuthorizedKeysFile has been set to something else.
Test the connection: run on host A
ssh <remote-userB>@<remote-hostB-name>
You should be able to log in without being prompted for a password.
# authorized_keys options can restrict where a key may be used from. Patterns are matched
# against the client's address and reverse-resolved hostname; "!" negates a pattern.
# Allow login from 192.168.2.0/24 subnet but not from 192.168.2.25
from="!192.168.2.25,192.168.2.*" ssh-ed25519 my_random_pub_key_here vivek@nixcraft
# Allow login from *.sweet.home but not from router.sweet.home
from="!router.sweet.home,*.sweet.home" ssh-ed25519 my_random_pub_key_here vivek@nixcraft
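The manual copy above and the from="..." entries are easy to get slightly wrong (duplicate lines, a 0644 file that StrictModes rejects, a key pasted without its options). The script below, an added example that is not part of these notes, installs a public key into authorized_keys exactly once, optionally prefixed with key options such as from="..." or restrict (a real OpenSSH option that disables forwarding and pty allocation), and sets the permissions sshd expects. The function name install_authorized_key and the sample key are constructed for the example; the key blob is not real key material.

```shell
#!/bin/sh
# Added example, not part of the original notes: install a public key into an
# authorized_keys file exactly once, optionally prefixed with key options such
# as from="..." or restrict, with the permissions sshd's StrictModes accepts.
# install_authorized_key and the sample key below are constructed for this
# example; the key blob is not real key material.
set -eu

# install_authorized_key <ssh_dir> "<type> <base64-blob> [comment]" [options]
# Prints 1 if the key was appended, 0 if the same key blob was already present
# (comment and options are ignored when comparing), exit 2 on malformed input.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    opts=${3:-}

    key_type=$(printf '%s\n' "$pubkey" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if [ -z "$key_type" ] || [ -z "$key_blob" ]; then
        echo "install_authorized_key: malformed public key" >&2
        return 2
    fi

    # sshd (StrictModes yes, the default) ignores the file if ~/.ssh or
    # authorized_keys is writable by anyone but the owner. Create them with a
    # restrictive umask and restore the caller's umask afterwards.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    chmod 0600 "$ssh_dir/authorized_keys"
    umask "$old_umask"

    # Match on the blob (preceded by a space) rather than the whole line, so a
    # different comment or different options does not create a duplicate entry.
    if grep -qF -- " $key_blob" "$ssh_dir/authorized_keys"; then
        echo 0
        return 0
    fi

    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$pubkey" >> "$ssh_dir/authorized_keys"
    else
        printf '%s\n' "$pubkey" >> "$ssh_dir/authorized_keys"
    fi
    echo 1
}

# Demo against a throwaway directory with a constructed (not real) key.
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey000000000000000000000 vivek@nixcraft'
install_authorized_key "$demo_dir" "$demo_key" 'from="!192.168.2.25,192.168.2.*",restrict'   # 1
install_authorized_key "$demo_dir" "$demo_key"                                               # 0
cat "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```

Run it on the remote host as the target user (install_authorized_key "$HOME/.ssh" "$(cat host-A-hostname.pub)" 'from="192.168.2.*"'), then test from host A with ssh -o BatchMode=yes, which fails instead of falling back to a password prompt if the key was not accepted.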
sshpass
Using it from shell scripts for automation
1. Running a command over ssh
# Use -p (least secure: the password is visible to every local user in ps / /proc while sshpass runs;
# quote it, since an unquoted leading "!" triggers history expansion in an interactive bash)
sshpass -p '!4u2tryhack' ssh -o StrictHostKeyChecking=no username@host.example.com hostname
# Use -f (the password is the first line of the file)
echo '!4u2tryhack' >pass_file
chmod 0400 pass_file
sshpass -f pass_file ssh -o StrictHostKeyChecking=no username@host.example.com hostname
# Use -e (the password is read from the SSHPASS environment variable)
SSHPASS='!4u2tryhack' sshpass -e ssh -o StrictHostKeyChecking=no username@host.example.com hostname
# Note: StrictHostKeyChecking=no accepts any host key, so an attacker in the path can collect the
# password. Pre-populate known_hosts (or use -o StrictHostKeyChecking=accept-new) and prefer key-based
# authentication over sshpass wherever the remote side allows it.
2. With rsync
# Use -e
SSHPASS='!4u2tryhack' rsync --rsh="sshpass -e ssh -l username" /custom/ host.example.com:/opt/custom/
# Use -f
rsync --rsh="sshpass -f pass_file ssh -l username" /custom/ host.example.com:/opt/custom/
3. With scp
# scp has no --rsh option; wrap scp itself with sshpass instead
sshpass -f pass_file scp -r /var/www/html/example.com user@host.example.com:/var/www/html
4. With a GPG-encrypted file
echo '!4u2tryhack' > .sshpasswd
gpg -c .sshpasswd          # symmetric encryption, writes .sshpasswd.gpg
rm .sshpasswd
gpg -d -q .sshpasswd.gpg > pass_file; sshpass -f pass_file ssh user@srv1.example.com hostname; rm -f pass_file
# Better (bash): hand the decrypted password to sshpass on a file descriptor with -d, so the plaintext never touches disk
sshpass -d 3 ssh user@srv1.example.com hostname 3< <(gpg -d -q .sshpasswd.gpg)
OTP and Two-Factor Authentication
Google Authenticator
- Setting up multi-factor authentication on Linux systems
- How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins
- How To Setup Multi-Factor Authentication For SSH In Linux
USB Thumb Drive / Memory Card
Restrict which accounts may log in remotely (sshd_config)
# user or user@host patterns; the host part may be a hostname or an address, and * matches any run of characters
AllowUsers joe root@192.168.1.32 axer@163.* axer@120.109.* axer@2001:288:5400:*
# OR
AllowGroups ssh-users
# To see the effective configuration (Match blocks applied) for a particular client without logging in:
# sshd -T -C user=axer,host=client.example.net,addr=120.109.1.2
Kick out a logged-in remote user
root@localhost:~# who -u
abhishek pts/0 2021-04-05 09:25 00:01 31970 (223.180.180.107)
prakash pts/1 2021-04-05 09:26 . 32004 (223.180.180.107)
root pts/2 2021-04-05 09:26 . 32039 (223.180.180.107)
# prakash is on pts/1, and the sixth column (32004) is the PID of his login shell
root@localhost:~# echo "Your session will end in 2 minutes. Save your work!" | write prakash pts/1
root@localhost:~# kill -HUP 32004
# If the shell ignores SIGHUP, follow up with: kill -KILL 32004
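Reading the tty and PID off the who -u listing by eye is how the wrong session gets the message (or the signal). The script below, an added example that is not part of these notes, pulls a user's session PIDs and ttys out of who -u output, warns every tty, waits, and hangs up each login shell, escalating to SIGKILL for shells that ignore SIGHUP. session_pids, session_ttys, warn_and_kick and SAMPLE_WHO are constructed for the example; the field layout assumed is GNU coreutils who(1) as shown above (NAME LINE DATE TIME IDLE PID HOST, PID in field 6).

```shell
#!/bin/sh
# Added example, not part of the original notes: locate a user's sessions in
# `who -u` output, warn them, then hang up the login shells. session_pids,
# session_ttys, warn_and_kick and SAMPLE_WHO are constructed for this example.
# Assumes GNU coreutils who(1) layout: NAME LINE DATE TIME IDLE PID HOST.
set -eu

# session_pids <user>: reads `who -u` text on stdin, prints one PID per line
session_pids() {
    awk -v u="$1" '$1 == u && $6 ~ /^[0-9]+$/ { print $6 }'
}

# session_ttys <user>: prints the tty (pts/N) of each session, for write(1)
session_ttys() {
    awk -v u="$1" '$1 == u { print $2 }'
}

# warn_and_kick <user> [grace_seconds]: message every session, wait, SIGHUP
# each login shell, and SIGKILL any shell still alive after the hangup.
warn_and_kick() {
    user=$1
    grace=${2:-120}
    who_out=$(who -u)
    for tty in $(printf '%s\n' "$who_out" | session_ttys "$user"); do
        printf 'Your session will end in %s seconds. Save your work!\n' "$grace" \
            | write "$user" "$tty" || true   # write fails if the tty has mesg n
    done
    sleep "$grace"
    for pid in $(printf '%s\n' "$who_out" | session_pids "$user"); do
        kill -HUP "$pid" 2>/dev/null || continue   # session already gone
        sleep 2
        if kill -0 "$pid" 2>/dev/null; then
            kill -KILL "$pid" 2>/dev/null || true
        fi
    done
}

# Constructed sample of `who -u` output (the three sessions listed above).
SAMPLE_WHO='abhishek pts/0 2021-04-05 09:25 00:01 31970 (223.180.180.107)
prakash  pts/1 2021-04-05 09:26   .   32004 (223.180.180.107)
root     pts/2 2021-04-05 09:26   .   32039 (223.180.180.107)'

printf '%s\n' "$SAMPLE_WHO" | session_pids prakash   # 32004
printf '%s\n' "$SAMPLE_WHO" | session_ttys prakash   # pts/1
```

Run warn_and_kick prakash 120 as root to reproduce the manual sequence above. Killing the login shell closes the SSH session but not necessarily detached jobs (nohup, screen, tmux) the user started; check ps -u <user> afterwards if that matters.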
Changing a password with a one-line remote command echoes it in plaintext
# Add -t to allocate a tty, so passwd can turn off echo and the password is not shown
ssh -t <username>@<remote-host-ip> passwd
Run commands on a remote host
ssh user1@server1 'df -H'
ssh root@nas01 uname -mrs
ssh root@nas01 lsb_release -a
# Run sudo or su command
ssh -t user@hostname sudo command
ssh -t user@hostname 'sudo command1 arg1 arg2'
ssh user@nas01 su -c "/path/to/command1 arg1 arg2"
# RHEL/CentOS specific #
ssh user@nas01 su --session-command="/path/to/command1 arg1 arg2"
ssh vivek@nixcraft.home.server su --session-command="/sbin/service httpd restart"
# Running multiple commands over one ssh session
cat > commands.txt   # type the lines below, then Ctrl-D
date
uptime
df -H
ssh user@server_name < commands.txt
Sample: The multi-line command syntax
#!/bin/bash
_remote="ls.backup"
_user="vivek"
echo "Local system name: $HOSTNAME"
echo "Local date and time: $(date)"
echo
echo "*** Running commands on remote host named $_remote ***"
echo
# -T: no tty is needed for a non-interactive script. The quoted 'EOL' delimiter
# stops the local shell from expanding $(date), $HOSTNAME and $(uptime), so they
# are evaluated on the remote host.
ssh -T "${_user}@${_remote}" <<'EOL'
now="$(date)"
name="$HOSTNAME"
up="$(uptime)"
echo "Server name is $name"
echo "Server date and time is $now"
echo "Server uptime: $up"
echo "Bye"
EOL
Hardening
Disable weak ciphers
# Check which algorithms the server offers, using nmap's ssh2-enum-algos script
nmap --script "ssh2*" your.ssh.server.ip
# List the cipher names this OpenSSH build supports (the names usable in sshd_config)
ssh -Q cipher
# Edit /etc/ssh/sshd_config on the SSH server
# Disable weak ciphers: *-cbc, arcfour*, 3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# Verify the configuration parses (non-zero exit on error)
sshd -t
# Reload the SSH daemon (existing sessions stay up; keep one open until a fresh login succeeds)
systemctl reload sshd
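Editing the Ciphers line only helps if the effective configuration actually changed; sshd -T prints that effective list, defaults included. The script below, an added example that is not part of these notes, checks a comma-separated cipher list (the format both sshd_config and sshd -T use) against the weak patterns named above and wraps that in an audit of the running configuration. weak_ciphers, audit_sshd_ciphers and the sample lists are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag weak entries in a
# comma-separated cipher list and audit the effective sshd configuration.
# weak_ciphers, audit_sshd_ciphers and the sample lists are constructed here.
# Weak patterns are those named in the notes (*-cbc, arcfour*); 3des-cbc is
# caught by the -cbc rule.
set -eu

# weak_ciphers <comma-list>: prints each weak name on its own line;
# exit status 0 when the list is clean, 1 when anything weak was found
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        /-cbc$/ || /^arcfour/ { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# audit_sshd_ciphers [sshd_config]: `sshd -T` prints the *effective* settings,
# so ciphers enabled by default (absent from the file) are checked as well.
# Needs root, because sshd -T reads the host keys.
audit_sshd_ciphers() {
    cfg=${1:-/etc/ssh/sshd_config}
    list=$(sshd -T -f "$cfg" | awk '$1 == "ciphers" { print $2 }')
    if weak_ciphers "$list"; then
        echo "OK: no weak ciphers offered by $cfg"
    else
        echo "WEAK ciphers offered by $cfg (listed above)" >&2
        return 1
    fi
}

# Constructed before/after lists: a legacy Ciphers line and the hardened one from the notes.
OLD_CIPHERS='aes128-cbc,3des-cbc,arcfour256,aes256-ctr'
NEW_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
weak_ciphers "$OLD_CIPHERS" || echo "old list: weak ciphers present"
if weak_ciphers "$NEW_CIPHERS"; then echo "new list: clean"; fi
```

Run audit_sshd_ciphers as root after sshd -t and before the reload; the same pattern applies to the kexalgorithms and macs lines of sshd -T once you have a deny-list for those.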
Port Knocking To Secure SSH
SFTP
DenyHosts
Learning
- How To Set up SSH Keys on a Linux / Unix System
- Top 20 OpenSSH Server Best Security Practices
- How to Set a Custom SSH Warning Banner and MOTD in Linux
- Protect SSH Logins with SSH & MOTD Banner Messages
- SSH ProxyCommand example: Going through one host to reach another server
- How To Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing
- 10 Actionable SSH Hardening Tips to Secure Your Linux Server
Web SSH