The process of completing a project, written up as a document, is the project document. Its parts:
1. Project requirements analysis
2. Project implementation planning
3. Project implementation phase
4. Project acceptance testing
5. Project review and reporting
Introduction to remote services:
A remote service lets you connect to a host over the network and transfer or download data.
Remote connections to hosts are provided by the ssh and Telnet services.
ssh: encrypted data transport (higher security, higher complexity); usable across the Internet; listens on port 22; root remote login is allowed by default.
Telnet: plaintext data transport (lower security, lower complexity); used within a LAN; listens on port 23; root remote login is not allowed by default.
How a remote (ssh) connection is established:
Client: sends a request to set up the connection
Server: replies with key confirmation information
Client: confirms the key information
Server: sends its public key
Client: receives and saves the public key (in ~/.ssh/known_hosts) and sends a confirmation
Server: sends the password-verification request (encrypted)
Client: enters the password (encrypted)
The connection is established
Data is transferred (encrypted)
Ways of connecting to the remote service:
a. password-based connection
b. key-based connection
Implementation:
Linux system -----> Linux system
Step one: create a key pair on the management host
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ii4d8NRnqHZK060T0kuc7tSgeekOOWgfX+obESQ1m9Y root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| ..+ |
| + * |
| . . B E |
| + * * |
| X % S |
| * & X |
| + @ X o |
| . o X = |
| .oO. |
+----[SHA256]-----+
Step two: distribute the public key from the management host to the managed host (ssh-copy-id)
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.1.41
SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]#
Step three: test the remote connection
[root@localhost ~]# ssh 172.16.1.41
Last login: Thu Jan 16 07:02:28 2020 from 10.0.0.1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost ~]#
PS: I did not change the hostnames of the two hosts here, so they are told apart by IP address.
The operations in the example can also be combined into one command:
[root@localhost ~]# ssh 172.16.1.41 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute
valid_lft forever preferred_lft forever
How to manage multiple hosts in batch with password-based login:
management host 10.0.0.31
web 10.0.0.8
mysql 10.0.0.51
backup 10.0.0.41
Batch public key distribution script
Problem to solve: how to make the login non-interactive (no prompts to answer)
1. The connection asks you to type yes
[root@localhost ~]# ssh 10.0.0.41
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
Fix:
[root@nfs ~]# ssh 10.0.0.41 -o StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password:
2. The connection asks for a password
[root@nfs ~]# ssh 10.0.0.41 -o StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password:
Fix:
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41
Last login: Thu Jan 16 07:17:43 2020 from 10.0.0.1
3. The connection needs a port number
Change the sshd port to 65535 for this experiment
[root@backup ~]# vim /etc/ssh/sshd_config
[root@backup ~]#
[root@backup ~]# systemctl resetart sshd
Unknown operation 'resetart'.
[root@backup ~]# systemctl restart sshd
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41 -p22
ssh: connect to host 10.0.0.41 port 22: Connection refused
Fix:
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41 -p65535
Last login: Thu Jan 16 07:24:52 2020 from 10.0.0.31
Supplement:
ssh command options and usage
sshpass command options and usage
Batch public key distribution script:
Management host
[root@lsy scripts]# sh distribute_public_key.sh
to 10.0.0.8 distribute_key
public key distribute ok
to 10.0.0.51 distribute_key
public key distribute ok
to 10.0.0.41 distribute_key
public key distribute no
[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
# one IP address per line in the host list
for ip in $(cat /server/scripts/ip_list.txt)
do
    # sshpass supplies the password, StrictHostKeyChecking=no skips the yes/no
    # prompt; output is discarded and only the exit status is checked
    sshpass -p000000 ssh-copy-id -i /root/.ssh/id_rsa.pub $ip -o StrictHostKeyChecking=no >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        echo "to $ip distribute_key"
        echo "public key distribute ok"
        echo ""
    else
        echo "to $ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done
Batch verification script:
Script contents
#!/bin/bash
# run the command given as the first argument ($1) on every host in the list
for ip in $(cat /server/scripts/ip_list.txt)
do
    ssh $ip $1
done
Verification result:
[root@lsy scripts]# sh Verification.sh hostname
web
mysql
backup
PS: $1 is the argument passed to the script, which is why sh Verification.sh is followed by hostname. Overall, the script logs in to each host in turn, prints that host's hostname, and exits.
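Verification.sh above forwards only `$1`, so a command with arguments (such as `ip a`) loses everything after the first word, and a host that still asks for a password or a yes/no answer stalls the whole loop. The following added example is not the page's script; the function name and the SSH_BIN override are my own. It forwards the whole command, fails fast instead of prompting, labels each host's output, and returns the number of failed hosts.

```shell
#!/bin/bash
# run_on_hosts.sh: run one command on every host in a list file and report per
# host. Added example, not the page's Verification.sh. Assumptions: one address
# per line (blank lines and "#" comments ignored), the remote user is root as on
# the page, and SSH_BIN (hypothetical) names the ssh program so a stand-in can
# be substituted when testing without a network.
SSH_BIN=${SSH_BIN:-ssh}

# run_on_hosts LISTFILE CMD [ARG...]
# Differences from "ssh $ip $1":
#   "$@"            the whole command is forwarded, so "ip a" or "df -h" work,
#                   not just their first word;
#   BatchMode=yes   ssh fails at once instead of hanging on a password or host
#                   key prompt, which is what a non-interactive run needs;
#   ConnectTimeout  an unreachable host costs 5 s, not the TCP default.
# Returns the number of hosts on which the command failed (0 = all succeeded).
run_on_hosts() {
    local listfile host out rc failed
    listfile=$1
    shift
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        if out=$("$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=5 "$host" "$@" 2>&1); then
            printf '%s: ok: %s\n' "$host" "$out"
        else
            rc=$?
            printf '%s: FAILED (exit %s): %s\n' "$host" "$rc" "$out"
            failed=$((failed + 1))
        fi
    done < "$listfile"
    return "$failed"
}

# usage: sh run_on_hosts.sh /server/scripts/ip_list.txt hostname
if [ $# -ge 2 ]; then
    run_on_hosts "$@"
fi
```

Because the return value is the failure count, the script can be chained in a batch job (`run_on_hosts list hostname || echo "some hosts failed"`); a count above 255 would wrap, which does not matter for a list the size of the page's.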
Cases to handle when distributing public keys in batch:
1. the managed hosts have different passwords
2. the managed hosts use different ports
3. the managed hosts use different user accounts
Distributing public keys to hosts with different passwords and ports
Write the host information file (ip:password:port):
web 10.0.0.8:123123:65531
mysql 10.0.0.51:321321:65532
backup 10.0.0.41:654321:65534
ssh service configuration file: change the port number
vim /etc/ssh/sshd_config
Modified script
[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
# each line of the list is ip:password:port
for host in $(cat /server/scripts/ip_list.txt)
do
    host_ip=$(echo $host|awk -F ":" '{print $1}')
    host_pass=$(echo $host|awk -F ":" '{print $2}')
    host_port=$(echo $host|awk -F ":" '{print $3}')
    # options after the host name are passed through to ssh, so -p selects the port
    sshpass -p$host_pass ssh-copy-id -i /root/.ssh/id_rsa.pub $host_ip -o StrictHostKeyChecking=no -p$host_port >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        echo "to $host_ip distribute_key"
        echo "public key distribute ok"
        echo ""
    else
        echo "to $host_ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done
-eq means "equal".
$? holds the exit status of the previous command: 0 if it succeeded, otherwise a non-zero value.
Test script for hosts with different ports
[root@lsy scripts]# cat Verification.sh
#!/bin/bash
# each line of the list is ip:password:port; only the ip and port are needed here
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo $ip|awk -F ":" '{print $1}')
    ip_port=$(echo $ip|awk -F ":" '{print $3}')
    ssh $ip_1 -p$ip_port $1
done
Write the host information file
[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531
10.0.0.51:321321:65532
10.0.0.41:654321:65534
Case where the login user name, port number and password all differ (ip:password:port:user)
[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531:root
10.0.0.51:321321:65532:lsy
10.0.0.41:654321:65534:lyh
Problem with the test script: root logs in without a password, but the other users do not (ssh-copy-id was run without a user name, so the public key was installed only in root's authorized_keys on the managed hosts)
[root@lsy scripts]# ssh root@10.0.0.8 -p65531 hostname
web
[root@lsy scripts]# ssh lsy@10.0.0.51 -p65532 hostname
lsy@10.0.0.51's password:
Fix:
[root@lsy scripts]# cat Verification.sh
#!/bin/bash
# each line is ip:password:port:user; the password is needed again because the
# public key is present only for root on the managed hosts
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo $ip|awk -F ":" '{print $1}')
    ip_port=$(echo $ip|awk -F ":" '{print $3}')
    ip_hostname=$(echo $ip|awk -F ":" '{print $4}')
    ip_pass=$(echo $ip|awk -F ":" '{print $2}')
    sshpass -p$ip_pass ssh $ip_hostname@$ip_1 -p$ip_port $1
done
[root@lsy scripts]# sh Verification.sh hostname
web
mysql
backup
[root@lsy scripts]#
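The two modified scripts above split each inventory line with three or four separate awk calls and hand the password to sshpass as -p<password>, which any local user can read from the process list while the command runs. The following added example is not the page's code; the names parse_host_line, distribute_key, distribute_all, push_key and the PUSH variable are assumptions. It parses the same ip:password:port[:user] format in a single read, validates the port, passes the password through the SSHPASS environment variable, and uses StrictHostKeyChecking=accept-new, which needs OpenSSH 7.6 or newer (on older releases, pre-seed known_hosts instead of disabling the check).

```shell
#!/bin/bash
# distribute_keys.sh: push the management host's public key to every host in an
# inventory whose lines are ip:password:port or ip:password:port:user, the page's
# format; a missing user means root. Added example, not the page's script.
# Hypothetical names: parse_host_line, distribute_key, distribute_all, push_key,
# and the PUSH variable, which lets a stand-in replace ssh-copy-id for testing.
PUBKEY=${PUBKEY:-/root/.ssh/id_rsa.pub}
PUSH=${PUSH:-push_key}

# parse_host_line LINE: fill H_IP H_PASS H_PORT H_USER, or return 1 for a line
# that is malformed or has a port outside 1-65535.
parse_host_line() {
    H_IP=; H_PASS=; H_PORT=; H_USER=
    IFS=: read -r H_IP H_PASS H_PORT H_USER <<EOF
$1
EOF
    [ -n "$H_IP" ] && [ -n "$H_PASS" ] && [ -n "$H_PORT" ] || return 1
    case $H_PORT in *[!0-9]*) return 1 ;; esac
    [ "$H_PORT" -ge 1 ] && [ "$H_PORT" -le 65535 ] || return 1
    H_USER=${H_USER:-root}
}

# push_key USER IP PORT: the real key push. sshpass -e reads the password from
# the SSHPASS environment variable instead of a -p<password> argument, so it is
# not visible to every local user in ps or /proc/*/cmdline.
# StrictHostKeyChecking=accept-new (OpenSSH 7.6+) records an unknown host key
# on first contact but still refuses a key that has changed, which
# StrictHostKeyChecking=no would accept silently.
push_key() {
    sshpass -e ssh-copy-id -i "$PUBKEY" -p "$3" -o StrictHostKeyChecking=accept-new "$1@$2"
}

# distribute_key LINE: parse one inventory line and push the key to that host.
# Messages mirror the page's "distribute ok/no" output.
distribute_key() {
    if ! parse_host_line "$1"; then
        printf 'skipping malformed inventory line: %s\n' "$1"
        return 2
    fi
    export SSHPASS="$H_PASS"
    # stdin is redirected so ssh cannot swallow the rest of the inventory file
    if "$PUSH" "$H_USER" "$H_IP" "$H_PORT" </dev/null >/dev/null 2>&1; then
        unset SSHPASS
        printf 'to %s distribute_key: public key distribute ok\n' "$H_IP"
    else
        unset SSHPASS
        printf 'to %s distribute_key: public key distribute no\n' "$H_IP"
        return 1
    fi
}

# distribute_all INVENTORY: process every line; returns the number of failures.
distribute_all() {
    local line failed
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        distribute_key "$line" || failed=$((failed + 1))
    done < "$1"
    return "$failed"
}

# usage: sh distribute_keys.sh /server/scripts/ip_list.txt
if [ $# -eq 1 ]; then
    distribute_all "$1"
fi
```

The inventory file still holds passwords in clear, as the page's does, so it should be readable by root only (`chmod 600`); once the keys are in place the passwords are no longer needed and the file can be reduced to ip:port:user.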
Windows system (Xshell) --> Linux system
Step one: create a key pair on the management end
Xshell tool: new key wizard
Step two: edit the public key into place
id_rsa_2048.pub -- its contents are appended to -- authorized_keys on the Linux host
Step three: change the session's connection settings
Connect with the public key method -- load the key
Preparing the environment for batch management software: ansible
[root@lsy ~]# yum install -y ansible
Problem:
The symptom is as confusing as this:
[root@lsy ~]# exit
exit
[root@localhost ~]# ll
total 12
-rw-------. 1 root root 1326 Jan 7 08:12 anaconda-ks.cfg
-rwxr-xr-x. 1 root root 1111 Jan 7 06:26 centos.sh
-rwxr-xr-x. 1 root root 651 Jan 7 11:58 modifynetwork.sh
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# bash
[root@lsy ~]#
[root@lsy ~]#
Fix: get into the habit of arranging the terminal windows in order, so you always know which shell you are in.
How ssh remote login works:
Control end:
[root@backup ssh]# cat ssh_host_ed25519_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG44onV97IMGk22GAt+p3SWrXjkM2BMDg7jjJq5JWAeZ
[root@backup ssh]# cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us=
[root@backup ssh]# ssh 10.0.0.8
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password:
Client:
The key recorded in this directory on the client was transmitted from the control end
[root@web ssh]# cat ~/.ssh/known_hosts
172.16.1.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us=
[root@web ssh]#
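The StrictHostKeyChecking=no fix used earlier and the known_hosts entry shown here are two sides of one mechanism: the client knows it is talking to the right server only because the key recorded in ~/.ssh/known_hosts matches the server's /etc/ssh/ssh_host_*.pub. The following added example is not from the page, and its function names are assumptions. It reads a known_hosts file and reports whether a host already has a recorded key of a given type, and which key blobs are recorded under more than one host name; the latter is what the identical ECDSA fingerprint shown above for 10.0.0.8 and 10.0.0.41 would trigger.

```shell
#!/bin/bash
# known_hosts_audit.sh: read a known_hosts file and answer two questions a
# defender asks before resorting to StrictHostKeyChecking=no: is this host's key
# already recorded, and do several hosts present the same host key? Added
# example, not from the page. Assumptions: plain (unhashed) lines of the form
# "host[,host...] keytype base64-key"; the function names are hypothetical.

# known_host_key FILE HOST KEYTYPE: print the recorded key blob for HOST and
# return 0, or return 1 when there is no entry. No entry is exactly the case in
# which ssh asks "Are you sure you want to continue connecting", and in which
# StrictHostKeyChecking=no would record whatever key the far end presents.
known_host_key() {
    awk -v want_host="$2" -v want_type="$3" '
        $1 !~ /^[#@]/ && NF >= 3 && $2 == want_type {
            n = split($1, names, ",")          # one line may cover "host,ip,alias"
            for (i = 1; i <= n; i++)
                if (names[i] == want_host) { print $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# duplicate_host_keys FILE: print "keytype host1 host2 ..." for every key blob
# recorded under more than one host name. Different machines should never share
# a host key; when they do, they were usually cloned from one image together
# with its /etc/ssh/ssh_host_* files, so a compromise of that key on one
# machine is a compromise of all of them.
duplicate_host_keys() {
    awk '
        $1 !~ /^[#@]/ && NF >= 3 {
            key = $2 " " $3
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (index(" " hosts[key] " ", " " names[i] " ") > 0) continue   # seen already
                hosts[key] = hosts[key] ? hosts[key] " " names[i] : names[i]
                count[key]++
            }
        }
        END {
            for (key in count)
                if (count[key] > 1) { split(key, part, " "); print part[1], hosts[key] }
        }' "$1"
}

# usage: sh known_hosts_audit.sh ~/.ssh/known_hosts
if [ $# -eq 1 ]; then
    echo "host keys recorded under more than one host in $1:"
    duplicate_host_keys "$1"
fi
```

Before a batch run, a host that known_host_key reports as missing gets its fingerprint compared once against the value read from its own ssh_host_*.pub file (the files shown above, checked with ssh-keygen -lf) and is then added; after that the batch scripts can run with StrictHostKeyChecking=yes, and a duplicate reported by duplicate_host_keys is handled by regenerating that host's keys and updating known_hosts.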
Extension:
DoS attack (from Baidu Baike):
DoS is short for Denial of Service. An attack that causes a DoS is called a DoS attack; its purpose is to make a computer or network unable to provide normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. [1]
A DoS attack deliberately exploits flaws in the implementation of network protocols, or simply exhausts the target's resources by brute force, so that the target computer or network cannot provide normal service or resource access and its services stop responding or even crash; such an attack does not involve breaking into the target server or network device. The resources in question include network bandwidth, file system capacity, open processes and permitted connections. The attack starves the target of resources, and no processor speed, memory size or network bandwidth can avoid its consequences.
DDoS (from Baidu Baike):
A distributed denial-of-service attack makes many computers attack at the same time so that the target cannot be used normally. DDoS attacks have occurred many times and have left many large websites unable to operate, which not only affects users' normal use but also causes enormous economic losses. [1]
When carrying out a distributed denial-of-service attack, the source IP addresses can be forged, which makes the attack very well hidden and very hard to detect; it has therefore become a very difficult kind of attack to defend against.