Batch distributing SSH keys and testing whether it succeeded


The process of completing a project, written up as a document, is a project document.
1. Project requirements analysis
2. Project implementation planning
3. Project implementation phase
4. Project acceptance testing
5. Project review and reporting

Introduction to remote service concepts:
Remote services make it possible to download and transfer data remotely.
The ssh and Telnet services are used to connect to hosts remotely.
ssh: encrypted data transfer (higher security, higher complexity), used across the Internet, accesses port 22, supports root remote login by default.
Telnet: plaintext data transfer (lower security, lower complexity), used across the LAN, accesses port 23, does not support root remote login by default.

How a remote service connection is established:
Client: sends a request to establish a connection.
Server: replies with key confirmation information.
Client: confirms the key information.
Server: sends its public key.
Client: receives and saves the public key (~/.ssh/known_hosts) and sends a confirmation.

Server: sends the password verification request (encrypted).
Client: enters the password (encrypted).
The data connection is established.
Data is transferred (encrypted).

Remote service connection methods
a. password-based connection
b. key-based remote connection

Implementation:
linux system -----> linux system
Step 1: create a key pair on the management host

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ii4d8NRnqHZK060T0kuc7tSgeekOOWgfX+obESQ1m9Y root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|    ..+          |
|     + *         |
|  . . B E        |
|   + * *         |
|    X % S        |
|   * & X         |
|  + @ X o        |
| . o X =         |
|    .oO.         |
+----[SHA256]-----+

Step 2: distribute the public key from the management host to the managed host

[root@localhost ~]# ssh-copy-id  -i /root/.ssh/id_rsa.pub  172.16.1.41
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost ~]# 

Step 3: test the remote connection

[root@localhost ~]# ssh  172.16.1.41
Last login: Thu Jan 16 07:02:28 2020 from 10.0.0.1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# 

PS: I did not change the hostnames of the two hosts here, so they are told apart by IP address.
The operations in the example can also be written as a single command:

[root@localhost ~]# ssh  172.16.1.41  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

How to manage multiple hosts in batch with password-based access:
management host 10.0.0.31

web 10.0.0.8
mysql 10.0.0.51
backup 10.0.0.41

Batch public key distribution script
Problem to solve: how to make the interaction password-free
1. Typing "yes" is required when connecting

[root@localhost ~]# ssh  10.0.0.41
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes

Solution:

[root@nfs ~]# ssh   10.0.0.41  -o  StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password: 

2. Entering the password is required when connecting

[root@nfs ~]# ssh   10.0.0.41  -o  StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password: 

Solution:

[root@lsy ~]# sshpass  -p000000 ssh 10.0.0.41
Last login: Thu Jan 16 07:17:43 2020 from 10.0.0.1

3. Entering the port is required when connecting
Change the port to 65535 for this experiment

[root@backup ~]# vim /etc/ssh/sshd_config 
[root@backup ~]# 
[root@backup ~]# systemctl resetart sshd
Unknown operation 'resetart'.
[root@backup ~]# systemctl restart sshd
[root@lsy ~]# sshpass  -p000000 ssh 10.0.0.41 -p22
ssh: connect to host 10.0.0.41 port 22: Connection refused

Solution:

[root@lsy ~]# sshpass  -p000000 ssh 10.0.0.41 -p65535
Last login: Thu Jan 16 07:24:52 2020 from 10.0.0.31

Supplement:
ssh command options and usage

sshpass command options and usage

Batch public key distribution script:

Management host

[root@lsy scripts]# sh distribute_public_key.sh 
to 10.0.0.8 distribute_key 
public key distribute ok

to 10.0.0.51 distribute_key 
public key distribute ok

to 10.0.0.41 distribute_key
public key distribute no

[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
# Loop over every IP in the host list (one address per line).
for ip in $(cat /server/scripts/ip_list.txt)
do
    # Push the public key; sshpass supplies the password non-interactively and
    # StrictHostKeyChecking=no suppresses the first-connection "yes" prompt.
    sshpass -p000000 ssh-copy-id -i /root/.ssh/id_rsa.pub "$ip" -o StrictHostKeyChecking=no &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $ip distribute_key "
        echo "public key distribute ok"
        echo ""
    else
        echo "to $ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done

Batch distribution verification script:

Script contents
#!/bin/bash
# Run the command passed as the script's first argument on every host.
for ip in $(cat /server/scripts/ip_list.txt)
do
    ssh "$ip" "$1"
done



Verification result:
[root@lsy scripts]# sh Verification.sh hostname

web
mysql
backup

PS: $1 stands for the argument passed to the script, which is why hostname follows sh Verification.sh. Overall, the script logs in to each host, queries its hostname, and exits.

Cases to handle when distributing public keys in batch:
1. the managed hosts' passwords differ
2. the managed hosts' ports differ
3. the managed hosts' user names differ

Distributing public keys to hosts with different passwords and ports
Write the host information file:
web 10.0.0.8:123123:65531
mysql 10.0.0.51:321321:65532
backup 10.0.0.41:654321:65534

ssh service configuration file: change the port number

 vim /etc/ssh/sshd_config 

Modified script

[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
# Each line of the host list is "ip:password:port"; split it with awk.
for host in $(cat /server/scripts/ip_list.txt)
do
    host_ip=$(echo "$host" | awk -F ":" '{print $1}')
    host_pass=$(echo "$host" | awk -F ":" '{print $2}')
    host_port=$(echo "$host" | awk -F ":" '{print $3}')
    # Push the key using that host's own password and port.
    sshpass -p"$host_pass" ssh-copy-id -i /root/.ssh/id_rsa.pub "$host_ip" -o StrictHostKeyChecking=no -p"$host_port" &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $host_ip distribute_key "
        echo "public key distribute ok"
        echo ""
    else
        echo "to $host_ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done

-eq means "equal to"
$? is 0 if the previous command succeeded, otherwise a non-zero value.

Test script for hosts with different ports

[root@lsy scripts]# cat Verification.sh 
#!/bin/bash
# Run the command given as $1 on every host, using each host's own port.
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo "$ip" | awk -F ":" '{print $1}')
    ip_port=$(echo "$ip" | awk -F ":" '{print $3}')
    ssh "$ip_1" -p"$ip_port" "$1"
done
[root@lsy scripts]# cat ip_list.txt 
10.0.0.8:123123:65531:root
10.0.0.51:321321:65532:lsy
10.0.0.41:654321:65534:lyh

Write the host information file

[root@lsy scripts]# cat ip_list.txt 
10.0.0.8:123123:65531
10.0.0.51:321321:65532
10.0.0.41:654321:65534

Case where the login user name, port number and password all differ

[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531:root
10.0.0.51:321321:65532:lsy
10.0.0.41:654321:65534:lyh

Problem with the test script: root needs no password, but the other users do

[root@lsy scripts]# ssh  root@10.0.0.8 -p65531   hostname
web
[root@lsy scripts]# ssh  lsy@10.0.0.51 -p65532   hostname
lsy@10.0.0.51's password: 

Solution:

[root@lsy scripts]# cat Verification.sh 
#!/bin/bash
# Host list lines are "ip:password:port:user"; log in as that user with
# that password and port, then run the command given as $1.
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo "$ip" | awk -F ":" '{print $1}')
    ip_port=$(echo "$ip" | awk -F ":" '{print $3}')
    ip_hostname=$(echo "$ip" | awk -F ":" '{print $4}')
    ip_pass=$(echo "$ip" | awk -F ":" '{print $2}')
    sshpass -p"$ip_pass" ssh "$ip_hostname@$ip_1" -p"$ip_port" "$1"
done
[root@lsy scripts]# sh Verification.sh  hostname
web
mysql
backup
[root@lsy scripts]# 
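Because the final Verification.sh above still hands sshpass the password, a host where the key was never installed for that user will also print its hostname. As an added example (not a script from the post), the following reads the same ip:password:port:user list, installs the key for exactly that user on that port, and then checks key-only login with BatchMode=yes and PasswordAuthentication=no, so "ok" cannot come from a password fallback; the list path /server/scripts/ip_list.txt and the key path are taken from the post, everything else is assumed.

```shell
#!/bin/bash
# Added example: per-user key distribution plus a key-only login check.
set -u

HOST_LIST="${HOST_LIST:-/server/scripts/ip_list.txt}"   # path from the post
PUBKEY="${PUBKEY:-$HOME/.ssh/id_rsa.pub}"

# Split one "ip:password:port:user" line into H_IP, H_PASS, H_PORT, H_USER.
# Port defaults to 22 and user to root, so the post's three-field file still
# parses; a line without ip or password is rejected (non-zero return).
parse_host_entry() {
    IFS=: read -r H_IP H_PASS H_PORT H_USER <<EOF
$1
EOF
    H_PORT="${H_PORT:-22}"
    H_USER="${H_USER:-root}"
    [ -n "$H_IP" ] && [ -n "$H_PASS" ]
}

# Install the key for H_USER on H_IP:H_PORT. The password is used only here,
# once; after this step it is not needed again for that host.
distribute_key() {
    sshpass -p "$H_PASS" ssh-copy-id -i "$PUBKEY" -p "$H_PORT" \
        -o StrictHostKeyChecking=no "$H_USER@$H_IP" >/dev/null 2>&1
}

# Confirm key-only login. BatchMode=yes forbids any interactive prompt and
# PasswordAuthentication=no disables the password method entirely, so a
# failure means the key is not in that user's authorized_keys.
verify_key_login() {
    ssh -n -p "$H_PORT" -o BatchMode=yes -o PasswordAuthentication=no \
        -o ConnectTimeout=5 "$H_USER@$H_IP" hostname 2>/dev/null
}

main() {
    # Read the list on fd 3 so ssh cannot consume the remaining lines as stdin.
    while read -r entry <&3; do
        [ -z "$entry" ] && continue
        parse_host_entry "$entry" || { echo "bad entry: $entry"; continue; }
        if distribute_key && name=$(verify_key_login); then
            echo "to $H_USER@$H_IP:$H_PORT distribute_key ok ($name)"
        else
            echo "to $H_USER@$H_IP:$H_PORT distribute_key no"
        fi
    done 3< "$HOST_LIST"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh distribute_and_verify.sh --run`; without the flag it only defines the functions.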

windows system (xshell) --> linux system
Step 1: create a key pair on the management host
xshell tool: New Key Wizard
Step 2: edit in the public key information
id_rsa_2048.pub - edit its contents into - authorized_keys on the linux host
Step 3: change the connection session settings
connect using the public key method and load the key

Environment preparation for the batch management software: ansible

[root@lsy ~]# yum install -y ansible

Problem:

The symptoms are this confusing

[root@lsy ~]# exit 
exit
[root@localhost ~]# ll
total 12
-rw-------. 1 root root 1326 Jan  7 08:12 anaconda-ks.cfg
-rwxr-xr-x. 1 root root 1111 Jan  7 06:26 centos.sh
-rwxr-xr-x. 1 root root  651 Jan  7 11:58 modifynetwork.sh
[root@localhost ~]# 
[root@localhost ~]# 
[root@localhost ~]# bash
[root@lsy ~]# 
[root@lsy ~]# 

Solution: get into the habit of arranging your working windows in order

How ssh remote login works:
Control end:

[root@backup ssh]# cat ssh_host_ed25519_key.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG44onV97IMGk22GAt+p3SWrXjkM2BMDg7jjJq5JWAeZ 
[root@backup ssh]# cat ssh_host_ecdsa_key.pub 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us= 
[root@backup ssh]# ssh  10.0.0.8
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes         
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password: 

Client:
The key value the client holds in this directory was transferred over from the control end

[root@web ssh]# cat ~/.ssh/known_hosts 
172.16.1.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us=
[root@web ssh]# 
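The known_hosts line above is whatever the server presented on the first connection, and the `-o StrictHostKeyChecking=no` used earlier accepts it without asking. As an added example (not from the original post), the following compares a client's stored known_hosts entry against the key file the server itself publishes, using the ECDSA host key shown above; the demo file names and the temp directory are constructed.

```shell
#!/bin/bash
# Added example: verify a known_hosts entry against the server's host key file.
set -u

# Print "keytype blob" for HOST from a known_hosts file. Handles plain
# (unhashed) entries; the host field may be a list such as "backup,172.16.1.41",
# and a non-default port is stored as "[172.16.1.41]:65535".
known_hosts_entry() {   # known_hosts_file host
    awk -v host="$2" '
        $1 !~ /^[#|@]/ && index("," $1 ",", "," host ",") { print $2, $3; exit }
    ' "$1"
}

# Return 0 only when the stored entry equals the server-side public key file.
known_hosts_matches() {   # known_hosts_file host host_key_pub_file
    local stored published
    stored=$(known_hosts_entry "$1" "$2")
    published=$(awk '{ print $1, $2; exit }' "$3")
    [ -n "$stored" ] && [ "$stored" = "$published" ]
}

# ECDSA host key of the managed host as printed in the post.
HOST_KEY_BLOB='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us='

# Write constructed demo files to a temp dir and print its path:
# good_known_hosts holds the real key, bad_known_hosts a different blob for
# the same host (what a client holds after accepting the wrong key).
make_demo_files() {
    local dir; dir=$(mktemp -d)
    printf 'ecdsa-sha2-nistp256 %s\n' "$HOST_KEY_BLOB" > "$dir/ssh_host_ecdsa_key.pub"
    printf '172.16.1.41 ecdsa-sha2-nistp256 %s\n' "$HOST_KEY_BLOB" > "$dir/good_known_hosts"
    printf '172.16.1.41 ecdsa-sha2-nistp256 %s\n' 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBB-constructed-different-key=' > "$dir/bad_known_hosts"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_files)
    known_hosts_matches "$d/good_known_hosts" 172.16.1.41 "$d/ssh_host_ecdsa_key.pub" && echo "good_known_hosts: matches server key"
    known_hosts_matches "$d/bad_known_hosts" 172.16.1.41 "$d/ssh_host_ecdsa_key.pub" || echo "bad_known_hosts: does NOT match server key"
fi
```

In practice the third argument is /etc/ssh/ssh_host_ecdsa_key.pub read from the server over a trusted channel (console or the earlier verified session), not over the connection being checked.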

Extension:
DoS attacks (from Baidu Baike):
DoS is short for Denial of Service. An attack that causes a denial of service is called a DoS attack; its purpose is to make a computer or network unable to provide normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. [1]
A DoS attack deliberately exploits flaws in network protocol implementations, or simply exhausts the target's resources by brute force, so that the target computer or network cannot provide normal service or resource access and the target's service system stops responding or even crashes; the attack does not involve intruding into the target server or network device. The resources involved include network bandwidth, file system capacity, open processes, and permitted connections. The attack starves the target of resources, and no matter how fast the computer is, how much memory it has, or how fast its network bandwidth is, the consequences cannot be avoided.

DDoS (from Baidu Baike):
A distributed denial-of-service attack has many computers attack at the same time so that the target cannot be used normally. DDoS attacks have occurred many times and have left many large websites unable to operate, which not only affects users' normal use but also causes enormous economic losses. [1]
When a DDoS attack is carried out, the source IP addresses can be forged, which makes the attack very well concealed while it is happening and makes detecting it very difficult, so this attack method has become very hard to defend against.

Article link: http://element-ui.cn/news/show-42194.aspx