TEST10

TEST10

1、总结ssh常用参数、用法

-p port：远程服务器监听的端口，目标主机的端口号是更改的 -b 指定连接的源IP -v 调试模式 -C 压缩方式 -X 支持x11转发 -t 强制伪tty分配，如：ssh -t remoteserver1 ssh -t remoteserver2   ssh  remoteserver3 -o option   如：-o StrictHostKeyChecking=no #在命令行也不需要回复yes no ,替代修改配置文件。 -i 指定私钥文件路径，实现基于key验证，默认使用文件： ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519，~/.ssh/id_rsa

2、总结sshd服务常用参数。

LoginGraceTime 2m #两分中一直连接不上就断开 PermitRootLogin yes #默认ubuntu不允许root远程ssh登录 root@ubuntu-10:~# grep '^PermitRootLogin' /etc/ssh/sshd_config PermitRootLogin yes StrictModes yes   #检查.ssh/文件的所有者，权限等 MaxAuthTries   6     #实际上只有三次 MaxSessions  10         #同一个连接最大会话。回话：复制的终端 PubkeyAuthentication yes     #基于key验证 PermitEmptyPasswords no      #空密码连接 PasswordAuthentication yes   #基于用户名和密码连接 GatewayPorts no #是否开启网关功能 ClientAliveInterval 10 #单位:秒 ClientAliveCountMax 3 #默认3 UseDNS yes #提高速度可改为no GSSAPIAuthentication yes #提高速度可改为no MaxStartups    #未认证连接最大值，默认值10 Banner /path/file #以下可以限制可登录用户的办法： AllowUsers user1 user2 user3 DenyUsers AllowGroups DenyGroups

3、PAM和google模块实现ssh双因子安全验证。

1. 在手机应用市场搜索：身份验证器或authenticator，并安装APP 2. 运行脚本(需要联网EPEL源),本质是修改了/etc/pam.d/sshd文件，将google的PAM模块加入进去实 现 [root@centos8 ~]#dnf info google-authenticator [root@centos8 ~]#bash google-authenticator.sh Installed: google-authenticator-1.07-1.el8.x86_64   Complete! Do you want me to update your /root/.google_authenticator file? (y/n) y 你希望我更新你的“/root/.google_authenticator”文件吗(y/n)？ Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y 你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒， 但是这加大了发现或甚 至防止中间人***的可能性(y/n)? By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y 默认情况下，令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞， 我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题， 可以增加窗口从默认的 3个可通过验证码增加到17个可通过验证码， 这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)? If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y 如果你登录的那台计算机没有经过固化，以防范运用蛮力的登录企图，可以对验证模块 启用尝试次数限制。默认情况下，这限制***者每30秒试图登录的次数只有3次。 你希望启用尝试次数 限制吗(y/n)? 在App Store 搜索Google Authenticator 进行App安装 Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://google.com/chart? chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.localdomain%3Fse cret%3D7YTAL4GW3TND7BICUMJGJLIFVE%26issuer%3Dcentos8.localdomain  #浏览器打开 此地址 Failed to use libqrencode to show QR code visually for scanning. Consider typing the OTP secret into your app manually. Your new secret key is: 7YTAL4GW3TND7BICUMJGJLIFVE Enter code from app (-1 to skip) 3 访问生成的url(需要科学上网):   https://google.com/chart? chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@centos8.localdomain%3Fsecret %3D7YTAL4GW3TND7BICUMJGJLIFVE%26issuer%3Dcentos8.localdomain 4. 打开用身份验证器APP，扫网页上的二维码，进行绑定手机 5. 继续上面的安装配置向导，输入手机APP上的数字，后续都回答 y 即可 Failed to use libqrencode to show QR code visually for scanning. Consider typing the OTP secret into your app manually. Your new secret key is: 7YTAL4GW3TND7BICUMJGJLIFVE Enter code from app (-1 to skip): 224421  #手机APP上的数字 Code confirmed Your emergency scratch codes are:  68820657  77385307  50928320  41000243  54628309 Do you want me to update your "/root/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y Redirecting to /bin/systemctl restart sshd.service 6. ssh 当前主机，可看到提示，输入手机APP上显示的数字码和root密码，可以登录，否则失败 [root@centos7 ~]#ssh 10.0.0.8 Verification code: Password: Last failed login: Fri Feb  7 12:11:12 CST 2020 from 10.0.0.7 on ssh:notty There were 6 failed login attempts since the last successful login. Last login: Fri Feb  7 12:09:47 2020 from 10.0.0.7 7. 临时口令存放在/root/.google_authenticator中，用一次删除一个，可手动加入使用 [root@centos8 ~]#cat .google_authenticator 7YTAL4GW3TND7BICUMJGJLIFVE " RATE_LIMIT 3 30 " WINDOW_SIZE 17 " DISALLOW_REUSE " TOTP_AUTH 68820657 77385307 50928320 41000243 54628309 [root@centos8 ~]# 安装配置脚本 cat google-authenticator.sh #安装epel yum install -y epel-release.noarch yum makecache #安装google authenticator yum install -y google-authenticator.x86_64 echo -e "\033[31mDo you want me to update your "/root/.google_authenticator" file? (y/n) y" echo -e "\033[31m你希望我更新你的“/root/.google_authenticator”文件吗(y/n)？\033[0m" echo -e "\033[31mDo you want to disallow multiple uses of the same authentication" echo -e "\033[31mtoken? This restricts you to one login about every 30s, but it increases" echo -e "\033[31myour chances to notice or even prevent man-in-the-middle attacks (y/n) y" echo -e "\033[31m你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒， 但是 这加大了发现或甚至防止中间人***的可能性(y/n)?\033[0m" echo -e "\033[31mBy default, a new token is generated every 30 seconds by the mobile app." echo -e "\033[31mIn order to compensate for possible time-skew between the client and the server," echo -e "\033[31mwe allow an extra token before and after the current time. This allows for a" echo -e "\033[31mtime skew of up to 30 seconds between authentication server and client. If you" echo -e "\033[31mexperience problems with poor time synchronization, you can increase the window" echo -e "\033[31mfrom its default size of 3 permitted codes (one previous code, the current" echo -e "\033[31mcode, the next code) to 17 permitted codes (the 8 previous codes, the current" echo -e "\033[31mcode, and the 8 next codes). This will permit for a time skew of up to 4 minutes" echo -e "\033[31mbetween client and server." echo -e "\033[31mDo you want to do so? (y/n) y" echo -e "\033[31m默认情况下，令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞， \033[0m" echo -e "\033[31m我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题， 可以 增加窗口从默认的3个可通过验证码增加到17个可通过验证码，\033[0m" echo -e "\033[31m这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)?\033[0m" echo -e "\033[31mIf the computer that you are logging into isn't hardened against brute-force" echo -e "\033[31mlogin attempts, you can enable rate-limiting for the authentication module." echo -e "\033[31mBy default, this limits attackers to no more than 3 login attempts every 30s." echo -e "\033[31mDo you want to enable rate-limiting? (y/n) y" echo -e "\033[31m如果你登录的那台计算机没有经过固化，以防范运用蛮力的登录企图，可以对验证模块 \033[0m" echo -e "\033[31m启用尝试次数限制。默认情况下，这限制***者每30秒试图登录的次数只有3次。 你 希望启用尝试次数限制吗(y/n)?\033[0m" echo -e "\033[32m 在App Store 搜索Google Authenticator 进行App安装 \033[0m" google-authenticator #/etc/pam.d/sshd文件，修改或添加下行保存 #auth required pam_google_authenticator.so sed -i '1a\auth       required     pam_google_authenticator.so' /etc/pam.d/sshd #编辑/etc/ssh/sshd_config找到下行 #ChallengeResponseAuthentication no #更改为 #ChallengeResponseAuthentication yes sed -i 's/.*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config #重启SSH服务 service sshd restart

4、使用chrony实现内网时间同步（一台node1从外网同步时间，其余机器从node1同步时间）。

# 将10.0.0.24 作为服务器 配置 1 安装包，开启服务 yum install chrony -y && systemctl enable --now chronyd 2 修改配置文件 [root@C8-24 ~]# grep '^[^#]' /etc/chrony.conf pool ntp.aliyun.com iburst pool ntp1.aliyun.com iburst #连接的外网服务器 pool ntp2.aliyun.com iburst driftfile /var/lib/chrony/drift makestep 1.0 3 rtcsync allow 10.0.0.0/24 #被准许同步时间的客服端 keyfile /etc/chrony.keys leapsectz right/UTC logdir /var/log/chrony 3 重启服务 systemctl restart chronyd 4.客服端同步时间 [root@c7-137-mariadb-bak ~]# rpm -q ntpdate ntpdate-4.2.6p5-29.el7.centos.2.x86_64 [root@c7-137-mariadb-bak ~]# date -s '-1 years' Thu Jul 23 13:31:56 CST 2020 [root@c7-137-mariadb-bak ~]# ntpdate 10.0.0.24 23 Jul 13:32:17 ntpdate[2251]: step time server 10.0.0.24 offset 31535999.996948 sec [root@c7-137-mariadb-bak ~]# date Fri Jul 23 13:32:26 CST 2021 或者 #以上的方法是要手动的去同步时间，要自动同步还要写定时任务。下面的方法不写定时任务同步 [root@c7-137-mariadb-bak ~]# yum install chrony -y [root@c7-137-mariadb-bak ~]# grep '^[^#]' /etc/chrony.conf server 10.0.0.24 iburst #将服务器指向局域网的主机 driftfile /var/lib/chrony/drift makestep 1.0 3 rtcsync logdir /var/log/chrony #重启服务 [root@c7-137-mariadb-bak ~]# systemctl restart chronyd [root@c7-137-mariadb-bak ~]# date -s '-1 days' Thu Jul 22 13:51:46 CST 2021 [root@c7-137-mariadb-bak ~]# chronyc sources -v 210 Number of sources = 1 .-- Source mode '^' = server, '=' = peer, '#' = local clock. / .- Source state '*' = current synced, '+' = combined , '-' = not combined, | / '?' = unreachable, 'x' = time may be in error, '~' = time too variable. || .- xxxx [ yyyy ] +/- zzzz || Reachability register (octal) -. | xxxx = adjusted offset, || Log2(Polling interval) --. | | yyyy = measured offset, || \ | | zzzz = estimated error. || | | \ MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^? 10.0.0.24 0 6 17 - +0ns[ +0ns] +/- 0ns [root@c7-137-mariadb-bak ~]# systemctl restart chronyd [root@c7-137-mariadb-bak ~]# date Fri Jul 23 13:52:39 CST 2021 [root@c7-137-mariadb-bak ~]#

5、利用cobbler实现系统自动化安装

两台主机 一台主机：CentOS 7 充当 Cobbler，服务器，并关闭防火墙和SELinux 一台主机：充当测试机，用于实现自动化安装Linux系统 网络要求：关闭Vmware软件中的NAT模式中的DHCP服务，两个主机网卡基于NAT模式 #安装相关包并启动服务 [root@centos7 ~]#yum install cobbler dhcp -y [root@centos7 ~]#systemctl enable --now cobblerd tftp dhcpd #修改cobbler相关的配置 [root@centos7 ~]#cobbler check The following are potential configuration items that you may want to fix: 1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it. 2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network. 3 : change 'disable' to 'no' in /etc/xinetd.d/tftp 4 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements. 5 : enable and start rsyncd.service with systemctl 6 : debmirror package is not installed, it will be required to manage debian deployments and repositories 7 : ksvalidator was not found, install pykickstart 8 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrasehere' 'your-password-here'" to generate new one 9 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them #生成新密码，默认安装好的系统root密码为cobbler [root@centos7 ~]#openssl passwd -1 'magedu' $1$1spuisnh$j34LNmyTQWs3l6xKxCZY60 #根据以上提示，只需要做1，2，8这三项即可，修改下面四行 [root@centos7 ~]#vim /etc/cobbler/settings default_password_crypted: "$1$1spuisnh$j34LNmyTQWs3l6xKxCZY60" next_server：< tftp服务器的 IP 地址> server： manage_dhcp：1  #设置为1，表示通过cobbler生成dhcpd.conf配置文件 [root@centos7 ~]#systemctl restart cobblerd #实现dhcp服务 #修改dhcp的模版文件下面的行，用来生成dhcp的配置文件 [root@centos7 ~]#vim /etc/cobbler/dhcp.template subnet 192.168.100.0 netmask 255.255.255.0 {     option routers             192.168.100.1;     option domain-name-servers 180.76.76.76,223.6.6.6;     option subnet-mask         255.255.255.0;     range dynamic-bootp       192.168.100.1 192.168.100.200; [root@centos7 ~]#cobbler sync [root@centos7 ~]#systemctl start dhcpd #下载启动的相关文件 [root@centos7 ~]#cobbler get-loaders task started: 2020-02-10_163111_get_loaders task started (id=Download Bootloader Content, time=Mon Feb 10 16:31:11 2020) downloading to /var/lib/cobbler/loaders/README downloading to /var/lib/cobbler/loaders/COPYING.elilo downloading to /var/lib/cobbler/loaders/COPYING.yaboot downloading to /var/lib/cobbler/loaders/COPYING.syslinux downloading to /var/lib/cobbler/loaders/elilo-ia64.efi downloading to /var/lib/cobbler/loaders/yaboot downloading to /var/lib/cobbler/loaders/pxelinux.0 downloading to /var/lib/cobbler/loaders/menu.c32 downloading to /var/lib/cobbler/loaders/grub-x86.efi downloading to /var/lib/cobbler/loaders/grub-x86_64.efi *** TASK COMPLETE *** [root@centos7 ~]#ls /var/lib/cobbler/loaders COPYING.elilo     COPYING.yaboot grub-x86_64.efi menu.c32   README COPYING.syslinux elilo-ia64.efi grub-x86.efi     pxelinux.0 yaboot [root@centos7 ~]#tree /var/lib/tftpboot/ /var/lib/tftpboot/ ├── boot ├── etc ├── grub ├── images ├── images2 ├── ppc ├── pxelinux.cfg └── s390x 8 directories, 0 files [root@centos7 ~]#cobbler sync task started: 2020-02-10_163219_sync task started (id=Sync, time=Mon Feb 10 16:32:19 2020) running pre-sync triggers cleaning trees removing: /var/lib/tftpboot/grub/images copying bootloaders trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0 trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32 trying hardlink /var/lib/cobbler/loaders/yaboot -> /var/lib/tftpboot/yaboot trying hardlink /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi copying distros to tftpboot copying images generating PXE configuration files generating PXE menu structure rendering TFTPD files generating /etc/xinetd.d/tftp cleaning link caches running post-sync triggers running python triggers from /var/lib/cobbler/triggers/sync/post/* running python trigger cobbler.modules.sync_post_restart_services running shell triggers from /var/lib/cobbler/triggers/sync/post/* running python triggers from /var/lib/cobbler/triggers/change/* running python trigger cobbler.modules.manage_genders running python trigger cobbler.modules.scm_track running shell triggers from /var/lib/cobbler/triggers/change/* *** TASK COMPLETE *** [root@centos7 ~]#tree /var/lib/tftpboot/ /var/lib/tftpboot/ ├── boot │   └── grub │       └── menu.lst ├── etc ├── grub │   ├── efidefault │   ├── grub-x86_64.efi │   ├── grub-x86.efi │   └── images -> ../images ├── images ├── images2 ├── memdisk ├── menu.c32 ├── ppc ├── pxelinux.0 ├── pxelinux.cfg │   └── default ├── s390x │   └── profile_list └── yaboot 10 directories, 10 files #修改菜单的标题信息 [root@centos7 ~]#vim /etc/cobbler/pxe/pxedefault.template MENU TITLE Cobbler | [root@centos7 ~]#cobbler sync [root@centos7 ~]#cat /var/lib/tftpboot/pxelinux.cfg/default DEFAULT menu PROMPT 0 MENU TITLE Cobbler |  #默认为：http://cobbler.github.io/ TIMEOUT 200 TOTALTIMEOUT 6000 ONTIMEOUT local LABEL local       MENU LABEL (local)       MENU DEFAULT       LOCALBOOT -1 MENU end [root@centos7 ~]#cobbler sync #导入CentOS系统的安装文件，生成相应的YUM源 [root@centos7 ~]#cobbler import --name=centos-8.1-x86_64 --path=/misc/cd -- arch=x86_64 [root@centos7 ~]#mount /dev/sr1 /mnt mount: /dev/sr1 is write-protected, mounting read-only [root@centos7 ~]#cobbler import --name=centos-7.7-x86_64 --path=/mnt -- arch=x86_64 [root@centos7 ~]#du -sh /var/www/cobbler/ks_mirror/* 11G /var/www/cobbler/ks_mirror/centos-7.7-x86_64 7.2G /var/www/cobbler/ks_mirror/centos-8.1-x86_64 12K /var/www/cobbler/ks_mirror/config [root@centos7 ~]#cobbler distro list   centos-7.7-x86_64   centos-8.1-x86_64 [root@centos7 ~]#cobbler profile list   centos-7.7-x86_64   centos-8.1-x86_64   #默认生成的是最小化安装 准备 kickstart文件,并关联至指定的YUM源 [root@centos7 ~]#vim /var/lib/cobbler/kickstarts/centos8.cfg [root@centos7 ~]#cat /var/lib/cobbler/kickstarts/centos8.cfg ignoredisk --only-use=sda zerombr text reboot clearpart --all --initlabel selinux --disabled firewall --disabled url --url=$tree   #注意此行必须指定 keyboard --vckeymap=us --xlayouts='us' lang en_US.UTF-8 network  --bootproto=dhcp --device=ens160 --ipv6=auto --activate network  --hostname=centos8.magedu.com rootpw --iscrypted $6$nOPs5JTMlP4mhQeW$R/o62B6SXAh3RR.zrZ3U0X4xYX9/u5nSLrR/vqCB6kdO2XFfMk2a4yAgrHJQ pXK/e4jzRb0jiLBv2nFMXaBjB/ firstboot --enable skipx services --disabled="chronyd" timezone Asia/Shanghai --isUtc --nontp user --name=wang -- password=$6$oUfb/02CWfLb5l8f$sgEZeR7c7DpqfpmFDH6huSmDbW1XQNR4qKl2EPns.gOXqlnAIgv 9pTogtFVaDtEpMOC.SWXKYqxfVtd9MCwxb1 --iscrypted --gecos="wang" part / --fstype="xfs" --ondisk=sda --size=102400 part /data --fstype="xfs" --ondisk=sda --size=51200 part swap --fstype="swap" --ondisk=sda --size=2048 part /boot --fstype="ext4" --ondisk=sda --size=1024 %packages @^minimal-environment kexec-tools %end %addon com_redhat_kdump --enable --reserve-mb='auto' %end %anaconda pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty %end #将kickstart文件，关联指定的YUM源和生成菜单列表 [root@centos7 ~]#cobbler profile add --name=CentOS-8.1_test --distro=CentOS-8.1- x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos8.cfg [root@centos7 ~]#cobbler profile add --name=CentOS-7.7_test --distro=CentOS-7.7- x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg #删除默认生成的菜单 [root@centos7 ~]#cobbler profile remove --name=centos-8.1-x86_64 [root@centos7 ~]#cobbler profile remove --name=centos-7.7-x86_64 [root@centos7 ~]#cobbler profile list   CentOS-7.7_test   CentOS-8.1_test   #删除默认的菜单列表 [root@centos7 ~]#cobbler profile remove --name=CentOS8.0-x86_6 #测试客户端基于Cobbler实现自动安装

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。