【centos7环境搭建】 CentOS 7设置ssh服务自动启动

CentOS 前端之家
前端之家收集整理的这篇文章主要介绍了【centos7环境搭建】 CentOS 7设置ssh服务自动启动前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

实验环境:CentOS7 Minimal安装,安装过程及软件包见http://blog.csdn.net/capricorn90/article/details/52556174
SSH的英文全称是Secure SHell。通过使用SSH,你可以把所有传输的数据进行加密,这样“中间人”这种攻击方式就不可能实现了,而且也能够防止DNS和IP欺骗。还有一个额外的好处就是传输的数据是经过压缩的,所以可以加快传输的速度。SSH有很多功能,它既可以代替telnet,又可以为ftp、pop、甚至ppp提供一个安全的“通道”。

SSH在Linux中的服务是sshd,安装openssh后才可开启。CentOS 7 安装后默认情况下是不启动sshd服务,即无法通过ssh服务远程连接。
首先查看系统是否安装openssh,一般情况想都是默认安装了,

[root@localhost ~]# rpm -qa | grep ssh
libssh2-1.4.3-10.el7.x86_64
openssh-server-6.6.1p1-22.el7.x86_64
openssh-clients-6.6.1p1-22.el7.x86_64
openssh-6.6.1p1-22.el7.x86_64

如果没有安装可以通过yum在线安装。

[root@localhost ~]# yum install openssh

手动设置启动ssh服务

简单的设置就是在命令行中启动sshd服务。这样做比较快捷直接,但是只能对当前状态有效,一旦重启系统就丢失了该服务。

[root@localhost ~]# systemctl start sshd
[root@localhost ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active:active (running)since Fri 2016-09-16 16:18:24 CST; 6h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1031 (sshd)
CGroup: /system.slice/sshd.service
└─1031 /usr/sbin/sshd -D
Sep 16 16:18:24 localhost.localdomain systemd[1]: Starting OpenSSH server daemon…
Sep 16 16:18:25 localhost.localdomain sshd[1031]: Server listening on 0.0.0.0 port 22.
Sep 16 16:18:25 localhost.localdomain sshd[1031]: Server listening on :: port 22.
Sep 16 18:18:14 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Sep 16 18:29:41 localhost.localdomain sshd[11847]: Accepted password for root from 192.168.92.1 port 55149 ssh2
Sep 16 18:37:11 localhost sshd[12969]: Address 192.168.92.1 maps to localhost,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 18:37:12 localhost sshd[12969]: Accepted password for root from 192.168.92.1 port 55391 ssh2
Sep 16 22:09:59 localhost sshd[15252]: Address 192.168.92.1 maps to localhost,but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 22:10:02 localhost sshd[15252]: Accepted password for root from 192.168.92.1 port 64452 ssh2
Sep 16 22:22:08 localhost systemd[1]: Started OpenSSH server daemon.

设置自动启动ssh服务

1、systemclt设置自动启动

通过systemctl命令可以将sshd服务加到开机自启动列表里。实现开机自动启动sshd服务。

[root@localhost ~]# systemctl enable sshd

2、修改ssh监听端口

在sshd_config文件中存放了端口、控制策略等信息。

[root@localhost ~]# vi /etc/ssh/sshd_config

  1. # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
  2.  
  3. # This is the sshd server system-wide configuration file. See
  4. # sshd_config(5) for more information.
  5.  
  6. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
  7.  
  8. # The strategy used for options in the default sshd_config shipped with
  9. # OpenSSH is to specify options with their default value where
  10. # possible,but leave them commented. Uncommented options override the
  11. # default value.
  12.  
  13. # If you want to change the port on a SELinux system,you have to tell
  14. # SELinux about this change.
  15. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
  16. #
  17. #Port 22
  18. #AddressFamily any
  19. #ListenAddress 0.0.0.0
  20. #ListenAddress ::
  21.  
  22. # The default requires explicit activation of protocol 1
  23. #Protocol 2
  24.  
  25. # HostKey for protocol version 1
  26. #HostKey /etc/ssh/ssh_host_key
  27. # HostKeys for protocol version 2
  28. HostKey /etc/ssh/ssh_host_rsa_key
  29. #HostKey /etc/ssh/ssh_host_dsa_key
  30. HostKey /etc/ssh/ssh_host_ecdsa_key
  31. HostKey /etc/ssh/ssh_host_ed25519_key
  32.  
  33. # Lifetime and size of ephemeral version 1 server key
  34. #KeyRegenerationInterval 1h
  35. #ServerKeyBits 1024
  36.  
  37. # Ciphers and keying
  38. #RekeyLimit default none
  39.  
  40. # Logging
  41. # obsoletes QuietMode and FascistLogging
  42. #SyslogFacility AUTH
  43. SyslogFacility AUTHPRIV
  44. #LogLevel INFO
  45.  
  46. # Authentication:
  47.  
  48. #LoginGraceTime 2m
  49. #PermitRootLogin yes
  50. #StrictModes yes
  51. #MaxAuthTries 6
  52. #MaxSessions 10
  53.  
  54. #RSAAuthentication yes
  55. #PubkeyAuthentication yes
  56.  
  57. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
  58. # but this is overridden so installations will only check .ssh/authorized_keys
  59. AuthorizedKeysFile      .ssh/authorized_keys
  60.  
  61. #AuthorizedPrincipalsFile none
  62.  
  63. #AuthorizedKeysCommand none
  64. #AuthorizedKeysCommandUser nobody
  65.  
  66. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  67. #RhostsRSAAuthentication no
  68. # similar for protocol version 2
  69. #HostbasedAuthentication no
  70. # Change to yes if you don't trust ~/.ssh/known_hosts for
  71. # RhostsRSAAuthentication and HostbasedAuthentication
  72. #IgnoreUserKnownHosts no
  73. # Don't read the user's ~/.rhosts and ~/.shosts files
  74. #IgnoreRhosts yes
  75.  
  76. # To disable tunneled clear text passwords,change to no here!
  77. #PasswordAuthentication yes
  78. #PermitEmptyPasswords no
  79. PasswordAuthentication yes
  80.  
  81. # Change to no to disable s/key passwords
  82. #ChallengeResponseAuthentication yes
  83. ChallengeResponseAuthentication no
  84.  
  85. # Kerberos options
  86. #KerberosAuthentication no
  87. #KerberosOrLocalPasswd yes
  88. #KerberosTicketCleanup yes
  89. #KerberosGetAFSToken no
  90. #KerberosUseKuserok yes
  91.  
  92. # GSSAPI options
  93. GSSAPIAuthentication yes
  94. GSSAPICleanupCredentials no
  95. #GSSAPIStrictAcceptorCheck yes
  96. #GSSAPIKeyExchange no
  97. #GSSAPIEnablek5users no
  98.  
  99. # Set this to 'yes' to enable PAM authentication,account processing,
  100. # and session processing. If this is enabled,PAM authentication will
  101. # be allowed through the ChallengeResponseAuthentication and
  102. # PasswordAuthentication. Depending on your PAM configuration,68);"># PAM authentication via ChallengeResponseAuthentication may bypass
  103. # the setting of "PermitRootLogin without-password".
  104. # If you just want the PAM account and session checks to run without
  105. # PAM authentication,then enable this but set PasswordAuthentication
  106. # and ChallengeResponseAuthentication to 'no'.
  107. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
  108. # problems.
  109. UsePAM yes
  110.  
  111. #AllowAgentForwarding yes
  112. #AllowTcpForwarding yes
  113. #GatewayPorts no
  114. X11Forwarding yes
  115. #X11DisplayOffset 10
  116. #X11UseLocalhost yes
  117. #PermitTTY yes
  118. #PrintMotd yes
  119. #PrintLastLog yes
  120. #TCPKeepAlive yes
  121. #UseLogin no
  122. UsePrivilegeSeparation sandBox          # Default for new installations.
  123. #PermitUserEnvironment no
  124. #Compression delayed
  125. #ClientAliveInterval 0
  126. #ClientAliveCountMax 3
  127. #ShowPatchLevel no
  128. #UseDNS yes
  129. #PidFile /var/run/sshd.pid
  130. #MaxStartups 10:30:100
  131. #PermitTunnel no
  132. #ChrootDirectory none
  133. #VersionAddendum none
  134.  
  135. # no default banner path
  136. #Banner none
  137.  
  138. # Accept locale-related environment variables
  139. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  140. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  141. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  142. AcceptEnv XMODIFIERS
  143.  
  144. # override default of no subsystems
  145. Subsystem       sftp    /usr/libexec/openssh/sftp-server
  146.  
  147. # Example of overriding settings on a per-user basis
  148. #Match User anoncvs
  149. # X11Forwarding no
  150. # AllowTcpForwarding no
  151. # PermitTTY no
  152. # ForceCommand cvs server

首先修改端口,端口设置为自定义端口,即1024之后的端口,这里设置为8090。

  1. port 8090
  • 1

禁止空密码用户登录

  1. PermitEmptyPasswords no
  • 1

开启密码登录授权(默认即开启)

  1. PasswordAuthentication yes
  • 1

禁止root账户使用ssh登录,这种设置通常用于互联网服务器,防止提权后用root账户登录搞破坏。

  1. PermitRootLogin no
  • 1

注意其中关于port的提示文字

  1. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
  • 1
  • 2
  • 3

修改端口的时候需要添加到防火墙的控制中,否则无法使用ssh连接。

[root@localhost ~]# semanage port -l | grep ssh#查看当前ssh服务监听的端口
ssh_port_t tcp 22
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 8090#增加监听端口8090

[root@localhost ~]# semanage port -l | grep ssh
ssh_port_t tcp 8090,22

semanage只是端口工具,修改防火墙只能使用firewall-cmd

[root@localhost ssh]# yum provides firewall-cmd#查找防火墙工具所在的包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.bit.edu.cn
* extras: mirrors.btte.net
* updates: mirrors.btte.net
firewalld-0.3.9-14.el7.noarch : A firewall daemon with D-BUS interface providing a dynamic firewall
Repo : base
Matched from:
Filename : /usr/bin/firewall-cmd

[root@localhost ssh]# yum -y install firewalld#安装防火墙工具

[root@localhost ssh]# systemctl start firewalld#启动防火墙服务

[root@localhost ssh]# systemctl status firewalld#查看防火墙状态
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2016-09-17 04:22:15 CST; 15s ago
Main PID: 16979 (firewalld)
CGroup: /system.slice/firewalld.service
└─16979 /usr/bin/python -Es /usr/sbin/firewalld –nofork –nopid
Sep 17 04:22:14 localhost systemd[1]: Starting firewalld - dynamic firewall daemon…
Sep 17 04:22:15 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ssh]# firewall-cmd –zone=public –add-port=8090/tcp –permanent#防火墙中允许8090端口通过
success

[root@localhost ssh]# semanage port -m -t ssh_port_t -p tcp 8090#将ssh服务修改为8090端口
[root@localhost ssh]# firewall-cmd –zone=public –remove-port=22/tcp –permanent#删除22端口
success
[root@localhost ssh]# firewall-cmd –reload#重新加载防火墙服务配置 success

猜你在找的CentOS相关文章

Centos7离线安装gcc4.8
有时候CentOS工作在无互联网的环境下,需要在离线环境下安装一些组件,这次实现的是模拟在...
CentOS7离线安装devtoolset-9并编译redis6.0.5
首先参照https://www.cnblogs.com/wdw984/p/13330074.html,来进行如何安装Centos和离线下...
使用Nginx在80端口上代理多个.NET CORE网站
有两个.NET CORE3.1网站部署在CentOS7上(内网IP是192.168.2.32),现在想实现访问http://...
CentOS7中配置vsftpd
1、yum -y install vsftpd 安装vsftpd 2、配置vsftpd的配置文件(/etc/vsftpd/vsftpd.conf...
CentOS7离线安装Mysql8.0
首先去mysql官网下载mysql的离线rpm安装包(https://downloads.mysql.com/archives/commun...
CentOS中增加网络连接数的方法
CentOS默认对外访问,发起的TCP链接总数小于28232个。 可以通过以下命令的结果计算出来 $ ...
VMware安装Centos7虚拟机
首先安装虚拟机很简单,所以呢,具体的安装过程就引用别人的博客,这篇文字很详细,引用之...
[Linux] 解决CentOS下Requires: libjson-c.so错误
当安装某些rpm包的时候 , 会爆出这个错误 Requires: libjson-c.so json-c是c语言下的json库...
阿里云centos7安装mysql8数据库
linux系统安装mysql8
centos安装mysql
一、安装 二、修改密码 三、修改远程连接权限(为了使用navicat)
LinuxWindowsCentOSUbuntuNginxWebServiceScalaMemcacheApacheRedisDockerBashAzureTomcatLNMPShell数据结构服务器运维网络安全
xebugnodemondocker-copydcoselasticsearcwindows-contdocker-windodocker-awsamazon-cloudenvoyproxyhashicorp-vaswisscomdevkafka-pythonzscalerphoton-osdocker-swarmkamongoogle-cloudconcoursewso2-ampersistent-vapi-managerprocess-manamanjarojenkins-workhypriotremoteapikeystonejsbitcoindbitcoin-test