【1】配置NTP服务
1、安装ntpd并配置ntp服务
[root@vdevops ~]# yum -y install ntp
# 18行: 添加允许同步的网络段 restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap<pre name="code" class="html">[root@vdevops ~]# <a target=_blank href="https://www.server-world.info/en/command/html/systemctl.html" style="color: #ffff00">systemctl</a> start ntpd[root@vdevops ~]# systemctl enable ntpd
2、如果当前系统的Firewalld是运行状态,需要执行下面命令
[root@vdevops ~]# firewall-cmd --add-service=ntp --permanent success [root@vdevops ~]# firewall-cmd --reload success
3、确认ntp服务是否正常 [root@vdevops ~]# ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== *time5.aliyun.co 10.137.38.86 2 u 92 64 36 30.174 0.236 0.5244、同步aliyun的时间服务器
[root@linuxprobe ~]# ntpdate times.aliyun.com 26 Oct 11:51:30 ntpdate[2935]: step time server 120.25.115.19 offset 15075.743514 sec【2】配置SSH服务
1、即使您使用“最小安装”安装了CentOS,OpenSSH也已默认安装,因此不必安装新软件包。您可以默认使用密码验证登录,但更改一些设置为安全如下:
[root@vdevops ~]# vi /etc/ssh/sshd_config # 48行: 取消注释改变yes为弄 ( 禁止root远程登录 ) PermitRootLogin no # 77 行:取消注释 PermitEmptyPasswords no PasswordAuthentication yes [root@vdevops ~]# systemctl restart sshd2、如果Firewalld是运行状态,需要添加以下策略
[root@vdevops ~]# firewall-cmd --add-service=ssh --permanent success [root@vdevops ~]# firewall-cmd --reload success3、ssh文件传输
使用SCP(安全复制)的例子
yum -y install openssh-clients拷贝本地的测试文件到远程主机,使用scp前设置hosts文件,保证每台主机上包含对方的主机IP和域名解析,并且对应起来
[root@vdevops ~]# scp test.txt wang@linuxprobe.org:/tmp The authenticity of host 'linuxprobe.org (10.1.1.53)' can't be established. ECDSA key fingerprint is d1:bd:3c:7f:68:71:79:44:4f:e5:2c:42:f1:06:49:14. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'linuxprobe.org,10.1.1.53' (ECDSA) to the list of known hosts. wang@linuxprobe.org's password: test.txt [root@vdevops ~]# scp -P22 wang@linuxprobe.org:/tmp/test.txt ./ wang@linuxprobe.org's password: test.txt
4、使用sftp传输文件 # sftp [Option] [user@host] 操作参数 [redhat@vdevops ~]$ sftp wang@linuxprobe.org #连接远程服务器 wang@linuxprobe.org's password:# password of the user Connected to linuxprobe.org sftp> # 查看远程服务器当前目录 sftp> pwd Remote working directory: /home/wang # 查看本地服务器当前目录 sftp> !pwd /home/redhat # 查看ftp服务器期当前目录文件 sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 28 22:53 test.txt # 查看本地服务器当前目录文件 sftp> !ls -l total 4 -rw-rw-r-- 1 redhat redhat 10 Jul 29 21:31 test.txt sftp> cd public_html #切换目录 sftp> pwd Remote working directory: /home/wang/public_html # 上传本地文件到远程服务器 sftp> put test.txt redhat.txt Uploading test.txt to /home/wang/redhat.txt test.txt 100% 10 0.0KB/s 00:00 sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 29 21:39 redhat.txt -rw-rw-r-- 1 wang wang 10 Jul 28 22:53 test.txt sftp> put *.txt Uploading test.txt to /home/wang/test.txt test.txt 100% 10 0.0KB/s 00:00 Uploading test2.txt to /home/wang/test2.txt test2.txt 100% 0 0.0KB/s 00:00 sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 29 21:39 redhat.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:45 test.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:46 test2.txt # 从远程服务器上面下载单个文件 sftp> get test.txt Fetching /home/wang/test.txt to test.txt /home/wang/test.txt 100% 10 0.0KB/s 00:00 # 从远程服务器上面下载多个文件 sftp> get *.txt Fetching /home/wang/redhat.txt to redhat.txt /home/wang/redhat.txt 100% 10 0.0KB/s 00:00 Fetching /home/wang/test.txt to test.txt /home/wang/test.txt 100% 10 0.0KB/s 00:00 Fetching /home/wang/test2.txt to test2.txt /home/wang/test2.txt 100% 10 0.0KB/s 00:00 # create a directory on remote server sftp> mkdir testdir sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 29 21:39 redhat.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:45 test.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:46 test2.txt drwxrwxr-x 2 wang wang 6 Jul 29 21:53 testdir # 删除远程服务器上面的目录 sftp> rmdir testdir rmdir ok,`testdir' removed sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 29 21:39 redhat.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:45 test.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:46 test2.txt # 删除远程服务上面的文件 sftp> rm test2.txt Removing /home/wang/test2.txt sftp> ls -l drwxrwxr-x 2 wang wang 6 Jul 29 21:33 public_html -rw-rw-r-- 1 wang wang 10 Jul 29 21:39 redhat.txt -rw-rw-r-- 1 wang wang 10 Jul 29 21:45 test.txt # execute commands with "![command]" sftp> !cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin ... ... redhat:x:1001:1001::/home/redhat:/bin/bash # exit sftp> quit #退出sftp连接5、SSH keys认证
为每个用户创建密钥对,因此使用普通用户登录并按如下所示工作。
[wang@vdevops ~]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/wang/.ssh/id_rsa): Created directory '/home/wang/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wang/.ssh/id_rsa. Your public key has been saved in /home/wang/.ssh/id_rsa.pub. The key fingerprint is: af:58:16:e9:f9:02:bc:95:5d:ec:4d:bd:6a:2b:39:06 wang@vdevops.com The key's randomart image is: +--[ RSA 2048]----+ | | | | | . . | | . o . .| | . So o o .| | o.oE. . .. | | += o . . | | .+.o = o | | . ..o +.. | +-----------------+ [wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys [wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys两台服务器其中vdevops.com作为服务端,linuxprobe.org作为客户端,拷贝服务的id_rsa文件到客户端,客户端上面对象的用户可以通过认证文件登录到服务端
#在linuxprobe.org上
[wang@linuxprobe ~]$ ls -a . .. .bash_logout .bash_profile .bashrc [wang@linuxprobe ~]$ mkdir ~/.ssh [wang@linuxprobe ~]$ chmod 700 ~/.ssh [wang@linuxprobe ~]$ scp wang@vdevops.com:/home/wang/.ssh/id_rsa ~/.ssh/ The authenticity of host 'vdevops.com (10.1.1.56)' can't be established. ECDSA key fingerprint is f8:d2:55:54:8f:e8:43:e0:ee:aa:d6:8d:53:8c:8e:85. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'vdevops.com,10.1.1.56' (ECDSA) to the list of known hosts. wang@vdevops.com's password: id_rsa 100% 1679 1.6KB/s 00:00 [wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@vdevops.com Last login: Wed Oct 26 15:39:18 2016 #登录成功#如果想要更加安全的登录远程服务器,可以设置PasswordAuthentication=no,重启sshd服务,这样从本地登录远程服务器的时候不仅需要密码验证还需要key文件验证
6、设置SFTP和Chroot
应用此设置的某些用户只能使用SFTP访问,或者访问制定允许的目录。
例如,设置Chroot目录/ home
# 针对SFTP创建一个特定的组 [root@vdevops ~]# groupadd sftp_users # 把用户wang加到sftp组中 [root@vdevops ~]# usermod -G sftp_users cent [root@vdevops ~]# vi /etc/ssh/sshd_config # line 147: 取消注释并添加一行 #Subsystem sftp /usr/libexec/openssh/sftp-server Subsystem sftp internal-sftp # 在下面增加下面几行内容 Match Group sftp_users X11Forwarding no AllowTcpForwarding no ChrootDirectory /home ForceCommand internal-sftp [root@vdevops ~]# systemctl restart sshd #重启sshd服务6.2、测试用户登录
[root@linuxprobe ~]# ssh wang@10.1.1.56 wang@10.1.1.56's password: Could not chdir to home directory /home/wang: No such file or directory This service allows sftp connections only. Connection to 10.1.1.56 closed. [root@linuxprobe ~]# sftp wang@10.1.1.56 wang@10.1.1.56's password: Connected to 10.1.1.56. sftp> ls -l drwx------ 2 1000 1000 59 Oct 25 17:02 shaon drwx------ 2 1002 1003 59 Oct 26 2016 testuser drwx------ 3 1001 1001 90 Oct 26 07:39 wang sftp> pwd Remote working directory: / sftp> exit7、SSH端口转发
例如,配置转发设置,将本地的8081转发到本地的5901(VNC)。
# forward the connection to 8081 to 5901 on local [wang@linuxprobe ~]$ ssh -L 0.0.0.0:8081:localhost:5901 wang@localhost wang@localhost's password: # the password of the working user (it means the login to local to local) Last login: Thu Jul 10 01:35:15 2014 # confirm [wang@linuxprobe ~]$ netstat -lnp | grep 8081 (Not all processes could be identified,non-owned process info will not be shown,you would have to be root to see it all.) tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 3238/ssh # keep this session and go next # it's possbile to start the process on background as a daemon with "-f" option but then it needs to kill it by hand after working.#然后通过8081端口连接VNC服务端
8、使用SSHPass自动输入密码身份验证密码
这很方便,但有安全隐患(密码泄漏),如果你使用它时要格外小心。
<div class="color2"># 从EPEL源安装</div>[root@vdevops ~]# yum --enablerepo=epel -y install sshpass # 使用sshpass [root@vdevops ~]# sshpass -p fangbuxia..0 ssh 10.1.1.53 hostname linuxprobe.org [root@vdevops ~]# echo "fangbuxia..0" sshpass.txt fangbuxia..0 sshpass.txt [root@vdevops ~]# echo "fangbuxia..0" > sshpass.txt [root@vdevops ~]# chmod 600 sshpass.txt [root@vdevops ~]# sshpass -f sshpass.txt ssh 10.1.1.53 hostname linuxprobe.org [root@vdevops ~]# export SSHPASS=fangbuxia..0 [root@vdevops ~]# sshpass -e ssh 10.1.1.53 hostname linuxprobe.org9、用SSH-Agent自动输入密钥对身份验证的密码
9.1、SSH密钥验证
配置SSH服务器以使用密钥验证进行登录。为客户端创建一个私钥,并为服务器创建一个公钥。
以vdevops.com为服务端:
为每个用户创建密钥对,因此使用普通用户登录并按如下所示工作:
[wang@vdevops ~]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/wang/.ssh/id_rsa): /home/wang/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wang/.ssh/id_rsa. Your public key has been saved in /home/wang/.ssh/id_rsa.pub. The key fingerprint is: 75:6c:9b:02:0a:00:78:3b:aa:6a:10:71:99:42:a7:62 wang@vdevops.com The key's randomart image is: +--[ RSA 2048]----+ |+o.+ | |+ B. . | |.E .. . . + | |+ o . . o o o | | o . . S . o | |o . | |o | |.. | |+ | +-----------------+ [wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys [wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys将在服务器上创建的密钥传输到客户端,然后可以使用密钥身份验证登录。
linuxprobe.org作为客户端:
[wang@linuxprobe ~]$ mkdir ~/.ssh #创建存放密钥文件的默认路径,如果已存在不需要重复创建 [wang@linuxpeobe ~]$ mkdir 700 ~/.ssh [wang@linuxprobe ~]$ scp wang@10.1.1.56:/home/wang/.ssh/id_rsa ~/.ssh/ #拷贝服务端的私钥 wang@10.1.1.56's password: id_rsa 100% 1675 1.6KB/s 00:00 [wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@10.1.1.56 #使用服务端的私钥登录到服务端 Last login: Thu Oct 27 09:24:18 2016 [wang@vdevops ~]$ #登录成功 #客户端创建公钥文件 [wang@linuxprobe ~]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/wang/.ssh/id_rsa): y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in y. Your public key has been saved in <span style="color:#FF6666;">y.pub</span>. The key fingerprint is: 3e:de:94:77:cc:11:8c:a5:df:38:30:63:32:25:a1:81 wang@linuxprobe.org The key's randomart image is: +--[ RSA 2048]----+ | .. o.. . | | E o o = | | . o B o | | + = + | | S = .| | . . o o | | o o . + | | . + . . | | . . | +-----------------+ #把y.pub拷贝到服务端加入到authorized_keys里面,即可从服务端免密码登录到客户端
10、使用并行SSH
[1] 安装pssh # 从EPEL源安装 [root@vdevops ~]# yum --enablerepo=epel -y install pssh [2] 如何使用PSSH. 确保服务器之间设置好密钥对认证 # 连接到服务器上执行命令 [wang@vdevops ~]$ pssh -H "10.1.1.51 10.1.1.52" -i "hostname" [1] 17:28:02 [SUCCESS] 10.1.1.51 node01.linuxprobe [2] 17:28:02 [SUCCESS] 10.1.1.52 node02.linuxprobe # it's possible to read host list fron a file [wang@vdevops ~]$ vi pssh_hosts.txt # 自定义host文件,按照下面的格式 wang@10.1.1.51 wang@10.1.1.52 [wang@vdevops ~]$ pssh -h pssh_hosts.txt -i "uptime" [1] 19:37:59 [SUCCESS] wang@10.1.1.52 19:37:59 up 1:35,0 users,load average: 0.00,0.00,0.00 [2] 19:37:59 [SUCCESS] wang@10.1.1.51 19:37:59 up 1:35,0.00 [3] 可以采用密码认证的方式,但是需要保证host文件中定义的主机同一账户的密码是相同的 [wang@vdevops ~]$ pssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r" Warning: do not enter your password if anyone else has superuser privileges or access to your account. Password: # input password [1] 12:54:06 [SUCCESS] wang@10.1.1.51 2.6.32-504.12.2.el6.x86_64 [2] 12:54:06 [SUCCESS] wang@10.1.1.52 2.6.32-504.12.2.el6.x86_64<span id="transmark" style="display: none; width: 0px; height: 0px;"></span>
#总结:在CentOS配置相关服务时,建议多配置几篇,大致了解服务的原理。