ssh服务由服务端软件Openssh和客户端(常见的有ssh,SecureCRT,putty,xshell)组成,ssh服务默认使用22端口提供服务,它有两个不兼容的ssh协议版本,分别是1.x和2.x
下面我们看下服务端上的ssh相关软件
[root@greymouster ~]# rpm -qa openssh openssh-5.3p1-104.el6.i686 [root@greymouster ~]# rpm -qa |grep openssh openssh-askpass-5.3p1-104.el6.i686 openssh-clients-5.3p1-104.el6.i686 openssh-server-5.3p1-104.el6.i686 openssh-5.3p1-104.el6.i686 [root@greymouster ~]# rpm -qa openssh openssl openssl-1.0.1e-30.el6.i686 openssh-5.3p1-104.el6.i686
[root@greymouster ~]# ps -ef |grep ssh root 1483 1 0 12:48 ? 00:00:00 /usr/sbin/sshd root 6234 1483 0 20:42 ? 00:00:00 sshd: root@pts/0 root 6461 6237 0 21:50 pts/0 00:00:00 grep ssh
ssh客户端包含ssh程序以及scp(远程拷贝)、slogin(远程登录)、sftp(安全FTP文件传输)等应用程序
Openssh是ssh服务端的软件之一,可同时支持ssh1和ssh2协议,可以在配置文件中使用protocol指令指定只支持其中一种或两种都支持,默认情况下centos5.x系统默认配置的是仅支持ssh2协议
[root@greymouster ~]# less /etc/ssh/sshd_config # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2
查看ssh的端口
[root@greymouster ~]# netstat -lntup|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1526/sshd
tcp 0 0 :::22 :::* LISTEN 1526/sshd
linux客户端通过ssh连接
[root@greymouster ~]# ssh -p22 root@192.168.1.199
[root@greymouster ~]# ssh -p22 root@192.168.1.199 /user/bin/free 命令(全路径) 到其他机器上执行命令(不会切换到机器上)
The authenticity of host '[192.168.1.199]:60222 ([192.168.1.199]:22)' can't be established. RSA key fingerprint is d2:ad:69:ef:5e:55:43:c2:2d:c7:cc:fd:79:cd:af:c2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[192.168.1.199]:22' (RSA) to the list of known hosts. reverse mapping checking getaddrinfo for 69.169.37.106.static.bjtelecom.net [192.168.1.199] failed - POSSIBLE BREAK-IN ATTEMPT! root@192.168.1.199's password: Last login: Tue Jan 3 21:48:32 2017 from 1.180.212.133
当第一次连接的时候,本地会产生一个密钥文件 ~/.ssh/known_hosts
ssh客户端附带的远程拷贝scp命令
scp的基本语法使用:scp -secure copy
推:PUSH
scp -P22 -r -p /temp/data root@192.168.1.199:/tmp
拉:PULL
scp -P22 -rp root@192.168.1.169:/tmp/data /opt/
[root@greymouster tmp]# cat /tmp/a.text 1111 1111 1111
[root@greymouster tmp]# scp -P22 /tmp/a.text root@192.168.1.199:/opt
把当前机器的 /tmp/a.text 文件拷贝到192.168.1.199 /opt 目录下 The authenticity of host '192.168.1.199 (192.168.1.199)' can't be established. RSA key fingerprint is 32:0a:c0:7e:2a:a3:e2:dd:56:81:ca:d1:65:ba:a0:0b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.199' (RSA) to the list of known hosts. root@192.168.1.199's password: a.text 100% 15 0.0KB/s 00:00 [root@greymouster tmp]#
[root@greymouster tmp]# scp -P22 root@192.168.1.199:/opt/b.text /tmp/
把192.168.1.199上的/opt/b.text文件拷贝到本机器的 /tmp/目录下
root@192.168.1.199's password:
b.text 100% 4 0.0KB/s 00:00
[root@greymouster tmp]# ls /tmp
scp 为远程拷贝文件或目录的命令
-P(大写) 端口
-r 表示拷贝目录
-p 表示在拷贝前后保持文件或目录属性
注:scp是全量拷贝,效率不高 rsync 是增量拷贝
linux sftp客户端连接sftp服务器
[root@greymouster tmp]# sftp -oPort=22 root@192.168.1.199 Connecting to 192.168.1.199... root@192.168.1.199's password: sftp> ls -l -rw------- 1 root root 1399 Dec 6 05:35 anaconda-ks.cfg -rw-r--r-- 1 root root 44227 Dec 6 05:35 install.log -rw-r--r-- 1 root root 10033 Dec 6 05:33 install.log.syslog sftp> put /tmp/a.text 将/tmp/a.text上传到192.168.1.199 的家目录
Uploading /tmp/a.text to /root/a.text /tmp/a.text 100% 15 0.0KB/s 00:00 sftp> ls -l -rw-r--r-- 1 root root 15 Jan 11 01:04 a.text -rw------- 1 root root 1399 Dec 6 05:35 anaconda-ks.cfg -rw-r--r-- 1 root root 44227 Dec 6 05:35 install.log -rw-r--r-- 1 root root 10033 Dec 6 05:33 install.log.syslog sftp> get install.log 将192.168.1.199 的家目录install.log 下载到本机
sftp> put /tmp/a.text /ceshi/ 上传到指定目录下
sftp> get a.sh /home 下载到指定目录下
windows客户端连接sftp的方法
点击SecureCRT 文件-->连接sftp标签
sftp> put "C:a.txt" 正在把 a.txt 上传到 /root/a.txt 100% 3 字节 3 字节/s 00:00:00 sftp>
sftp> get /root/a.txt
正在从 /root/a.txt 下载 a.txt
100% 3 字节 3 字节/s 00:00:00
sftp>
过滤注释查看配置文件
[root@greymouster home]# egrep -v "^#|^$" /etc/ssh/sshd_config
更改ssh配置
[root@greymouster ~]# vi /etc/ssh/sshd_config
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_c
onfig shipped with
# OpenSSH is to specify options with their default va
lue where
# possible, but leave them commented. Uncommented op
tions change a
# default value.
#Port 22 #ssh连接默认端口22
#PermitRootLogin no # root用户是否禁止远程登录
#PermitEmptyPasswords no #禁止空密码登录
#UseDNS no #不使用DNS
#GSSAPIAuthentication no #让ssh连接更快
修改配置文件后要重启ssh服务
[root@greymouster ~]# /etc/init.d/sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
扫描的软件安装
[root@greymouster ~]# yum install nmap -y
[root@greymouster ~]# nmap 192.168.1.199 -p1-65535
Starting Nmap 5.51 ( http://nmap.org ) at 2017-01-11 00:08 CST
Nmap scan report for 192.168.1.199
Host is up (0.000011s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
54573/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
禁止某个ip
[root@greymouster ~]# iptables -A INPUT ! -s 10.0.0.8 -j DROP