CentOS 7设置ssh服务自动启动

字数统计: 1.7k字   |   阅读时长≈ 8分

SSH(Secure SHell)

SSH的英文全称是Secure SHell。通过使用SSH,你可以把所有传输的数据进行加密,这样“中间人”这种攻击方式就不可能实现了,而且也能够防止DNS和IP欺骗。还有一个额外的好处就是传输的数据是经过压缩的,所以可以加快传输的速度。SSH有很多功能,它既可以代替telnet,又可以为ftp、pop、甚至ppp提供一个安全的“通道”。

SSH在Linux中的服务是sshd,安装openssh后才可开启。CentOS 7 安装后默认情况下是不启动sshd服务,即无法通过ssh服务远程连接。
首先查看系统是否安装openssh,一般情况想都是默认安装了。

1
2
3
4
5
[root@localhost ~]# rpm -qa | grep ssh
libssh2-1.4.3-10.el7.x86_64
openssh-server-6.6.1p1-22.el7.x86_64
openssh-clients-6.6.1p1-22.el7.x86_64
openssh-6.6.1p1-22.el7.x86_64

如果没有安装可以通过yum在线安装。

1
yum install openssh

手动设置启动ssh服务

简单的设置就是在命令行中启动sshd服务。这样做比较快捷直接,但是只能对当前状态有效,一旦重启系统就丢失了该服务。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@localhost ~]# systemctl start sshd
[root@localhost ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2016-09-16 16:18:24 CST; 6h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1031 (sshd)
CGroup: /system.slice/sshd.service
└─1031 /usr/sbin/sshd -D
Sep 16 16:18:24 localhost.localdomain systemd[1]: Starting OpenSSH server daemon…
Sep 16 16:18:25 localhost.localdomain sshd[1031]: Server listening on 0.0.0.0 port 22.
Sep 16 16:18:25 localhost.localdomain sshd[1031]: Server listening on :: port 22.
Sep 16 18:18:14 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Sep 16 18:29:41 localhost.localdomain sshd[11847]: Accepted password for root from 192.168.92.1 port 55149 ssh2
Sep 16 18:37:11 localhost sshd[12969]: Address 192.168.92.1 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 18:37:12 localhost sshd[12969]: Accepted password for root from 192.168.92.1 port 55391 ssh2
Sep 16 22:09:59 localhost sshd[15252]: Address 192.168.92.1 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 22:10:02 localhost sshd[15252]: Accepted password for root from 192.168.92.1 port 64452 ssh2
Sep 16 22:22:08 localhost systemd[1]: Started OpenSSH server daemon.

设置自动启动ssh服务

1、systemclt设置自动启动

通过systemctl命令可以将sshd服务加到开机自启动列表里。实现开机自动启动sshd服务。

1
systemctl enable sshd

2、修改ssh监听端口
sshd_config文件中存放了端口、控制策略等信息。

1
vi /etc/ssh/sshd_config

结果如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

3、需要修改的地方

  • 首先修改端口,端口设置为自定义端口,即1024之后的端口,这里设置为8090。
1
port 8090
  • 禁止空密码用户登录。
1
PermitEmptyPasswords no
  • 开启密码登录授权(默认即开启)
1
PasswordAuthentication yes
  • 禁止root账户使用ssh登录,这种设置通常用于互联网服务器,防止提权后用root账户登录搞破坏。
1
PermitRootLogin no

4、注意其中关于port的提示文字

1
2
3
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

修改端口的时候需要添加到防火墙的控制中,否则无法使用ssh连接。

1
2
3
4
5
6
[root@localhost ~]# semanage port -l | grep ssh #查看当前ssh服务监听的端口
ssh_port_t tcp 22
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 8090 #增加监听端口8090

[root@localhost ~]# semanage port -l | grep ssh
ssh_port_t tcp 8090,22

semanage只是端口工具,修改防火墙只能使用firewall-cmd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[root@localhost ssh]# yum provides firewall-cmd #查找防火墙工具所在的包
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.bit.edu.cn
* extras: mirrors.btte.net
* updates: mirrors.btte.net
firewalld-0.3.9-14.el7.noarch : A firewall daemon with D-BUS interface providing a dynamic firewall
Repo : base
Matched from:
Filename : /usr/bin/firewall-cmd

[root@localhost ssh]# yum -y install firewalld #安装防火墙工具

[root@localhost ssh]# systemctl start firewalld #启动防火墙服务

[root@localhost ssh]# systemctl status firewalld #查看防火墙状态
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2016-09-17 04:22:15 CST; 15s ago
Main PID: 16979 (firewalld)
CGroup: /system.slice/firewalld.service
└─16979 /usr/bin/python -Es /usr/sbin/firewalld –nofork –nopid
Sep 17 04:22:14 localhost systemd[1]: Starting firewalld - dynamic firewall daemon…
Sep 17 04:22:15 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ssh]# firewall-cmd –zone=public –add-port=8090/tcp –permanent #防火墙中允许8090端口通过
success

[root@localhost ssh]# semanage port -m -t ssh_port_t -p tcp 8090 #将ssh服务修改为8090端口
[root@localhost ssh]# firewall-cmd –zone=public –remove-port=22/tcp –permanent #删除22端口
success
[root@localhost ssh]# firewall-cmd –reload #重新加载防火墙服务配置
success

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

建立此博客主要用途:
分享知识、学习笔记、
技术探讨、好的文章收藏整理

在本博客中如果涉及到版权问题
请联系QQ:1583881877

如果对文章中有更好的看法,
请在留言区留下您宝贵的意见呦!!