11 Remote connection servers: ssh xdmcp vnc xrdp
11-1 Remote connection servers
11-2 Text-interface connection server: ssh server
11-2-2 Starting the ssh server
google centos 7 netstat
http://www.centoscn.com/CentOS/config/2014/0905/3681.html
yum install net-tools
google centos 7 etc init.d sshd
http://www.putorius.net/2014/07/restarting-services-in-red-hat-7-or.html
systemctl restart sshd.service
netstat -tlnp
ssh -p22 root@127.0.0.1
exit
11-2-3 ssh client connection programs: linux users
google ssh mkdir
http://unix.stackexchange.com/questions/8612/programmatically-creating-a-remote-directory-using-ssh
ssh remote-host-ip '. ~/your_profile; mkdir your_directory'
google cli socks5
http://askubuntu.com/questions/610333/how-to-set-socks5-proxy-in-the-terminal
sudo proxychains4 apt-get update
ssh: running a command directly on the remote host:
rm ~/find.log
ssh -p22 root@127.0.0.1 find / &> ~/find.log #without -f, ssh waits for the command to finish
ls ~ #must be run separately, because there is no -f option
rm ~/find.log
ssh -p22 root@127.0.0.1 -f 'find /' &> ~/find.log #the log comes back to the client instead of staying on the server
ls ~
summary: find /
runs on the server, with its output redirected to the local client. This demonstrates the interaction between server and client.
To run everything on the server, add quotes: ssh -p22 root@127.0.0.1 'find / &> ~/find.log ; ls ~'
Server public key record file:
cat ~/.ssh/known_hosts
sftp:
cd ~
touch ./client.txt
sftp -P22 root@127.0.0.1
pwd
put ./client.txt #the ~ symbol does not work here
ls
filezilla 323:
host: sftp://127.0.0.1
username: root
password: ****
port: 22
scp 323:
baidu linux ssh upload
http://blog.youkuaiyun.com/hmsiwtv/article/details/7543875
touch client.txt
ll client.txt
scp -P22 -pr client.txt root@127.0.0.1:~
ssh -p22 root@127.0.0.1 'ls -l client.txt'
11-2-4 ssh client connection programs: windows users
not tested
11-2-5 Detailed sshd server configuration
vim /etc/ssh/sshd_config
not tested
11-2-6 Creating an ssh user who can log in immediately without a password
local
mkdir ~/.ssh
chmod 700 ~/.ssh
ls -ld ~/.ssh
ssh-keygen
ls ~/.ssh
scp -P22 ~/.ssh/id_rsa.pub root@127.0.0.1:~
ssh -p22 root@127.0.0.1
server
ls ~ #confirm the client pub key arrived
grep -i authorizedkeysfile /etc/ssh/sshd_config #confirm the keys file location
mkdir ~/.ssh
chmod 700 ~/.ssh
ls -ld ~/.ssh
touch ~/.ssh/authorized_keys
chmod 644 ~/.ssh/authorized_keys
ls -l ~/.ssh/authorized_keys
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys #append the client pub key
cat ~/.ssh/authorized_keys
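The same authorized_keys setup as 11-2-6, as an added example that is not part of the original notes: it validates the key line, enforces the permissions sshd's StrictModes expects (the notes use 644 for authorized_keys, which sshd also accepts; what matters is no group/other write), and appends the key only once. The home directory is a parameter so it can be exercised on a scratch directory; `install_authorized_key` and `count_key` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Usage: install_authorized_key <home_dir> <pubkey_file>
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # the key file must hold one OpenSSH public key line: "type base64 [comment]"
    [ -f "$pubkey" ] || { echo "no such key file: $pubkey" >&2; return 1; }
    keyline=$(head -n1 "$pubkey")
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
    esac

    # ~/.ssh must be 700 and authorized_keys must not be group/other writable,
    # otherwise sshd (StrictModes yes) ignores the key and falls back to password auth
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # append only if this key (type + base64, comment ignored) is not already present
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$authfile" | grep -qxF "$keyid"; then
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
    echo "key installed"
}

# how many times the key in <pubkey_file> appears in <authorized_keys>
# Usage: count_key <authorized_keys> <pubkey_file>
count_key() {
    keyid=$(head -n1 "$2" | awk '{print $1" "$2}')
    awk '{print $1" "$2}' "$1" | grep -cxF "$keyid"
}
```

Running it twice with the same key leaves a single line in authorized_keys, which is the check worth doing before copying keys around with cat >>.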
11-6 Advanced uses of the ssh server
11-6-1 Starting ssh on a non-standard port
not tested
11-6-2 Synchronized mirror backup with rsync
google rsync port
http://stackoverflow.com/questions/4549945/is-it-possible-to-specify-a-different-ssh-port-when-using-rsync
rsync -rvz -e 'ssh -p 2222' --progress --remove-sent-files ./dir user@host:/path
local
mkdir ~/test -p
echo -n l >> ~/test/txt
rsync -avu ~/test/txt ~/test/txt2
ls -l ~/test/txt ~/test/txt2
echo -n s >> ~/test/txt
cat ~/test/txt2
rsync -avu ~/test/txt ~/test/txt2
ls -l ~/test/txt ~/test/txt2
cat ~/test/txt
cat ~/test/txt2
client server
mkdir ~/test -p
ssh -p22 root@127.0.0.1 'mkdir ~/test ; ls ~'
echo -n l >> ~/test/txt
rsync -avu ~/test/txt root@127.0.0.1:'~/test/txt'
ssh -p22 root@127.0.0.1 'ls -l ~/test/txt'
ls -l ~/test/txt #must be run separately: ssh was started without -f, so the whole command runs serially
11-6-3 Encrypting originally unencrypted services through an ssh tunnel
google proxychains ssh
http://superuser.com/questions/836194/how-to-chain-socks-proxies
[A]$ ssh -tt -v -L8888:localhost:8157 user@B ssh -t -D 8157 user@C
sudo cat /etc/ssh/sshd_config
...
Port 22
Port 2222
...
sudo systemctl restart sshd.service
sudo netstat -tnlp | grep ssh
sudo ssh -L22:127.0.0.1:2222 -N -p22 127.0.0.1 #loops back to itself and fails: local port 22 is already in use
bind: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 22
Could not request local forwarding.
11-6-4 Passing a graphical interface through an ssh tunnel with an x server
not tested
21 FTP server
21-1 ftp data transfer principles
21-1-4 ftp security issues and alternatives
sftp
google centos sftp server setup
http://www.voidcn.com/blog/yuanyuan_186/article/p-5807117.html
google linux show user HOME_DIR
http://superuser.com/questions/484277/get-home-directory-by-username
eval echo ~$USER
google packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe sftp
http://stackoverflow.com/questions/18220104/write-failed-broken-pipe-when-trying-to-login-through-ssh-with-a-specific-use
“Basically the chroot directory has to be owned by root and can’t be any group-write access.”
su
groupadd sftpg
cat /etc/group | grep sftpg
useradd -g sftpg -s /bin/false sftpu
cat /etc/passwd | grep sftpu
id sftpu
mkdir -p /var/sftp/sftpu/update
usermod -d /var/sftp/sftpu sftpu
eval echo ~sftpu
chown root:sftpg /var/sftp/sftpu #the owner of ChrootDirectory must be root
chmod 755 /var/sftp/sftpu
ls -l /var/sftp/
chown sftpu:sftpg /var/sftp/sftpu/update
chmod 755 /var/sftp/sftpu/update
ls -l /var/sftp/sftpu
passwd sftpu
tail -n14 /etc/ssh/sshd_config
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpg
ChrootDirectory /var/sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
setenforce 0
systemctl restart sshd.service
sftp sftpu@127.0.0.1
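A check for the chroot ownership rule behind the "Broken pipe" error in 21-1-4, as an added example that is not part of the original notes: the ChrootDirectory must be owned by root and must not be group- or world-writable, otherwise sshd drops the session right after login. The expected owner is an optional parameter only so the function can be tried by an unprivileged user on a scratch directory; for a real sftp chroot leave it at root. `check_chroot_dir` is a name chosen here.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Usage: check_chroot_dir <dir> [expected_owner]   (expected_owner defaults to root)
check_chroot_dir() {
    dir="$1"
    want="${2:-root}"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 1; }

    # "ls -ld" gives a portable mode string and owner: mode links owner group ...
    info=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$info" | cut -c1-10)
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    rc=0

    if [ "$owner" != "$want" ]; then
        echo "FAIL: $dir is owned by $owner, expected $want" >&2
        rc=1
    fi
    # in the mode string, character 6 is group write and character 9 is other write
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then
        echo "FAIL: $dir is group-writable ($mode)" >&2
        rc=1
    fi
    if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
        echo "FAIL: $dir is world-writable ($mode)" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir ($owner $mode)"
    fi
    return "$rc"
}
```

For the layout in these notes the call is check_chroot_dir /var/sftp/sftpu, run before restarting sshd; the writable upload directory underneath it (/var/sftp/sftpu/update) is the one place the sftp user may own.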