
Linux SSH hardening + key-based login + log troubleshooting + time synchronization + file transfer: a complete hands-on walkthrough

Key-based login to server as susan, and login to server as root

# 1. Generate a key pair on the client
[susan@client ~ 16:42:13]$ ssh-keygen
Generating public/private rsa key pair.
# 2. Pressing Enter at the passphrase prompt leaves the private key unencrypted
Enter file in which to save the key (/home/susan/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/susan/.ssh/id_rsa.
Your public key has been saved in /home/susan/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C3GrQWajPR9qH94qjyuV0+T9p1IfAi+Kvg/M3zIfEDA susan@client.susan.cloud
The key's randomart image is:
+---[RSA 2048]----+
(randomart rows not reproduced; their layout did not survive extraction)
+----[SHA256]-----+
[susan@client ~ 16:47:58]$ ls .ssh/
config  id_rsa  id_rsa.pub  known_hosts
# Install the public key into susan's authorized_keys on the server (the password is needed this one time)
[susan@client ~ 16:48:33]$ ssh-copy-id susan@server
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/susan/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
susan@server's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'susan@server'"
and check to make sure that only the key(s) you wanted were added.

# 3. Verify key login as susan: no password prompt
[susan@client ~ 16:49:13]$ ssh susan@server hostname
server.susan.cloud
# 4. No key was installed for root, so root still falls back to a password
[susan@client ~ 16:49:36]$ ssh root@server hostname
root@server's password:
server.susan.cloud
# 5. Interactive root login, again by password
[susan@client ~ 16:55:36]$ ssh root@server
root@server's password:
Last login: Wed May 13 16:19:58 2026 from client.laoma.cloud
[root@server ~ 16:55:53]# exit
logout
Connection to server closed.

Two things to notice. Steps 4 and 5 authenticate root with a password, not a key: only susan's key was copied. And the empty passphrase chosen in step 2 means anyone who can read /home/susan/.ssh/id_rsa can log in as susan; in practice set a passphrase and load the key into ssh-agent, and prefer ssh-keygen -t ed25519 over the RSA default.

Disable root login, disable password login, allow only a specific user (susan) to log in

# 1. Disable root login: edit the sshd configuration file
[root@server ~ 17:04:27]# vim /etc/ssh/sshd_config
# add this line
PermitRootLogin no
# (sshd re-reads its configuration only on reload or restart; reload it after every edit, as in step 2)
# verify from the client
[susan@client ~ 17:00:38]$ ssh root@server
root@server's password:
Permission denied, please try again.
root@server's password:
Permission denied, please try again.
root@server's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[susan@client ~ 17:08:13]$

# 2. Disable password login
[root@server ~ 17:07:41]# vim /etc/ssh/sshd_config
PasswordAuthentication no
# reload the service
[root@server ~ 17:11:10]# systemctl reload sshd
# verify from the client: susan still gets in, because the client offers her key first
[susan@client ~ 17:08:13]$ ssh susan@server hostname
server.susan.cloud
# to prove that passwords are really rejected, force the client to offer only password authentication
[susan@client ~ 17:12:54]$ ssh -o PreferredAuthentications=password susan@server
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

# 3. Allow only a specific user
# First give a second account (laowang) a working key, so the test below shows that
# AllowUsers blocks even an account that could otherwise authenticate.
# On the client, print susan's public key:
[susan@client ~ 17:15:31]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdGv2vwr/FVPcF2XIVVM3VoEgcN+zjqKZxjOhZfK0m7xclUfYpwLLLWlqaF4FrFoINqJ43fR8b1hSuepGbDpdsX6pkN9lg6hg7rOHX6Jz9wb5bvp0X1ZPn8cbBduur/jtGLusJyBLinzjIQyP98ohNVe25DXiRbopm9iq5R24yzj7doJHvILKDmo5nY0fXiM6dEv8mEirH3RR6uBhgn+u0d0TPYNiratqWdwFuDtu1wIIe7Vn6TVj1OeWj4+Cqr3ah99ZaE+QLdg8vWe1+gloR3Il4hwqXe3kq1fvm12uRRQeJRWbnSD0c38QEYdEkjlJlFOCtVLsKxE2r8e+yhLbH susan@client.susan.cloud
# On the server, paste it into an authorized_keys file. In the original transcript the pasted
# line began with "sh-rsa" (the leading "s" was lost); sshd silently ignores such a line, so
# the key type must read exactly "ssh-rsa":
[root@server ~ 17:23:59]# vim .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdGv2vwr/FVPcF2XIVVM3VoEgcN+zjqKZxjOhZfK0m7xclUfYpwLLLWlqaF4FrFoINqJ43fR8b1hSuepGbDpdsX6pkN9lg6hg7rOHX6Jz9wb5bvp0X1ZPn8cbBduur/jtGLusJyBLinzjIQyP98ohNVe25DXiRbopm9iq5R24yzj7doJHvILKDmo5nY0fXiM6dEv8mEirH3RR6uBhgn+u0d0TPYNiratqWdwFuDtu1wIIe7Vn6TVj1OeWj4+Cqr3ah99ZaE+QLdg8vWe1+gloR3Il4hwqXe3kq1fvm12uRRQeJRWbnSD0c38QEYdEkjlJlFOCtVLsKxE2r8e+yhLbH susan@client.susan.cloud
[root@server ~ 17:25:08]# cp .ssh/authorized_keys /home/laowang/.ssh/
[root@server ~ 17:25:31]# chown -R laowang:laowang /home/laowang/.ssh/
# sshd configuration: append one line at the end
[root@server ~ 17:27:28]# vim /etc/ssh/sshd_config
AllowUsers susan
# reload the service
[root@server ~ 17:29:46]# systemctl reload sshd
# from the client, try laowang and then susan
[susan@client ~ 17:24:04]$ ssh laowang@server hostname
laowang@server's password:
Permission denied, please try again.
laowang@server's password:
Permission denied, please try again.
laowang@server's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[susan@client ~ 17:31:16]$ ssh susan@server hostname
server.susan.cloud

Caveats a practitioner should keep in mind. Confirm that key login works and keep an existing session open before setting PasswordAuthentication no, otherwise a typo locks you out. sshd applies the first value it finds for a keyword (Match blocks aside), so appending a line at the end of sshd_config only works because the stock file carries the earlier occurrence commented out; check the result with sshd -T, which prints the effective configuration. The copied ~/.ssh directory must stay at mode 700 with authorized_keys at 600, or sshd's StrictModes check rejects the key. Finally, a user outside AllowUsers is still shown a password prompt; sshd does not reveal why every attempt fails, the reason is only in the server log.
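Two checks for the pitfalls just described, as an added example that is not part of the original walkthrough: effective_value() mirrors sshd's first-value-wins rule so you can see which PermitRootLogin or PasswordAuthentication setting actually applies, and check_authorized_keys() decodes each key blob to catch a mangled line such as the "sh-rsa" paste above. The sshd_config fragments and the authorized_keys file are constructed here (the ed25519 blob contains all-zero key bytes and is only wire-format correct); the code assumes plain "Keyword value" lines and options lists without embedded spaces, and uses only awk, base64 and od.

```shell
#!/bin/sh
# Added example: offline checks for an sshd hardening edit (not from the page).
#  1. sshd_config honours the FIRST assignment of a keyword (Match blocks aside),
#     so "PermitRootLogin no" appended at the end is ignored when an earlier
#     uncommented "PermitRootLogin yes" exists. effective_value() mirrors that.
#  2. A damaged authorized_keys entry such as "sh-rsa AAAA..." is silently
#     skipped by sshd. check_authorized_keys() verifies the key type and that the
#     decoded blob really starts with that type name (SSH wire format).
# Assumes "Keyword value" lines (not "Keyword=value") and options without spaces.

# effective_value FILE KEYWORD -> the value sshd would apply, or "(default)"
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        tolower($1) == "match"    { exit }           # global section ends here
        tolower($1) == tolower(k) {                  # first hit wins, like sshd
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd_config FILE -> 0 when the three hardening settings are in effect
audit_sshd_config() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}; val=${want#* }
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$val" ]; then printf 'OK   %s %s\n' "$key" "$got"
        else printf 'WEAK %s is %s (want %s)\n' "$key" "$got" "$val"; rc=1; fi
    done
    got=$(effective_value "$1" AllowUsers)
    if [ "$got" = "(default)" ]; then printf 'WEAK AllowUsers unset: every account may log in\n'; rc=1
    else printf 'OK   AllowUsers %s\n' "$got"; fi
    return $rc
}

is_key_type() {
    case $1 in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
    esac
    return 1
}

# check_authorized_keys FILE -> 0 when every key line is well formed
check_authorized_keys() {
    file=$1 rc=0 n=0
    set -f                                  # no globbing while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        first=$1
        is_key_type "$1" || shift           # leading field was an options list
        if ! is_key_type "$1"; then
            printf 'BAD  line %d: unknown key type "%s"\n' "$n" "$first"; rc=1; continue
        fi
        type=$1; blob=${2:-}; comment=${3:-}
        if [ -z "$blob" ] || ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
            printf 'BAD  line %d: %s blob is not valid base64\n' "$n" "$type"; rc=1; continue
        fi
        # wire format: uint32 big-endian length, then the type name
        len=$(printf '%s' "$blob" | base64 -d | od -An -tu1 -N4 |
              awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
        inner=$(printf '%s' "$blob" | base64 -d | head -c "$((4 + len))" | tail -c "$len")
        if [ "$inner" != "$type" ]; then
            printf 'BAD  line %d: declared %s but blob encodes "%s"\n' "$n" "$type" "$inner"; rc=1; continue
        fi
        printf 'OK   line %d: %s %s\n' "$n" "$type" "$comment"
    done < "$file"
    set +f
    return $rc
}

# write_samples DIR -> constructed inputs (not copied from a real host)
write_samples() {
    # trap: hardening lines appended below an active "yes"
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'PermitRootLogin no' 'PasswordAuthentication no' 'AllowUsers susan' > "$1/sshd_config.appended"
    # correct: only the commented default precedes the hardening lines
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowUsers susan' 'Match User backup' '    PasswordAuthentication yes' > "$1/sshd_config.fixed"
    # ed25519 blob built here: length-prefixed type name + 32 placeholder key bytes
    ed=$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64 | tr -d '\n')
    printf '%s\n' '# constructed sample' \
        "restrict,from=\"10.1.8.0/24\" ssh-ed25519 $ed susan@client.susan.cloud" \
        'sh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdGv2vwr/F susan@client.susan.cloud' \
        "ssh-rsa $ed mismatch@example" > "$1/authorized_keys"
}

demo=$(mktemp -d); write_samples "$demo"
for f in sshd_config.appended sshd_config.fixed; do echo "== $f"; audit_sshd_config "$demo/$f" || true; done
echo "== authorized_keys"; check_authorized_keys "$demo/authorized_keys" || true
rm -rf "$demo"
```

Run it as-is to see the appended file flagged WEAK while the fixed file passes, and the third sample line reported as an unknown key type "sh-rsa". Point audit_sshd_config at /etc/ssh/sshd_config on a real host for the same report.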

rsyslog log troubleshooting: a worked practice

# Fault 1: the sshd configuration file is missing
[root@server ~ 17:34:38]# mv /etc/ssh/sshd_config .
[root@server ~ 17:35:13]# ll
total 8
-rw-------. 1 root root 1461 May 13 21:58 anaconda-ks.cfg
-rw-------  1 root root 3975 May 14 17:27 sshd_config
# restart the service (done here as susan, so polkit asks for authentication first)
[susan@server ~ 17:36:20]$ systemctl restart sshd
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: susan
Password:
==== AUTHENTICATION COMPLETE ===
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
# the log before the restart
[root@server ~ 17:37:05]# tail -f /var/log/messages
May 14 17:12:54 server systemd-logind: New session 7 of user susan.
May 14 17:12:54 server systemd-logind: Removed session 7.
May 14 17:23:02 server systemd: Removed slice User Slice of root.
May 14 17:30:42 server systemd: Reloading OpenSSH server daemon.
May 14 17:30:42 server systemd: Reloaded OpenSSH server daemon.
May 14 17:31:43 server systemd: Started Session 8 of user susan.
May 14 17:31:43 server systemd-logind: New session 8 of user susan.
May 14 17:31:43 server systemd-logind: Removed session 8.
May 14 17:34:13 server systemd: Started Session 9 of user susan.
May 14 17:34:13 server systemd-logind: New session 9 of user susan.
# the log after the restart: sshd names the file it cannot open
May 14 17:37:59 server systemd: Stopping OpenSSH server daemon...
May 14 17:37:59 server systemd: Stopped OpenSSH server daemon.
May 14 17:37:59 server systemd: Starting OpenSSH server daemon...
May 14 17:37:59 server sshd: /etc/ssh/sshd_config: No such file or directory
May 14 17:37:59 server systemd: sshd.service: main process exited, code=exited, status=1/FAILURE
May 14 17:37:59 server systemd: Failed to start OpenSSH server daemon.
May 14 17:37:59 server systemd: Unit sshd.service entered failed state.
May 14 17:37:59 server systemd: sshd.service failed.
# restore the file
[root@server ~ 17:41:40]# mv sshd_config /etc/ssh/
[root@server ~ 17:42:47]# systemctl restart sshd
[root@server ~ 17:43:04]# tail -f /var/log/messages
May 14 17:42:13 server systemd: Unit sshd.service entered failed state.
May 14 17:42:13 server systemd: sshd.service failed.
May 14 17:42:55 server systemd: sshd.service holdoff time over, scheduling restart.
May 14 17:42:55 server systemd: Stopped OpenSSH server daemon.
May 14 17:42:55 server systemd: Starting OpenSSH server daemon...
May 14 17:42:55 server systemd: Started OpenSSH server daemon.
May 14 17:43:04 server systemd: Stopping OpenSSH server daemon...
May 14 17:43:04 server systemd: Stopped OpenSSH server daemon.
May 14 17:43:04 server systemd: Starting OpenSSH server daemon...
May 14 17:43:04 server systemd: Started OpenSSH server daemon.
# Note the 17:42:55 entries: sshd.service carries Restart=on-failure, so systemd's own
# retry had already brought sshd back once the file was in place, before the manual restart.

# Fault 2: a bad line in sshd_config
[root@server ~ 17:45:50]# echo hellow world >> /etc/ssh/sshd_config
[root@server ~ 17:46:42]# tail -f /var/log/messages
# (nothing new appears: sshd only reads its configuration on start or reload)
[root@server ~ 17:53:15]# systemctl reload sshd
[root@server ~ 17:55:34]# tail -f /var/log/messages
May 14 17:43:04 server systemd: Stopped OpenSSH server daemon.
May 14 17:43:04 server systemd: Starting OpenSSH server daemon...
May 14 17:43:04 server systemd: Started OpenSSH server daemon.
May 14 17:55:34 server systemd: Reloading OpenSSH server daemon.
May 14 17:55:34 server systemd: Reloaded OpenSSH server daemon.
May 14 17:55:34 server sshd: /etc/ssh/sshd_config: line 146: Bad configuration option: hellow
May 14 17:55:34 server sshd: /etc/ssh/sshd_config: terminating, 1 bad configuration options
May 14 17:55:34 server systemd: sshd.service: main process exited, code=exited, status=255/n/a
May 14 17:55:34 server systemd: Unit sshd.service entered failed state.
May 14 17:55:34 server systemd: sshd.service failed.

What the log shows is the order of events: systemd reports "Reloaded" as soon as the SIGHUP is delivered, then sshd re-reads the file, rejects the unknown keyword with its exact line number, and exits with status 255. The listener is gone at that point, although already-established sessions stay up. Two habits avoid this: validate with sshd -t before every reload (it prints the same "Bad configuration option" diagnostic and exits non-zero), and keep one session open until a fresh login has succeeded.
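The detection side of this exercise, as an added example that is not part of the original walkthrough: diagnose_sshd_log() reads syslog lines like those above and reports why sshd failed to start or reload, and safe_reload_sshd() is the pre-reload check that would have caught both faults. The sample log is rebuilt from the lines quoted in this section; safe_reload_sshd() needs root and an installed sshd, so it is shown but not run here.

```shell
#!/bin/sh
# Added example (not from the page): classify sshd start/reload failures from
# /var/log/messages lines, and validate sshd_config before reloading.

# diagnose_sshd_log FILE -> prints MISSING_CONFIG / BAD_OPTION / EXIT findings;
# returns 1 if any were found, 0 for a clean log
diagnose_sshd_log() {
    awk '
        # sshd could not open its configuration file
        / sshd: [^ ]+: No such file or directory$/ {
            p = $0; sub(/.* sshd: /, "", p); sub(/: No such file.*/, "", p)
            print "MISSING_CONFIG " p; bad = 1; next
        }
        # sshd parsed the file and hit an unknown keyword: report file, line, word
        / sshd: .*: line [0-9]+: Bad configuration option: / {
            p = $0; sub(/.* sshd: /, "", p); sub(/: line .*/, "", p)
            n = $0; sub(/.*: line /, "", n); sub(/:.*/, "", n)
            o = $0; sub(/.*Bad configuration option: /, "", o)
            print "BAD_OPTION " p " line " n " option " o; bad = 1; next
        }
        # systemd recorded the exit status of the main sshd process
        /sshd\.service: main process exited, code=exited, status=/ {
            s = $0; sub(/.*status=/, "", s); sub(/\/.*/, "", s)
            print "EXIT " s; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# safe_reload_sshd [CONFIG] -> run "sshd -t" on the file and reload only if it
# passes. Real-host helper: needs root and sshd (usually /usr/sbin/sshd).
safe_reload_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if ! "$sshd_bin" -t -f "$cfg"; then
        echo "refusing to reload: $cfg has errors, fix them first" >&2
        return 1
    fi
    systemctl reload sshd
}

# write_sample_messages FILE -> the section's own log lines, assembled as a sample
write_sample_messages() {
    cat > "$1" <<'EOF'
May 14 17:34:13 server systemd: Started Session 9 of user susan.
May 14 17:37:59 server systemd: Starting OpenSSH server daemon...
May 14 17:37:59 server sshd: /etc/ssh/sshd_config: No such file or directory
May 14 17:37:59 server systemd: sshd.service: main process exited, code=exited, status=1/FAILURE
May 14 17:37:59 server systemd: Failed to start OpenSSH server daemon.
May 14 17:42:55 server systemd: Started OpenSSH server daemon.
May 14 17:55:34 server systemd: Reloading OpenSSH server daemon.
May 14 17:55:34 server systemd: Reloaded OpenSSH server daemon.
May 14 17:55:34 server sshd: /etc/ssh/sshd_config: line 146: Bad configuration option: hellow
May 14 17:55:34 server sshd: /etc/ssh/sshd_config: terminating, 1 bad configuration options
May 14 17:55:34 server systemd: sshd.service: main process exited, code=exited, status=255/n/a
May 14 17:55:34 server systemd: sshd.service failed.
EOF
}

demo=$(mktemp -d)
write_sample_messages "$demo/messages"
diagnose_sshd_log "$demo/messages" || echo "sshd failures found (see above)"
rm -rf "$demo"
```

Replace the sample path with /var/log/messages (or `journalctl -u sshd --no-pager`) on a host and the same four finding types come out; the exit status makes it usable from a cron or monitoring wrapper.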

Automatic time synchronization of client against server (chrony)

# server side
[root@server ~ 19:12:44]# systemctl restart chronyd
[root@server ~ 19:12:57]# vim /etc/chrony.conf
# lines added so that chronyd answers clients on the LAN:
bindaddress 10.1.8.10
allow 10.8.1.0/24
[root@server ~ 19:14:09]# systemctl restart chronyd
[root@server ~ 19:14:16]# systemctl stop firewalld
# client side
[root@client ~ 19:14:47]# vim /etc/chrony.conf
# point the client at the server with a "server server.susan.cloud" line (adding iburst
# speeds up the first synchronization); the output below shows it as the selected source
[root@client ~ 19:15:19]# systemctl restart chronyd
[root@client ~ 19:15:31]# chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal)     .        |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* server.susan.cloud            4   6    17     4  -3092ns[ -210us] +/-  122ms

Reading the result: "^*" means the server is the currently selected and synchronized source, stratum 4, polled every 2^6 = 64 seconds, and the reachability register 17 (octal) shows the last four polls answered, which is what a freshly started client looks like. Two checks before calling this done. The allow subnet must contain the client's address: the server binds 10.1.8.10 but allows 10.8.1.0/24, so if the client sits on 10.1.8.0/24 that line has to be corrected. And stopping firewalld altogether is more than the task needs; opening NTP is enough: firewall-cmd --permanent --add-service=ntp && firewall-cmd --reload.
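A monitoring check over this output, as an added example that is not part of the original walkthrough. Clock skew quietly breaks log correlation across hosts, Kerberos tickets, TOTP codes and certificate validity windows, so the condition worth alerting on is "no currently selected source" or an estimated error beyond a chosen bound. check_chrony_sources() parses `chronyc sources` text; the synced sample is the row shown above, and the unreachable sample is constructed to show what the client reports while the server's UDP/123 is still blocked (the address is assumed).

```shell
#!/bin/sh
# Added example (not from the page): alert on a chrony client that has lost
# its selected time source or whose estimated error exceeds a bound.

# check_chrony_sources FILE MAX_ERR_MS -> 0 if a '*' (selected) source exists
# with estimated error <= MAX_ERR_MS milliseconds, else 1; one line per source
check_chrony_sources() {
    awk -v max_ms="$2" '
        # data rows: mode char (^ server, = peer, # refclock) + state char, then name
        /^[=#^][-*+?x~] / {
            state = substr($1, 2, 1); name = $2
            err = $NF                       # estimated error: 122ms / 210us / 2ns / 1.5s
            unit = err; sub(/^[0-9.]+/, "", unit)
            val = err;  sub(/[a-z]+$/, "", val); val += 0
            if (unit == "ns") val /= 1000000
            else if (unit == "us") val /= 1000
            else if (unit == "s") val *= 1000
            if (state == "*") {
                synced = 1; ok = (val <= max_ms)
                printf "SELECTED %s stratum=%s err=%.3fms %s\n", name, $3, val, (ok ? "OK" : "TOO_LARGE")
            } else {
                printf "source %s state=%s err=%.3fms\n", name, state, val
            }
        }
        END {
            if (!synced) print "NO_SELECTED_SOURCE"
            exit (synced && ok) ? 0 : 1
        }
    ' "$1"
}

# write_chrony_samples DIR -> constructed "chronyc sources" captures
write_chrony_samples() {
    cat > "$1/synced" <<'EOF'
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* server.susan.cloud            4   6    17     4  -3092ns[ -210us] +/-  122ms
EOF
    # what the client shows while the server firewall still drops UDP/123 (assumed address)
    cat > "$1/unreachable" <<'EOF'
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 10.1.8.10                     0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

demo=$(mktemp -d); write_chrony_samples "$demo"
for f in synced unreachable; do
    echo "== $f"; check_chrony_sources "$demo/$f" 500 || echo "ALERT: clock not trustworthy"
done
rm -rf "$demo"
```

On a live host feed it `chronyc sources` directly: `chronyc sources | check_chrony_sources /dev/stdin 500`. The threshold is deliberately a parameter; 500 ms is generous for a LAN and far tighter than the tolerances of Kerberos (5 minutes) or TOTP (one 30-second step).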

Transferring files between Windows and Linux

1. Xftp

Drag and drop, or double-click, in the Xftp window.

2. The lrzsz package (requires a terminal that speaks ZMODEM, such as Xshell)

[root@client ~ 17:13:13]# yum install -y lrzsz

Upload (rz): drag the file into the terminal window.

Download (sz): run the command with the path of the file, then choose where to save it.

[root@client ~17:16:37]# sz /etc/savepalce

Transferring files between Linux hosts

1. scp

scp (secure copy) runs over the SSH protocol, so the SSH service must be running on the remote Linux host, and the same authentication rules apply: with the hardening above in place (PermitRootLogin no, PasswordAuthentication no) the root-with-password transfers shown below would be refused, and you would copy as an allowed user with a key instead.

Limitation: scp always copies the whole file, whether or not the destination already has it; it never compares source and destination (rsync does that, transferring only the differences).

# copy a single file; $(date +%Y%m%d) expands to today's date, here 20260515
[root@client ~ 17:29:08]# scp root@server:/root/etc-$(date +%Y%m%d).tar .
root@server's password:
etc-20260515.tar                              100%   29MB 110.2MB/s   00:00
[root@client ~ 17:30:33]# ls etc-*
etc-20260515.tar
# copy several files; the braces are expanded by the local shell into two remote
# sources, so scp opens two connections and asks for the password twice
[root@client ~ 17:34:45]# scp root@server:/root/{etc-$(date +%Y%m%d).tar,etc.tar} .
root@server's password:
etc-20260515.tar                              100%   29MB  91.4MB/s   00:00
root@server's password:
etc.tar                                       100%   29MB 117.6MB/s   00:00
# copy a directory: this needs -r
[root@client ~ 17:35:14]# scp root@server:/etc/selinux/ .
root@server's password:
scp: /etc/selinux: not a regular file
[root@client ~ 17:37:28]# scp -r root@server:/etc/selinux/ .
root@server's password:
semanage.conf                                 100% 2321     1.8MB/s   00:00
config                                        100%  542     1.1MB/s   00:00
cil                                           100% 7792    17.1MB/s   00:00
hll                                           100%   17KB  21.3MB/s   00:00
lang_ext                                      100%    2     5.4KB/s   00:00
......
# with nothing after the colon, the destination is the remote user's home directory
[root@client ~ 17:37:41]# scp etc.tar root@server:
root@server's password:
etc.tar                                       100%   29MB  70.6MB/s   00:00
[root@client ~ 17:39:40]# ll
total 59084
-rw-------. 1 root root     1461 May 13 21:58 anaconda-ks.cfg
-rw-r--r--  1 root root 30248960 May 15 17:35 etc-20260515.tar
-rw-r--r--  1 root root 30248960 May 15 17:35 etc.tar
drwxr-xr-x  2 root root       91 May 15 17:04 Pictures
drwxr-xr-x  5 root root       81 May 15 17:37 selinux
http://www.cnnetsun.cn/news/2440259.html
