SSH configuration

Secure SSH

I. Configuring the OpenSSH server

1. The ssh configuration file is /etc/ssh/ssh_config; normally you should not modify it.

2. Enabling the server:

#ntsysv => make sure the checkbox in front of sshd is ticked.

3. Starting OpenSSH manually:

#service sshd start

#service sshd restart (restart the server)

4. Stopping the server:

#service sshd stop

II. Using the OpenSSH client

Red Hat Linux 9 installs the OpenSSH client by default. When the client connects to the server, two authentication methods are available: password-based authentication and key-based authentication.

1. Password-based authentication

This method requires the user to enter a username and password. If no username and password are given, the current username on the client machine is used by default.

Example 1: logging in directly

[root@wljs /]#ssh 210.45.160.17

The login username is the client machine's current username.

Example 2: logging in with a specified username

[root@wljs /]#ssh wwz@210.45.160.17

or: [root@wljs /]#ssh -l wwz 210.45.160.17

After this, the system prompts you for the username and password.

2. Key-based authentication

With key-based authentication, the user first creates a key pair: a public key and a private key. (The public key is placed on the server you want to log in to.)

The public-key cryptosystems supported by OpenSSH are RSA and DSA.

Creating the key pair:

Example: [root@wljs /]#ssh-keygen -t rsa

After pressing Enter you are asked for the passphrase that will protect the key. This generates the public and private keys in the .ssh directory under the user's home directory, with the file names id_rsa.pub and id_rsa. The public key must be copied into the ~/.ssh/ directory on the server you log in to and renamed authorized_keys. After that, you can log in with the key:

#ssh [-l username] ip-address-or-hostname
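The copy step above (public key into ~/.ssh/authorized_keys on the server) is where key-based logins most often fail in practice: sshd silently ignores an authorized_keys file whose directory or file is group- or world-writable, and re-running a plain copy or append puts the same key in twice. The script below is an added example, not from the original post, that installs a key idempotently and normalises those modes. DEMO_KEY is a constructed ed25519 key line (not a real key), and mode_of, install_pubkey and count_keys are names chosen for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys idempotently and enforce the modes sshd requires.
# DEMO_KEY is a constructed key line (not a real key) used for the demo.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemoDemoDemoDemoDemo alice@laptop'

# mode_of <path>: print the octal mode (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_pubkey <public-key-file> <target-.ssh-dir>
# Appends the first line of <public-key-file> to <dir>/authorized_keys unless
# the same key (type + base64 body) is already there, then sets 700 on the
# directory and 600 on the file. Returns 2 for input that is not a key line.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth_file="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "install_pubkey: '$pubkey_file' is not a public key line" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir"
    touch "$auth_file"

    # Compare type and body only, so a changed comment does not create a duplicate.
    key_body=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v k="$key_body" '($1 " " $2) == k {found=1} END {exit !found}' "$auth_file"; then
        echo "install_pubkey: key already present in $auth_file" >&2
    else
        printf '%s\n' "$key_line" >> "$auth_file"
    fi

    # With StrictModes yes (the default) sshd rejects a writable ~/.ssh or
    # authorized_keys, so normalise the modes on every run.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# count_keys <authorized_keys-file>: number of non-empty, non-comment lines.
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}
```

Run it as `install_pubkey ~/id_rsa.pub /home/wwz/.ssh` on the server after transferring the .pub file; running it a second time reports the key as already present instead of duplicating it.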

III. Common OpenSSH commands

1. Running a command without logging in to the remote system

#ssh 210.45.160.17 [command] [arguments]

2. Transferring files between the local and the remote system

#scp a.txt root@210.45.160.17:/b.txt

#scp root@210.45.160.17:/b.txt /c.txt

3. The sftp command

The sftp command is similar to the ftp command: it is the small network file-transfer tool provided by OpenSSH, it is more secure, and it uses commands much like ftp's. The main ones are:

1. Logging in

#sftp 210.45.160.17

2. Opening and closing a session

Open: open 210.45.160.27

Close: close

3. File transfer

Get a file from the server:

get a.txt

Put a file on the server:

put a.txt

4. Quitting

bye

5. Others

bell: the computer beeps once after each command completes

Common commands such as cd and ls can also be used in the server's directory.

Configuring FTPS in vsftpd

First run ldd `which vsftpd` | grep ssl to check whether vsftpd was built with SSL support.

Add the following options to vsftpd.conf:

ssl_enable=YES

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=YES

rsa_cert_file=/etc/vsftpd/vsftpd.pem

If nothing else has been changed, what you have configured at this point is an FTPES server, because the default port is 21 and ssl_enable is YES, which satisfies the conditions for FTP explicit over SSL.

Then add

implicit_ssl=YES

listen_port=990

and vsftpd is now an FTPS server, that is, FTP over SSL implicit.

Changes to the configuration file require restarting vsftpd.
The certificate referenced by rsa_cert_file=/etc/vsftpd/vsftpd.pem can be generated with the following command:

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

The vsftpd shipped with CentOS does not support the implicit_ssl option:

Starting vsftpd for vsftpd: 500 OOPS: unrecognised variable in config file:
implicit_ssl

vsftpd: version 2.0.5

Start vsftpd and connect with an SSL-capable FTP client such as CuteFTP or FlashFXP, choosing the TLS v1 connection type; everything works.
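The option list above is easy to get subtly wrong, and note that it enables ssl_sslv3, which is a broken protocol today (POODLE). The script below is an added example, not from the original post: it reads a vsftpd.conf, reports TLS settings that are weak or missing, and returns the number of findings. write_sample_conf writes a constructed configuration that mirrors the options shown in the post; setting and audit_vsftpd_tls are names chosen for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS settings in a
# vsftpd.conf and report weak or missing ones. write_sample_conf writes a
# constructed configuration that mirrors the options shown in the post.

# setting <conf-file> <key>: print the value of key=value (last one wins),
# or an empty string if the key is absent; comment lines are skipped.
setting() {
    awk -F= -v k="$2" '/^[[:space:]]*#/ {next} $1 == k {v=$2} END {print v}' "$1"
}

# audit_vsftpd_tls <conf-file>: print one finding per line and return the
# number of findings, so 0 means the TLS settings look sound.
audit_vsftpd_tls() {
    conf="$1"
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    [ "$(setting "$conf" ssl_enable)" = "YES" ] \
        || note "ssl_enable is not YES: TLS is disabled entirely"
    # SSLv2 and SSLv3 are broken protocols (SSLv3: POODLE); never enable them.
    [ "$(setting "$conf" ssl_sslv2)" != "YES" ] \
        || note "ssl_sslv2=YES: SSLv2 must be set to NO"
    [ "$(setting "$conf" ssl_sslv3)" != "YES" ] \
        || note "ssl_sslv3=YES: SSLv3 must be set to NO"
    [ "$(setting "$conf" ssl_tlsv1)" != "NO" ] \
        || note "ssl_tlsv1=NO: TLSv1 is off; make sure a newer TLS version option is enabled instead"
    # Without the force_* options a client may still log in or move data in clear.
    [ "$(setting "$conf" force_local_logins_ssl)" = "YES" ] \
        || note "force_local_logins_ssl is not YES: cleartext logins are allowed"
    [ "$(setting "$conf" force_local_data_ssl)" = "YES" ] \
        || note "force_local_data_ssl is not YES: cleartext data transfers are allowed"
    [ -n "$(setting "$conf" rsa_cert_file)" ] \
        || note "rsa_cert_file is not set: no certificate for the TLS listener"

    return "$findings"
}

# write_sample_conf <path>: constructed vsftpd.conf with the post's TLS options.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
listen=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
}
```

Running `audit_vsftpd_tls /etc/vsftpd/vsftpd.conf` on the post's configuration yields exactly one finding, the ssl_sslv3=YES line; changing it to NO gives a clean result.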


Install and Configure SSL

For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache’s interface to OpenSSL. Use yum to get them if you need them.
yum install mod_ssl openssl
Yum will either tell you they are installed or will install them for you.

2. Generate a self-signed certificate

Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will probably want a certificate from a trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root, so either su to root or use sudo in front of the commands.
# Generate private key
openssl genrsa -out ca.key 1024

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.
restorecon -RvF /etc/pki
Then we need to update the Apache SSL configuration file
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the paths to match where the Key file is stored. If you’ve used the method above it will be
SSLCertificateFile /etc/pki/tls/certs/ca.crt
Then set the correct path for the Certificate Key File a few lines below. If you’ve followed the instructions above it is:
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Quit and save the file and then restart Apache
/etc/init.d/httpd restart
All being well you should now be able to connect over https to your server and see a default CentOS page. As the certificate is self-signed, browsers will generally ask you whether you want to accept the certificate. Firefox 3 won’t let you connect at all, but you can override this.
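The four openssl commands above can be collapsed into one, and before editing ssl.conf it is worth confirming that the certificate and key you are about to reference actually belong together, since a mismatched SSLCertificateFile/SSLCertificateKeyFile pair stops httpd from starting. The script below is an added example, not from the original article: it generates the key and self-signed certificate in a single invocation and then checks the pair and its validity window. It uses a 2048-bit key rather than the 1024-bit key above, because 1024-bit RSA is below the minimum current browsers and CAs accept. The file names, the CN and the day counts are constructed for the demonstration; make_selfsigned, cert_matches_key, cert_valid_for_days and cert_subject are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: create a key and self-signed
# certificate in one step, then verify the pair before pointing Apache at it.
# The post's ca.key/ca.crt names are reused only as labels in the demo.

# make_selfsigned <key-out> <cert-out> <common-name> <days>
# One openssl invocation creates a 2048-bit RSA key and a self-signed cert;
# -nodes leaves the key unencrypted so httpd can start unattended.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$4" \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
    chmod 600 "$1"      # the private key must not be readable by other users
}

# cert_matches_key <cert> <key>: succeed only if both carry the same RSA modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days <cert> <days>: succeed if the cert does not expire
# within that many days (useful as a cron check on a production host).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_subject <cert>: print the subject, e.g. to compare against ServerName.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}
```

Typical use: `make_selfsigned ca.key ca.crt yoursite.com 365`, then `cert_matches_key ca.crt ca.key && cp ca.crt /etc/pki/tls/certs && cp ca.key /etc/pki/tls/private/` so that nothing is installed unless the pair is consistent.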

3. Setting up the virtual hosts

Just as you set up VirtualHosts for http on port 80, so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this:
<VirtualHost *:80>
        <Directory /var/www/vhosts/yoursite.com/httpdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
        ServerName yoursite.com
</VirtualHost>
To add a sister site on port 443 you need to add the following at the top of your file:
NameVirtualHost *:443
and then a VirtualHost record something like this:
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        <Directory /var/www/vhosts/yoursite.com/httpsdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
        ServerName yoursite.com
</VirtualHost>
Restart Apache again using
/etc/init.d/httpd restart

4. Configuring the firewall

You should now have a site working over https using a self-signed certificate. If you can’t connect you may need to open the port on your firewall. To do this amend your iptables rules:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v