配置高性能日志服务器：rsyslog详细部署指南

在信息时代，数据安全变得尤为重要。本文将为您介绍一些关于SSH（安全外壳协议）的配置方法，帮助您更好地保障系统安全。
SSH是一种加密的网络协议，主要用于在不安全的网络环境中安全地传输数据。它通过加密机制确保数据的机密性和完整性，防止黑客截取和篡改数据。在Linux系统中，SSH服务通常使用`sshd`进程来提供，而客户端则通过`ssh`命令连接到SSH服务器。
为了确保SSH的安全性，您需要对SSH进行一些基本配置。以下是一些关键步骤：
1. 更改SSH端口：默认情况下，SSH服务使用22端口。黑客可能会针对这个端口进行攻击，因此建议您更改SSH端口。您可以在`/etc/ssh/sshd_config`文件中找到`Port`参数，将其更改为其他端口，例如2222。
2. 启用密钥认证：为了避免使用密码登录时被暴力破解，建议您启用密钥认证。您可以使用`ssh-keygen`命令生成一对密钥（公钥和私钥），然后将公钥添加到服务器的`~/.ssh/authorized_keys`文件中。客户端在登录时使用私钥进行认证，无需输入密码。
3. 限制SSH访问权限：您可以通过修改`/etc/ssh/sshd_config`文件中的`AllowUsers`和`AllowGroups`参数来限制SSH访问权限。例如，您可以只允许特定的用户或组通过SSH登录到服务器。
4. 关闭SSH空闲会话：为了防止SSH会话被恶意占用，您可以设置SSH会话的空闲超时时间。您可以在`/etc/ssh/sshd_config`文件中找到`ClientAliveInterval`和`ClientAliveCountMax`参数，分别设置心跳间隔和最大未响应次数。当客户端在指定时间内没有发送数据时，SSH服务器将自动断开连接。
5. 启用SSH日志记录：为了便于监控和分析SSH登录行为，建议您启用SSH日志记录。您可以在`/etc/ssh/sshd_config`文件中找到`SyslogFacility`和`LogLevel`参数，分别设置日志类别和级别。SSH日志通常存储在`/var/log/secure`文件中。
6. 定期更新SSH软件：SSH协议和软件会不断进行更新，以修复已知的安全漏洞。因此，您需要定期更新SSH软件，以保障系统安全。您可以使用系统自带的包管理器，例如`apt`或`yum`，来更新SSH软件。
7. 监控SSH登录尝试：为了及时发现潜在的攻击行为，您可以使用一些工具来监控SSH登录尝试。例如，您可以使用`fail2ban`来阻止连续失败的SSH登录尝试，或者使用`iptables`来限制IP地址的SSH连接次数。
通过以上步骤，您可以提高SSH的安全性，有效防止黑客攻击和数据泄露。请注意，SSH配置可能会因系统和版本的不同而有所差异，建议您根据实际情况进行调整。希望本文对您有所帮助！

目录

• 日志管理
• 配置rsyslog服务器
• openssh
• Secure Shell 示例
• SSH 主机密钥
• 配置基于 SSH 密钥的身份验证

[root@lnh ~]# cat /etc/redhat-release 
CentOS Stream release 8  //查看当前系统版本
[root@lnh ~]# uname -r
4.18.0-257.el8.x86_64
//查看当前系统内核版本
[root@lnh ~]# dmesg 
...
[    5.273545] XFS (dm-2): Starting recovery (logdev: internal)
[    5.323019] XFS (dm-2): Ending recovery (logdev: internal)
[    5.397922] XFS (sda1): Ending clean mount
[    7.026122] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    7.031966] E1000: eth0 NIC Link is Up 1000 mbps Full DuPlex, Flow Control: None
[    7.034521] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    7.034533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    7.045958] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[    7.050984] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[    7.052685] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[    7.052696] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
//可以查看系统所有的调试信息,日志(此处是centos8里面的)
[root@lnh ~]# tail -f /var/log/messages 
Jul 19 16:39:01 lnh systemd-logind[976]: New session 1 of user root.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Paths.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Timers.
Jul 19 16:39:01 lnh systemd[1268]: Starting D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Listening on D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Sockets.
Jul 19 16:39:02 lnh systemd[1268]: Reached target BASIC System.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Default.
Jul 19 16:39:02 lnh systemd[1268]: Startup finished in 71ms.
Jul 19 16:39:02 lnh systemd[1]: Started User Manager for UID 0.
//系统标准错误日志信息；非内核产生的引导信息；各子系统产生的信息
[root@lnh ~]# cat /var/log/secure 
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /etc/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Finished loading, compiling and executing 2 rules
Jul 19 16:18:44 localhost polkitd[962]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 19 16:18:44 localhost sshd[1062]: Server listening on 0.0.0.0 port 22.
Jul 19 16:18:44 localhost sshd[1062]: Server listening on :: port 22.
Jul 19 16:19:51 localhost systemd[1304]: pam_UNIX(systemd-user session opened for user root by (uid=0)
Jul 19 16:19:51 localhost login[1083]: pam_unix(login session opened for user root by LOGIN(uid=0)
Jul 19 16:19:51 localhost login[1083]: ROOT LOGIN ON tty1
Jul 19 16:20:53 localhost polkitd[935]: Loading rules from directory /etc/polkit-1/rules.d
...
//与安全相关的日志信息
// /var/log/maillog：邮件系统产生的日志信息

syslog和rsyslog服务均有两个进程：
syslogd：系统，非内核产生的日志信息。
klogd：内核，专门负责记录内核产生的日志信息。

[root@lnh ~]# ps aux |grep syslogd
root        1194  0.0  0.2 218472  5768 ?        Ssl  16:37   0:00 /usr/sbin/rsyslogd -n
root        1355  0.0  0.0  12108  1088 pts/0    S+   16:48   0:00 grep --color=auto syslogd
//一直都在
[root@lnh ~]# ps aux |grep klogd
root        1362  0.0  0.0  12108  1080 pts/0    S+   16:51   0:00 grep --color=auto klogd
//当前没有

配置rsyslog服务器

我们首先要关闭虚拟机创建一个克隆，记住是完整克隆

lnh作为客户端，ip是192.168.222.250
xbz作为服务端，ip是192.168.222.251
在客户端：
[root@lnh ~]# vim /etc/rsyslog.conf 

在客户端赋予权限访问服务端

[root@lnh ~]# systemctl restart rsyslog.service
//重启服务
在服务端：
[root@xbz ~]# vim /etc/rsyslog.conf 

取消这四行的注释

[root@xbz ~]# systemctl restart rsyslog.service 
//重启服务
[root@xbz ~]# systemctl stop firewalld.service 
[root@xbz ~]# setenforce 0
//关闭防火墙
[root@xbz ~]# tail -f /var/log/secure 
Jul 19 17:02:19 lnh sshd[1012]: Server listening on :: port 22.
Jul 19 17:03:03 lnh systemd[1258]: pam_unix(systemd-user session opened for user root by (uid=0)
Jul 19 17:03:03 lnh login[1032]: pam_unix(login session opened for user root by LOGIN(uid=0)
Jul 19 17:03:03 lnh login[1032]: ROOT LOGIN ON tty1
Jul 19 17:03:16 lnh sshd[1294]: Accepted password for root from 192.168.222.1 port 55495 ssh2
Jul 19 17:03:16 lnh sshd[1294]: pam_unix(sshd session opened for user root by (uid=0)
Jul 19 17:03:22 lnh sshd[1320]: Accepted password for root from 192.168.222.1 port 55497 ssh2
Jul 19 17:03:22 lnh sshd[1320]: pam_unix(sshd session opened for user root by (uid=0)
Jul 19 17:05:36 lnh sshd[1474]: Accepted password for root from 192.168.222.1 port 55524 ssh2
Jul 19 17:05:36 lnh sshd[1474]: pam_unix(sshd session opened for user root by (uid=0)
//记录安全相关的东西
验证:
我们在客户端进行登录用户故意输入错误密码然后再登录
可以在服务的看到下面的信息
[root@xbz ~]# tail -f /var/log/secure 
ser root by (uid=0)
Jul 19 17:24:37 lnh sshd[1410]: pam_unix(sshd session closed for user root
Jul 19 17:24:41 lnh unix_chkpwd[1441]: password check faiLED for user (root)
Jul 19 17:24:41 lnh sshd[1439]: pam_unix(sshd authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.222.1  user=root
Jul 19 17:24:44 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:45 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:46 lnh unix_chkpwd[1442]: password check failed for user (root)
Jul 19 17:24:48 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:50 lnh unix_chkpwd[1443]: password check failed for user (root)
Jul 19 17:24:52 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: Accepted password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: pam_unix(sshd session opened for user root by (uid=0)

openssh

Secure Shell 示例

lnh作为客户端，ip是192.168.222.250
xbz作为服务端，ip是192.168.222.251

[root@lnh ~]# ssh root@192.168.222.251 '/usr/sbin/ip a' //接命令的绝对路径，防止没有识别出命令
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.             
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password: 
1: lo: 
 
   mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: 
  
    mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:2925:ce brd ffffff:ff inet 192.168.222.251/24 brd 192.168.222.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff25ce/64 scope link valid_lft forever preferred_lft forever //在同一网段下可以以远程用户身份（remoteuser）在远程主机（remotehost）上通过将输出返回到本地显示器的方式来执行单一命令 [root@lnh ~]# w 17:41:09 up 38 min, 2 users, load average: 0.02, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE J
   CPU PCPU WHAT root tty1 - 17:02 38:20 0.28s 0.28s -bash root pts/0 192.168.222.1 17:06 0.00s 0.13s 0.02s w //w命令可以显示当前登录到计算机的用户列表。这对于显示哪些用户使用ssh从哪些远程位置进行了登录以及执行了何种操作等内容特别有用 
  
 

SSH 主机密钥

[root@lnh ~]# cat ~/.ssh/known_hosts 
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NXY9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh8=
//192.168.222.251是客户端远程服务端的ip地址 ecdsa-sha2-nistp256 是算法，AAAA这里是公钥
//主机ID存储在本地客户端系统上的 ~/.ssh/known_hosts 中
//此处也可以换ip地址，之后还是可以进行登录，因为公钥没有发生改变
[root@xbz ~]# cd /etc/ssh/
[root@xbz ssh]# ll
total 600
-rw-r--r--. 1 root root     577388 Apr 27  2020 moduli
-rw-r--r--. 1 root root       1770 Apr 27  2020 ssh_config
drwxr-xr-x. 2 root root         28 Jul 19 16:14 ssh_config.d
-rw-------. 1 root root       4269 Apr 27  2020 sshd_config
-rw-r-----. 1 root ssh_keys    492 Jul 19 16:18 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Jul 19 16:18 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Jul 19 16:18 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Jul 19 16:18 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   2578 Jul 19 16:18 ssh_host_rsa_key
-rw-r--r--. 1 root root        554 Jul 19 16:18 ssh_host_rsa_key.pub
[root@xbz ssh]# less ssh_host_ecdsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSoeRQB8V3OnJODV2Pat9qBx6Gaytfm
jE6RKOrJgKaDGwVH70nfWMbZUYXfU3T8vKnz8AYOmXUZBBXkcZSM2kofAAAAoP4DJvj+Ay
b4AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NX
Y9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh
8AAAAhAP8Fsmj6nWXKoVWYgPeuv22eYQK8hQn4Wrr7PTXRlztaAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
//可以在服务端查看是否一样
[root@lnh ~]# ls /etc/ssh/*key*
/etc/ssh/ssh_host_ecdsa_key      /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub  /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key    /etc/ssh/ssh_host_rsa_key.pub
//主机密钥存储在SSH服务器上的 /etc/ssh/ssh_host_key* 中
//有pub的是公钥，其他的是私钥

配置基于 SSH 密钥的身份验证

在客户端上面的操作:
[root@lnh ~]# ssh-keygen -t rsa  //-t是指定算法 rsa算法
Enter file in which to save the key (/root/.ssh/id_rsa):  //确认这个秘钥保存在括号里面那个目录里面？id_rsa是私钥
Enter passphrase (empty for no passphrase): //请设置私钥的密码
Enter same passphrase again: //重新输入私钥密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Tgi3RqIiIw0nt3uMxeuyw3J3DM3uN8PUK4ItiDoWlXM root@lnh
The key's randomart image is:
+---[RSA 3072]----+    //rsa算法 长度3072
|                 |
|                 |
|o o + o          |
| * B E o         |
|= = =o+ S.       |
|o+ =.ooo. .      |
| o+.+* o.  .     |
|+.*o+ * * .      |
|++.=.+.o +       |
+----[SHA256]-----+
[root@lnh ~]# ls .ssh/
id_rsa  id_rsa.pub  known_hosts
//可以查看到私钥，pub结尾的是公钥
把这个客户机上面的公钥发送给服务端
[root@lnh ~]# ssh-copy-id root@192.168.222.251
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.251's password: 

Number of key(s) added: 1

Now try logging into the MAChine, with:   "ssh 'root@192.168.222.251'"
and check to make sure that only the key(s) you wanted were added.
//因为我的公钥就是叫id_rsa.pub 这个名字所以直接用这个
//如果公钥不叫id_rsa.pub ，那么要指定位置 [root@lnh ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.222.251
在服务端查看：
[root@xbz ~]# ls .ssh/
authorized_keys
//这个就是传过来的公钥
在客户端：
[root@lnh ~]# ssh root@192.168.222.251
Last login: Tue Jul 19 1736 2022 from 192.168.222.1
//可以查看到可以直接免密登录
在服务端也进行设置秘钥
[root@xbz ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FppTggRIQaZOQGlZHVBCOyG5RicFG80NYUU9xl8wCys root@xbz
The key's randomart image is:
+---[RSA 3072]----+
|=@&%@=+. o.      |
|=B==++ =o o.     |
|+o+o.Eo.=..      |
|oo  . .= o       |
|..    + S        |
|       o         |
|                 |
|                 |
|                 |
+----[SHA256]-----+
[root@xbz ~]# ls .ssh/
authorized_keys  id_rsa  id_rsa.pub
[root@xbz ~]# ssh-copy-id  root@192.168.222.250
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.222.250 (192.168.222.250)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.250's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.222.250'"
and check to make sure that only the key(s) you wanted were added.
在客户端查看:
[root@xbz ~]# ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
在服务端登录验证:
[root@xbz ~]# ssh root@192.168.222.250
Last login: Tue Jul 19 1754 2022 from 192.168.222.1
//直接免密登录

//scp命令常用选项
-r //递归复制
-p //保持权限
-P //端口
-q //静默模式
-a //全部复制

链接：https://www.cnblogs.com/tushanbu/p/16495244.html