Linux登录不上相关教程

Linux登录不上相关教程

安装openssh

ubuntu

apt-get -y install openssh openssh-server openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package openssh

# List installed packages whose dpkg entry mentions "ssh" (is openssh-server present?).
dpkg -l | grep -- ssh

ubuntu默认root连接不上,需要修改配置文件
# Become root (on Ubuntu the root account has no password by default).
sudo su -
# Give root a password so that password-based SSH login as root can work.
# NOTE(review): PermitRootLogin yes together with PasswordAuthentication yes
# (set further down) exposes root directly to online password guessing;
# prefer a sudo-capable user with key authentication and keep root SSH login
# disabled where possible.
passwd root
# Keep a copy of the original config before editing it.
cp -- /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
修改成
egrep -v "^$|^#" /etc/ssh/sshd_config
AddressFamily any
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
root@VM-3-9-ubuntu:/# egrep -v "^$|^#" /etc/ssh/sshd_config
AddressFamily any
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes

# 重启服务就可以正常登录了

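# Follow sshd's authentication log on Debian/Ubuntu. -F (rather than -f)
# keeps following across logrotate; with -f, tail stays attached to the
# rotated file and silently shows nothing new.
tail -F /var/log/auth.log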

CentOS

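# Follow sshd's authentication log on RHEL/CentOS. -F (rather than -f)
# keeps following across logrotate; with -f, tail stays attached to the
# rotated file and silently shows nothing new.
tail -F /var/log/secure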

rsync

# Push /opt/rsyuc_aa/ to root's home directory on the remote host. The
# trailing slash on the source copies the directory's contents, not the
# directory itself.
rsync -av -- /opt/rsyuc_aa/ root@172.16.3.9:./

scp/sftp

# Copy a local file to the remote /tmp (capital -P selects the port for scp/sftp).
scp -P 22 -- /etc/resolv.conf root@172.16.3.9:/tmp/
# Copy the remote file back to the local /tmp.
scp -P 22 -- root@172.16.3.9:/tmp/resolv.conf /tmp/
# Open an interactive sftp session on the same port.
sftp -P 22 root@172.16.3.9
root@172.16.3.9's password:
Permission denied, please try again.
root@172.16.3.9's password:
Connected to 172.16.3.9.
sftp>
sftp> cd /etc/ssh/
sftp> put resolv.conf
sftp> get sshd_config

# ssh登录提示
编写提示文件 /etc/iss.txt
在sshd配置文件Banner填写路径
# 更改端口
更改配置文件
Port 22

ssh登录慢问题优化

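# Disable reverse-DNS lookups of the connecting client, a common cause of
# slow logins. Match the directive whether or not it is commented out: the
# original "/UseDNS/s/yes/no/" only rewrites an existing "UseDNS yes" line
# and leaves the usual "#UseDNS yes" default untouched, so nothing changed.
sed -i -E 's/^#?[[:space:]]*UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
# Confirm the effective value with: sshd -T | grep -i usedns
# Validate the config and only restart if it parses; restarting on a broken
# config would cut off all further SSH access.
sshd -t && systemctl restart sshd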

免密登录

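# Generate a key pair for the local user. ed25519 is the recommended type
# (short keys, no size parameter to get wrong); the original relied on the
# OpenSSH default, which is RSA on older releases.
ssh-keygen -t ed25519
# Install the public key into root's authorized_keys on the remote host
# (prompts for root's password once).
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@172.16.3.9
# Once key login works, set PasswordAuthentication no in sshd_config so the
# account is no longer reachable by password guessing.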

allowuser/denyuser

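# Create the account that will be the only one allowed to log in over SSH.
useradd tom
# Prompt for the password instead of `echo <password> | passwd --stdin tom`:
# a literal password on the command line is recorded in shell history and is
# visible in process listings, and --stdin is a RHEL-only passwd option.
passwd tom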
Changing password for user tom.
passwd: all authentication tokens updated successfully.
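# Restrict SSH logins to tom. AllowUsers is a whitelist: every account that
# still needs SSH (including the admin account in use right now) must be
# listed, otherwise its next login is refused. Keep this session open and
# test from a second one before logging out.
printf 'AllowUsers tom\n' >>/etc/ssh/sshd_config
# Only restart when the config parses; a restart on a broken config would
# drop all future SSH access.
sshd -t && systemctl restart sshd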
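# Allow both tom and root. Edit the AllowUsers line in place rather than
# appending a second one: sshd uses the first occurrence of a keyword, so a
# later duplicate would be ignored. The ^ anchor keeps the sed from touching
# commented lines that merely contain the text.
sed -i 's/^AllowUsers tom.*/AllowUsers tom root/' /etc/ssh/sshd_config
# Validate before restarting so a typo cannot lock everyone out.
sshd -t && systemctl restart sshd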
[root@VM-1-3-centos tom]# grep AllowU /etc/ssh/sshd_config
AllowUsers tom root
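# Additionally restrict tom to connections from 172.16.3.9 (user@host
# patterns in AllowUsers); root stays allowed from any host here.
sed -i 's/^AllowUsers.*/AllowUsers tom@172.16.3.9 root/' /etc/ssh/sshd_config
# Validate before restarting so a typo cannot lock everyone out.
sshd -t && systemctl restart sshd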
# 验证
tom@172.16.1.3's password:
Permission denied, please try again.

AllowUsers允许root登录但PermitRootLogin no

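 # Disable root login even though AllowUsers still lists root: PermitRootLogin
 # no takes precedence. Match the directive whether or not it is commented
 # out and whatever its current value is; the original only flipped a literal
 # "yes", so a commented "#PermitRootLogin prohibit-password" default (Ubuntu)
 # was left unchanged.
 sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
 # Validate before restarting so a typo cannot lock everyone out.
 sshd -t && systemctl restart sshd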
# 验证
Permission denied, please try again.
root@172.16.1.3's password:
tom@172.16.1.3's password:
Last login: Tue Jun 13 15:25:38 2023 from 172.16.3.9

设置客户端会话超时

# 默认
ClientAliveInterval 0
ClientAliveCountMax 3
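# Append keepalive settings. These are liveness probes, not an idle timeout:
# sshd sends a probe every 10 s and disconnects a client that fails to answer
# 60 probes in a row (about 10 min of no response); an idle but responsive
# client is never dropped by them.
cat <<'EOF' >>/etc/ssh/sshd_config
ClientAliveInterval 10
ClientAliveCountMax 60
EOF
# sshd uses the first occurrence of a keyword, so these appended lines are
# ignored if an uncommented ClientAlive* setting already exists earlier in
# the file; confirm the effective values with: sshd -T | grep -i clientalive
# Validate before restarting so a broken config cannot lock everyone out.
sshd -t && systemctl restart sshd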

设置禁用客户端连接SSH:黑名单

# Deny SSH connections from 172.16.3.9 via TCP wrappers.
# NOTE(review): hosts.deny is only consulted when sshd is linked against
# libwrap (upstream OpenSSH dropped it in 6.7; RHEL/CentOS 7 kept a patch,
# newer distributions generally do not). Check with:
#   ldd "$(command -v sshd)" | grep wrap
# If it is not linked, use firewall rules or sshd's own AllowUsers/Match.
printf 'sshd:172.16.3.9\n' >>/etc/hosts.deny

############
# Truncate both TCP-wrapper policy files: this drops every deny rule
# (blacklist) and every allow rule (whitelist) at once.
: >/etc/hosts.deny
: >/etc/hosts.allow

指定IP登录其他拒绝

https://www.cip.cc/  查看自己ip地址
# Whitelist a single source for sshd and deny everyone else. hosts.allow is
# evaluated before hosts.deny, so the order of the two appends does not
# matter, but the address must be right (NAT or a changing public IP means
# the address seen on cip.cc may not be stable): a mistake here locks the
# administrator out. Keep this session open and test from a second one
# before logging out. Only effective if sshd is linked against libwrap.
printf 'sshd:222.90.156.52\n' >>/etc/hosts.allow
printf 'sshd:ALL\n' >>/etc/hosts.deny
cat /etc/hosts.allow
sshd:222.90.156.52
cat /etc/hosts.deny
sshd:ALL
systemctl restart sshd
# Verify from a host that is not whitelisted. (TCP wrappers re-read
# hosts.allow/hosts.deny on every new connection, so the restart above is
# not strictly needed for the rule to apply.)
ssh tom@172.16.1.3
ssh_exchange_identification: read: Connection reset by peer

锁定账户

passwd -l tom  # 锁定账号
Locking password for user tom.
passwd: Success
passwd -S tom # 查看状态
tom LK 2023-06-13 0 99999 7 -1 (Password locked.)
passwd -u tom # 解除锁定
Unlocking password for user tom.
passwd: Success

空密码默认不允许登录

# Remove tom's password entirely. This is not the same as "no SSH password":
# if pam_unix is configured with nullok, the account can then be used locally
# without any password, so lock it (passwd -l) rather than delete the
# password when the goal is to block the account.
passwd -d tom
# Show sshd's effective empty-password setting (permitemptypasswords).
sshd -T | grep -i empty

当系统中有/etc/nologin时普通用户无法登录,但root不受影响

touch /etc/nologin # 在/etc/创建nologin文件,普通用户无法登录
tom@172.16.1.3's password:
Permission denied, please try again.
rm -rf /etc/nologin # 删除nologin,恢复正常
tom@172.16.1.3's password:
Last failed login: Tue Jun 13 16:07:57 CST 2023 from 172.16.3.9 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Jun 13 15:26:37 2023 from 172.16.3.9
[tom@VM-1-3-centos ~]$ exit
logout

下次登录修改密码

# Expire tom's password immediately so a new one is demanded at next login.
chage --lastday 0 tom
# Show the ageing information to confirm the change.
chage --list tom
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
# 验证
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 172.16.1.3 closed.


pam相关设置与sshd

[root@VM-1-3-centos ~]# sed -i '2aauth required pam_tally2.so deny=3 onerr=fail unlock_time=300' /etc/pam.d/sshd
[root@VM-1-3-centos ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

# 验证
[root@VM-1-3-centos ~]# pam_tally2
Login Failures Latest failure From
tom 3 06/13/23 16:24:17 172.16.3.9
# root不受影响

selinux、iptables/firewalld/ufw、openssl依赖库、本地网络、安全组、网络ACL等

cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

getenforce
Disabled
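# Switch SELinux to permissive for the current boot (denials are logged to
# /var/log/audit/audit.log but not enforced). Prints an error and exits
# non-zero when SELinux is already disabled, as getenforce showed above.
setenforce 0
# Persist "disabled" across reboots. Anchor on ^SELINUX= so the explanatory
# comment line "# SELINUX= can take ..." in the same file is not rewritten
# too, which the unanchored original pattern did.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
cat /etc/selinux/config
# NOTE(review): disabling SELinux outright to fix an SSH login problem is a
# blunt tool. Permissive mode is enough to confirm SELinux is the cause, and
# the usual sshd-related denial is a mislabelled ~/.ssh, fixed in place with
#   restorecon -Rv ~/.ssh
# without giving up enforcement.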

防火墙演示

iptables是红帽7前的防火墙工具,firewalld是红帽7后的防火墙工具,ufw是Debian分支的防火墙
iptables的基本结构:表-->链-->规则
# Back up the current ruleset before touching anything (restore later with
# iptables-restore).
iptables-save >/opt/ipt.txt
# Is firewalld managing the rules on this host?
systemctl status firewalld
# Set the default policies to ACCEPT so that flushing the chains below cannot
# lock us out; until rules are restored the host has no packet filtering.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush all rules and delete user-defined chains in the filter table (other
# tables such as nat must be named explicitly with -t).
iptables -F
iptables -X
iptables -L -n -v
Chain INPUT (policy ACCEPT 53 packets, 3780 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 47 packets, 6521 bytes)
pkts bytes target prot opt in out source destination

iptables规则管理

[root@VM-1-3-centos ~]# iptables -A INPUT -m state --state NEW -p tcp -m multiport --dport 80,443,20,21,39000:40000 -j ACCEPT
[root@VM-1-3-centos ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 17 packets, 1140 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,20,21,39000:40000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15 packets, 2232 bytes)
pkts bytes target prot opt in out source destination
[root@VM-1-3-centos ~]# iptables -A INPUT -s 222.90.156.52,172.16.0.0 -p tcp --dport 22 -j ACCEPT
# 只允许 222.90.156.52,172.16.0.0 访问ssh(注意: 这里只添加了 ACCEPT 规则,而 INPUT 链默认策略仍是 ACCEPT,其他来源依然可以访问 22 端口;要真正只允许这两个来源,需在其后追加 iptables -A INPUT -p tcp --dport 22 -j DROP;另外 172.16.0.0 不带掩码只匹配单个主机,整个网段应写成 172.16.0.0/16)
[root@VM-1-3-centos ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 17 packets, 1208 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,20,21,39000:40000
0 0 ACCEPT tcp -- * * 222.90.156.52 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 172.16.0.0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 16 packets, 3127 bytes)
pkts bytes target prot opt in out source destination
[root@VM-1-3-centos ~]#
# 保存规则与恢复规则
[root@VM-1-3-centos ~]# iptables-save > /opt/ipt.txt
# 保存规则
[root@VM-1-3-centos ~]# iptables -F
# 清除规则
[root@VM-1-3-centos ~]# iptables -L -n -v
# 查看规则
Chain INPUT (policy ACCEPT 10 packets, 632 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7 packets, 660 bytes)
pkts bytes target prot opt in out source destination
[root@VM-1-3-centos ~]# iptables-restore /opt/ipt.txt
# 恢复规则
[root@VM-1-3-centos ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 10 packets, 588 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,20,21,39000:40000
0 0 ACCEPT tcp -- * * 222.90.156.52 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 172.16.0.0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 9 packets, 1608 bytes)
pkts bytes target prot opt in out source destination

CVM救援模式与单用户模式

进入救援模式

单用户模式

重启后按e 进入grub 将ro 改为 rw init=/bin/bash 按ctrl+x 进入单用户模式
退出单用户模式
exec /sbin/init
# lsof -p "$(pgrep -o httpd)"
# 查看进程打开了哪些文件,例如通过 httpd 进程查看其日志路径(pgrep -o 取最早的 httpd 进程,避免 ps|grep 匹配到 grep 自身)

日志文件误删恢复

# Simulate the accident: truncate the log, then delete it while rsyslogd
# still holds it open.
: >/var/log/messages
rm -f -- /var/log/messages
# Presumably here to generate some log traffic after the deletion.
systemctl restart sshd
lsof | grep messages
rsyslogd 1229 root 8w REG 252,1 978 393797 /var/log/messages (deleted)
in:imjour 1229 1247 root 8w REG 252,1 978 393797 /var/log/messages (deleted)
rs:main 1229 1267 root 8w REG 252,1 978 393797 /var/log/messages (deleted)

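# Recover the content through rsyslogd's still-open descriptor. The lsof
# output above shows the deleted file on fd 8 (the "8w" column), so read
# /proc/<pid>/fd/8; the original pointed at fd/5, which is a different file.
cat /proc/1229/fd/8 >/var/log/messages
# rsyslogd keeps writing to the deleted inode until it reopens the path; a
# restart makes it pick up the recreated file.
systemctl restart rsyslog
# -F keeps following if the file is replaced again.
tail -F /var/log/messages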