
How to protect web production Server with ssh Service

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains in detail how the ssh service can protect a web production server. The content is shared here as a reference; after reading it you should have a working understanding of the topic.

Scenario

We have set up a site for our blog, configured an lnmp/lamp environment to run it, and are almost done. But when we work on a medium-sized or large project that has to be deployed to a production server, what do we need to do about account security?

SSH installation:

apt-get install openssh-server

Startup:

/etc/init.d/ssh start

Remote connection to the server (you are prompted for the user's password):

ssh martist@192.168.123.3

Hostname management

A medium-sized or large project often needs to manage multiple servers: a production server, a test server, a management server and so on. You therefore need to manage the hostname of each server. Change a server's name by editing its /etc/hostname file; the new name is visible after a reboot.

SSH key login

The command to generate a key pair on Linux or Mac is ssh-keygen -t rsa. By default the keys are written to the .ssh directory under the home directory: the id_rsa file holds the local private key, and the id_rsa.pub file holds the public key.

Use the ifconfig command to check the IP address of the server. Note that on Aliyun ECS the address shown here is the private (intranet) IP, not the public IP.

On the server you log in to, create an authorized_keys file in the .ssh directory under the home directory (create the directory if it doesn't exist), and put the contents of the generated public key file into it. You can then log in to the server from your local machine using the key.

ssh martist@192.168.123.3

No password prompt appears at this point.

If we disable password login and log in with the ssh key instead, we secure the service (note: before disabling password login, make sure you can log in normally using the ssh key).

Turn off password login

Open /etc/ssh/sshd_config and find the PasswordAuthentication property, which is set to yes.

On line 52, change yes to no; this disables password login (use with caution).

Detailed hands-on walkthrough

Environment: Ali Cloud ECS (CVM), Ubuntu 14.04 LTS

Generate an ssh key on the manager server

ssh-keygen -t rsa

Press Enter at every prompt.

The generated key is saved under the home directory; enter the .ssh directory:

cd ~/.ssh

ls

This lists the files: id_rsa id_rsa.pub known_hosts

Add hostname aliases to the /etc/hosts file on the manager server, for example one alias each for the test server, the DB server and the manager server, to make managing multiple web servers easier.

Edit the local hosts file, using the intranet IP (Ali Cloud's private network IP):

vi /etc/hosts

and write:

10.162.48.184 FWEB1

From now on, typing 'FWEB1' at the terminal refers to '10.162.48.184'.

On the manager server, try logging in to the web1 server with ssh:

ssh root@FWEB1

Quit:

exit

On the manager server, try uploading a file to the web1 server:

scp ./id_rsa.pub root@FWEB1:/root

You still need to enter the password now. Once the key has been added on the web server (below), logging in to the web server from the manager no longer requires a password.

On the web1 server, create a .ssh directory under the home directory:

ssh root@FWEB1

(enter the password)

mkdir ~/.ssh

On the web1 server, copy id_rsa.pub into the .ssh/ directory:

cat id_rsa.pub >> .ssh/id_rsa.pub

At this point the public key id_rsa.pub is in place on the web server (FWEB1).

Rename the file:

mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

Set the file permissions (owner read/write only; sshd ignores an authorized_keys file that is readable or writable by others):

chmod 600 ~/.ssh/authorized_keys

Log out of ssh remote login

exit

Back on the manager server:

ssh root@FWEB1

You can now enter FWEB1 without typing the password.

Upload any file to try it out:

scp known_hosts root@FWEB1:/tmp/

From now on the manager server can send files to the web server with scp without entering a password.

Principle: keep the private key on the manager server only, distribute the public key to all web, DB and backup servers, and you can manage them all easily.
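The walkthrough above installs the key by moving id_rsa.pub over authorized_keys, which overwrites any key already there. The following added example (not from the article) does the same job idempotently: it appends a key only if its type and base64 blob are not yet listed, and sets the .ssh directory to 700 and authorized_keys to 600, which sshd's default StrictModes requires. The sample key is constructed for the demo; the GNU stat -c option is assumed.

```shell
#!/bin/sh
# Added example (not from the article): install a manager's public key on a server
# without clobbering keys that are already present, with the permissions sshd expects.
set -eu

# Constructed sample public key for the demo; not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyNotReal manager@example'

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# Appends the key to HOME_DIR/.ssh/authorized_keys unless the same key
# (type + base64 blob; the trailing comment may differ) is already listed.
install_authorized_key() {
  home=$1; key=$2
  dir="$home/.ssh"; file="$dir/authorized_keys"
  mkdir -p "$dir"; chmod 700 "$dir"   # with StrictModes, sshd ignores a dir others can write
  touch "$file"; chmod 600 "$file"    # ...or a file others can read or write
  keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
  if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$file"; then
    echo "key already present in $file"
    return 0
  fi
  printf '%s\n' "$key" >> "$file"
  echo "installed key in $file"
}

# count_authorized_keys HOME_DIR -> number of key lines (blank and # lines ignored)
count_authorized_keys() {
  awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# check_key_perms HOME_DIR -> succeeds only when .ssh is 700 and authorized_keys is 600
# (uses GNU stat -c; assumption for the demo)
check_key_perms() {
  [ "$(stat -c %a "$1/.ssh")" = 700 ] && [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Demo against a throwaway directory so the script is safe to run anywhere;
# on a real server HOME_DIR would be the login user's home (e.g. /root).
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second call is a no-op
echo "keys listed: $(count_authorized_keys "$demo_home")"
```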

Close the password login of the web server

Open /etc/ssh/sshd_config and find the PasswordAuthentication property, which is set to yes. On line 52, change yes to no to disable password login.

Also change the SSH port in the sshd_config file. The port defaults to 22; change it to a number above 1000.

Default: Port 22, changed to: Port 1678

:wq to exit the vi editor.

reboot so that the change takes effect.
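The two edits above (and the same PasswordAuthentication change in the earlier "Turn off password login" section) are described by line number, which differs between systems. The following added example (not from the article) edits sshd_config by directive name instead, keeps a .bak copy, and offers a check that asks sshd to parse the file before anything is restarted, so a typo cannot lock you out. The sample config is constructed for the demo; it assumes no Match blocks.

```shell
#!/bin/sh
# Added example (not from the article): edit sshd_config by directive name rather than
# by line number, and syntax-check the result before sshd is restarted.
set -eu

# get_sshd_option FILE KEY -> prints the effective value (first uncommented match), or nothing
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE: rewrite the first active line for KEY, else append one.
# The untouched original is kept as FILE.bak (assumes no Match blocks in FILE).
set_sshd_option() {
  f=$1; k=$2; v=$3
  [ -e "$f.bak" ] || cp "$f" "$f.bak"
  if [ -n "$(get_sshd_option "$f" "$k")" ]; then
    awk -v k="$k" -v v="$v" '
      !done && tolower($1) == tolower(k) { print k, v; done = 1; next }
      { print }' "$f" > "$f.tmp"
  else
    cp "$f" "$f.tmp"
    printf '%s %s\n' "$k" "$v" >> "$f.tmp"
  fi
  mv "$f.tmp" "$f"
}

# harden_sshd FILE PORT: the article's two changes plus an explicit PubkeyAuthentication yes
harden_sshd() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" Port "$2"
}

# check_sshd_config FILE: let sshd itself parse the file before a restart or reboot.
# Run it while a working session is still open; a bad file means no login afterwards.
check_sshd_config() {
  sshd -t -f "$1"
}

# Constructed sample config for the demo (a real file would be /etc/ssh/sshd_config).
make_sample_config() {
  printf '%s\n' '# constructed sample' 'Port 22' '#PasswordAuthentication yes' \
    'PasswordAuthentication yes' > "$1"
}

cfg=$(mktemp)
make_sample_config "$cfg"
harden_sshd "$cfg" 1678
echo "effective port: $(get_sshd_option "$cfg" Port)"
```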

Command to log in to the destination server over ssh:

ssh root@FWEB1 -p 1678

A bit tedious? You can create your own alias:

vi ~/.bash_profile

and write:

alias fweb1='ssh root@FWEB1 -p 1678'

(-p is the port number)

Then :wq to save and exit.

Put it into effect:

source .bash_profile

View the aliases:

alias

On the manager server, push all files in a folder to the web server:

scp -P 1678 ./* root@FWEB1:/tmp/

(scp takes the port as a capital -P; the destination folder must already exist on the web server)

That is how you upload to the server. To download files from the web server to the local machine, just swap the two paths.

Tips:

cd ~

mkdir sh

vi pushcode.sh

Write the shell script here. A shell script begins with '#!' followed by the path of the shell that executes the commands:

#!/bin/sh
scp -P 1678 ./var/www.machuang.name/* root@FWEB1:/var/www/machuang.name

Good! :wq to save and exit.

Give it execute permission:

chmod 755 /root/sh/pushcode.sh

Check with ls:

ls /root/sh

pushcode.sh should now show in green (executable). Running this command uploads the code:

/root/sh/pushcode.sh

The script's commands now run. Add an alias for it:

cd ~

vi .bash_profile

and write:

alias pushcode='/root/sh/pushcode.sh'

:wq to save and exit. Put it into effect (otherwise you would have to log in again for it to take effect):

source .bash_profile

Upload the code:

pushcode

That is the working logic of using the ssh service in practice. A single tool used on its own looks flat; combined organically, the various Linux programs and commands become far more powerful.

So much for sharing about how the ssh service protects the web production server. I hope the above content can be helpful to you and learn more. If you think the article is good, you can share it for more people to see.
