
服务治理——ssh

服务管理——ssh

一 ssh相关知识

什么是SSH?

SSH 为 Secure Shell 的缩写,由 IETF 的网络工作小组(NetworkWorking Group)所制定;SSH 为建立在应用层和传输层基础上的安全协议。SSH 是目前较可靠,专为远程登录会话和其他网络服务提供安全性的协议。利用 SSH协议可以有效防止远程管理过程中的信息泄露问题。SSH最初是Unix系统上的一个程序,后来又迅速扩展到其他操作平台。SSH在正确使用时可弥补网络中的漏洞。SSH客户端适用于多种平台。几乎所有Unix平台—包括HP-UX、Linux、AIX、Solaris、Digital UNIX、Irix,以及其他平台—都可运行SSH


#带有d:守护
#查询安装包
[root@client01 opt]# rpm -qa|grep openssh
openssh-clients-5.3p1-52.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64
[root@client01 opt]# rpm -ql openssh-server
/etc/pam.d/ssh-keycat
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-keycat
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/doc/openssh-server-5.3p1
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
      
#telnet:明文传输,不安全。不建议使用
[root@client01 opt]# cd /etc/ssh/
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr 5  2011 ssh_config
-rw-------. 1 root root   3872 Apr 5  2011 sshd_config
-rw-------. 1 root root    668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root    627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root   1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Jul 23 00:58 ssh_host_rsa_key.pub
#ssh_config:ssh命令的配置文件
#sshd_config:重点学习
 
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
 
[root@larrywen /]# ssh 192.168.1.12
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:7
RSA host key for 192.168.1.12 has changed and you have requested strict checking.
Host key verification failed.
 
#出现上述问题,说明 known_hosts 中记录的主机密钥与服务器当前发送的不一致。常见的正常原因是服务器重装或重新生成了 ssh_host_* 文件;但同样的警告也正是中间人攻击的表现,所以删除前应先通过带外方式核对指纹(例如在服务器本机执行 ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub)。确认无误后,更推荐只删除对应条目(ssh-keygen -R 192.168.1.12),而不是整个文件
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
#如果还是不行,本机也删除
[root@larrywen .ssh]# rm -rf known_hosts
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr 5  2011 ssh_config
-rw-------. 1 root root   3872 Apr 5  2011 sshd_config
-rw-------. 1 root root    668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root    627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root   1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Jul 23 00:58 ssh_host_rsa_key.pub
 
#我们删除ssh_host_*文件,然后重启服务,发现文件自动生成了
[root@client01 ssh]# rm -f ssh_host_*
[root@client01 ssh]# ll
total 132
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr 5  2011 ssh_config
-rw-------. 1 root root   3872 Apr 5  2011 sshd_config
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                            [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [ OK  ]
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr 5  2011 ssh_config
-rw-------. 1 root root   3872 Apr 5  2011 sshd_config
-rw-------. 1 root root    672 Aug 6 10:38 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Aug 6 10:38 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Aug 6 10:38 ssh_host_key
-rw-r--r--. 1 root root    627 Aug 6 10:38 ssh_host_key.pub
-rw-------. 1 root root   1675 Aug 6 10:38 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Aug 6 10:38 ssh_host_rsa_key.pub
 
[root@client01 ssh]# man 5 sshd_config
 
#修改端口,然后重启,重新登录
[root@client01 ssh]# vim sshd_config
[root@client01 ssh]# grep "Port" sshd_config
#Port 22
Port 2222
#GatewayPorts no
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                            [  OK  ]
[root@client01 ~]# netstat -lanput | grep sshd
tcp       0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN      1814/sshd          
tcp       0      0 :::2222                     :::*                        LISTEN      1814/sshd   
 
#修改端口后按照以前的登录方式会出错
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
 
#指定端口,参数可以放在前面或者后面
[root@larrywen /]# ssh 192.168.1.11 -p 2222
The authenticity of host '[192.168.1.11]:2222 ([192.168.1.11]:2222)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:2222' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug  6 09:54:46 2013 from 192.168.1.1
[root@client01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh -p 2222 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 10:42:48 2013 from 192.168.1.1
 
 
#scp:借助SSH服务
[root@larrywen begin]# scp ule-begin.pdf 192.168.1.11:/root -P 2222
2222: No such file or directory
[root@larrywen begin]# scp -P 2222 ule-begin.pdf 192.168.1.11:/root
root@192.168.1.11's password:
ule-begin.pdf                                                                                      100%   14MB 13.6MB/s   00:00   

二 ssh修改端口

#修改端口:安全考虑(改端口只能减少自动扫描带来的噪音,并不能替代密钥认证、防火墙等真正的访问控制)
      
[root@client01 ~]# vim /etc/ssh/sshd_config
[root@client01 ~]# service sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                             [  OK  ]
[root@client01 ~]# netstat -langput | grep sshd
tcp       0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1969/sshd          
tcp       0      0 :::22                       :::*                        LISTEN     1969/sshd     
 
[root@client01 ~]# ifconfig eth0:1 192.168.1.111 netmask 255.255.255.0
[root@client01 ~]# ifconfig
eth0     Link encap:Ethernet  HWaddr 00:0C:29:07:DD:3B 
         inet addr:192.168.1.11 Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
         RX packets:13261 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2665 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:15228499 (14.5 MiB)  TXbytes:402371 (392.9 KiB)
 
eth0:1   Link encap:Ethernet  HWaddr 00:0C:29:07:DD:3B 
         inet addr:192.168.1.111 Bcast:192.168.1.255 Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
 
lo       Link encap:Local Loopback 
         inet addr:127.0.0.1 Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING MTU:16436  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 b)  TX bytes:0(0.0 b)
 
 
[root@larrywen /]# ssh -p 2222 192.168.1.111
ssh: connect to host 192.168.1.111 port 2222: Connection refused
[root@larrywen /]# ssh 192.168.1.111
The authenticity of host '192.168.1.111 (192.168.1.111)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.111' (RSA) to the list of known hosts.
root@192.168.1.111's password:
Last login: Tue Aug  6 10:57:55 2013 from 192.168.1.1
[root@client01 ~]#
 
[root@client01 ssh]# grep "ListenAddress" sshd_config
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.111
 
[root@client01 ~]# exit
logout
Connection to 192.168.1.111 closed.
[root@larrywen /]# ssh 192.168.1.111
root@192.168.1.111's password:
Last login: Tue Aug  6 11:05:55 2013 from 192.168.1.1
[root@client01 ~]# netstat -langput | grep sshd
tcp       0      0 192.168.1.111:22            0.0.0.0:*                   LISTEN      2011/sshd        
 
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused

三 ssh实现只允许内网登录,不允许外网登录

 

#添加一张网卡,网段是172.16.1.0
#默认情况都可以访问
[root@larrywen /]# ssh 172.16.1.11
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.11' (RSA) to the list of known hosts.
root@172.16.1.11's password:
Last login: Tue Aug  6 19:15:21 2013 from 192.168.1.1
 
#绑定IP地址,内网可以访问,外网不绑定
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "Address" /etc/ssh/sshd_config
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.11
#重启服务
[root@serv01 ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                            [  OK  ]
[root@serv01 ~]# exit
logout
Connection to 172.16.1.11 closed.
#连接172.16.1.11,不可以
[root@larrywen /]# ssh 172.16.1.11
ssh: connect to host 172.16.1.11 port 22: Connection refused
 
#连接192.168.1.11,可以正常登录
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 19:13:51 2013
[root@serv01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 19:15:33 2013 from 172.16.1.1
 
#查看网络状态
[root@serv01 ~]# netstat -lanput | grep sshd
tcp       0      0 192.168.1.11:22             0.0.0.0:*                   LISTEN      1375/sshd


四 ssh登录不需要密码实现

#不要密码(仅限实验环境:PermitEmptyPasswords yes 再配合 /etc/passwd 中口令字段为空的账号,意味着任何能连到该端口的人都可以用此账号直接登录,生产环境不要这样配置)
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "#PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
[root@serv01 ~]# grep "PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
67:PermitEmptyPasswords yes
 
#添加用户
[root@serv01 ssh]# useradd hongyi
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi::500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                            [  OK  ]
 
[root@larrywen /]# ssh hongyi@192.168.1.11
[hongyi@serv01 ~]$

五 ssh不允许root用户登录

[root@serv01 ssh]# grep "PermitRootLogin" sshd_config -n
42:#PermitRootLogin yes
43:PermitRootLogin no
93:# the setting of "PermitRootLogin without-password".
[root@serv01 ssh]# man sshd_config
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                            [  OK  ]
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi:x:500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# passwd hongyi
 
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug  6 19:29:05 2013 from 192.168.1.1

六 ssh指定用户或者组登录

#允许用户 拒绝用户
AllowUsers hongyi
AllowUsers hongyi up01
DenyUsers zhink
AllowGroups
DenyGroups
 
[root@serv01 ssh]# useradd zhink
[root@serv01 ssh]# passwd zhink
 
[root@serv01 ssh]# useradd up01
[root@serv01 ssh]# passwd up01
 
[root@serv01 ssh]# grep "Users" sshd_config -n
47:AllowUsers hongyi up01
48:DenyUsers zhink
 
[root@serv01 ssh]# service sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                            [  OK  ]
 
[root@serv01 ssh]# man sshd_config
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug  6 19:40:50 2013 from 192.168.1.1
[hongyi@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh up01@192.168.1.11
up01@192.168.1.11's password:
[up01@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh zhink@192.168.1.11
zhink@192.168.1.11's password:
Permission denied, please try again.
zhink@192.168.1.11's password:

七 ssh等效性

#不用密码登录别人的机器
#ssh等效性
 
#生成认证文件:公钥 私钥
 
[root@larrywen /]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
86:49:93:08:44:01:03:85:5c:f8:2b:de:2b:08:c2:4f root@larrywen.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|**Oo             |
|.+ . . .         |
|  .. +          |
|   .. +         |
|.  . o S        |
|oo E  .         |
|= =              |
|.o o             |
| ...            |
+-----------------+
 
[root@larrywen /]# cd ~/.ssh/
[root@larrywen .ssh]# ls
id_rsa id_rsa.pub  known_hosts
 
[root@larrywen .ssh]# ssh-copy-id -i id_rsa.pub 192.168.0.217
root@192.168.0.217's password:
Now try logging into the machine, with "ssh '192.168.0.217'", and check in:
 
 .ssh/authorized_keys
 
[root@larrywen ssh]# ssh 192.168.0.217
Last login: Fri Aug  2 11:33:41 2013 from 192.168.0.10
[root@similar ~]#
 
 
to make sure we haven't added extra keys that you weren't expecting.
 
[root@larrywen .ssh]# yum install openssh-clients -y
 
#双向SSH等效性
[root@serv01 .ssh]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
 
 .ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
 
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug  6 22:10:09 2013 from 192.168.1.11
[root@serv02 ~]#
 
 
[root@serv02 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
54:6b:99:8a:21:2c:28:0d:2f:89:2e:1a:b1:b3:ef:9e root@serv02.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|.        .      |
|.* .    . +     |
|B + o . . =      |
|o+ . . + o       |
|=.   . S        |
|o+               |
|o                |
| . .             |
| oE              |
+-----------------+
[root@serv02 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Now try logging into the machine, with "ssh '192.168.1.11'", and check in:
 
 .ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
 
[root@serv02 .ssh]# ssh 192.168.1.11
Last login: Tue Aug  6 22:09:27 2013 from 192.168.1.12
[root@serv01 ~]#
 
 
 
#私钥被Serv03拿去,可以登录
#私钥加密(为私钥设置口令)
[root@serv01 /]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
 
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
The authenticity of host '192.168.1.13 (192.168.1.13)' can't be established.
RSA key fingerprint is ac:ca:a2:ca:b4:27:b5:aa:5d:1a:eb:6e:5f:3c:2e:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.13' (RSA) to the list of known hosts.
root@192.168.1.13's password:
Now try logging into the machine, with "ssh '192.168.1.13'", and check in:
 
 .ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
 
[root@serv01 .ssh]# ssh 192.168.1.13
Last login: Tue Aug  6 21:47:04 2013 from 192.168.1.1
[root@serv03 ~]#
 
#私钥不需要密码——SSH代理
#重启后失效
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
 
[root@serv01 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bd:5d:d4:1b:52:32:2f:a3:4e:60:d1:7a:1d:91:c2:4c root@serv01.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|        .=E +o. |
|         .= o=. |
|        o. o+oo.|
|       .o...o+ o|
|       S oo  .. |
|         oo .   |
|         ...    |
|                 |
|                 |
+-----------------+
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
 
 .ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
 
[root@serv01 .ssh]# ssh 192.168.1.12
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Tue Aug  6 22:14:11 2013 from 192.168.1.11
[root@serv02 ~]# exit
logout
Connection to 192.168.1.12 closed.
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug  6 22:18:36 2013 from 192.168.1.11


八 xinetd和ssh结合使用

#进程:
#1.独立守护进程:单独的向外提供服务,有单独的端口
#2.超级守护进程:管理其他服务 xinetd
#xinetd:不对外提供服务,管理服务
[root@serv01 .ssh]# yum install xinetd* -y
[root@serv01 .ssh]# chkconfig
auditd                0:off       1:off       2:on       3:on       4:on       5:on       6:off
avahi-daemon         0:off       1:off       2:off       3:on       4:on       5:on       6:off
crond                0:off       1:off       2:on       3:on       4:on       5:on       6:off
ip6tables      0:off       1:off       2:off       3:off       4:off       5:off       6:off
iptables       0:off       1:off       2:off       3:off       4:off       5:off       6:off
messagebus          0:off       1:off       2:on       3:on       4:on       5:on       6:off
netconsole     0:off       1:off       2:off       3:off       4:off       5:off       6:off
netfs                 0:off       1:off       2:off       3:on       4:on       5:on       6:off
network              0:off       1:off       2:on       3:on       4:on       5:on       6:off
postfix        0:off       1:off       2:on       3:on       4:on       5:on       6:off
rdisc                 0:off       1:off       2:off       3:off       4:off       5:off       6:off
restorecond    0:off       1:off       2:off       3:off       4:off       5:off       6:off
rhnsd                0:off       1:off       2:on       3:on       4:on       5:on       6:off
rhsmcertd            0:off       1:off       2:off       3:on       4:on       5:on       6:off
rsyslog        0:off       1:off       2:on       3:on       4:on       5:on       6:off
saslauthd      0:off       1:off       2:off       3:off       4:off       5:off       6:off
sshd                 0:off       1:off       2:on       3:on       4:on       5:on       6:off
udev-post             0:off       1:on       2:on       3:on       4:on       5:on       6:off
xinetd                0:off       1:off       2:off       3:on       4:on       5:on       6:off
 
xinetd based services:
       chargen-dgram:       off
       chargen-stream: off
       daytime-dgram:       off
       daytime-stream: off
       discard-dgram: off
       discard-stream:   off
       echo-dgram:          off
       echo-stream:   off
       tcpmux-server:  off
       time-dgram:           off
       time-stream:   off
 
#服务被频繁地使用:不需要管理;比如Apache
#当然服务使用少,需要被管理
 
#包含文件:yum源 日志切换
#配置文件
[root@serv01 etc]# ls /etc/xinetd.conf
/etc/xinetd.conf
 
[root@serv01 etc]# cd xinetd.d/
[root@serv01 xinetd.d]# ll
total 44
-rw-r--r--. 1 root root 1157 Feb 28  2011 chargen-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 chargen-stream
-rw-r--r--. 1 root root 1157 Feb 28  2011 daytime-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 daytime-stream
-rw-r--r--. 1 root root 1157 Feb 28  2011 discard-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 discard-stream
-rw-r--r--. 1 root root 1148 Feb 28  2011 echo-dgram
-rw-r--r--. 1 root root 1150 Feb 28  2011 echo-stream
-rw-r--r--. 1 root root 1212 Feb 28  2011 tcpmux-server
-rw-r--r--. 1 root root 1149 Feb 28  2011 time-dgram
-rw-r--r--. 1 root root 1150 Feb 28  2011 time-stream
 
[root@serv01 xinetd.d]# man xinetd.conf
#stream:TCP
#dgram:UDP
 
#让xinetd服务管理sshd
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
       socket_type         = stream
       wait                = no
       nice                = 10
       user                = root
       server              =/usr/sbin/sshd
       disable             = no
}
#查看服务,可以看到显示on
[root@serv01 xinetd.d]# chkconfig
xinetd                0:off       1:off       2:off       3:on       4:on       5:on       6:off
 
xinetd based services:
       chargen-dgram:       off
       chargen-stream: off
       daytime-dgram:       off
       daytime-stream: off
       discard-dgram: off
       discard-stream:   off
       echo-dgram:          off
       echo-stream:   off
       ssh:                  on
       tcpmux-server:  off
       time-dgram:           off
       time-stream:   off
 
#禁止,查看服务,可以看到显示off
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
       socket_type         = stream
       wait                = no
       nice                = 10
       user                = root
       server              =/usr/sbin/sshd
       disable             = yes
}
 
[root@serv01 xinetd.d]# chkconfig
 
xinetd                0:off       1:off       2:off       3:on       4:on       5:on       6:off
 
xinetd based services:
       chargen-dgram:       off
       chargen-stream: off
       daytime-dgram:       off
       daytime-stream: off
       discard-dgram: off
       discard-stream:   off
       echo-dgram:          off
       echo-stream:   off
       ssh:                  off
       tcpmux-server:  off
       time-dgram:           off
       time-stream:   off
 
#关闭sshd服务
[root@serv01 xinetd.d]# /etc/init.d/sshd stop
Stopping sshd:                                            [  OK  ]
#重启xinetd服务
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                          [FAILED]
Starting xinetd:                                           [ OK  ]
#查看网络状态,发现没有xinetd
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers andestablished)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp       0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master        
tcp       0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0             
tcp       0      0 ::1:25                      :::*                        LISTEN      1144/master        
udp       0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon: 
udp       0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon: 
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ---------------------------
lo              1      224.0.0.1
eth1           1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0            1      ff02::1:ff07:dd3b
eth0            1      ff02::1
 
#远程连接,发生失败
[root@larrywen .ssh]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
#再次编辑,加上     server_args      = -i(sshd 的 -i 表示由 inetd/xinetd 方式启动,与下面的配置一致)
#可以通过man xinetd.conf查看server_args
[root@serv01 xinetd.d]# man xinetd.conf
server_args
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
       socket_type         = stream
       wait                = no
       nice                = 10
       user                = root
       server              =/usr/sbin/sshd
       disable             = no
       server_args      = -i
}
#重启服务
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                          [  OK  ]
Starting xinetd:                                           [  OK  ]
#再次查看,发现有xinetd服务
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers andestablished)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp       0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master        
tcp       0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0             
tcp       0      0 :::22                       :::*                        LISTEN      2410/xinetd        
tcp       0      0 ::1:25                      :::*                        LISTEN      1144/master        
udp       0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon: 
udp       0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon: 
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ---------------------------
lo              1      224.0.0.1
eth1            1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0           1      ff02::1:ff07:dd3b
eth0            1      ff02::1
 
#远程连接
[root@larrywen .ssh]# ssh 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug  6 22:15:35 2013 from 192.168.1.12
[root@serv01 ~]#
#再次查看,发现有xinetd服务
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers andestablished)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp       0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master        
tcp       0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0             
tcp       0      0 192.168.1.11:22             192.168.1.1:52605           ESTABLISHED 2413/1             
tcp       0      0 :::22                       :::*                        LISTEN      2410/xinetd        
tcp       0      0 ::1:25                      :::*                        LISTEN      1144/master        
udp       0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon: 
udp       0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon: 
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ---------------------------
lo              1      224.0.0.1
eth1            1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0            1      ff02::1:ff07:dd3b
eth0            1      ff02::1
 
 
#查看sshd命令的位置
[root@serv01 xinetd.d]# grep "SSHD" /etc/init.d/sshd -n
41:SSHD=/usr/sbin/sshd

九 参考资料

http://baike.baidu.com/link?url=1JbtdcFEXFNeck5GgVjNU8SYvH81MP8M2bv_MOHjDk-eII_BuXRozGcIZ4agMK0B



  我的邮箱wgbno27@163.com
  新浪微博@Wentasy27         
  微信公众平台:JustOracle(微信号:justoracle)
  数据库技术交流群:336882565(加群时验证 From CSDN XXX)
  By Larry Wen


@Wentasy 博文仅供参考,欢迎大家来访。如有错误之处,希望批评指正。原创博文如需转载请注明出处,谢谢 :) [CSDN博客]
