https://blog.z6z8.cn/tags/ssh/ Recent content in Ssh on 编程技术记录 Hugo zh-Hans Fri, 27 Nov 2020 10:02:24 +0000 https://blog.z6z8.cn/2020/11/27/macos-%E9%85%8D%E7%BD%AE-git-ssh%E8%AE%BF%E9%97%AE%E6%96%B9%E5%BC%8F/ Fri, 27 Nov 2020 10:02:24 +0000 http://blog.z6z8.cn/?p=933 <h2 id="生成-ssh-key">生成 ssh key</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>$ ssh-keygen -t rsa -C <span style="color:#e6db74">&#34;git服务端留存的邮箱地址&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Generating public/private rsa key pair. </span></span><span style="display:flex;"><span>Enter file in which to save the key <span style="color:#f92672">(</span>~/.ssh/id_rsa<span style="color:#f92672">)</span>: <span style="color:#e6db74">&#34;这里输入ssh key保存路径，不建议使用默认地址&#34;</span> </span></span><span style="display:flex;"><span>Enter passphrase <span style="color:#f92672">(</span>empty <span style="color:#66d9ef">for</span> no passphrase<span style="color:#f92672">)</span>: <span style="color:#e6db74">&#34;这里输入密码，建议输入空（方便后续配置）&#34;</span> </span></span><span style="display:flex;"><span>Enter same passphrase again: <span style="color:#e6db74">&#34;再输入一遍密码,建议输入空（方便后续配置）&#34;</span> </span></span></code></pre></div><p>应生成两个文件，公钥和私钥，文件名形式为 <code>xxx</code>(私钥)， <code>xxx_pub</code> 或者 <code>xxx.pub</code>(公钥)。记住ssh key生成的文件路径。</p> <blockquote> <p>默认情况下，ssh会使用 <code>~/.ssh/id_rsa</code> 这个私钥，但无法处理访问多个ssh远端的场景。</p> </blockquote> <h2 id="配置本地ssh访问git使用的私钥">配置本地ssh访问git使用的私钥</h2> <p>打开 <code>~/.ssh/config</code> 文件，如果没有则创建一个文本文件，添加如下内容</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># 请保证 Host 和 HostName 的值相同 （macos11 实测不相同时，git ssh 访问失败）</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 远端ssh主机别名</span> </span></span><span style="display:flex;"><span>Host bitbucket.cmbc.com.cn </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 远端ssh主机名（域名或者ip都可以）</span> </span></span><span style="display:flex;"><span> HostName bitbucket.cmbc.com.cn </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 鉴权文件 ，这填写ssh私钥文件路径</span> </span></span><span style="display:flex;"><span> IdentityFile <span style="color:#e6db74">&#34;ssh 私钥文件路径&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 使用公钥算法进行鉴权</span> </span></span><span style="display:flex;"><span> PreferredAuthentications publickey </span></span></code></pre></div><p>关于 ssh config 更多细节参考 <a href="https://linux.die.net/man/5/ssh_config">https://linux.die.net/man/5/ssh_config</a></p> https://blog.z6z8.cn/2020/06/27/%E3%80%90%E8%BD%AC%E3%80%91ssh%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%EF%BC%8C%E5%A4%9A%E6%AC%A1%E5%A4%B1%E8%B4%A5%E7%99%BB%E5%BD%95%E5%8D%B3%E5%B0%81%E6%8E%89ip%EF%BC%8C%E9%98%B2%E6%AD%A2%E6%9A%B4/ Sat, 27 Jun 2020 00:29:20 +0000 http://blog.z6z8.cn/?p=872 <p>读取/var/log/secure，查找关键字 Failed，例如：</p> <p>Sep 17 09:08:09 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2 Sep 17 09:08:20 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2 Sep 17 09:10:02 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2 Sep 17 09:10:14 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2</p> <p>从这些行中提取IP地址，如果次数达到10次(脚本中判断次数字符长度是否大于1)则将该IP写到 <code>/etc/hosts.deny</code> 中。</p> <p>步骤：</p> <p>1、先把始终允许的IP填入 /etc/hosts.allow ，这很重要！比如： sshd:19.16.18.1:allow sshd:19.16.18.2:allow</p> <p>2、脚本 /usr/local/bin/secure_ssh.sh</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">#! /bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>cat /var/log/secure|awk <span style="color:#e6db74">&#39;/Failed/{print $(NF-3)}&#39;</span>|sort|uniq -c|awk <span style="color:#e6db74">&#39;{print $2&#34;=&#34;$1;}&#39;</span> &gt; /usr/local/bin/black.list </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i in &lt;code&gt;cat /usr/local/bin/black.list&lt;/code&gt; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> IP<span style="color:#f92672">=</span>&lt;code&gt;echo $i |awk -F<span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;{print $1}&#39;</span>&lt;/code&gt; </span></span><span style="display:flex;"><span> NUM<span style="color:#f92672">=</span>&lt;code&gt;echo $i|awk -F<span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;{print $2}&#39;</span>&lt;/code&gt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> <span style="color:#e6db74">${#</span>NUM<span style="color:#e6db74">}</span> -gt <span style="color:#ae81ff">1</span> <span style="color:#f92672">]</span>; <span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> grep $IP /etc/hosts.deny &gt; /dev/null </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> $? -gt <span style="color:#ae81ff">0</span> <span style="color:#f92672">]</span>;<span style="color:#66d9ef">then</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;sshd:</span>$IP<span style="color:#e6db74">:deny&#34;</span> &gt;&gt; /etc/hosts.deny </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">fi</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span></code></pre></div><p>3、将secure_ssh.sh脚本放入cron计划任务，每1分钟执行一次。</p> https://blog.z6z8.cn/2019/09/21/windows10%EF%BC%9A%E9%85%8D%E7%BD%AEvisual-studio-code-%E4%BB%A5ssh%E6%96%B9%E5%BC%8F%E8%AE%BF%E9%97%AE%E8%BF%9C%E7%A8%8B%E4%B8%BB%E6%9C%BA/ Sat, 21 Sep 2019 02:49:16 +0000 http://139.155.43.7:8000/?p=348 <p>Windows10上遇到过ssh的坑，记录下过程</p> <p>参考 <a href="https://code.visualstudio.com/docs/remote/troubleshooting#_installing-a-supported-ssh-client">https://code.visualstudio.com/docs/remote/troubleshooting#_installing-a-supported-ssh-client</a></p> <h1 id="环境和知识准备">环境和知识准备</h1> <ul> <li>远程主机，并开启ssh-server服务（通常端口22）</li> <li>Windows环境（本文Windwos10家庭版）</li> <li>Visual Studio Code</li> <li>公钥加密算法，对SSH，通常为RSA</li> <li>已经生成好的ssh公钥文件和私有文件</li> </ul> <h1 id="步骤">步骤</h1> <h2 id="安装ssh-client">安装ssh-client</h2> <p>对于Windows10的一些版本，可以通过 <code>设置--系统--应用和功能--管理可选功能--添加功能</code> 来开启ssh-client，奈何本穷的Windows10不支持。</p> <p>还有两种方法来安装ssh-client</p> <p>通过PowerShell安装，以管理员方式启动PowerShell，具体参考 <a href="https://docs.microsoft.com/zh-cn/windows-server/administration/openssh/openssh_install_firstuse" title="这里">这里</a>，反正本穷是没有成功。</p> <p>于是，只有通过安装Git for Windows来安装ssh-client了， <a href="https://git-scm.com/download/win" title="下载地址">下载地址</a></p> <h2 id="安装remotessh">安装RemoteSSH</h2> <p>这里需要给Visual Studio Code 安装扩展包，以支持RemoteSSH。 <code>Visual Studio Code -- 查看 --扩展</code>,在扩展中搜索 <code>Remote Development</code>，然后安装这个扩展包，会自动安装相关依赖包。</p> <h2 id="配置vistual-studio-code-ssh">配置Vistual Studio Code SSH</h2> <p><code>Visual Studio Code -- 设置</code>，搜索SSH，在结果列表中找到 <code>扩展--Remote-SSH -- Remote.SSH:Config File</code>，自定义RemoteSSH的配置文件路径，然后创建这个配置文件，内容如下:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Host 自定义别名 </span></span><span style="display:flex;"><span> User 远程主机ssh登陆的用户名 </span></span><span style="display:flex;"><span> HostName 远程主机名字，可以是ip地址 </span></span><span style="display:flex;"><span> Port 远程主机ssh端口号，一般是22 </span></span><span style="display:flex;"><span> IdentityFile 身份验证文件路径，即ssh私钥文件路径 </span></span></code></pre></div><h2 id="访问">访问</h2> <p>Vistual Studio Code &ndash; 查看 &ndash;命令面板 &ndash;Remote-SSH：Connect ToHost</p> <p>选择配置文件中配置好的主机即可。</p>