
Service management: ssh

Date: 2017/3/1 14:49:09   Editor: About Linux
1. SSH basics

What is SSH? SSH is short for Secure Shell, a protocol specified by the IETF Network Working Group. SSH is a security protocol built on top of the application and transport layers. It is currently a comparatively reliable protocol, designed to provide security for remote login sessions and other network services, and using it effectively prevents information leakage during remote administration. SSH started as a program on Unix systems and quickly spread to other platforms. Used correctly, SSH closes gaps in the network. SSH clients exist for many platforms; almost every Unix platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX and Irix, can run SSH.

[plain]
# the trailing "d" in sshd stands for daemon
# query the installed packages
[root@client01 opt]# rpm -qa | grep openssh
openssh-clients-5.3p1-52.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64
[root@client01 opt]# rpm -ql openssh-server
/etc/pam.d/ssh-keycat
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-keycat
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/doc/openssh-server-5.3p1
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
# telnet transmits everything in clear text and is insecure; not recommended
[root@client01 opt]# cd /etc/ssh/
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr  5  2011 ssh_config
-rw-------. 1 root root   3872 Apr  5  2011 sshd_config
-rw-------. 1 root root    668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root    627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root   1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Jul 23 00:58 ssh_host_rsa_key.pub
# ssh_config: configuration file of the ssh client command
# sshd_config: the server configuration, the focus of this tutorial
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
[root@larrywen /]# ssh 192.168.1.12
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:7
RSA host key for 192.168.1.12 has changed and you have requested strict checking.
Host key verification failed.
# when the message above appears, delete the file
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
# if that still does not help, delete it on the local machine as well
[root@larrywen .ssh]# rm -rf known_hosts
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr  5  2011 ssh_config
-rw-------. 1 root root   3872 Apr  5  2011 sshd_config
-rw-------. 1 root root    668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root    627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root   1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Jul 23 00:58 ssh_host_rsa_key.pub
# delete the ssh_host_* files and restart the service: they are regenerated automatically
[root@client01 ssh]# rm -f ssh_host_*
[root@client01 ssh]# ll
total 132
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr  5  2011 ssh_config
-rw-------. 1 root root   3872 Apr  5  2011 sshd_config
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr  5  2011 moduli
-rw-r--r--. 1 root root   2047 Apr  5  2011 ssh_config
-rw-------. 1 root root   3872 Apr  5  2011 sshd_config
-rw-------. 1 root root    672 Aug  6 10:38 ssh_host_dsa_key
-rw-r--r--. 1 root root    590 Aug  6 10:38 ssh_host_dsa_key.pub
-rw-------. 1 root root    963 Aug  6 10:38 ssh_host_key
-rw-r--r--. 1 root root    627 Aug  6 10:38 ssh_host_key.pub
-rw-------. 1 root root   1675 Aug  6 10:38 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Aug  6 10:38 ssh_host_rsa_key.pub
[root@client01 ssh]# man 5 sshd_config
# change the port, restart, then log in again
[root@client01 ssh]# vim sshd_config
[root@client01 ssh]# grep "Port" sshd_config
#Port 22
Port 2222
#GatewayPorts no
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@client01 ~]# netstat -lanput | grep sshd
tcp        0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN      1814/sshd
tcp        0      0 :::2222                     :::*                        LISTEN      1814/sshd
# after changing the port, logging in the old way fails
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
# specify the port; the option can go before or after the host
[root@larrywen /]# ssh 192.168.1.11 -p 2222
The authenticity of host '[192.168.1.11]:2222 ([192.168.1.11]:2222)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:2222' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug  6 09:54:46 2013 from 192.168.1.1
[root@client01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh -p 2222 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 10:42:48 2013 from 192.168.1.1
# scp: relies on the SSH service
[root@larrywen begin]# scp ule-begin.pdf 192.168.1.11:/root -P 2222
2222: No such file or directory
[root@larrywen begin]# scp -P 2222 ule-begin.pdf 192.168.1.11:/root
root@192.168.1.11's password:
ule-begin.pdf                                 100%   14MB  13.6MB/s   00:00

2. Changing the SSH port

[plain]
# change the port, for security reasons
[root@client01 ~]# vim /etc/ssh/sshd_config
[root@client01 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@client01 ~]# netstat -langput | grep sshd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1969/sshd
tcp        0      0 :::22                       :::*                        LISTEN      1969/sshd
[root@client01 ~]# ifconfig eth0:1 192.168.1.111 netmask 255.255.255.0
[root@client01 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:07:DD:3B
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13261 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2665 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15228499 (14.5 MiB)  TX bytes:402371 (392.9 KiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:07:DD:3B
          inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@larrywen /]# ssh -p 2222 192.168.1.111
ssh: connect to host 192.168.1.111 port 2222: Connection refused
[root@larrywen /]# ssh 192.168.1.111
The authenticity of host '192.168.1.111 (192.168.1.111)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.111' (RSA) to the list of known hosts.
root@192.168.1.111's password:
Last login: Tue Aug  6 10:57:55 2013 from 192.168.1.1
[root@client01 ~]#
[root@client01 ssh]# grep "ListenAddress" sshd_config
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.111
[root@client01 ~]# exit
logout
Connection to 192.168.1.111 closed.
[root@larrywen /]# ssh 192.168.1.111
root@192.168.1.111's password:
Last login: Tue Aug  6 11:05:55 2013 from 192.168.1.1
[root@client01 ~]# netstat -langput | grep sshd
tcp        0      0 192.168.1.111:22            0.0.0.0:*                   LISTEN      2011/sshd
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused

3. Allowing SSH logins only from the internal network, not from outside

[plain]
# add a second network card on the 172.16.1.0 network
# by default both addresses can be reached
[root@larrywen /]# ssh 172.16.1.11
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.11' (RSA) to the list of known hosts.
root@172.16.1.11's password:
Last login: Tue Aug  6 19:15:21 2013 from 192.168.1.1
# bind to the internal IP address: the internal network can connect, the external address is not bound
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "Address" /etc/ssh/sshd_config
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.11
# restart the service
[root@serv01 ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@serv01 ~]# exit
logout
Connection to 172.16.1.11 closed.
# connecting to 172.16.1.11 no longer works
[root@larrywen /]# ssh 172.16.1.11
ssh: connect to host 172.16.1.11 port 22: Connection refused
# connecting to 192.168.1.11 still works normally
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 19:13:51 2013
[root@serv01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug  6 19:15:33 2013 from 172.16.1.1
# check the network status
[root@serv01 ~]# netstat -lanput | grep sshd
tcp        0      0 192.168.1.11:22             0.0.0.0:*                   LISTEN      1375/sshd

4. SSH login without a password (empty passwords)

[plain]
# no password required
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "#PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
[root@serv01 ~]# grep "PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
67:PermitEmptyPasswords yes
# add a user and blank out its password field in /etc/passwd
[root@serv01 ssh]# useradd hongyi
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi::500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@larrywen /]# ssh hongyi@192.168.1.11
[hongyi@serv01 ~]$

5. Disallowing root logins over SSH

[plain]
[root@serv01 ssh]# grep "PermitRootLogin" sshd_config -n
42:#PermitRootLogin yes
43:PermitRootLogin no
93:# the setting of "PermitRootLogin without-password".
[root@serv01 ssh]# man sshd_config
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi:x:500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# passwd hongyi
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug  6 19:29:05 2013 from 192.168.1.1

6. Restricting SSH login to specific users or groups

[plain]
# allow users / deny users
AllowUsers hongyi
AllowUsers hongyi up01
DenyUsers zhink
AllowGroups
DenyGroups
[root@serv01 ssh]# useradd zhink
[root@serv01 ssh]# passwd zhink
[root@serv01 ssh]# useradd up01
[root@serv01 ssh]# passwd up01
[root@serv01 ssh]# grep "Users" sshd_config -n
47:AllowUsers hongyi up01
48:DenyUsers zhink
[root@serv01 ssh]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@serv01 ssh]# man sshd_config
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug  6 19:40:50 2013 from 192.168.1.1
[hongyi@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh up01@192.168.1.11
up01@192.168.1.11's password:
[up01@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh zhink@192.168.1.11
zhink@192.168.1.11's password:
Permission denied, please try again.
zhink@192.168.1.11's password:

7. SSH user equivalence (key-based login)

[plain]
# log in to another machine without a password
# SSH user equivalence
# generate the authentication files: a public key and a private key
[root@larrywen /]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
86:49:93:08:44:01:03:85:5c:f8:2b:de:2b:08:c2:[email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|**Oo             |
|.+ . . .         |
| .. +            |
| .. +            |
|. . o S          |
|oo E .           |
|= =              |
|.o o             |
| ...             |
+-----------------+
[root@larrywen /]# cd ~/.ssh/
[root@larrywen .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@larrywen .ssh]# ssh-copy-id -i id_rsa.pub 192.168.0.217
root@192.168.0.217's password:
Now try logging into the machine, with "ssh '192.168.0.217'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@larrywen ssh]# ssh 192.168.0.217
Last login: Fri Aug  2 11:33:41 2013 from 192.168.0.10
[root@similar ~]#
[root@larrywen .ssh]# yum install openssh-clients -y
# two-way SSH user equivalence
[root@serv01 .ssh]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug  6 22:10:09 2013 from 192.168.1.11
[root@serv02 ~]#
[root@serv02 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
54:6b:99:8a:21:2c:28:0d:2f:89:2e:1a:b1:b3:ef:[email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|. .              |
|.* . . +         |
|B + o . . =      |
|o+ . . + o       |
|=. . S           |
|o+               |
|o                |
| . .             |
| oE              |
+-----------------+
[root@serv02 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Now try logging into the machine, with "ssh '192.168.1.11'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@serv02 .ssh]# ssh 192.168.1.11
Last login: Tue Aug  6 22:09:27 2013 from 192.168.1.12
[root@serv01 ~]#
# if serv03 gets hold of the private key, it can log in as well
# so protect the private key with a passphrase
[root@serv01 /]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -iid_rsa 192.168.1.13
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
The authenticity of host '192.168.1.13 (192.168.1.13)' can't be established.
RSA key fingerprint is ac:ca:a2:ca:b4:27:b5:aa:5d:1a:eb:6e:5f:3c:2e:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.13' (RSA) to the list of known hosts.
root@192.168.1.13's password:
Now try logging into the machine, with "ssh '192.168.1.13'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@serv01 .ssh]# ssh 192.168.1.13
Last login: Tue Aug  6 21:47:04 2013 from 192.168.1.1
[root@serv03 ~]#
# using a passphrase-protected key without retyping the passphrase: the SSH agent
# the agent's state is lost after a reboot
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
[root@serv01 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bd:5d:d4:1b:52:32:2f:a3:4e:60:d1:7a:1d:91:c2:[email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .=E +o.         |
| .= o=.          |
| o. o+oo.        |
| .o...o+ o       |
| S oo ..         |
| oo .            |
| ...             |
|                 |
|                 |
+-----------------+
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@serv01 .ssh]# ssh 192.168.1.12
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Tue Aug  6 22:14:11 2013 from 192.168.1.11
[root@serv02 ~]# exit
logout
Connection to 192.168.1.12 closed.
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug  6 22:18:36 2013 from 192.168.1.11

8. Using xinetd together with ssh

[plain]
# kinds of service processes:
# 1. standalone daemons: serve clients on their own, on their own port
# 2. the super-daemon xinetd: manages other services
# xinetd provides no service of its own; it manages services
[root@serv01 .ssh]# yum install xinetd* -y
[root@serv01 .ssh]# chkconfig
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rhnsd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhsmcertd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off
# services that are used all the time do not need xinetd, for example Apache
# services that are used rarely are the ones worth managing this way
# the include directory works like the yum repo files and the logrotate snippets
# configuration files
[root@serv01 etc]# ls /etc/xinetd.conf
/etc/xinetd.conf
[root@serv01 etc]# cd xinetd.d/
[root@serv01 xinetd.d]# ll
total 44
-rw-r--r--. 1 root root 1157 Feb 28  2011 chargen-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 chargen-stream
-rw-r--r--. 1 root root 1157 Feb 28  2011 daytime-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 daytime-stream
-rw-r--r--. 1 root root 1157 Feb 28  2011 discard-dgram
-rw-r--r--. 1 root root 1159 Feb 28  2011 discard-stream
-rw-r--r--. 1 root root 1148 Feb 28  2011 echo-dgram
-rw-r--r--. 1 root root 1150 Feb 28  2011 echo-stream
-rw-r--r--. 1 root root 1212 Feb 28  2011 tcpmux-server
-rw-r--r--. 1 root root 1149 Feb 28  2011 time-dgram
-rw-r--r--. 1 root root 1150 Feb 28  2011 time-stream
[root@serv01 xinetd.d]# man xinetd.conf
# stream: TCP
# dgram: UDP
# let xinetd manage sshd
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
        socket_type = stream
        wait        = no
        nice        = 10
        user        = root
        server      = /usr/sbin/sshd
        disable     = no
}
# check the services: ssh now shows as on
[root@serv01 xinetd.d]# chkconfig
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        ssh:            on
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off
# disable it and check again: ssh shows as off
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
        socket_type = stream
        wait        = no
        nice        = 10
        user        = root
        server      = /usr/sbin/sshd
        disable     = yes
}
[root@serv01 xinetd.d]# chkconfig
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        ssh:            off
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off
# stop the sshd service
[root@serv01 xinetd.d]# /etc/init.d/sshd stop
Stopping sshd:                                             [  OK  ]
# restart xinetd
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [FAILED]
Starting xinetd:                                           [  OK  ]
# check the network status: xinetd is not listening
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master
tcp        0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0
tcp        0      0 ::1:25                      :::*                        LISTEN      1144/master
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon:
udp        0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth1            1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0            1      ff02::1:ff07:dd3b
eth0            1      ff02::1
# a remote connection fails
[root@larrywen .ssh]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
# edit the file again and add: server_args = -i
# server_args is documented in man xinetd.conf
[root@serv01 xinetd.d]# man xinetd.conf
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
        socket_type = stream
        wait        = no
        nice        = 10
        user        = root
        server      = /usr/sbin/sshd
        disable     = no
        server_args = -i
}
# restart the service
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
# check again: xinetd is now listening on port 22
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master
tcp        0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0
tcp        0      0 :::22                       :::*                        LISTEN      2410/xinetd
tcp        0      0 ::1:25                      :::*                        LISTEN      1144/master
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon:
udp        0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth1            1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0            1      ff02::1:ff07:dd3b
eth0            1      ff02::1
# remote connection
[root@larrywen .ssh]# ssh 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug  6 22:15:35 2013 from 192.168.1.12
[root@serv01 ~]#
# check again: the new session is served through xinetd
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1144/master
tcp        0      0 192.168.1.11:22             192.168.1.1:37741           ESTABLISHED 1377/0
tcp        0      0 192.168.1.11:22             192.168.1.1:52605           ESTABLISHED 2413/1
tcp        0      0 :::22                       :::*                        LISTEN      2410/xinetd
tcp        0      0 ::1:25                      :::*                        LISTEN      1144/master
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1034/avahi-daemon:
udp        0      0 0.0.0.0:54455               0.0.0.0:*                               1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth1            1      224.0.0.251
eth1            1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth1            1      ff02::1:ff07:dd45
eth1            1      ff02::1
eth0            1      ff02::1:ff07:dd3b
eth0            1      ff02::1
# where the sshd binary lives, according to the init script
[root@serv01 xinetd.d]# grep "SSHD" /etc/init.d/sshd -n
41:SSHD=/usr/sbin/sshd
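An added example for section 1, not part of the original tutorial: the tutorial answers the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning with `rm -rf ~/.ssh/known_hosts`, which also throws away the pinned keys of every other host. The helpers below locate and remove only the entry for the host whose key changed (what `ssh-keygen -R host` does), so the new key can be verified out of band while everything else stays pinned. The known_hosts content is constructed and the key blobs are dummies.

```shell
# Added example (not the tutorial's code). Works on the plain known_hosts
# layout: "host[,alias...] keytype base64key", with non-default ports written
# as "[host]:port" (the tutorial's '[192.168.1.11]:2222' entry).
# Constructed sample; the key material is a placeholder, not a real key.
KNOWN_HOSTS_SAMPLE='192.168.1.12 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedkey1
[192.168.1.11]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedkey2
172.16.1.11,serv01 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedkey3
|1|constructedsalt=|constructedhash= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedkey4'

# known_hosts_lines FILE HOST [PORT]
# Print the line number(s) whose host field names HOST, matching the message
# "Offending key in /root/.ssh/known_hosts:7". Hashed entries ("|1|...")
# cannot be matched without the HMAC and are skipped.
known_hosts_lines() {
    file=$1; host=$2; port=${3:-22}
    if [ "$port" = 22 ]; then key=$host; else key="[$host]:$port"; fi
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        substr($1, 1, 3) == "|1|" { next }      # hashed hostname: leave to ssh-keygen -R
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == key) { print NR; break }
        }' "$file"
}

# known_hosts_remove FILE HOST [PORT]
# Rewrite FILE without the entries for HOST; every other host keeps its key.
# Returns 1 and changes nothing when there is no entry to remove.
known_hosts_remove() {
    file=$1; host=$2; port=${3:-22}
    lines=$(known_hosts_lines "$file" "$host" "$port")
    [ -n "$lines" ] || { echo "no known_hosts entry for $host" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v drop="$lines" '
        BEGIN { n = split(drop, d, "\n"); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        !(NR in skip)' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo: recreate the tutorial's situation for 192.168.1.12, then drop only that entry.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$f"
    echo "Offending line for 192.168.1.12: $(known_hosts_lines "$f" 192.168.1.12)"
    known_hosts_remove "$f" 192.168.1.12
    echo "entries left: $(wc -l < "$f")"    # 3: the other hosts are untouched
    rm -f "$f"
}
demo
```

After the entry is gone, the next `ssh 192.168.1.12` asks to confirm the new fingerprint, which is the moment to compare it with the value obtained from the server's console or administrator.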
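An added example for sections 2 to 6, not from the tutorial: a shell audit that reports the values sshd will actually use from an sshd_config before `service sshd restart`. It applies two rules from sshd_config(5): commented lines such as `#Port 22` are inert, and for scalar keywords such as PermitRootLogin or PermitEmptyPasswords the first uncommented occurrence wins, so a line appended below an earlier one is silently ignored, whereas Port, ListenAddress, AllowUsers and DenyUsers accumulate across lines. The sample config is constructed to mirror the tutorial's edits, with one stray `PermitRootLogin yes` appended to show the first-wins rule.

```shell
# Added example (not the tutorial's code). Constructed sample mirroring the
# tutorial's edits; the last line is a deliberately shadowed duplicate.
SSHD_CONFIG_SAMPLE='#Port 22
Port 2222
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.11
#PermitRootLogin yes
PermitRootLogin no
#PermitEmptyPasswords no
PermitEmptyPasswords yes
AllowUsers hongyi up01
DenyUsers zhink
PermitRootLogin yes'

# sshd_values FILE KEYWORD [all]
# Print the active value of KEYWORD ("keyword value" layout, keyword matched
# case-insensitively). Stops at the first Match block, whose values are conditional.
# Without "all" only the first value is printed (scalar rule); with "all", every one.
sshd_values() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v all="${3:-}" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print
            if (all == "") exit
        }' "$1"
}

# sshd_audit FILE
# One line per finding; prints nothing when the file is clean. Always exits 0.
sshd_audit() {
    f=$1
    for kw in PermitRootLogin PermitEmptyPasswords; do
        n=$(sshd_values "$f" "$kw" all | wc -l | tr -d ' ')
        if [ "$n" -gt 1 ]; then
            echo "DUPLICATE: $kw set $n times; sshd uses the first value ($(sshd_values "$f" "$kw"))"
        fi
    done
    if [ "$(sshd_values "$f" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "WEAK: PermitRootLogin is not 'no' (the OpenSSH 5.3 default is yes)"
    fi
    if [ "$(sshd_values "$f" PermitEmptyPasswords | tr 'A-Z' 'a-z')" = "yes" ]; then
        echo "WEAK: PermitEmptyPasswords yes; any account with an empty password field can log in"
    fi
    if [ -z "$(sshd_values "$f" AllowUsers all)$(sshd_values "$f" AllowGroups all)" ]; then
        echo "INFO: no AllowUsers/AllowGroups; every local account may attempt a login"
    fi
    case " $(sshd_values "$f" ListenAddress all | tr '\n' ' ')" in
        *" 0.0.0.0 "*|*" :: "*|" ") echo "INFO: sshd binds every address; consider ListenAddress on the internal interface" ;;
    esac
    return 0
}

# Demo on the constructed sample.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SSHD_CONFIG_SAMPLE" > "$f"
    echo "effective PermitRootLogin: $(sshd_values "$f" PermitRootLogin)"   # no, not the appended yes
    sshd_audit "$f"
    rm -f "$f"
}
demo
```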
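An added example for section 8, not the tutorial's own code: a check for the `/etc/xinetd.d/ssh` service block that catches the missing `server_args = -i` before xinetd is restarted. The `-i` flag tells sshd it is being run from inetd and must serve the already-connected socket it inherits instead of listening on its own, which is why the tutorial's first attempt ended in "Connection refused". Both service files are constructed: one mirrors the tutorial's first attempt, the other the corrected version.

```shell
# Added example (not the tutorial's code). Two constructed service files:
# XINETD_SSH_BROKEN mirrors the tutorial's first attempt (no server_args),
# XINETD_SSH_FIXED the corrected one.
XINETD_SSH_BROKEN='service ssh
{
        socket_type = stream
        wait        = no
        nice        = 10
        user        = root
        server      = /usr/sbin/sshd
        disable     = no
}'
XINETD_SSH_FIXED='service ssh
{
        socket_type = stream
        wait        = no
        nice        = 10
        user        = root
        server      = /usr/sbin/sshd
        disable     = no
        server_args = -i
}'

# xinetd_attr FILE SERVICE ATTR
# Print the value of ATTR inside "service SERVICE { ... }" ("attr = value"
# layout as in the tutorial); prints nothing if the service or attribute is absent.
xinetd_attr() {
    awk -v svc="$2" -v attr="$3" '
        /^[ \t]*(#|$)/ { next }
        $1 == "service" { in_svc = ($2 == svc); next }
        in_svc && $1 == "}" { in_svc = 0; next }
        in_svc && $1 == attr && $2 == "=" {
            $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# xinetd_ssh_check FILE
# Returns 0 when sshd is enabled in inetd mode, 1 with the reason on stderr.
xinetd_ssh_check() {
    f=$1
    [ "$(xinetd_attr "$f" ssh disable)" = "no" ] \
        || { echo "ssh: disable is not 'no'; chkconfig would list it as off" >&2; return 1; }
    [ "$(xinetd_attr "$f" ssh server)" = "/usr/sbin/sshd" ] \
        || { echo "ssh: server is not /usr/sbin/sshd" >&2; return 1; }
    case " $(xinetd_attr "$f" ssh server_args) " in
        *" -i "*) return 0 ;;
    esac
    echo "ssh: server_args lacks -i; sshd would not serve the socket xinetd hands it" >&2
    return 1
}

# Demo: the broken file is rejected, the fixed file is accepted.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$XINETD_SSH_BROKEN" > "$f"
    xinetd_ssh_check "$f" || echo "broken service file rejected (expected)"
    printf '%s\n' "$XINETD_SSH_FIXED" > "$f"
    xinetd_ssh_check "$f" && echo "fixed service file accepted: server_args = $(xinetd_attr "$f" ssh server_args)"
    rm -f "$f"
}
demo
```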