配置rsyslog服務(wù)器

目錄

• 日志管理
• 配置rsyslog服務(wù)器
• openssh
• Secure Shell 示例
• SSH 主機密鑰
• 配置基于 SSH 密鑰的身份驗證

[root@lnh ~]# cat /etc/redhat-release 
CentOS Stream release 8  //查看當前系統(tǒng)版本
[root@lnh ~]# uname -r
4.18.0-257.el8.x86_64
//查看當前系統(tǒng)內(nèi)核版本
[root@lnh ~]# dmesg 
...
[    5.273545] XFS (dm-2): Starting recovery (logdev: internal)
[    5.323019] XFS (dm-2): Ending recovery (logdev: internal)
[    5.397922] XFS (sda1): Ending clean mount
[    7.026122] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    7.031966] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[    7.034521] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    7.034533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    7.045958] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[    7.050984] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[    7.052685] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[    7.052696] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
//可以查看系統(tǒng)所有的調(diào)試信息,日志(此處是centos8里面的)
[root@lnh ~]# tail -f /var/log/messages 
Jul 19 16:39:01 lnh systemd-logind[976]: New session 1 of user root.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Paths.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Timers.
Jul 19 16:39:01 lnh systemd[1268]: Starting D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Listening on D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Sockets.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Basic System.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Default.
Jul 19 16:39:02 lnh systemd[1268]: Startup finished in 71ms.
Jul 19 16:39:02 lnh systemd[1]: Started User Manager for UID 0.
//系統(tǒng)標準錯誤日志信息；非內(nèi)核產(chǎn)生的引導(dǎo)信息；各子系統(tǒng)產(chǎn)生的信息
[root@lnh ~]# cat /var/log/secure 
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /etc/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Finished loading, compiling and executing 2 rules
Jul 19 16:18:44 localhost polkitd[962]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 19 16:18:44 localhost sshd[1062]: Server listening on 0.0.0.0 port 22.
Jul 19 16:18:44 localhost sshd[1062]: Server listening on :: port 22.
Jul 19 16:19:51 localhost systemd[1304]: pam_unix(systemd-user session opened for user root by (uid=0)
Jul 19 16:19:51 localhost login[1083]: pam_unix(login session opened for user root by LOGIN(uid=0)
Jul 19 16:19:51 localhost login[1083]: ROOT LOGIN ON tty1
Jul 19 16:20:53 localhost polkitd[935]: Loading rules from directory /etc/polkit-1/rules.d
...
//與安全相關(guān)的日志信息
// /var/log/maillog：郵件系統(tǒng)產(chǎn)生的日志信息

syslog和rsyslog服務(wù)均有兩個進程：
syslogd：系統(tǒng)，非內(nèi)核產(chǎn)生的日志信息。
klogd：內(nèi)核，專門負責記錄內(nèi)核產(chǎn)生的日志信息。

[root@lnh ~]# ps aux |grep syslogd
root        1194  0.0  0.2 218472  5768 ?        Ssl  16:37   0:00 /usr/sbin/rsyslogd -n
root        1355  0.0  0.0  12108  1088 pts/0    S+   16:48   0:00 grep --color=auto syslogd
//一直都在
[root@lnh ~]# ps aux |grep klogd
root        1362  0.0  0.0  12108  1080 pts/0    S+   16:51   0:00 grep --color=auto klogd
//當前沒有

配置rsyslog服務(wù)器

我們首先要關(guān)閉虛擬機創(chuàng)建一個克隆，記住是完整克隆

lnh作為客戶端，ip是192.168.222.250
xbz作為服務(wù)端，ip是192.168.222.251
在客戶端：
[root@lnh ~]# vim /etc/rsyslog.conf 

在客戶端賦予權(quán)限訪問服務(wù)端

[root@lnh ~]# systemctl restart rsyslog.service
//重啟服務(wù)
在服務(wù)端：
[root@xbz ~]# vim /etc/rsyslog.conf 

取消這四行的注釋

[root@xbz ~]# systemctl restart rsyslog.service 
//重啟服務(wù)
[root@xbz ~]# systemctl stop firewalld.service 
[root@xbz ~]# setenforce 0
//關(guān)閉防火墻
[root@xbz ~]# tail -f /var/log/secure 
Jul 19 17:02:19 lnh sshd[1012]: Server listening on :: port 22.
Jul 19 17:03:03 lnh systemd[1258]: pam_unix(systemd-user session opened for user root by (uid=0)
Jul 19 17:03:03 lnh login[1032]: pam_unix(login session opened for user root by LOGIN(uid=0)
Jul 19 17:03:03 lnh login[1032]: ROOT LOGIN ON tty1
Jul 19 17:03:16 lnh sshd[1294]: Accepted password for root from 192.168.222.1 port 55495 ssh2
Jul 19 17:03:16 lnh sshd[1294]: pam_unix(sshd session opened for user root by (uid=0)
Jul 19 17:03:22 lnh sshd[1320]: Accepted password for root from 192.168.222.1 port 55497 ssh2
Jul 19 17:03:22 lnh sshd[1320]: pam_unix(sshd session opened for user root by (uid=0)
Jul 19 17:05:36 lnh sshd[1474]: Accepted password for root from 192.168.222.1 port 55524 ssh2
Jul 19 17:05:36 lnh sshd[1474]: pam_unix(sshd session opened for user root by (uid=0)
//記錄安全相關(guān)的東西
驗證:
我們在客戶端進行登錄用戶故意輸入錯誤密碼然后再登錄
可以在服務(wù)的看到下面的信息
[root@xbz ~]# tail -f /var/log/secure 
ser root by (uid=0)
Jul 19 17:24:37 lnh sshd[1410]: pam_unix(sshd session closed for user root
Jul 19 17:24:41 lnh unix_chkpwd[1441]: password check failed for user (root)
Jul 19 17:24:41 lnh sshd[1439]: pam_unix(sshd authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.222.1  user=root
Jul 19 17:24:44 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:45 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:46 lnh unix_chkpwd[1442]: password check failed for user (root)
Jul 19 17:24:48 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:50 lnh unix_chkpwd[1443]: password check failed for user (root)
Jul 19 17:24:52 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: Accepted password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: pam_unix(sshd session opened for user root by (uid=0)

openssh

Secure Shell 示例

lnh作為客戶端，ip是192.168.222.250
xbz作為服務(wù)端，ip是192.168.222.251

[root@lnh ~]# ssh root@192.168.222.251 '/usr/sbin/ip a' //接命令的絕對路徑，防止沒有識別出命令
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.             
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password: 
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:2925:ce brd ffffff:ff
    inet 192.168.222.251/24 brd 192.168.222.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff25ce/64 scope link 
       valid_lft forever preferred_lft forever
//在同一網(wǎng)段下可以以遠程用戶身份（remoteuser）在遠程主機（remotehost）上通過將輸出返回到本地顯示器的方式來執(zhí)行單一命令
[root@lnh ~]# w
 17:41:09 up 38 min,  2 users,  load average: 0.02, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                17:02   38:20   0.28s  0.28s -bash
root     pts/0    192.168.222.1    17:06    0.00s  0.13s  0.02s w
//w命令可以顯示當前登錄到計算機的用戶列表。這對于顯示哪些用戶使用ssh從哪些遠程位置進行了登錄以及執(zhí)行了何種操作等內(nèi)容特別有用

SSH 主機密鑰

[root@lnh ~]# cat ~/.ssh/known_hosts 
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NXY9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh8=
//192.168.222.251是客戶端遠程服務(wù)端的ip地址 ecdsa-sha2-nistp256 是算法，AAAA這里是公鑰
//主機ID存儲在本地客戶端系統(tǒng)上的 ~/.ssh/known_hosts 中
//此處也可以換ip地址，之后還是可以進行登錄，因為公鑰沒有發(fā)生改變
[root@xbz ~]# cd /etc/ssh/
[root@xbz ssh]# ll
total 600
-rw-r--r--. 1 root root     577388 Apr 27  2020 moduli
-rw-r--r--. 1 root root       1770 Apr 27  2020 ssh_config
drwxr-xr-x. 2 root root         28 Jul 19 16:14 ssh_config.d
-rw-------. 1 root root       4269 Apr 27  2020 sshd_config
-rw-r-----. 1 root ssh_keys    492 Jul 19 16:18 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Jul 19 16:18 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Jul 19 16:18 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Jul 19 16:18 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   2578 Jul 19 16:18 ssh_host_rsa_key
-rw-r--r--. 1 root root        554 Jul 19 16:18 ssh_host_rsa_key.pub
[root@xbz ssh]# less ssh_host_ecdsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSoeRQB8V3OnJODV2Pat9qBx6Gaytfm
jE6RKOrJgKaDGwVH70nfWMbZUYXfU3T8vKnz8AYOmXUZBBXkcZSM2kofAAAAoP4DJvj+Ay
b4AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NX
Y9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh
8AAAAhAP8Fsmj6nWXKoVWYgPeuv22eYQK8hQn4Wrr7PTXRlztaAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
//可以在服務(wù)端查看是否一樣
[root@lnh ~]# ls /etc/ssh/*key*
/etc/ssh/ssh_host_ecdsa_key      /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub  /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key    /etc/ssh/ssh_host_rsa_key.pub
//主機密鑰存儲在SSH服務(wù)器上的 /etc/ssh/ssh_host_key* 中
//有pub的是公鑰，其他的是私鑰

配置基于 SSH 密鑰的身份驗證

在客戶端上面的操作:
[root@lnh ~]# ssh-keygen -t rsa  //-t是指定算法 rsa算法
Enter file in which to save the key (/root/.ssh/id_rsa):  //確認這個秘鑰保存在括號里面那個目錄里面？id_rsa是私鑰
Enter passphrase (empty for no passphrase): //請設(shè)置私鑰的密碼
Enter same passphrase again: //重新輸入私鑰密碼
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Tgi3RqIiIw0nt3uMxeuyw3J3DM3uN8PUK4ItiDoWlXM root@lnh
The key's randomart image is:
+---[RSA 3072]----+    //rsa算法 長度3072
|                 |
|                 |
|o o + o          |
| * B E o         |
|= = =o+ S.       |
|o+ =.ooo. .      |
| o+.+* o.  .     |
|+.*o+ * * .      |
|++.=.+.o +       |
+----[SHA256]-----+
[root@lnh ~]# ls .ssh/
id_rsa  id_rsa.pub  known_hosts
//可以查看到私鑰，pub結(jié)尾的是公鑰
把這個客戶機上面的公鑰發(fā)送給服務(wù)端
[root@lnh ~]# ssh-copy-id root@192.168.222.251
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.251's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.222.251'"
and check to make sure that only the key(s) you wanted were added.
//因為我的公鑰就是叫id_rsa.pub 這個名字所以直接用這個
//如果公鑰不叫id_rsa.pub ，那么要指定位置 [root@lnh ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.222.251
在服務(wù)端查看：
[root@xbz ~]# ls .ssh/
authorized_keys
//這個就是傳過來的公鑰
在客戶端：
[root@lnh ~]# ssh root@192.168.222.251
Last login: Tue Jul 19 1736 2022 from 192.168.222.1
//可以查看到可以直接免密登錄
在服務(wù)端也進行設(shè)置秘鑰
[root@xbz ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FppTggRIQaZOQGlZHVBCOyG5RicFG80NYUU9xl8wCys root@xbz
The key's randomart image is:
+---[RSA 3072]----+
|=@&%@=+. o.      |
|=B==++ =o o.     |
|+o+o.Eo.=..      |
|oo  . .= o       |
|..    + S        |
|       o         |
|                 |
|                 |
|                 |
+----[SHA256]-----+
[root@xbz ~]# ls .ssh/
authorized_keys  id_rsa  id_rsa.pub
[root@xbz ~]# ssh-copy-id  root@192.168.222.250
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.222.250 (192.168.222.250)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.250's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.222.250'"
and check to make sure that only the key(s) you wanted were added.
在客戶端查看:
[root@xbz ~]# ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
在服務(wù)端登錄驗證:
[root@xbz ~]# ssh root@192.168.222.250
Last login: Tue Jul 19 1754 2022 from 192.168.222.1
//直接免密登錄

//scp命令常用選項
-r //遞歸復(fù)制
-p //保持權(quán)限
-P //端口
-q //靜默模式
-a //全部復(fù)制

鏈接：https://www.cnblogs.com/tushanbu/p/16495244.html