• Archive by category "运维" (Operations)

Blog Archives

Configuring RSA public/private key SSH login to CentOS from a Mac

1. Generate a key pair on the local Mac

OpenSSH provides ssh-keygen for generating key pairs; call it without any arguments:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa):

If you have never generated a key pair before, just press Enter (check with `vi ~/.ssh/id_rsa` first to avoid overwriting an existing key; if you already have one, enter a new file name).

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/user/.ssh/_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
8a:77:ec:a1:77:42:8d:5d:ab:17:33:ac:87:06:20:3c user@mbp101
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|   .             |
|    E .     .    |
|     o .S+ o .   |
|     . o+ o *    |
|    . o.+. + +   |
|     . +o.* o    |
|      ...+ o     |
+-----------------+

If you don't want to be asked for a passphrase every time you connect (the passphrase is what unlocks that particular private key), just press Enter at the passphrase prompt when creating the key pair. Whether or not to encrypt the key with a passphrase is entirely your decision. If you don't encrypt the key, anyone who takes over your local machine automatically gets SSH access to the remote server. Also, root on the local machine can read your key: but if you can't trust root (or root has already been compromised), you are already in deep trouble. Encrypting the key gives up passphrase-free SSH logins in exchange for extra security; the price is typing the passphrase whenever you use the key.

Note: I did not use the default id_rsa here, because my id_rsa already has something in it, so I used xxx_rsa; this requires extra configuration in ~/.ssh/config.

Add:

Host yongyao.li
        User xxx
        Hostname yongyao.li
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/yongyaoli_rsa

so that ssh can find the right private key. I also set a passphrase on the private key; when logging in, the Mac keychain prompts for it, and after you enter it once the keychain remembers it, so you don't have to type the key passphrase every time.

2. Upload the key

Upload your public key to the remote SSH server with scp or sftp, then append its contents to ~/.ssh/authorized_keys on the server:

$ scp ~/.ssh/id_rsa.pub user@host:
$ ssh user@host
$ mkdir -p ~/.ssh        # in case this account has never used ssh
$ cat id_rsa.pub >> ~/.ssh/authorized_keys

3. Permissions on the ~/.ssh files

Now set the permissions on the private key on the local Mac:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Set the file permissions on the CentOS server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

If StrictModes is enabled in /etc/ssh/sshd_config (the default), the permissions above are required.

4. Once you have verified that you can log in to the server with the key pair, add the following to /etc/ssh/sshd_config on your CentOS server to disable password authentication:

# Disable password authentication; require key pairs
PasswordAuthentication no

Restart sshd:

# service sshd restart

Now, if you try to log in from a different machine or a VM, you get the following:

# ssh xxx@yongyao.li
Permission denied,  (publickey,gssapi-keyex,gssapi-with-mic)
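As an added example (not part of the original post), the following Python script checks the two things steps 3 and 4 above rely on: that ~/.ssh, authorized_keys and the private key carry the modes StrictModes and ssh expect, and what the effective global values of PasswordAuthentication and StrictModes in an sshd_config text are. The directory layout it audits is constructed in a temporary directory; the names audit_ssh_dir, sshd_settings and demo are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path

# Bits that must be clear for sshd's StrictModes to accept the server-side
# files: the directory and authorized_keys must not be group/world writable.
GROUP_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
# A private key should not be accessible to group or others at all.
GROUP_WORLD_ANY = stat.S_IRWXG | stat.S_IRWXO


def audit_ssh_dir(ssh_dir, private_key="id_rsa"):
    """Return a list of permission findings for an ~/.ssh directory.

    An empty list means the layout matches the chmod 700/600 steps above.
    """
    findings = []
    d = Path(ssh_dir)
    if not d.is_dir():
        return [f"{d}: not a directory"]
    dmode = stat.S_IMODE(d.stat().st_mode)
    if dmode & GROUP_WORLD_WRITE:
        findings.append(f"{d}: mode {dmode:o} is group/world writable (want 700)")
    ak = d / "authorized_keys"
    if ak.exists():
        m = stat.S_IMODE(ak.stat().st_mode)
        if m & GROUP_WORLD_WRITE:
            findings.append(f"{ak}: mode {m:o} is group/world writable (want 600)")
    key = d / private_key
    if key.exists():
        m = stat.S_IMODE(key.stat().st_mode)
        if m & GROUP_WORLD_ANY:
            findings.append(f"{key}: mode {m:o} is accessible to group/others (want 600)")
    return findings


def sshd_settings(config_text, keywords=("PasswordAuthentication", "StrictModes")):
    """Effective global values of the given sshd_config keywords.

    sshd takes the first occurrence of each keyword, matches keyword names
    case-insensitively and treats '#' as a comment; everything after the
    first 'Match' block is conditional, so parsing stops there.
    """
    wanted = {k.lower(): k for k in keywords}
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key in wanted and wanted[key] not in found:
            found[wanted[key]] = parts[1].strip()
    return found


def demo():
    """Build a constructed ~/.ssh layout with wrong modes, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".ssh"
        d.mkdir()
        (d / "authorized_keys").write_text("ssh-rsa AAAA... user@mbp101\n")  # constructed
        (d / "id_rsa").write_text("-----BEGIN PRIVATE KEY-----\n...\n")     # constructed
        for p, mode in ((d, 0o777), (d / "authorized_keys", 0o664), (d / "id_rsa", 0o644)):
            os.chmod(p, mode)
        before = audit_ssh_dir(d)
        for p, mode in ((d, 0o700), (d / "authorized_keys", 0o600), (d / "id_rsa", 0o600)):
            os.chmod(p, mode)
        after = audit_ssh_dir(d)
    return len(before), len(after)


if __name__ == "__main__":
    print(demo())  # (3, 0): three findings before chmod, none after
    print(sshd_settings("#PasswordAuthentication yes\nPasswordAuthentication no\n"))
```

Point audit_ssh_dir at a real ~/.ssh on either side of the connection to get the same check sshd performs before it will honour authorized_keys; sshd_settings is useful because a commented-out `#PasswordAuthentication yes` line, as shipped in many default configs, is easy to mistake for the effective setting.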

Installing git on CentOS 6.5

# yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
# wget https://www.kernel.org/pub/software/scm/git/git-2.2.0.tar.gz
# tar -zxf git-2.2.0.tar.gz
# cd git-2.2.0
# make prefix=/usr/local all
# make prefix=/usr/local install

If you get the following error:

/usr/bin/perl Makefile.PL PREFIX='/usr/local' INSTALL_BASE='' --localedir='/usr/local/share/locale'
Can't locate ExtUtils/MakeMaker.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at Makefile.PL line 3.
BEGIN failed--compilation aborted at Makefile.PL line 3.
make[1]: *** [perl.mak] Error 2
make: *** [perl/perl.mak] Error 2

it is because perl-devel was not installed.

[Repost] Linux netstat explained

1. Function and description

netstat displays all kinds of network-related information on Linux: network connections, routing tables, interface status, multicast memberships, and so on.

2. Meaning of the parameters

-a (all) show all sockets; by default LISTEN entries are not shown
-t (tcp) show only TCP sockets
-u (udp) show only UDP sockets
-n don't resolve names; everything that can be shown numerically is shown as numbers
-l list only sockets in the Listen state
-p show the program that owns each connection
-r show routing information (the routing table)
-e show extended information, e.g. the uid
-s show statistics per protocol
-c re-run netstat at a fixed interval

Tip: the LISTEN and LISTENING states are only shown with -a or -l.

3. Common examples

3.1 List all ports: netstat -a

[root@zhz jiehun]# netstat -a|more 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 *:sunrpc                    *:*                         LISTEN      
tcp        0      0 *:webcache                  *:*                         LISTEN      
tcp        0      0 *:http                      *:*                         LISTEN      
tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      
tcp        0      0 localhost.localdomain:d-s-n *:*                         LISTEN      
tcp        0      0 *:ssh                       *:*                         LISTEN      
tcp        0      0 localhost.loc:simplifymedia *:*                         LISTEN

3.2 List all TCP ports: netstat -at

[root@zhz jiehun]# netstat -at|more 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 *:sunrpc                    *:*                         LISTEN      
tcp        0      0 *:webcache                  *:*                         LISTEN      
tcp        0      0 *:http                      *:*                         LISTEN      
tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      
tcp        0      0 localhost.localdomain:d-s-n *:*                         LISTEN      
tcp        0      0 *:ssh                       *:*                         LISTEN      
tcp        0      0 localhost.loc:simplifymedia *:*                         LISTEN

3.3 List all UDP ports: netstat -au

[root@zhz jiehun]# netstat -au|more 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
udp        0      0 *:ideafarm-panic            *:*                                     
udp        0      0 *:47005                     *:*                                     
udp        0      0 localhost.loca:memcache     *:*                                     
udp        0      0 *:55276                     *:*                                     
udp        0      0 192.168.122.1:domain        *:*                                     
udp        0      0 *:bootps                    *:*                                     
udp        0      0 *:bootpc                    *:*                                     
udp        0      0 *:sunrpc                    *:*                                     
udp        0      0 *:ipp                       *:*                                     
udp        0      0 *:44236                     *:*                                     
udp        0      0 *:722                       *:*

3.4 Show only listening ports: netstat -l

[root@zhz jiehun]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 *:sunrpc                    *:*                         LISTEN      
tcp        0      0 *:webcache                  *:*                         LISTEN      
tcp        0      0 *:http                      *:*                         LISTEN      
tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      
tcp        0      0 localhost.localdomain:d-s-n *:*                         LISTEN      
tcp        0      0 *:ssh                       *:*                         LISTEN      
tcp        0      0 localhost.loc:simplifymedia *:*                         LISTEN      
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      
tcp        0      0 *:44343                     *:*                         LISTEN      
tcp        0      0 localhost.localdomain:smtp  *:*                         LISTEN

3.5 Show only listening TCP ports: netstat -lt

[root@zhz jiehun]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 *:sunrpc                    *:*                         LISTEN      
tcp        0      0 *:webcache                  *:*                         LISTEN      
tcp        0      0 *:http                      *:*                         LISTEN      
tcp        0      0 192.168.122.1:domain        *:*                         LISTEN      
tcp        0      0 localhost.localdomain:d-s-n *:*                         LISTEN      
tcp        0      0 *:ssh                       *:*                         LISTEN      
tcp        0      0 localhost.loc:simplifymedia *:*                         LISTEN      
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      
tcp        0      0 *:44343                     *:*                         LISTEN      
tcp        0      0 localhost.localdomain:smtp  *:*                         LISTEN

3.6 Show only listening UDP ports: netstat -lu

[root@zhz jiehun]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
udp        0      0 *:ideafarm-panic            *:*                                     
udp        0      0 *:47005                     *:*                                     
udp        0      0 *:47551                     *:*                                     
udp        0      0 localhost.loca:memcache     *:*                                     
udp        0      0 *:55276                     *:*                                     
udp        0      0 192.168.122.1:domain        *:*                                     
udp        0      0 *:bootps                    *:*                                     
udp        0      0 *:bootpc                    *:*                                     
udp        0      0 *:sunrpc                    *:*

3.7 List only listening UNIX domain sockets: netstat -lx

[root@zhz jiehun]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     21941  /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     34096  /tmp/orbit-haozheng/linc-cd2-0-5b33fa1ecf0c9
unix  2      [ ACC ]     STREAM     LISTENING     22263  @/tmp/gdm-greeter-cBlQsyRF
unix  2      [ ACC ]     STREAM     LISTENING     32728  /tmp/.ICE-unix/3103
unix  2      [ ACC ]     STREAM     LISTENING     36866  @/tmp/dbus-AcJrBlWF
unix  2      [ ACC ]     STREAM     LISTENING     20454  /tmp/mysql.sock

3.8 Show statistics for all ports: netstat -s

[root@zhz jiehun]# netstat -s
Ip:
    1943780 total packets received
    2 forwarded
    0 incoming packets discarded
    1769532 incoming packets delivered
    1121573 requests sent out
    132 outgoing packets dropped
    45867 dropped because of missing route
Tcp:
    64002 active connections openings
    7632 passive connection openings
    2309 failed connection attempts
    498 connection resets received
    8 connections established
    1018564 segments received
    1022700 segments send out
    16835 segments retransmited
    2 bad segments received.
    552 resets sent
Udp:
    133420 packets received
    7845 packets to unknown port received.
    0 packet receive errors
    74841 packets sent
    0 receive buffer errors
    0 send buffer errors

3.9 Show statistics for TCP only (netstat -st) or UDP only (netstat -su)

[root@zhz jiehun]# netstat -su
IcmpMsg:
    InType0: 11
    InType3: 13506
    OutType3: 13679
    OutType8: 11
Udp:
    133462 packets received
    7869 packets to unknown port received.
    0 packet receive errors
    74888 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    InNoRoutes: 991
    InMcastPkts: 24308
    OutMcastPkts: 2353
    InBcastPkts: 630615
    OutBcastPkts: 1546
    InOctets: 755319900
    OutOctets: 296705252
    InMcastOctets: 2908748
    OutMcastOctets: 93173
    InBcastOctets: 99500419
    OutBcastOctets: 299980

3.10 Show PID/program name: netstat -p. -p can be combined with other options, for example to show the process IDs behind TCP connections:

[root@zhz jiehun]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 192.168.0.52:44784          123.150.49.20:http          FIN_WAIT2   4207/VirtualBox     
tcp        0      0 192.168.0.52:46715          ie-in-f125.1e100.net:https  ESTABLISHED 4207/VirtualBox     
tcp        0      0 192.168.0.52:43415          geotrust-ocsp-mtv.veri:http FIN_WAIT2   4207/VirtualBox

3.11 Don't show host, port or user names in netstat output. When you don't want hosts, ports and user names displayed, use netstat -n; numbers are shown instead of names. This also speeds up the output, because no lookups are needed. netstat -nltp shows the listening TCP ports with numeric hosts, ports and users:

[root@zhz jiehun]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      971/rpcbind         
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      1526/nginx: master  
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1526/nginx: master  
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      1248/dnsmasq        
tcp        0      0 127.0.0.1:8086              0.0.0.0:*                   LISTEN      1553/python         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1163/sshd           
tcp        0      0 127.0.0.1:8087              0.0.0.0:*                   LISTEN      1553/python         
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1140/cupsd          
tcp        0      0 0.0.0.0:44343               0.0.0.0:*                   LISTEN      1151/rpc.statd      
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      18573/sendmail: acc 
tcp        0      0 127.0.0.1:3002              0.0.0.0:*                   LISTEN      1004/ruby           
tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      1526/nginx: master

This is the one I personally use most.
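Added example, not part of the reposted article: a small Python parser for the `netstat -nltp` listing shown in 3.11, which groups listeners by whether they are bound to all interfaces (0.0.0.0 or ::), to loopback, or to one specific address. That grouping is the first question to ask of any listening-port listing, because a service bound to 0.0.0.0 is reachable from every network the host is attached to. The sample input is the listing above, embedded as constructed data; the function names are this example's own, and the parser also handles UDP lines, which have no State column.

```python
from ipaddress import ip_address

# Constructed sample input: the `netstat -nltp` listing from section 3.11.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      971/rpcbind
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      1526/nginx: master
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1526/nginx: master
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      1248/dnsmasq
tcp        0      0 127.0.0.1:8086              0.0.0.0:*                   LISTEN      1553/python
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1163/sshd
tcp        0      0 127.0.0.1:8087              0.0.0.0:*                   LISTEN      1553/python
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1140/cupsd
tcp        0      0 0.0.0.0:44343               0.0.0.0:*                   LISTEN      1151/rpc.statd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      18573/sendmail: acc
tcp        0      0 127.0.0.1:3002              0.0.0.0:*                   LISTEN      1004/ruby
tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      1526/nginx: master
"""

# Local addresses that mean "every interface on this host".
WILDCARDS = {"0.0.0.0", "::", "*"}


def _split_hostport(addr):
    """'127.0.0.1:25' -> ('127.0.0.1', 25); ':::22' -> ('::', 22); '*:ssh' -> ('*', 'ssh')."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else port)


def parse_netstat(text):
    """Parse the socket lines of `netstat -n[lt]p`-style output.

    TCP lines carry a State column and UDP lines do not, so the number of
    fields before 'PID/Program name' differs; splitting with a maxsplit keeps
    program names that contain spaces intact (e.g. 'nginx: master').
    """
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers, blank lines, UNIX sockets
        if fields[0].startswith("tcp"):
            proto, _rq, _sq, local, _foreign, state, *rest = fields
        else:
            fields = line.split(None, 5)  # no State column for UDP
            proto, _rq, _sq, local, _foreign, *rest = fields
            state = ""
        pidprog = rest[0] if rest else "-"  # '-' when run without root
        host, port = _split_hostport(local)
        pid, _, program = pidprog.partition("/")
        entries.append({
            "proto": proto,
            "host": host,
            "port": port,
            "state": state,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program.strip() or None,
        })
    return entries


def classify(entry):
    """all-interfaces / loopback / specific, judged from the bound local address."""
    host = entry["host"]
    if host in WILDCARDS:
        return "all-interfaces"
    try:
        return "loopback" if ip_address(host).is_loopback else "specific"
    except ValueError:
        return "specific"  # a hostname (output produced without -n)


def listeners_by_exposure(text):
    """Group listening sockets as (port, program) pairs by exposure class."""
    groups = {"all-interfaces": [], "loopback": [], "specific": []}
    for e in parse_netstat(text):
        if e["proto"].startswith("tcp") and e["state"] != "LISTEN":
            continue  # established/closing connections are not listeners
        groups[classify(e)].append((e["port"], e["program"]))
    for g in groups.values():
        g.sort(key=lambda x: (isinstance(x[0], str), x[0]))
    return groups


if __name__ == "__main__":
    for cls, items in listeners_by_exposure(SAMPLE).items():
        print(cls, items)
```

On the sample above the all-interfaces group is rpcbind, nginx (80, 8080, 8000), sshd and rpc.statd; everything else is loopback-only except dnsmasq, which is bound to the virbr0 address. Feeding the script live output (`netstat -nltp | python3 this_script.py`-style plumbing is left to the reader) turns the listing that the author runs most often into a review of what the host actually exposes.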

3.12 Output the listening TCP port information once per second: netstat -ntplc

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      971/rpcbind         
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      1526/nginx: master  
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1526/nginx: master  
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      1248/dnsmasq        
tcp        0      0 127.0.0.1:8086              0.0.0.0:*                   LISTEN      1553/python         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1163/sshd

3.13 Show routing information: netstat -r

[root@zhz jiehun]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         vrouter         0.0.0.0         UG        0 0          0 eth0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
192.168.122.0   *               255.255.255.0   U         0 0          0 virb

3.14 Show the list of network interfaces: netstat -i

[root@zhz jiehun]# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  4943885      0      0      0   901773      0      0      0 BMRU
lo        16436   0   236931      0      0      0   236931      0      0      0 LRU
virbr0     1500   0        0      0      0      0        0      0      0      0 BMU


Configuring PPTP on CentOS 6.5 on a Linode VPS

I previously configured OpenVPN following Linode's official docs, but I could never connect from my Mac, so I decided to try PPTP instead.

PPTP depends on iptables, ppp and pptpd.

1. Install iptables (skip if already installed)

yum install -y iptables

2. Install ppp

yum install -y ppp

3. Install pptpd

First install the EPEL repository (skip if already installed):

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Then:

yum install -y pptpd

4. Edit /etc/pptpd.conf

#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245

Change it to:

localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

5. Edit /etc/ppp/options.pptpd

#ms-dns 10.0.0.1
#ms-dns 10.0.0.2

Change it to:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

This uses Google's Public DNS; you can also change it to OpenDNS's addresses, i.e.:

ms-dns 208.67.222.222
ms-dns 208.67.220.220

6. Edit /etc/ppp/chap-secrets to add the PPTP user names and passwords

When you open it there are only two lines and no accounts at all:

# Secrets for authentication using CHAP
# client server secret IP addresses

Add accounts as needed, one per line, in the format "username pptpd password ip-address", with the fields separated by spaces, for example:

yongyao1 pptpd 1234 *
yongyao2 pptpd 1234 *

7. Change the kernel settings to enable forwarding

Edit /etc/sysctl.conf:

net.ipv4.ip_forward=0

Change to:

net.ipv4.ip_forward=1

Run the following command to apply the changed kernel setting:

sysctl -p

8. Add the iptables forwarding rule

(1) For VPSes on the OpenVZ architecture; 12.34.56.78 is your VPS's public IP address:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 12.34.56.78

(2) For VPSes on the Xen architecture:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

The two commands above are for OpenVZ and Xen VPSes respectively; ask your provider which architecture your VPS uses. Linode uses Xen, so enter:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

Save and restart iptables:

service iptables save
service iptables restart

It reports an error:

Setting chains to policy ACCEPT: security raw nat [FAILED] filter

This error message can be ignored; if you want to get rid of it, search for a fix yourself.

9. Start the pptp service

service pptpd start
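Added example (not from the original post): a Python parser and checker for the /etc/ppp/chap-secrets format used in step 6. It reads "client server secret [addresses]" lines, accepts "#" comments and double-quoted fields, and reports entries that will never be used because the server field does not match the name pptpd authenticates as (assumed here to be pptpd, as in the step 6 examples), duplicate client entries, and one secret shared by several clients. The sample file is constructed from the two accounts in step 6 plus one quoted entry; the function names are this example's own.

```python
import shlex

# Constructed sample input: the two accounts added in step 6, plus one entry
# with double-quoted fields and a fixed client address.
SAMPLE = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
yongyao1 pptpd 1234 *
yongyao2 pptpd 1234 *
"alice smith" pptpd "pass word" 192.168.0.234
"""


def parse_chap_secrets(text):
    """Parse chap-secrets text into one dict per credential line.

    Lines are 'client server secret [addresses]'; '#' starts a comment and
    fields may be double-quoted.  shlex also honours single quotes and
    backslashes, which is a simplification of pppd's own word reader.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            fields = shlex.split(raw, comments=True)
        except ValueError as exc:  # unbalanced quote
            raise ValueError(f"line {lineno}: {exc}") from exc
        if not fields:
            continue  # blank or comment-only line
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'client server secret [addresses]'")
        client, server, secret = fields[:3]
        entries.append({
            "line": lineno,
            "client": client,
            "server": server,
            "secret": secret,
            # an absent fourth field is treated like '*': any address
            "addresses": fields[3] if len(fields) > 3 else "*",
        })
    return entries


def check_chap_secrets(entries, server="pptpd"):
    """Findings worth fixing before handing the file to pptpd.

    `server` is the name pppd authenticates as (the `name` in options.pptpd).
    """
    findings = []
    seen = set()
    by_secret = {}
    for e in entries:
        key = (e["client"], e["server"])
        if key in seen:
            findings.append(f"line {e['line']}: duplicate entry for client "
                            f"{e['client']!r} on server {e['server']!r}")
        seen.add(key)
        if e["server"] not in (server, "*"):
            findings.append(f"line {e['line']}: server field {e['server']!r} "
                            f"does not match {server!r}; entry will not be used")
        by_secret.setdefault(e["secret"], []).append(e["client"])
    for clients in by_secret.values():
        distinct = sorted(set(clients))
        if len(distinct) > 1:
            findings.append("same secret shared by clients " + ", ".join(distinct))
    return findings


if __name__ == "__main__":
    parsed = parse_chap_secrets(SAMPLE)
    for entry in parsed:
        print(entry)
    for finding in check_chap_secrets(parsed):
        print("finding:", finding)
```

Run against the sample, the only finding is that yongyao1 and yongyao2 share the secret 1234, which is exactly the kind of thing to catch when the file is copied from a tutorial; the duplicate and server-name checks catch the two editing mistakes that otherwise show up only as a failed CHAP authentication in the pppd log.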