Linux ❉ SSH服务器_there was 1 failed login attempt

一 介绍

        SSH - Secure Shell 安全外壳协议：SSH 为建立在应用层基础上的安全协议。SSH 是较可靠，专为远程登录会话和其他网络服务提供安全性的协议。利用 SSH 协议可以有效防止远程管理过程中的信息泄露问题；

        服务端口：TCP 22；

         此服务默认安装并开启，此处我们只研究其使用方法

[root@slave1 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-12-12 06:46:02 EST; 2 days ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1104 (sshd)
    Tasks: 1
   Memory: 1.9M
   CGroup: /system.slice/sshd.service
           └─1104 /usr/sbin/sshd -D
 
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

SSH和TELNET的区别

        SSH是加密的，基于SSL。而TELNET是明码传输的，发送的数据被监听后不需要解密就可以看到内容。两者本来端口也有差异，但是ssh的监听端口可以修改，所以这个也不能算是区别。

        一般不建议使用telnet。

二 配置文件内容详解

SSH服务配置路径：/etc/ssh/sshd_config

[root@slave1 ~]# cat /etc/ssh/sshd_config
#Port 22								/监听端口；
#AddressFamily any	       			    /兼用IPv4和IPv6；
#ListenAddress 0.0.0.0					/监听地址，0.0.0.0表示所有IPv4地址；
#ListenAddress ::						/监听地址，0.0.0.0表示所有IPv6地址；
HostKey /etc/ssh/ssh_host_rsa_key		/rsa私钥认证；
HostKey /etc/ssh/ssh_host_ecdsa_key		/ecdsa私钥认证；
HostKey /etc/ssh/ssh_host_ed25519_key	/ed25519私钥认证；
#SyslogFacility AUTH
SyslogFacility AUTHPRIV	       			 /当被登录时会记录登录信息；
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes						/允许root用户直接登录；
#StrictModes yes						/允许sshd检查用户主目录或相关文件的权限数据；
#MaxAuthTries 6							/最大登录尝试次数，全部失败需要等待；
#MaxSessions 10							/最大会话数；
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys	/服务器生成一对公私钥之后，会将公钥放到.ssh/authorized_keys里面，将公钥发给客户端；
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no			  				   /是否反解DNS；
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server	/支持sftp连接；
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server    

 三 服务配置

1 修改登陆端口号

注意关闭防火墙和selinux

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0

# 修改端口
[root@localhost ~]# cat /etc/ssh/sshd_config | grep Port
Port 222
[root@localhost ~]# systemctl restart sshd
 
 
 
# 验证结果，注意端口号和地址之间不需要冒号，否则会作为一个地址使用导致无法解析
# 用户名可加可不加，实验嘛
[c:\~]$ ssh root@192.168.247.134 222
 
 
Connecting to 192.168.247.134:222...
Connection established.

2 限制root账户直接登录

# 新建用户并创建密码
[root@localhost ~]# useradd wangjie
[root@localhost ~]# id wangjie
uid=1000(wangjie) gid=1000(wangjie) groups=1000(wangjie)
[root@localhost ~]# passwd wangjie
Changing password for user wangjie.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
 
# 修改配置
[root@localhost ~]# cat /etc/ssh/sshd_config | grep PermitRoot
PermitRootLogin no
 
[root@localhost ~]# systemctl restart sshd

验证结果：root不能主动登陆，但是新建的用户可以 

[c:\~]$ ssh wangjie@192.168.247.134 222
 
 
Connecting to 192.168.247.134:222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
 
Last failed login: Thu Dec 16 03:19:07 CST 2021 from 192.168.247.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
/usr/bin/xauth:  file /home/wangjie/.Xauthority does not exist
[wangjie@192 ~]$ 
[wangjie@192 ~]$ pwd
/home/wangjie
[wangjie@192 ~]$ su - root
Password: 
Last login: Thu Dec 16 01:38:47 CST 2021 on :0
Last failed login: Thu Dec 16 03:28:38 CST 2021 from 192.168.247.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@192 ~]# pwd
/root
# 输入Ctrl + D
[root@192 ~]# logout
[wangjie@192 ~]$ logout

3 限制登录账户

[root@localhost ~]# cat /etc/ssh/sshd_config | grep AllowUser
AllowUsers root
# #本配置sshd主配置文件没有相关语句，需要在后面自行添加，若多个账户需要被限制用空格隔开
[root@localhost ~]# systemctl restart sshd
 
 
# 测试结果：redhat不能主动登录，root可以主动登录
[c:\~]$ ssh root@192.168.247.134 222
 
 
Connecting to 192.168.247.134:222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
 
Last login: Thu Dec 16 03:29:58 2021
/usr/bin/xauth:  file /root/.Xauthority does not exist
[root@192 ~]#