# Jump-host platform setup
10.10.87.117 (internal jump host) -> 103.56.195.xx (external bastion) -> (external servers)
Internal jump host:
1. Login menu script: /root/new-change/login.sh
2. hosts file: /root/new-change/hosts
3. Login-forwarding script: /root/new-change/server_login.sh
4. One private-key file per server: /root/new-change/*-fortress, mode 600
External bastion: /home/transfor/.ssh/authorized_keys holds every server's public key; the bastion forwards the session on to the target.
External servers:
1. Generate a key pair: ssh-keygen -t rsa -P ''
2. Rename the public key to authorized_keys: mv id_rsa.pub authorized_keys
3. Copy the private key id_rsa to the internal jump host as *-fortress; append the public key (authorized_keys) to the external bastion's .ssh/authorized_keys
4. Restrict sshd logins: PermitRootLogin no; RSAAuthentication yes; PubkeyAuthentication yes; PasswordAuthentication no
5. Firewall: allow only the external bastion's IP on port 22
# Configuration files:
# Internal jump host
[iyunv@transfor new-change]# ll /root/new-change/
总用量 116
-rw------- 1 root root 1675 10月 24 18:41 Apache01-new-fortress
-rw------- 1 root root 1679 10月 24 18:45 Apache02-new-fortress
-rw------- 1 root root 1679 10月 24 18:49 Apache03-new-fortress
-rw------- 1 root root 1675 10月 24 18:52 Apache04-new-fortress
-rw------- 1 root root 1679 10月 24 19:48 CP-apache01-new-fortress
-rw------- 1 root root 1675 10月 24 19:53 CP-apache02-2-new-fortress
-rw------- 1 root root 1679 10月 24 19:56 CP-apache02-new-fortress
-rw------- 1 root root 1679 10月 24 20:04 CP-apache03-new-fortress
-rw------- 1 root root 1679 10月 24 20:12 CP-apache04-2-new-fortress
-rw------- 1 root root 1675 10月 24 20:09 CP-apache04-new-fortress
-rw------- 1 root root 1679 10月 24 19:36 CP-mysql01-new-fortress
-rw------- 1 root root 1675 10月 24 19:40 CP-mysql02-new-fortress
-rw------- 1 root root 1675 10月 24 19:43 CP-mysql03-new-fortress
-rw------- 1 root root 1675 10月 24 20:16 CP-redis-new-fortress
-rw------- 1 root root 1679 10月 24 18:33 Finance-new-fortress
-rw------- 1 root root 1679 10月 24 14:42 Fortress-new-fortress
-rw-r--r-- 1 root root 767 10月 26 14:27 hosts
-rwxr-xr-x 1 root root 6556 10月 26 14:25 login.sh
-rw------- 1 root root 1679 10月 24 15:18 Mongo01-new-fortress
-rw------- 1 root root 1675 10月 24 17:16 Mongo02-new-fortress
-rw------- 1 root root 1675 10月 24 17:43 Mongo03-new-fortress
-rw------- 1 root root 1675 10月 24 17:50 Mongolog-new-fortress
-rw------- 1 root root 1679 10月 24 17:55 Mysql01-new-fortress
-rw------- 1 root root 1679 10月 24 18:55 Redismem-new-fortress
-rwxr-xr-x 1 root root 216 10月 25 19:15 server_login.sh
-rw------- 1 root root 1675 10月 26 11:45 SZ-apache01-fortress
-rw------- 1 root root 1679 10月 26 12:01 SZ-git-fortress
-rw------- 1 root root 1675 10月 26 12:02 SZ-nginx01-fortress
[iyunv@transfor new-change]# cat login.sh
#!/bin/bash
# Run from the directory holding hosts, server_login.sh and the *-fortress keys
cd "$(dirname "$0")" || exit 1

# Release checklist: re-prompt until the operator types exactly "I agree!"
function show(){
cat <<'EOF'
Before publishing a release, please confirm the following:
1. It has been tested in pre-release without problems;
2. You know how the new version's required system configuration differs from the old one;
3. The customer has been notified of the release contents and release time.
If you agree, type "I agree!"; otherwise press Ctrl + C to exit:
EOF
read -p "Enter your choice: " b
if [ "$b" != "I agree!" ]; then
    show
fi
}

cat <<'EOF'
*** Welcome to the Mopgaming Server Environment. This is the internal jump-host platform. ***
------------------------------------------------------------------------------------------------
 Num | ServerName        | IP             |<==>| Num | ServerName        | IP             |<==>|
------------------------------------------------------------------------------------------------
   1 | Mongo01-new       | 103.56.195.xx  |<==>|   2 | Mongo02-new       | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
   3 | Mongo03-new       | 103.56.195.xx  |<==>|   4 | Mongolog-new      | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
   5 | Finance-new       | 103.56.195.xx  |<==>|   6 | Mysql01-new       | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
   7 | Apache01-new      | 103.56.195.xx  |<==>|   8 | Apache02-new      | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
   9 | Apache03-new      | 103.56.195.xx  |<==>|  10 | Apache04-new      | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
  11 | Redismem-new      | 103.56.195.xx  |<==>|  12 | Fortress-new      | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
  13 | CP-mysql01-new    | 103.56.195.xx  |<==>|  14 | CP-mysql02-new    | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
  15 | CP-mysql03-new    | 103.56.195.xx  |<==>|  16 | CP-apache01-new   | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
  17 | CP-apache02-new   | 103.56.195.xx  |<==>|  18 | CP-apache02-2-new | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
  19 | CP-apache03-new   | 103.56.195.xx  |<==>|  20 | CP-apache04-new   | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
  21 | CP-apache04-2-new | 103.56.195.xx  |<==>|  22 | CP-redis-new      | 103.56.195.xx  |<==>|
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
  23 | SZ-apache01       | 45.116.147.xx  |<==>|  24 | SZ-nginx01        | 45.116.147.xx  |<==>|
------------------------------------------------------------------------------------------------
  25 | SZ-git            | 45.116.147.xx  |<==>|  26 |                   |                |<==>|
------------------------------------------------------------------------------------------------
  27 |                   |                |<==>|  28 |                   |                |<==>|
------------------------------------------------------------------------------------------------
EOF
read -p "Select a server number: " a
case $a in
1)
    show
    ./server_login.sh Mongo01-new
    ;;
2)
    show
    ./server_login.sh Mongo02-new
    ;;
3)
    show
    ./server_login.sh Mongo03-new
    ;;
4)
    show
    ./server_login.sh Mongolog-new
    ;;
5)
    show
    ./server_login.sh Finance-new
    ;;
# ... cases 6 through 25 follow the same pattern (elided in the original post)
*)
    echo "Unknown server number: $a" >&2
    ;;
esac
[iyunv@transfor new-change]# cat server_login.sh
#!/bin/bash
# Usage: server_login.sh <ServerName>  (the name must be a line in ./hosts)
name="$1"
# Start an agent for this session and load the target server's private key
eval "$(ssh-agent -s)"
ssh-add "${name}-fortress"
# Look up the IP by exact name (anchored, so a prefix cannot match another
# entry) and turn "Name IP" into the command "ssh IP"
host=$(grep "^${name}[[:space:]]" hosts)
cmd=$(sed "s/^${name}/ssh/" <<< "$host")
# Log in to the external bastion, wait for its prompt and send the second
# hop; that hop authenticates with the key loaded above, so agent forwarding
# (-A) must be on. interact then hands the session to the operator.
expect -c "
spawn ssh -A transfor@103.56.195.14
expect \"fortress\"
send \"$cmd\\n\"
interact
"
# Remove the agent so the key does not outlive the session
ssh-agent -k >/dev/null
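As an added example (not the post's own scripts), the following is a data-driven version of login.sh and server_login.sh: the menu comes from the hosts file, the choice is validated, a key that is not mode 600 is refused, and the expect dialogue is replaced by agent forwarding through the bastion. The hosts format, key naming and bastion account are the post's; the function names, the --menu flag and the HOSTS_FILE/BASTION variables are assumptions.

```shell
#!/bin/bash
# Added example (not the original post's scripts): a data-driven replacement
# for login.sh + server_login.sh. Assumes the post's layout: a hosts file of
# "Name IP" lines and one private key per server named "<Name>-fortress".
set -u
HOSTS_FILE="${HOSTS_FILE:-hosts}"
BASTION="${BASTION:-transfor@103.56.195.14}"   # external bastion from the post

# IP of an exact server name; matched on the whole first field, so "Nginx0"
# cannot match "Nginx03". Fails if the name is absent or listed twice.
lookup_host() {
    hits=$(awk -v n="$1" '$1 == n { print $2 }' "$HOSTS_FILE")
    [ "$(printf '%s\n' "$hits" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$hits"
}

# Refuse a key that is group- or world-readable (the post requires mode 600).
check_key_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Menu rows come from the hosts file instead of a hand-maintained case block.
show_menu() {
    awk '{ printf "%3d | %-18s | %s\n", NR, $1, $2 }' "$HOSTS_FILE"
}

# Map a menu number to a server name; reject non-numeric or out-of-range
# input, which the original case statement silently ignored.
select_server() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    total=$(grep -c . "$HOSTS_FILE")
    [ "$1" -ge 1 ] && [ "$1" -le "$total" ] || return 1
    awk -v n="$1" 'NR == n { print $1 }' "$HOSTS_FILE"
}

# Interactive path: validate, then load the key into a throw-away agent that
# exits with the session, and hop through the bastion with agent forwarding.
main() {
    show_menu
    printf 'Select a server number: '; read -r choice
    name=$(select_server "$choice") || { echo "invalid choice" >&2; exit 1; }
    ip=$(lookup_host "$name") || { echo "no unique hosts entry for $name" >&2; exit 1; }
    check_key_perms "${name}-fortress" || { echo "key missing or not mode 600" >&2; exit 1; }
    ssh-agent sh -c "ssh-add '${name}-fortress' && ssh -A -t '$BASTION' ssh transfor@'$ip'"
}
if [ "${1:-}" = "--menu" ]; then main; fi
```

Run it as ./jump.sh --menu from the directory holding hosts and the *-fortress keys; ssh-agent started with a command argument removes itself when that command ends, so the key is never left in a lingering agent.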
[iyunv@transfor new-change]# cat hosts
Fortress-new 103.56.195.xx
Mongo01-new 103.56.195.xx
Mongo02-new 103.56.195.xx
Mongo03-new 103.56.195.xx
Mongolog-new 103.56.195.xx
Finance-new 103.56.195.xx
Mysql01-new 103.56.195.xx
Apache01-new 103.56.195.xx
Apache02-new 103.56.195.xx
Apache03-new 103.56.195.xx
Apache04-new 103.56.195.xx
Redismem-new 103.56.195.xx
CP-mysql01-new 103.56.195.xx
CP-mysql02-new 103.56.195.xx
CP-mysql03-new 103.56.195.xx
CP-apache01-new 103.56.195.xx
CP-apache02-new 103.56.195.xx
CP-apache02-2-new 103.56.195.xx
CP-apache03-new 103.56.195.xx
CP-apache04-new 103.56.195.xx
CP-apache04-2-new 103.56.195.xx
CP-redis-new 103.56.195.xx
SZ-apache01 45.116.147.xx
SZ-nginx01 45.116.147.xx
SZ-git 45.116.147.xx
[iyunv@transfor new-change]# cat Mongo01-new-fortress
# External bastion
[transfor@fortress-new ~]$ ll .ssh/
总用量 24
-rw-r--r--. 1 transfor transfor 10499 10月 26 12:01 authorized_keys
-rw-------. 1 transfor transfor 1679 10月 24 16:25 id_rsa
-rw-r--r--. 1 transfor transfor 4370 10月 26 12:02 known_hosts
[transfor@fortress-new .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzWRI...ArAtdN3yzYlae transfor@mysql-mongo-test
ssh-rsa AAAAB3NUZT/...OyKL9JHK7L root@localhost.localdomain
ssh-rsa AAAAB3N....9yRL8GboXtRpLyBxNf5WISuagh+bgPBX3 transfor@mongo01-new
...
# External server
[transfor@mongo01-new ~]$ ll /home/transfor/.ssh/
总用量 8
-rw-r--r--. 1 transfor transfor 402 10月 24 03:16 authorized_keys
-rw-------. 1 transfor transfor 1679 10月 24 03:16 id_rsa
service firewalld start
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=103.56.195.xx port port=22 protocol=tcp accept'    (the firewall opens port 22 to the external bastion's IP only)
vim /etc/firewalld/zones/public.xml
...
#<service name="dhcpv6-client"/>
#<service name="ssh"/>
Do not expose the ssh service to all IPs; only the specified IP may log in. Commenting out the ssh service in the zone file has the same effect as firewall-cmd --permanent --remove-service=ssh; both permanent changes only take effect after the restart below, so confirm with --list-all that the rich rule is present before closing your current session.
...
service firewalld restart
firewall-cmd --list-all
# Configure sshd: key-based login only, no root and no password logins
vim /etc/ssh/sshd_config
...
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
...
RSAAuthentication yes
PubkeyAuthentication yes
...
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
...
# Example: adding a new server to the jump-host system
Production environment: add one external server behind the external bastion. Only the external bastion may connect to it, no other machine; internal users reach it through the external bastion.
(1) Generate the key pair on the server
[iyunv@nginx03 ~]# rm -f 1.sh    (initialize the host first, following the apache03 deployment)
[iyunv@nginx03 ~]# useradd transfor
[iyunv@nginx03 ~]# passwd transfor
[iyunv@nginx03 ~]# su - transfor
[transfor@nginx03 ~]$ ssh-keygen -t rsa -P ''
[transfor@nginx03 ~]$ mv .ssh/id_rsa.pub .ssh/authorized_keys
[transfor@nginx03 ~]$ su
[iyunv@nginx03 transfor]# chmod 700 /home/transfor
[iyunv@nginx03 transfor]# chmod 700 /home/transfor/.ssh/
[iyunv@nginx03 transfor]# ls -rtl /home/transfor/.ssh
-rw------- 1 transfor transfor 1675 Sep 30 15:13 id_rsa
-rw-r--r-- 1 transfor transfor 398 Sep 30 15:13 authorized_keys
[iyunv@nginx03 transfor]# cat /home/transfor/.ssh/id_rsa
[iyunv@nginx03 transfor]# cat /home/transfor/.ssh/authorized_keys
ssh-rsa AAA..........P6gO+X8BYwi+ciN6TIjW3m4uwOxMeihkvd8664QD transfor@nginx03
[iyunv@nginx03 transfor]#
(2) Copy the id_rsa generated on server nginx03 in step (1) to the internal jump host 10.10.86.117
[iyunv@localhost NEW]# pwd
/root/NEW
[iyunv@localhost NEW]# ls
Apache03-fortress Fortress-fortress hosts login.sh Nginx01-fortress Nginx02-fortress server_login.sh server_login.sh.old
[iyunv@localhost NEW]# vi hosts
[iyunv@localhost NEW]# cat hosts
Nginx01 122.10.70.xx
Nginx02 122.10.70.xx
Nginx03 122.10.70.xx    (add this line)
Apache03 122.10.70.xx
Fortress 122.10.70.xx
[iyunv@localhost NEW]# vi Nginx03-fortress    (paste in the id_rsa from nginx03)
[iyunv@localhost NEW]# chmod 600 Nginx03-fortress
[iyunv@localhost NEW]#
[iyunv@localhost NEW]# vi login.sh
[iyunv@localhost NEW]# cat login.sh
#!/bin/bash
# Run from the directory holding hosts, server_login.sh and the *-fortress keys
cd "$(dirname "$0")" || exit 1
cat <<'EOF'
*This is a login server's scripts*
----------------------------------------------------------------------------------
 Num | ServerName | IP             |<==>| Num | ServerName | IP             |<==>|
----------------------------------------------------------------------------------
   1 | Nginx01    | 122.10.70.xx   |<==>|   2 | Nginx02    | 122.10.70.xx   |<==>|
----------------------------------------------------------------------------------
   3 | Nginx03    | 122.10.70.xx   |<==>|   4 |            |                |<==>|
----------------------------------------------------------------------------------
  10 | Apache03   | 122.10.70.xx   |<==>|  12 | Fortress   | 122.10.70.xx   |<==>|
----------------------------------------------------------------------------------
EOF
read -p "Please input a Num:" a
case $a in
1)
    ./server_login.sh Nginx01
    ;;
2)
    ./server_login.sh Nginx02
    ;;
3)
    ./server_login.sh Nginx03
    ;;
10)
    ./server_login.sh Apache03
    ;;
12)
    ./server_login.sh Fortress
    ;;
*)
    echo "Unknown Num: $a" >&2
    ;;
esac
[iyunv@localhost NEW]# ll
-rw-------. 1 root root 1679 9月 30 12:42 Apache03-fortress
-rw-------. 1 root root 1675 9月 30 12:43 Fortress-fortress
-rw-r--r--. 1 root root 147 9月 30 15:17 hosts
-rwxr-xr-x. 1 root root 1554 9月 30 15:32 login.sh
-rw-------. 1 root root 1675 9月 30 14:37 Nginx01-fortress
-rw-------. 1 root root 1675 9月 30 15:00 Nginx02-fortress
-rw-------. 1 root root 1675 9月 30 15:19 Nginx03-fortress
-rwxr-xr-x. 1 root root 216 9月 30 12:44 server_login.sh
-rwxr-xr-x. 1 root root 217 9月 30 13:04 server_login.sh.old
[iyunv@localhost NEW]#
(3) Copy the id_rsa.pub (i.e. authorized_keys) generated on server nginx03 in step (1) to the external bastion 122.10.70.66
[iyunv@fortress ~]# vi /home/transfor/.ssh/authorized_keys    (append the authorized_keys from nginx03, i.e. its original id_rsa.pub)
[iyunv@fortress ~]# cat /home/transfor/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2E.....ix0fdRf/hz/B+PqCCVlzQZHEUV8l transfor@fortress.com
#Nginx02
ssh-rsa AA............pqq6OSTpez0Vuyfee1b7Cy5FS2ogvMeV4l6Tl3f transfor@nginx02
#Nginx03
ssh-rsa AAAAB........P6gO+X8BYwi+ciN6TIjW3m4uwOxMeihkvd8664QD transfor@nginx03
[iyunv@fortress ~]#
(4) Change the firewall and /etc/ssh/sshd_config on the server (nginx03) so that only key-based login is allowed
Apply the same firewalld configuration as in the external-server section above: the rich rule admitting only the external bastion's IP on port 22, the ssh service removed from the public zone, a firewalld restart, then firewall-cmd --list-all to confirm.
[iyunv@nginx03 transfor]# vi /etc/ssh/sshd_config    (change the following places; the 6 marked (1) are mandatory)
PermitRootLogin no (1)
RSAAuthentication yes (1) T1
PubkeyAuthentication yes (1) T2
AuthorizedKeysFile .ssh/authorized_keys (1) T3
PermitEmptyPasswords no (1)
PasswordAuthentication no (1) change yes to no to forbid password login (if files will be pushed to this host later, it cannot be set to no; keep yes) T4
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
UseDNS no
UsePAM yes (1) add this line, otherwise warnings appear in the log; authentication is then managed through PAM
[iyunv@nginx03 transfor]# systemctl restart sshd
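The sshd_config changes in this step and in the external-server section above can be checked mechanically. As an added example (not from the post), the following audits a config file for the required values using sshd's own first-match rule, which is the failure mode a hand edit tends to hit: an uncommented "PasswordAuthentication yes" left earlier in the file silently wins over the "no" added later. Function names and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# settings the post requires. sshd uses the FIRST uncommented value of each
# keyword, so a later "PasswordAuthentication no" does not override an
# earlier "yes"; the check below applies the same first-match rule and stops
# at the first Match block, whose settings are conditional.

# Print the effective value of one keyword (case-insensitive, "Key value" or
# "Key=value" form), or nothing when the file does not set it.
sshd_effective() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        { l = $0; sub(/[ \t]*=[ \t]*/, " ", l); split(l, f, /[ \t]+/) }
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$2"
}

# Compare the effective settings with the post's required values; print one
# line per deviation and return non-zero if there is any. Unset keywords are
# reported too, since the post wants each one set explicitly.
sshd_audit() {
    cfg="$1"; bad=0
    for want in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no PermitEmptyPasswords=no \
                AuthorizedKeysFile=.ssh/authorized_keys; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sshd_effective "$key" "$cfg")
        if [ "$got" != "$exp" ]; then
            printf '%s: required %s, effective %s\n' "$key" "$exp" "${got:-(unset)}"
            bad=1
        fi
    done
    return "$bad"
}
```

Run it as sshd_audit /etc/ssh/sshd_config after editing and before restarting sshd; sshd -T prints the daemon's own view of the effective settings and is the authoritative cross-check. RSAAuthentication from the post is an SSH protocol 1 keyword that OpenSSH 7.4 and later treat as deprecated and ignore, so it is not in the list.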
(5) Test the login from the internal jump host 10.10.86.117
[iyunv@localhost NEW]# ./login.sh
*This is a login server's scripts*
------------------------------------------------------------------------------------------
Num |ServerName| IP |<==>| Num | ServerName | IP |<==>|
-------------------------------------------------------------------------------------------
1 | Nginx01 | 122.10.70.xx |<==>| 2 | Nginx02 | 122.10.70.xx |<==>|
-------------------------------------------------------------------------------------------
3 | Nginx03 | 122.10.70.xx |<==>| 4 | | |<==>|
------------------------------------------------------------------------------------------
10 | Apache03 | 122.10.70.xx |<==>| 12 | Fortress | 122.10.70.xx |<==>|
-------------------------------------------------------------------------------------------
Please input a Num:3
Agent pid 2177
Identity added: Nginx03-fortress (Nginx03-fortress)
spawn ssh transfor@122.10.70.xx
Last login: Tue Sep 30 03:11:06 2014 from 192.249.85.167
[transfor@fortress ~]$ ssh 122.10.70.xx
The authenticity of host '122.10.70.xx (122.10.70.xx)' can't be established.
ECDSA key fingerprint is f7:b9:e6:34:e5:15:6e:3f:c1:e1:2e:6a:97:f9:a4:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '122.10.70.218' (ECDSA) to the list of known hosts.
Last login: Tue Sep 30 15:13:00 2014
[transfor@nginx03 ~]$ su
密码:
[iyunv@nginx03 transfor]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:a0:d1:ea:8a:6c brd ff:ff:ff:ff:ff:ff
inet 122.10.70.xx/29 brd 122.10.70.223 scope global em1
valid_lft forever preferred_lft forever
inet 123.60.134.218/29 brd 123.60.134.223 scope global em1:4