SSH out-of-band management
The ssh service is a remote management connection tool; on CentOS 7 it is installed by default and started at boot.
SSH (Secure Shell) is a secure channel protocol, mainly used for character-mode remote login, remote copy and similar functions.
It listens on TCP port 22. Package name: openssh
Configuration directory: /etc/ssh
sshd_config: server-side configuration file
ssh_config: client-side configuration file
The client provides the ssh, scp and sftp commands
The server provides the ssh and sftp services
sshd_config:
Port 22 #listening port
AddressFamily any #IP address family (any, inet, inet6)
ListenAddress 0.0.0.0 #listening address, IPv4
ListenAddress :: #listening address, IPv6
PermitRootLogin yes #whether root may log in directly (the CentOS 7 default; on a management interface set it to no and use a normal account plus sudo)
MaxAuthTries 6 #maximum authentication attempts per connection; the connection is dropped after that many failures, and failures are logged once half the value is reached
MaxSessions 10 #maximum number of open shell, login or subsystem sessions multiplexed over one network connection
PubkeyAuthentication yes #whether public key authentication is enabled
AuthorizedKeysFile .ssh/authorized_keys #file holding the clients' public keys, relative to the user's home directory
PasswordAuthentication yes #whether password authentication is enabled
PermitEmptyPasswords no #whether accounts with an empty password may log in
UsePAM yes #authenticate through PAM, i.e. the system's user database and password policy
UseDNS no #whether sshd does a reverse DNS lookup of the client address; yes slows connections down
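As an added example (not part of the original notes): the default values above beside a hardened sshd_config for a management interface, and a small shell audit that parses a config file and flags the risky directives. The listen address 192.168.44.8 and the AllowUsers names w and z are assumptions taken from the hosts used later on this page; the checker only reads a file, it does not run sshd. On a live host, point it at the output of sshd -T, which prints the effective values after defaults and Match blocks have been applied.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# Assumptions: plain directives, no Match blocks (the parser stops at the first Match line);
# the address and user names are placeholders from this page's lab.

# Constructed sample 1: the CentOS 7 defaults quoted in the notes (password and root login on).
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
MaxAuthTries 6
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
UseDNS no'

# Constructed sample 2: hardened for an out-of-band management interface: key-only
# authentication, no direct root, fewer guesses, bound to the management address,
# and an explicit allow list of accounts.
HARDENED_SSHD_CONFIG='Port 22
ListenAddress 192.168.44.8
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
UseDNS no
AllowUsers w z'

# audit_sshd_config FILE
# Prints one "FINDING: ..." line per risky directive; returns 1 if any were found, 0 if clean.
# Like sshd it takes the FIRST value of a repeated keyword and matches keywords case-insensitively;
# an absent keyword is judged by its OpenSSH default (PermitRootLogin and PasswordAuthentication
# default to yes, MaxAuthTries to 6).
audit_sshd_config() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    {
        key = tolower($1); val = tolower($2)
        if (!(key in v)) v[key] = val
    }
    END {
        n = 0
        if (!("permitrootlogin" in v) || v["permitrootlogin"] == "yes") {
            print "FINDING: PermitRootLogin allows direct root login"; n++ }
        if (!("passwordauthentication" in v) || v["passwordauthentication"] == "yes") {
            print "FINDING: PasswordAuthentication enabled (online brute-force target)"; n++ }
        if (("permitemptypasswords" in v) && v["permitemptypasswords"] == "yes") {
            print "FINDING: PermitEmptyPasswords yes"; n++ }
        if (("pubkeyauthentication" in v) && v["pubkeyauthentication"] == "no") {
            print "FINDING: PubkeyAuthentication disabled"; n++ }
        if (!("maxauthtries" in v) || v["maxauthtries"] + 0 > 4) {
            print "FINDING: MaxAuthTries above 4"; n++ }
        if (!("allowusers" in v) && !("allowgroups" in v)) {
            print "FINDING: no AllowUsers/AllowGroups restriction"; n++ }
        exit (n > 0)
    }' "$1"
}

# Stand-alone demonstration: audit both constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_SSHD_CONFIG" > "$demo_dir/weak"
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$demo_dir/hardened"
echo "== weak sshd_config =="
if audit_sshd_config "$demo_dir/weak"; then echo "clean"; else echo "=> not acceptable for a management interface"; fi
echo "== hardened sshd_config =="
if audit_sshd_config "$demo_dir/hardened"; then echo "clean"; fi
rm -r "$demo_dir"
```

The audit deliberately reports directives that are merely absent, because sshd's defaults for PermitRootLogin and PasswordAuthentication are the permissive ones; a config that never mentions them is as open as one that sets them to yes.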
Login method configuration
Username and password login
The default method; it works out of the box.
Public key login
Encryption:
The sender encrypts with the peer's public key; the receiver decrypts with its own private key. This provides confidentiality (only the holder of the private key can read the data), not integrity.
Digital signature:
The sender signs with its own private key; the receiver verifies with the sender's public key. This proves who sent the data and that it was not altered in transit.
SSH public key login is the signature case: the client signs a message bound to the session identifier with its private key, and the server verifies the signature against the public key stored in authorized_keys. The private key never leaves the client.
Generate a key pair on the ssh client (interactively: run ssh-keygen -t rsa and keep pressing Enter to accept the defaults; the transcript below already passes -N '' and -f, so the only remaining prompt is the overwrite confirmation, because a key already exists at that path)
[w@localhost ~]$ ssh-keygen -t rsa -N '' -f ./.ssh/id_rsa
Generating public/private rsa key pair.
./.ssh/id_rsa already exists.
Overwrite (y/n)? y
Your identification has been saved in ./.ssh/id_rsa.
Your public key has been saved in ./.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mPoQ5VHepMkS+xbH3uAqoHu/ucaoh+hOGtFtDhz9Qr4 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| . . . |
| . * * |
| . o = * = |
| o = + * = o |
|. + B = S o . |
| . = * . . |
|.o..Eo. . |
|+...+ooo |
|+oo+ o*o |
+----[SHA256]-----+
Non-interactive (-N '' sets an empty passphrase, so the private key file is stored unencrypted; keep it at mode 600, or give it a passphrase and load it with ssh-agent. The overwrite prompt still appears here only because a key already existed.)
[w@localhost ~]$ ssh-keygen -t rsa -N '' -f /home/w/.ssh/id_rsa
Generating public/private rsa key pair.
/home/w/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /home/w/.ssh/id_rsa.
Your public key has been saved in /home/w/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:BwcTIO5gWlt2icnh4Tr5yMhJEOEohMXZUOhHCzCdz94 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|*BoB= ..+. |
|=oB=o* . o |
|+o+=X.o . . |
|o+.O=. o |
|..=o.. S . |
|oo.+. E . |
|.oo . |
| |
| |
+----[SHA256]-----+
After generating the key pair, install the public key on the target with ssh-copy-id (it appends id_rsa.pub to the target user's ~/.ssh/authorized_keys; the password asked for once is that of the target account)
[w@localhost ~]$ ssh-copy-id z@192.168.44.8
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/w/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
z@192.168.44.8's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'z@192.168.44.8'"
and check to make sure that only the key(s) you wanted were added.
At this point a file has been created under user z on the target host
[root@localhost ssh]# su - z
Last login: Wed Jun 18 18:49:27 CST 2025 from 192.168.44.7 on pts/1
[z@localhost ~]$ ls
[z@localhost ~]$ cd .ssh/
[z@localhost .ssh]$ ls
authorized_keys
User w can now log in as z without a password (if a password is still requested, check that ~/.ssh is mode 700 and authorized_keys mode 600 on the target: sshd ignores group- or world-writable files under its default StrictModes)
[w@localhost ~]$ ssh z@192.168.44.8
Last login: Wed Jun 18 19:13:24 2025
[z@localhost ~]$
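Added example, not from the original notes: an out-of-band management key should be usable only from the management host, so the entry ssh-copy-id appended to ~/.ssh/authorized_keys is worth tightening with the options sshd accepts in that file. The script below builds such an entry and audits an authorized_keys file for keys that carry no restriction. The client address 192.168.44.7 is the one in the login record above; the key material in SAMPLE_PUBKEY is a constructed placeholder, not a real key; and the parser assumes option values contain no spaces.

```shell
#!/bin/sh
# Added example: restrict and audit authorized_keys entries for a management account.
# Assumptions: the management client is 192.168.44.7 (from the login record on this page);
# SAMPLE_PUBKEY is constructed and not a real key; option values contain no spaces.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedplaceholderkeymaterial0123456789 w@localhost'

# restrict_key CLIENT PUBKEY_LINE
# Prints the same key prefixed with the options an interactive management login needs and no more:
# from= limits the source address (or CIDR/pattern list), the no-* options stop the key from
# being used as a tunnel or agent endpoint. Options must precede the key type on the same line.
restrict_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# audit_authorized_keys FILE
# Flags entries that start directly with a key type (no options at all), entries whose options
# lack from=, and ssh-dss keys, which OpenSSH 7.0 and later disable by default.
# Returns 1 if anything was flagged, 0 otherwise.
audit_authorized_keys() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
        if ($1 ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
            print "UNRESTRICTED line " NR ": " $1 " " $NF; n++
        } else if ($1 !~ /(^|,)from=/) {
            print "NO_FROM line " NR ": " $NF; n++
        }
        if ($0 ~ /(^|[ \t,])ssh-dss /) {
            print "DEPRECATED ssh-dss line " NR; n++
        }
    }
    END { exit (n > 0) }' "$1"
}

# Stand-alone demonstration: the raw ssh-copy-id entry beside the restricted one.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo_dir/authorized_keys.raw"
restrict_key 192.168.44.7 "$SAMPLE_PUBKEY" > "$demo_dir/authorized_keys.restricted"
echo "== as installed by ssh-copy-id =="
if audit_authorized_keys "$demo_dir/authorized_keys.raw"; then echo "clean"; fi
echo "== restricted entry =="
cat "$demo_dir/authorized_keys.restricted"
if audit_authorized_keys "$demo_dir/authorized_keys.restricted"; then echo "clean"; fi
rm -r "$demo_dir"
```

Where a key exists for a single job (a backup pull, a health check), add command="..." as well, so that a stolen private key yields only that command and not a shell. Because the check reads files, it can be run against every account's authorized_keys on the target, not just z's.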
Rsync+sersync for real-time data synchronization
Rsync (Remote Sync) is a data mirroring and backup tool for Linux. It synchronizes data between hosts, remote or local, supports both full and incremental backups, preserves links and permissions, uses a delta-transfer algorithm that sends only the changed parts of files, and can compress data before transfer, so it is well suited to centralized or off-site backup. It can copy locally, run over ssh, or talk to an rsync daemon.
Advantages:
- scp copies everything every time; rsync compares, transfers and reports statistics in one pass, so it copes with large data sets.
- It can back up whole directory trees and file systems while preserving the original permissions, timestamps, and symbolic and hard links.
- Easy to install; no special privileges required.
- Fast synchronization: the first run is a full copy, later runs transfer only the differences.
- Transport can run over ssh (or rsh) as well as to an rsync daemon.
- Supports anonymous transfers (daemon modules without auth users).
- Selective preservation: symbolic links, hard links, file attributes, permissions, times, etc.
- Fast transfers: data is compressed before transfer and decompressed on arrival, which saves bandwidth.
How it works
rsync uses a client/server (point-to-point) model. In daemon mode the rsync service listens on TCP port 873, either started directly with rsync --daemon (or the distribution's rsyncd service unit) or spawned by xinetd for each incoming connection.
Source host: the server whose data needs to be synchronized
Target host: the host that stores the synchronized data
Synchronization directions: push and pull
- Push: active synchronization; the source sends its data to the target host. The load falls on the source, so this suits a small number of back-end servers. [The server pushes its backup to the rsync peer that stores it: active mode]
  The target host is configured as the rsync server and the source host periodically runs rsync to push the directory over.
- Pull: every client host fetches data from the server; with many clients the transfers become slow. [The rsync client pulls data from the server and stores it locally: passive mode]
  The source host is configured as the rsync server and the target host periodically runs rsync to pull the directory over.
Configure rsync on the target host:
[root@localhost backup]# cat /etc/rsyncd.conf
port=873
address=192.168.44.8 #address of the target host
uid = root #account the module runs as; change to suit (a dedicated unprivileged user is safer for a writable module)
gid = root #root here only for the demonstration; change to suit
use chroot = yes #chroot into the module path during transfers
max connections = 4 #maximum concurrent connections
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
motd file = /etc/rsyncd.motd #message shown to clients; created below
hosts allow = 192.168.44.0/24 #permitted source network
[data] #module name; clients address it as host::data
path = /data/backup #where the backups are stored
comment = backup data
read only = false #allow writes, required for push
list = yes
auth users = rsyncuser #rsync-only user name, need not exist in /etc/passwd
secrets file = /etc/rsync.passwd #separate password file
Configure the password file (format user:password):
[root@localhost data]# echo "rsyncuser:123456" > /etc/rsync.passwd
Set the password file permissions to 600 (rsyncd refuses a secrets file that other users can read)
[root@localhost /]# chmod 600 /etc/rsync.passwd
Configure the motd file
[root@localhost data]# echo "Welcome to Backup Server" > /etc/rsyncd.motd #content is up to you
Create the backup path named in the configuration on this host, then start the daemon (the same command is used at boot at the end of this page)
[root@localhost ~]# mkdir -p /data/backup
[root@localhost ~]# rsync --daemon --config=/etc/rsyncd.conf
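The server-side steps above work, but they run a writable module as root with a password file whose safety depends on a chmod run afterwards. As an added example (not the original configuration), the script below writes a tightened rsyncd.conf for the same [data] module, creates the secrets file under a restrictive umask so it is never readable by others even briefly, checks its mode the way a pre-start check would, and includes a small reader for the [section] key = value format so the values can be verified. The uid rsync assumes a dedicated account created with useradd -r -s /sbin/nologin rsync, hosts allow is narrowed to the source host 192.168.44.7, and stat -c is GNU coreutils, i.e. Linux.

```shell
#!/bin/sh
# Added example: least-privilege rsyncd.conf for the [data] module, secrets-file handling and a
# reader for rsyncd.conf values. Assumptions: Linux (GNU stat); an unprivileged account named
# rsync exists (useradd -r -s /sbin/nologin rsync); the only client is 192.168.44.7.

# write_rsyncd_conf DIR SECRETS_FILE -> writes DIR/rsyncd.conf
write_rsyncd_conf() {
    cat > "$1/rsyncd.conf" <<EOF
port = 873
address = 192.168.44.8
# the module runs as an unprivileged account: a writable root-owned module lets anyone holding
# the password create root-owned files anywhere under the chroot. /data/backup must then be
# writable by this account (chown rsync:rsync /data/backup).
uid = rsync
gid = rsync
use chroot = yes
max connections = 4
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
motd file = /etc/rsyncd.motd
# only the source host, not the whole /24
hosts allow = 192.168.44.7

[data]
    path = /data/backup
    comment = backup data
    read only = false
    list = no
    auth users = rsyncuser
    secrets file = $2
EOF
}

# write_secrets_file FILE USER PASSWORD
# Creates the file under umask 077 so it is not world-readable at any point.
write_secrets_file() {
    ( umask 077 && printf '%s:%s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# check_secrets_file FILE -> 0 if FILE exists with mode 600 (or 400), else 1 with a reason.
# rsyncd with the default "strict modes = yes" rejects a secrets file readable by others;
# this applies the same test before the daemon is started.
check_secrets_file() {
    if [ ! -f "$1" ]; then echo "missing secrets file: $1"; return 1; fi
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "secrets file $1 has mode $mode, want 600"; return 1 ;;
    esac
}

# conf_get FILE SECTION KEY -> value of KEY in [SECTION] (use "" for the global part)
conf_get() {
    awk -v want="$2" -v key="$3" '
    BEGIN { sec = "" }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") {
        k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        if (sec == want && k == key) { print v; exit }
    }' "$1"
}

# Stand-alone demonstration in a temporary directory.
demo_dir=$(mktemp -d)
write_secrets_file "$demo_dir/rsync.passwd" rsyncuser 123456
write_rsyncd_conf "$demo_dir" "$demo_dir/rsync.passwd"
echo "module data: read only = $(conf_get "$demo_dir/rsyncd.conf" data 'read only'), runs as uid $(conf_get "$demo_dir/rsyncd.conf" '' uid)"
if check_secrets_file "$demo_dir/rsync.passwd"; then echo "secrets file ok"; fi
rm -r "$demo_dir"
```

The password is still sent in the clear by the rsync daemon protocol (the challenge-response only protects the password itself, not the data), so on anything but an isolated backup network the same push should go over ssh instead of host::module.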
On the client, create the files to be backed up and test a backup
[root@localhost data]# mkdir -p /data
[root@localhost data]# touch 111
[root@localhost data]# rsync -avz /data/* rsyncuser@192.168.44.8::data
Password:
sending incremental file list
111
sent 82 bytes received 35 bytes 33.43 bytes/sec
total size is 0 speedup is 0.00
Back on the target host, check the backup directory
[root@localhost backup]# ls
111
Download the sersync service
#install sersync (Google Code has shut down, so the URL below no longer resolves; fetch the same tarball from a mirror)
cd /app/local
wget https://sersync.googlecode.com/files/sersync2.5.4_64bit_binary_stable_final.tar.gz
tar zxf sersync2.5.4_64bit_binary_stable_final.tar.gz
mv /app/local/GNU-Linux-x86/ /app/local/sersync
cd /app/local/sersync
Write the password file (on the client it holds only the password, no user name, and it must match the one on the target; rsync also refuses a password file that other users can read, so set it to 600 as well):
[root@localhost GNU-Linux-x86]# echo "123456" > /etc/rsync.passwd
[root@localhost GNU-Linux-x86]# chmod 600 /etc/rsync.passwd
Edit the configuration file
[root@localhost GNU-Linux-x86]# vim confxml.xml #only the parts that change are shown
.....
<inotify>
<delete start="true"/>
<createFolder start="true"/>
<createFile start="true"/>
<closeWrite start="true"/>
<moveFrom start="true"/>
<moveTo start="true"/>
<attrib start="true"/>
<modify start="true"/>
</inotify>
<sersync>
<localpath watch="/data">
<remote ip="192.168.44.8" name="data"/>
<!--<remote ip="192.168.8.39" name="tongbu"/>-->
<!--<remote ip="192.168.8.40" name="tongbu"/>-->
</localpath>
<rsync>
<commonParams params="-artuz"/>
<auth start="true" users="rsyncuser" passwordfile="/etc/rsync.passwd"/>
<userDefinedPort start="false" port="874"/><!-- port=874 -->
....
Start the sersync service
[root@localhost GNU-Linux-x86]# ./sersync2 -d -r -o ./confxml.xml #run this from the directory that holds sersync2; otherwise give the absolute path to confxml.xml
set the system param
execute:echo 50000000 > /proc/sys/fs/inotify/max_user_watches
execute:echo 327679 > /proc/sys/fs/inotify/max_queued_events
parse the command param
option: -d run as a daemon
option: -r rsync all the local files to the remote servers before the sersync work
option: -o config xml name: ./confxml.xml
daemon thread num: 10
parse xml config file
host ip : localhost host port: 8008
will ignore the inotify createFile event
daemon start,sersync run behind the console
use rsync password-file :
user is rsyncuser
passwordfile is /etc/rsync.passwd
config xml parse success
please set /etc/rsyncd.conf max connections=0 Manually
sersync working thread 12 = 1(primary thread) + 1(fail retry thread) + 10(daemon sub threads)
Max threads numbers is: 22 = 12(Thread pool nums) + 10(Sub threads)
please according your cpu ,use -n param to adjust the cpu rate
------------------------------------------
rsync the directory recursivly to the remote servers once
working please wait...
execute command: cd /data && rsync -artuz -R --delete ./ rsyncuser@192.168.44.8::data --password-file=/etc/rsync.passwd >/dev/null 2>&1
run the sersync:
watch path is: /data
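What sersync does is visible in its own log line above: it assembles one rsync command from confxml.xml and runs it for the initial pass and again for every inotify event. As an added example (not sersync's code), the script below reads the same attributes out of a constructed copy of the configuration, rebuilds that command line so it can be inspected before the daemon is started, and verifies the client password file, whose two usual mistakes are the wrong mode and a user:password line copied from the server. The attribute reader is a regex over sersync's flat XML, not a general XML parser, and it skips single-line <!-- --> comments such as the spare remote entries; that a user-defined port is passed as rsync's --port option is an assumption.

```shell
#!/bin/sh
# Added example: preflight for a sersync confxml.xml. Assumptions: the XML has sersync's flat
# layout (one attribute list per line, single-line comments); stat -c is GNU (Linux); a
# userDefinedPort is passed to rsync as --port=N.

# Constructed copy of the relevant part of confxml.xml from this page.
SAMPLE_CONFXML='<head version="2.5">
<sersync>
    <localpath watch="/data">
        <remote ip="192.168.44.8" name="data"/>
        <!--<remote ip="192.168.8.39" name="tongbu"/>-->
    </localpath>
    <rsync>
        <commonParams params="-artuz"/>
        <auth start="true" users="rsyncuser" passwordfile="/etc/rsync.passwd"/>
        <userDefinedPort start="false" port="874"/>
    </rsync>
</sersync>
</head>'

# xml_attr FILE ELEMENT ATTR -> value of ATTR on the first uncommented <ELEMENT ...> tag
xml_attr() {
    grep -v '<!--' "$1" | sed -n "s/.*<$2[^>]*[[:space:]]$3=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# build_rsync_cmd FILE -> the command sersync runs, in the form shown in its start-up log
build_rsync_cmd() {
    watch=$(xml_attr "$1" localpath watch)
    ip=$(xml_attr "$1" remote ip)
    module=$(xml_attr "$1" remote name)
    params=$(xml_attr "$1" commonParams params)
    if [ "$(xml_attr "$1" auth start)" = "true" ]; then
        dest="$(xml_attr "$1" auth users)@$ip::$module"
        auth_opt=" --password-file=$(xml_attr "$1" auth passwordfile)"
    else
        dest="$ip::$module"
        auth_opt=""
    fi
    port_opt=""
    if [ "$(xml_attr "$1" userDefinedPort start)" = "true" ]; then
        port_opt=" --port=$(xml_attr "$1" userDefinedPort port)"
    fi
    # -R --delete mirrors the watched tree, so anything on the target that is not on the
    # source is removed: point a new watch path at an empty module, never at existing data.
    printf 'cd %s && rsync %s -R --delete ./ %s%s%s\n' "$watch" "$params" "$dest" "$auth_opt" "$port_opt"
}

# check_client_password_file FILE -> 0 if FILE is mode 600 and holds the bare password
check_client_password_file() {
    if [ ! -f "$1" ]; then echo "missing password file $1"; return 1; fi
    mode=$(stat -c '%a' "$1")
    if [ "$mode" != "600" ]; then echo "$1 has mode $mode; rsync refuses a password file readable by others"; return 1; fi
    if grep -q ':' "$1"; then echo "$1 contains user:password; the client file holds only the password"; return 1; fi
    return 0
}

# preflight FILE -> the checks that would otherwise fail silently behind >/dev/null 2>&1
preflight() {
    watch=$(xml_attr "$1" localpath watch)
    ok=0
    [ -d "$watch" ] || { echo "watch path $watch does not exist"; ok=1; }
    if [ "$(xml_attr "$1" auth start)" = "true" ]; then
        check_client_password_file "$(xml_attr "$1" auth passwordfile)" || ok=1
    fi
    echo "would run: $(build_rsync_cmd "$1")"
    return $ok
}

# Stand-alone demonstration on the constructed configuration.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONFXML" > "$demo_dir/confxml.xml"
build_rsync_cmd "$demo_dir/confxml.xml"
rm -r "$demo_dir"
```

Run preflight ./confxml.xml before ./sersync2: sersync sends rsync's output to /dev/null, so a bad password file or a missing watch directory only shows up as a target that never changes.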
Verify that it works
#create a directory on the source host
[root@localhost data]# mkdir aljfjkankfdnkldgslin
[root@localhost data]# ls
111 aljfjkankfdnkldgslin
#back on the target host, check that it was synchronized
[root@localhost backup]# ls
111 aljfjkankfdnkldgslin
Once that works, make sersync (and, on the target host, the rsync daemon) start at boot
[root@localhost backup]# vim /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
rsync --daemon --config=/etc/rsyncd.conf   # belongs in the target host's rc.local (the rsync server)
/app/local/sersync/sersync2 -d -r -o /app/local/sersync/confxml.xml   # belongs in the source host's rc.local; use the directory sersync was unpacked into above
As the header of the file says, rc.local only runs at boot if it is executable:
[root@localhost backup]# chmod +x /etc/rc.d/rc.local
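The rc.local header above says it itself: create a systemd service instead. As an added example (not part of the original notes), the function below writes a unit for sersync using the install path from this page; on the target host the rsync package's own rsyncd.service (systemctl enable --now rsyncd, which reads /etc/rsyncd.conf) replaces the rsync --daemon line. The directory argument exists so the function can be exercised against a temporary directory; on the real host pass /etc/systemd/system and then run systemctl daemon-reload and systemctl enable --now sersync.

```shell
#!/bin/sh
# Added example: systemd unit for sersync. Assumptions: sersync2 lives in /app/local/sersync
# (the install path used earlier on this page) and daemonizes itself with -d, hence Type=forking.

# write_sersync_unit DIR -> writes DIR/sersync.service
write_sersync_unit() {
    cat > "$1/sersync.service" <<'EOF'
[Unit]
Description=sersync: push /data to rsync module data on 192.168.44.8
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
# -r does a full rsync pass first, so the target catches up on changes made while sersync was down
ExecStart=/app/local/sersync/sersync2 -d -r -o /app/local/sersync/confxml.xml
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# unit_get FILE KEY -> value of KEY in a unit file (first occurrence)
unit_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Stand-alone demonstration in a temporary directory.
demo_dir=$(mktemp -d)
write_sersync_unit "$demo_dir"
echo "ExecStart: $(unit_get "$demo_dir/sersync.service" ExecStart)"
rm -r "$demo_dir"
```

Unlike rc.local, a unit gives systemctl status and journalctl -u sersync a place to report a failed start, and Restart=on-failure brings the watcher back if it dies, which a one-shot rc.local line never does.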