Project completion process (the project documents):
1. Project requirements analysis
2. Project implementation plan
3. Project implementation stage
4. Project acceptance test
5. Project summary report
Remote service concept introduction:
A remote service lets you download and transmit data remotely.
ssh and Telnet are the services used to connect to a host remotely:
ssh: encrypted data transmission (higher security, higher complexity); typically accessed over the Internet; port 22; allows remote root login by default
Telnet: plaintext data transmission (lower security, lower complexity); typically used on the LAN; port 23; does not allow remote root login by default
Remote service connection principle:
Client: sends a connection request
Server: replies with key confirmation information
Client: confirms the key information
Server: sends its public key information
Client: accepts and saves the public key (~/.ssh/known_hosts) and sends a confirmation message
Server: sends the password verification request (encrypted)
Client: enters the password (encrypted)
Data connection established
Data transmitted (encrypted)
Remote service connection modes:
a. password-based connection
b. key-based remote connection management
Implementation:
Linux system
The first process: the management side establishes the key pair
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ii4d8NRnqHZK060T0kuc7tSgeekOOWgfX+obESQ1m9Y root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| ..+ |
| + * |
| . . B E |
| + * * |
| X % S |
| * & X |
| + @ X o |
| . o X = |
| .oO. |
+----[SHA256]-----+
The second process: the management side distributes the public key to the managed host
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.1.41
SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]#
The third process: remote connection test
[root@localhost ~]# ssh 172.16.1.41
Last login: Thu Jan 16 07:02:28 2020 from 10.0.0.1
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@localhost ~]#
PS: I haven't changed the hostnames of the two hosts here, so I'll do the following by IP address.
The operations in the example can also be written as a single command:
[root@localhost ~]# ssh 172.16.1.41 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:1f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.41/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5590:99cf:aee7:bec0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:23:40:29 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.41/16 brd 172.16.255.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::da9d:e0d7:a934:dd31/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
How to batch-manage multiple hosts based on a password:
Management end 10.0.0.31
web 10.0.0.8
mysql 10.0.0.51
backup 10.0.0.41
Script for bulk distribution of the public key
Problems to solve: how to achieve password-free, non-interactive access
1. Having to type yes when connecting
[root@localhost ~]# ssh 10.0.0.41
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
Solution:
[root@nfs ~]# ssh 10.0.0.41 -o StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password:
2. Having to enter the password when connecting
[root@nfs ~]# ssh 10.0.0.41 -o StrictHostKeyChecking=no
Warning: Permanently added '10.0.0.41' (ECDSA) to the list of known hosts.
root@10.0.0.41's password:
Solution:
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41
Last login: Thu Jan 16 07:17:43 2020 from 10.0.0.1
3. Having to specify the port when connecting
Change the port to 65535 for the experiment
[root@backup ~]# vim /etc/ssh/sshd_config
[root@backup ~]#
[root@backup ~]# systemctl resetart sshd
Unknown operation 'resetart'.
[root@backup ~]# systemctl restart sshd
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41 -p22
ssh: connect to host 10.0.0.41 port 22: Connection refused
Solution:
[root@lsy ~]# sshpass -p000000 ssh 10.0.0.41 -p65535
Last login: Thu Jan 16 07:24:52 2020 from 10.0.0.31
Supplement:
ssh command parameters and usage
sshpass command parameters and usage
Bulk public key distribution script:
Management end
[root@lsy scripts]# sh distribute_public_key.sh
to 10.0.0.8 distribute_key
public key distribute ok

to 10.0.0.51 distribute_key
public key distribute ok

to 10.0.0.41 distribute_key
public key distribute no

[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
for ip in $(cat /server/scripts/ip_list.txt)
do
    sshpass -p000000 ssh-copy-id -i /root/.ssh/id_rsa.pub $ip -o StrictHostKeyChecking=no &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $ip distribute_key "
        echo "public key distribute ok"
        echo ""
    else
        echo "to $ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done
Batch distribution verification script:
Script content
#!/bin/bash
for ip in $(cat /server/scripts/ip_list.txt)
do
    ssh $ip $1
done
Verification results:
[root@lsy scripts]# sh Verification.sh hostname
web
mysql
backup
PS: $1 is the first positional parameter (the argument passed to the script), which is why hostname follows sh Verification.sh. In effect the script logs in to each host in turn, runs hostname, and exits.
Cases to handle when distributing public key information in bulk:
1. The passwords of the controlled hosts differ
2. The ssh ports of the controlled hosts differ
3. The login users of the controlled hosts differ
Public key distribution for hosts with different passwords and ports
Write the host information file:
web 10.0.0.8:123123:65531
mysql 10.0.0.51:321321:65532
backup 10.0.0.41:654321:65534
ssh service configuration file: modify the port number
vim /etc/ssh/sshd_config
Modified script
[root@lsy scripts]# cat distribute_public_key.sh
#!/bin/bash
for host in $(cat /server/scripts/ip_list.txt)
do
    host_ip=$(echo $host|awk -F ":" '{print $1}')
    host_pass=$(echo $host|awk -F ":" '{print $2}')
    host_port=$(echo $host|awk -F ":" '{print $3}')
    sshpass -p$host_pass ssh-copy-id -i /root/.ssh/id_rsa.pub $host_ip -o StrictHostKeyChecking=no -p$host_port &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "to $host_ip distribute_key "
        echo "public key distribute ok"
        echo ""
    else
        echo "to $host_ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done
-eq means "is equal to".
$? holds the exit status of the last command: 0 if it succeeded, otherwise a non-zero value.
Test script with different ports
[root@lsy scripts]# cat Verification.sh
#!/bin/bash
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo $ip|awk -F ":" '{print $1}')
    ip_port=$(echo $ip|awk -F ":" '{print $3}')
    ssh $ip_1 -p$ip_port $1
done
[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531:root
10.0.0.51:321321:65532:lsy
10.0.0.41:654321:65534:lyh
Write the host information file
[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531
10.0.0.51:321321:65532
10.0.0.41:654321:65534
Different login user names, port numbers and passwords
[root@lsy scripts]# cat ip_list.txt
10.0.0.8:123123:65531:root
10.0.0.51:321321:65532:lsy
10.0.0.41:654321:65534:lyh
There is a problem with the test script: the root user can log in without a password, but the other users still cannot.
[root@lsy scripts]# ssh root@10.0.0.8 -p65531 hostname
web
[root@lsy scripts]# ssh lsy@10.0.0.51 -p65532 hostname
lsy@10.0.0.51's password:
Solution:
[root@lsy scripts]# cat Verification.sh
#!/bin/bash
for ip in $(cat /server/scripts/ip_list.txt)
do
    ip_1=$(echo $ip|awk -F ":" '{print $1}')
    ip_port=$(echo $ip|awk -F ":" '{print $3}')
    ip_hostname=$(echo $ip|awk -F ":" '{print $4}')
    ip_pass=$(echo $ip|awk -F ":" '{print $2}')
    sshpass -p$ip_pass ssh $ip_hostname@$ip_1 -p$ip_port $1
done
[root@lsy scripts]# sh Verification.sh hostname
web
mysql
backup
[root@lsy scripts]#
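The distribution script and the user-aware verification script above both parse ip:password:port[:user] records from ip_list.txt. As an added example (not the post's own script), here is a POSIX sh distributor for the same record format that validates each record, defaults the user to root, keeps the password out of the process list, and can be dry-run offline; it assumes the sshpass and ssh-copy-id commands used on this page and the key path /root/.ssh/id_rsa.pub:

```shell
#!/bin/sh
# Added example, not the post's script: distributes the public key from
# records of the form ip:password:port[:user], the ip_list.txt layout above.
# Compared with the post's version it
#  - splits fields with IFS instead of four awk calls; user defaults to root
#  - rejects malformed records (missing field, non-numeric port) instead of
#    running ssh-copy-id with empty arguments
#  - hands the password to sshpass through the SSHPASS variable (-e), so it
#    is not shown to every local user in `ps` as -p would be
#  - uses StrictHostKeyChecking=accept-new (OpenSSH 7.6+): an unknown host
#    key is recorded, but a host whose key has changed is still refused
# With DRY_RUN=1 it only prints the commands, so it can be checked offline.
set -f                                  # records are split unquoted: no globbing
PUBKEY=/root/.ssh/id_rsa.pub

parse_host() {
    # sets ip, pass, port, user from one record; returns 1 if malformed
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    ip=$1; pass=$2; port=$3; user=${4:-root}
    [ -n "$ip" ] && [ -n "$pass" ] && [ -n "$port" ] || return 1
    case $port in *[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
}

copy_id_cmd() {
    # prints the ssh-copy-id command line for one record (password omitted)
    parse_host "$1" || return 1
    printf 'ssh-copy-id -i %s -p %s -o StrictHostKeyChecking=accept-new %s@%s\n' \
        "$PUBKEY" "$port" "$user" "$ip"
}

distribute_key() {
    # $1: host file. Prints one ok/no line per host; bad records are skipped.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac       # blank line or comment
        if ! parse_host "$line"; then
            echo "bad record skipped: $line" >&2; continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            copy_id_cmd "$line"
        elif SSHPASS=$pass sshpass -e ssh-copy-id -i "$PUBKEY" -p "$port" \
                -o StrictHostKeyChecking=accept-new "$user@$ip" >/dev/null 2>&1; then
            echo "to $ip distribute_key ok"
        else
            echo "to $ip distribute_key no"
        fi
    done <"$1"
}
```

Run it as `DRY_RUN=1 sh distribute.sh` with a call to `distribute_key /server/scripts/ip_list.txt` appended to check the generated commands before distributing for real.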
Windows system (Xshell) -> Linux system
The first process: the management side creates the key pair
Xshell: Tools - New User Key Wizard
The second process: editing the public key information
id_rsa_2048.pub - copy its content into - the Linux host's authorized_keys
The third process: modifying the connection session settings
Connect using public key authentication - load the key information
Environment preparation for batch management software: ansible
[root@lsy ~]# yum install -y ansible
Question:
The symptom is confusing: the prompt switches between [root@lsy ~] and [root@localhost ~]
[root@lsy ~]# exit
exit
[root@localhost ~]# ll
total 12
-rw-------. 1 root root 1326 Jan  7 08:12 anaconda-ks.cfg
-rwxr-xr-x. 1 root root 1111 Jan  7 06:26 centos.sh
-rwxr-xr-x. 1 root root  651 Jan  7 11:58 modifynetwork.sh
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# bash
[root@lsy ~]#
[root@lsy ~]#
Solution: form the good habit of keeping the terminal windows arranged in order.
The principle of SSH remote login:
Control terminal:
[root@backup ssh]# cat ssh_host_ed25519_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG44onV97IMGk22GAt+p3SWrXjkM2BMDg7jjJq5JWAeZ
[root@backup ssh]# cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us=
[root@backup ssh]# ssh 10.0.0.8
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:m7ABG4m+HEblor9jbpeXJEZJR27uDT6VvqiM3ldEOUA.
ECDSA key fingerprint is MD5:26:0d:d0:c0:ad:0f:c9:b7:34:dc:b3:ed:8e:65:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password:
Client:
The key values stored in this directory's known_hosts are the ones transmitted by the control end (compare the entry below with the ssh_host_ecdsa_key.pub above).
[root@web ssh]# cat ~/.ssh/known_hosts
172.16.1.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJB5reN8WckuBVYsXG3O9hx3LJqNG5+jY2Txk2BYntQHa1fh5aNEALXNLAhnyEgg9LO7geFg7m2d07RbGvCu0Us=
[root@web ssh]#
Extension:
DoS attack: from Baidu Encyclopedia
DoS is the abbreviation of Denial of Service. An attack that causes a denial of service is called a DoS attack; its aim is to make a computer or network unable to provide normal service. The most common DoS attacks are bandwidth attacks and connectivity attacks. [1]
A DoS attack deliberately targets defects in a network protocol implementation, or simply exhausts the resources of the attacked object by brute means. The purpose is to make the target computer or network unable to provide normal services or resource access, so that the target's service system stops responding or even crashes; this kind of attack does not include intrusion into the target server or network equipment. The service resources involved include network bandwidth, file system space, open processes and allowed connections. Such an attack leads to resource exhaustion: no matter how fast the computer's processing, how large its memory, or how fast the network bandwidth, the consequences of this attack cannot be avoided.
DDoS: from Baidu Encyclopedia
A distributed denial-of-service attack can make many computers suffer an attack at the same time, so that the target of the attack cannot be used normally. Distributed denial-of-service attacks have occurred many times, leaving many large websites unable to operate, which not only affects users' normal use but also causes huge economic losses. [1]
A distributed denial-of-service attack can forge the source IP address while it is attacking, which gives the attack very good concealment and makes it very difficult to detect, so it has become a very difficult attack to prevent.