The nice thing about a VPS abroad is that you can run an SSH tunnel or VPN over it to get past a certain wall. Much of the setup is routine, so I'm writing it down.
1. Preparation
1) Install make
2) Download, build and install zlib, OpenSSL and OpenSSH
wget http://zlib.net/zlib-1.2.5.tar.gz
tar -zxvf zlib-1.2.5.tar.gz
cd zlib-1.2.5
./configure
make && make install
cd /
wget http://www.openssl.org/source/openssl-1.0.0.tar.gz
tar -zxvf openssl-1.0.0.tar.gz
cd openssl-1.0.0
./config shared zlib
make && make install
cd /
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.5p1.tar.gz
tar -zxvf openssh-5.5p1.tar.gz
cd openssh-5.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local --with-md5-passwords
make && make install
cd /
If you are running the Kloxo control panel, it may fail to start because of the OpenSSL version; the fix is to downgrade openssl with yum.
2. SSH setup
1) Edit the sshd configuration file (/etc/ssh/sshd_config, given the --sysconfdir used above)
Add the following and save:
AllowTcpForwarding yes
Match Group sshTunnelGroup
ForceCommand sh /home/sshTunnelGroup/tunnelshell.sh
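Before restarting sshd it is worth confirming that the configuration really carries the lockdown: that AllowTcpForwarding is still enabled for the group and that the Match block applies a ForceCommand, since without the latter members of the group get an ordinary shell. The following is an added example written for this post (it is my own code, not part of the original article): a small POSIX sh/awk check that reads sshd_config text on stdin. It assumes the usual sshd semantics that options before the first Match line are global, that AllowTcpForwarding defaults to yes when absent, and that a value set inside the Match block overrides the global one. The three sample configurations are constructed for the demonstration.

```shell
# Added example, not part of the original post: check that an sshd_config
# text on stdin carries the tunnel-only lockdown for the group named in $1.
# Assumed: options before the first "Match" line are global; sshd's default
# for AllowTcpForwarding is "yes" when the keyword is absent.
# Exit status 0 = lockdown present, 1 = something is missing.
check_tunnel_config() {
    awk -v grp="$1" '
        BEGIN { gfwd = 1 }                        # sshd default when unset
        { key = tolower($1) }                     # keywords are case-insensitive
        key == "match" {                          # start of a Match block
            seen_match = 1
            in_block = (tolower($2) == "group" && $3 == grp)
            next
        }
        !seen_match && key == "allowtcpforwarding" { gfwd = (tolower($2) == "yes") }
        in_block && key == "allowtcpforwarding"    { bfwd = (tolower($2) == "yes"); bset = 1 }
        in_block && key == "forcecommand"          { forced = 1 }
        END {
            fwd = bset ? bfwd : gfwd              # a Match-level value overrides
            exit !(fwd && forced)
        }
    '
}

# Constructed sample configurations (not copied from any real server)
GOOD_CFG='AllowTcpForwarding yes
Match Group sshTunnelGroup
ForceCommand sh /home/sshTunnelGroup/tunnelshell.sh'

NO_FORCE_CFG='AllowTcpForwarding yes
Match Group sshTunnelGroup
X11Forwarding no'

NO_FWD_CFG='AllowTcpForwarding no
Match Group sshTunnelGroup
ForceCommand sh /home/sshTunnelGroup/tunnelshell.sh'

check_good()     { printf '%s\n' "$GOOD_CFG"     | check_tunnel_config sshTunnelGroup; }
check_no_force() { printf '%s\n' "$NO_FORCE_CFG" | check_tunnel_config sshTunnelGroup; }
check_no_fwd()   { printf '%s\n' "$NO_FWD_CFG"   | check_tunnel_config sshTunnelGroup; }

# Against a live server: check_tunnel_config sshTunnelGroup < /etc/ssh/sshd_config
check_good     && echo "good config: lockdown present"
check_no_force || echo "no ForceCommand: tunnel users would get a shell"
check_no_fwd   || echo "AllowTcpForwarding no: tunnel users could not forward"
```

Run this together with `sshd -t` (sshd's syntax check) before `service sshd restart`, so a typo in the Match block does not lock you out of your own server.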
2) Add the SSH user group, disable SFTP, etc. (chmod 700 on sftp-server leaves it executable by root only; adjust the path to match the Subsystem sftp line in your sshd_config)
groupadd sshTunnelGroup
mkdir /home/sshTunnelGroup
chmod 700 /usr/libexec/openssh/sftp-server
ln -s /home/sshTunnelGroup/tunnelshell.sh /home/sshTunnelGroup/.profile
service sshd restart
3) Add the SSH shell login script
vi /home/sshTunnelGroup/tunnelshell.sh
Add the following and save (keep this script and /home/sshTunnelGroup owned by root and not writable by the group, because this file is what ForceCommand runs for every tunnel user):
#!/bin/sh
# Menu shown to every member of sshTunnelGroup; sshd runs it via ForceCommand,
# so the user never reaches a real shell. The SSH connection (and any port
# forwarding on it) stays up until this script exits.
echo ""
echo " ****************************************************************"
echo " * Welcome to OUR SSH Tunnel , what do you want to do . *"
echo " ****************************************************************"
echo ""
echo "a. Change your password"
echo "x. Exit"
# "read -p" and "==" are bash extensions; plain sh needs printf and a single "="
printf "Please input: "
read n
if [ "$n" = "A" ] || [ "$n" = "a" ]; then
    passwd
    echo "## All finished , press any key to exit . ##"
elif [ "$n" = "X" ] || [ "$n" = "x" ]; then
    echo "## All finished , press any key to exit . ##"
else
    echo "## Wrong choice , press any key to exit . ##"
fi
read x
exit 0
4) If only one login per SSH account should be allowed at a time, add another script
vi /home/sshTunnelGroup/sshlimit.pl
Add the following and save:
#!/usr/bin/perl -w
# Every 3 seconds, list the sshd session processes, group them by user and
# keep only one session per user (root's own sshd processes are never touched).
use strict;

sub main
{
    # ps columns: user, pid, elapsed time, command; only "sshd: user..." lines match
    my @lines = `ps -eo user,pid,etime,cmd | grep sshd`;
    my $users = {};
    for my $line (@lines) {
        if (my ($user, $pid, $etime, $cmd) = $line =~ /^([^\s]+)\s+(\d+)\s+([^\s]+)\s+(sshd:.+)$/) {
            next if ($user eq 'root');
            my $proc = {'pid', $pid, 'etime', $etime, 'cmd', $cmd};
            push @{$users->{$user}}, $proc;
        }
    }
    for my $key (keys(%$users)) {
        # etime is MM:SS, HH:MM:SS or DD-HH:MM:SS, zero-padded, so a longer
        # string is always an older session; sort oldest first
        my @sshs = sort {
            my ($lb, $la) = (length($b->{'etime'}), length($a->{'etime'}));
            if ($lb == $la) {
                $b->{'etime'} cmp $a->{'etime'};
            } else {
                $lb <=> $la;
            }
        } @{$users->{$key}};
        # keep the first (oldest) session; "pop" here would keep the newest instead
        for (1 .. 1) { shift @sshs; };
        for my $ssh (@sshs) {
            kill 9, $ssh->{'pid'};
        }
    }
}

while (1) {
    main();
    sleep 3;
}
Run it in the background:
perl /home/sshTunnelGroup/sshlimit.pl &
Note: the script above automatically disconnects the account's later login.
To disconnect the earlier login instead, change shift to pop in for (1 .. 1) { shift @sshs; };.
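To make the shift/pop choice concrete, here is an added example (my own code, not part of the original post) that applies the same policy to a captured `ps -eo user,pid,etime,cmd` listing and prints the PIDs that would be disconnected, without killing anything. It goes slightly beyond the Perl script by converting etime from its [[dd-]hh:]mm:ss form into seconds, which makes the ordering explicit rather than relying on string length. The mode names keep-oldest and keep-newest are my own, and the process listing is constructed for the demonstration; it assumes, as the script does, that session processes are titled "sshd: <user>..." and run as that user.

```shell
# Added example, not part of the original post: given the output of
#   ps -eo user,pid,etime,cmd
# on stdin, print the PIDs the one-login-per-user policy would disconnect.
# $1 = keep-oldest (drop later logins, the script's "shift") or
#      keep-newest (drop earlier logins, the "pop" variant).
# Assumed: session processes are titled "sshd: <user>..." and run as that
# user; root's processes (listener and [priv] monitors) are left alone.
select_kill_pids() {
    awk -v mode="$1" '
        # [[dd-]hh:]mm:ss -> seconds
        function etime_seconds(s,    d, n, parts, dp, sec, i) {
            d = 0
            if (index(s, "-") > 0) { split(s, dp, "-"); d = dp[1]; s = dp[2] }
            n = split(s, parts, ":")
            sec = 0
            for (i = 1; i <= n; i++) sec = sec * 60 + parts[i]
            return d * 86400 + sec
        }
        $1 != "root" && $4 == "sshd:" {
            user = $1; pid = $2; secs = etime_seconds($3)
            n = ++count[user]
            pids[user, n] = pid
            # remember the session to keep; on equal age the first one listed wins
            if (!(user in keep) ||
                (mode == "keep-oldest" && secs > keepsecs[user]) ||
                (mode == "keep-newest" && secs < keepsecs[user])) {
                keep[user] = pid; keepsecs[user] = secs
            }
        }
        END {
            for (user in count)
                for (i = 1; i <= count[user]; i++)
                    if (pids[user, i] != keep[user]) print pids[user, i]
        }
    ' | sort -n
}

# Constructed process listing (made up for this example)
SAMPLE_PS='USER       PID     ELAPSED CMD
root      1001  3-02:11:05 /usr/sbin/sshd
root      2001    01:10:00 sshd: alice [priv]
alice     2002    01:10:00 sshd: alice@notty
root      2003       59:59 sshd: alice [priv]
alice     2004       59:59 sshd: alice@pts/0
root      2005       00:42 sshd: bob [priv]
bob       2006       00:42 sshd: bob@notty
root      2007       01:00 sshd: bob [priv]
bob       2008       01:00 sshd: bob@pts/1
root      2009       00:00 grep sshd'

kill_keep_oldest() { printf '%s\n' "$SAMPLE_PS" | select_kill_pids keep-oldest | xargs; }
kill_keep_newest() { printf '%s\n' "$SAMPLE_PS" | select_kill_pids keep-newest | xargs; }

echo "keep-oldest would disconnect: $(kill_keep_oldest)"
echo "keep-newest would disconnect: $(kill_keep_newest)"
# Live use (as root): ps -eo user,pid,etime,cmd | select_kill_pids keep-oldest | xargs -r kill
# (-r is GNU xargs; it skips running kill when no PID was selected)
```

On the sample, keep-oldest drops alice's 59:59 session and bob's 42-second one, while keep-newest drops alice's 01:10:00 session and bob's 01:00 one; root's listener, the [priv] monitors and the grep line are never candidates.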
3. Adding SSH accounts
For example, to add an SSH account named username that expires on 2010-12-31 and set its password:
useradd -e 2010-12-31 -g sshTunnelGroup -s /bin/bash -d /home/sshTunnelGroup username
passwd username
To suspend a user: chage -E 0 username
To delete a user: userdel username
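Both useradd -e and chage -E write the expiry into field 8 of /etc/shadow as a day count since 1970-01-01, which is why chage -E 0 (day 0) suspends an account without deleting it. The following added example (my own, not from the original post) reports the state of every account whose primary group is the tunnel group, from passwd- and shadow-format files; the sample files, the GID 1001 and the "today" day numbers are constructed, and the function assumes accounts were created with -g so the primary GID identifies them.

```shell
# Added example, not part of the original post: report the expiry state of
# every account whose primary group is the tunnel group.
# $1 = numeric GID of the tunnel group, $2 = today's day number
#      (on a live system: $(( $(date +%s) / 86400 ))),
# $3 = passwd file, $4 = shadow file. Assumed: primary group only (useradd -g).
tunnel_account_status() {
    awk -F: -v gid="$1" -v today="$2" '
        FNR == NR { if ($4 == gid) member[$1] = 1; next }   # passwd: field 4 = primary GID
        ($1 in member) {                                     # shadow: field 8 = expiry day
            expday = $8
            if (expday == "")          status = "no-expiry"
            else if (expday == 0)      status = "suspended"  # chage -E 0
            else if (expday < today)   status = "expired"
            else                       status = "active(" (expday - today) "d-left)"
            print $1, status
        }
    ' "$3" "$4" | sort
}

# Constructed sample files (made up for this example; hashes are placeholders)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/sshTunnelGroup:/bin/bash
bob:x:1002:1001::/home/sshTunnelGroup:/bin/bash
carol:x:1003:1001::/home/sshTunnelGroup:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:*:14600:0:99999:7:::
alice:$6$PLACEHOLDER:14600:0:99999:7::14974:
bob:$6$PLACEHOLDER:14600:0:99999:7::0:
carol:$6$PLACEHOLDER:14600:0:99999:7:::
dave:$6$PLACEHOLDER:14600:0:99999:7::14974:
EOF

# 14974 is 2010-12-31 (the useradd -e date above); day 14900 is 2010-10-18
status_sample() { tunnel_account_status 1001 "$1" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" | xargs; }
echo "on day 14900: $(status_sample 14900)"
echo "on day 15000: $(status_sample 15000)"
# Live use (as root):
#   tunnel_account_status "$(getent group sshTunnelGroup | cut -d: -f3)" \
#       "$(( $(date +%s) / 86400 ))" /etc/passwd /etc/shadow
```

dave is skipped because his primary group is not the tunnel group, and carol shows no-expiry because she was created without -e, which is the state to look for when auditing accounts that should have had an end date.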
All in all, setting up an SSH tunnel server is fairly simple; the login script can be extended further if you like.