centos7搭建sshd隧道转发服务

目的

通过隧道实现访问私域目标服务。

1.新增隧道认证用户

groupadd tunnel  # 新增隧道组
useradd u03
 
su  - u03
ssh-keygen   # 生成密钥对

cp .ssh/id_rsa.pub  .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

exit
usermod -s /sbin/nologin u03  # 修改禁止登录
usermod -aG tunnel u03  # 添加组

2.优化系统配置(支持高并发隧道建立)

/etc/sysctl.d/99-ssh-tunnel.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# 文件句柄优化
fs.file-max = 2097152

# 网络连接优化
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
#net.ipv4.ip_local_port_range = 1024 65535

# TCP 长连接优化
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5

# 刷新内核参数
sysctl --system
sysctl -a && sysctl -p

/etc/security/limits.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
/etc/security/limits.d/tunnel-user.conf 
* soft nproc 102400
* hard nproc 102400
* soft nofile 102400
* hard nofile 102400

[root@xxx ~]# cat /etc/security/limits.d/20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

#* soft nproc 4096
root soft nproc unlimited

3.优化sshd配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
[root@xxx ~]# cat /etc/ssh/sshd_config 
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 22
Port 11506
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server


# 最大会话数/半开连接优化
MaxSessions 10000
MaxStartups 5000:50:10000

# TCP KeepAlive/长连接优化
ClientAliveInterval 30
ClientAliveCountMax 3
TCPKeepAlive yes

# root 禁止通过 11506
Match User root LocalPort 11506
ForceCommand /bin/false
PermitTTY no

Match User tunnel_user LocalPort 22
PasswordAuthentication no
ForceCommand /bin/false
PermitTTY no

# 隧道用户11506端口的规则
Match User tunnel_user LocalPort 11506
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
X11Forwarding no
PermitTTY no
ForceCommand /bin/false

# 降低抖动
RekeyLimit 4G 2h

精简版

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
[root@xxx ~]# cat /etc/ssh/sshd_config |egrep -v '^#|^$' 
Port 22
Port 11506
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server

MaxSessions 10000
MaxStartups 5000:50:10000

ClientAliveInterval 30
ClientAliveCountMax 3
TCPKeepAlive yes

Match User root LocalPort 11506
ForceCommand /bin/false
PermitTTY no

Match User tunnel_user LocalPort 22
PasswordAuthentication no
ForceCommand /bin/false
PermitTTY no
Match User tunnel_user LocalPort 11506
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
X11Forwarding no
PermitTTY no
ForceCommand /bin/false
RekeyLimit 4G 2h

基于组隧道配置

[root@c7-100 ssh]# cat sshd_config
Port 22
Port 11506
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

MaxSessions 10000
MaxStartups 5000:50:10000

ClientAliveInterval 30
ClientAliveCountMax 3
TCPKeepAlive yes

RekeyLimit 4G 2h

Match LocalPort 22
    DenyGroups tunnel
    PasswordAuthentication no
    PubkeyAuthentication yes

Match LocalPort 11506
    AllowGroups tunnel
    DenyUsers root
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false

测试sshd_config配置

sshd -t
systemctl restart sshd

tail -F /var/log/secure # 查看安全日志

4.测试隧道

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
chmod 600 u03  # id_rsa

# Local
ssh -i ./u03 -L 9999:127.0.0.1:8000 u03@172.24.20.100 -p 11506 -N

#127.0.0.1:8000
python -m SimpleHTTPServer

curl 127.0.0.1:9999 # 反向代理

ssh -vvv -i .\id_rsa -L 9090:127.0.0.1:8000 u01@1.1.1.1 -p 11506 -N

# 换行命令
ssh -i private_key_tunnel02 \
-L 10001:1.1.11:5555 \
-o ServerAliveInterval=30 -o ServerAliveCountMax=2 \
-o RekeyLimit=4G,2h \
-Nf tunnel_user@1.1.1.2 -p 11506

ssh -i private_key_zjyj -L 2096:1.1.1.1:5555 -o ServerAliveinterval=30 -o ServerAliveCountMax=2 -o RekeyLimit=4G,2h root@1.1.1.2 -p 11506 -Nf
``