Remote Management Service (SSH)

1. Description of the remote service concept

Service   Transmission                     Port   Typical use                                   Root remote login
ssh       Encrypted remote connection      22     Internet-facing servers                       Allowed by default
telnet    Remote connection, clear text    23     Network equipment on the machine-room LAN     Not allowed

A remote service lets you connect to a host and manage it remotely.

A remote service lets you download and transfer data remotely.


Both the SSH and telnet services provide a remote connection:
SSH: encrypted data transmission (higher security, higher complexity). Accessed over the Internet on port 22. The root user may connect remotely by default.
telnet: clear-text transmission (lower security, lower complexity). Accessed over the LAN on port 23. The root user is forbidden from connecting remotely by default.

telnet service

The telnet-server service on Linux does not allow the root user to log in; log in as a normal user first and then switch with the su command.

On Linux, ssh root@172.16.1.41 connects as root; when no user name is given, ssh uses the name of the current local user.

2. Principle of the remote service connection

2.1 ssh connection diagram

(the diagram is not reproduced here)

2.2 ssh connection process

Client: sends a request to establish a connection
Server: replies with its key information for confirmation
Client: confirms the key information
Server: sends its public key information
Client: receives and saves the public key (~/.ssh/known_hosts) and sends confirmation
Server: sends the password verification request (encrypted)
Client: enters the password information (encrypted)
The data connection is established and data is transmitted (encrypted)

The known_hosts step is the only point at which the client can check that the server's key fingerprint is the expected one; a key that later changes triggers a warning and, with strict host key checking, the connection is refused.

3. Remote connection

3.1 Remote connection based on a password

Steps:
①: ssh + IP address
②: enter the user name (the account on that host)
③: enter the password (the password of that account)

For example:
①: ssh 10.0.0.8
②: root
③: abc123

3.2 Remote connection based on a key

3.2.1 Simple configuration:

Management server (m01, 192.168.81.161):

Step 1: create a key pair
[root@m01 ~]# ssh-keygen -t dsa        # generates the public and private keys
[root@m01 ~]# ll ~/.ssh/id*
(DSA keys have been refused by default since OpenSSH 7.0; on current systems use ssh-keygen -t ed25519 or -t rsa and adjust the key file names below accordingly.)
Step 2: the management end distributes the public key (interaction is required here: the host-key yes/no prompt and the password)
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@<target IP>
Step 3: test the remote connection (it should connect directly without asking for a password)
[root@m01 ~]# ssh root@<target IP> hostname

At this point there are two problems: 1. how to manage multiple hosts in batches, and 2. how to write a script that distributes the public key in batches?

The simplest way to write the script: stack the commands in a loop

#!/bin/bash
# distribute the management host's public key to 192.168.81.163 and 192.168.81.164
for ip in 163 164
do
    ssh-copy-id -i /root/.ssh/id_dsa.pub root@192.168.81.$ip
done

But there are still problems:

1. Each host asks for a yes/no confirmation of its host key

2. The password must be entered for each host

3. If the service port number has been changed, how is the public key distributed?

3.2.2 Distribute the public key without interactively entering the password

Step 1: install the sshpass software
yum install -y sshpass
Step 2: run the non-interactive public key distribution command
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub root@192.168.81.163

If the service port number has been changed, distribute the public key like this (ssh-copy-id options go before the host name):
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub -p 52113 -o StrictHostKeyChecking=no root@192.168.81.163

Note: StrictHostKeyChecking=no silences the yes/no prompt by accepting whatever host key is presented, so it gives up the protection against a host impersonating the target; on OpenSSH 7.6 and later, StrictHostKeyChecking=accept-new records an unknown key but still rejects one that has changed. A password given with -p is also visible to every local user in the process list; sshpass -e reads it from the SSHPASS environment variable instead.

3.2.3 Script for batch public key distribution:

1. Prepare the host address file used by the script:

cat /server/scripts/ip_list.txt
192.168.81.163
192.168.81.164
192.168.81.165

2. Script for distributing the public key in batches:

# cat distribute_public_key.sh
#!/bin/bash
# distribute the management host's public key to every address in ip_list.txt
for ip in $(cat /server/scripts/ip_list.txt)
do
    # -p gives sshpass the password; -o is an ssh-copy-id option and goes before the host
    if sshpass -p654321 ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no "$ip" &>/dev/null
    then
        echo "to $ip distribute_key"
        echo "public key distribute success"
        echo ""
    else
        echo "to $ip distribute_key"
        echo "public key distribute failed"
        echo ""
    fi
done

3. Check script run after distributing the public key (batch management script) - serial management

[root@m01 scripts]# cat check_pub_key.sh
#!/bin/bash
# run the command given as $1 on every host in ip_list.txt, one host after another
CMD=$1
for ip in $(cat /server/scripts/ip_list.txt)
do
    echo "==================== host $ip check ===================="
    ssh "$ip" "$CMD"
    echo ""
done

4. SSH service configuration file analysis

/etc/ssh/sshd_config
 Port 22                     --- port the service listens on (commented out by default; the default port is 22)
 ListenAddress 0.0.0.0       --- which local network card address accepts connections ******
                                 PS: the listening address must be an address configured on a local network card
 PermitRootLogin no          --- whether the root user may connect remotely; recommended: no
 PermitEmptyPasswords no     --- whether remote users may log in with an empty password; recommended: no
 PasswordAuthentication yes  --- whether password authentication is supported for remote connections
 GSSAPIAuthentication no     --- whether GSSAPI authentication is enabled; turn it off when not in use
 UseDNS no                   --- whether reverse DNS resolution of clients is performed; recommended: off
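Added example, not part of the original post: a small audit script that reads an sshd_config file and reports which of the settings listed above are missing or weaker than recommended. It follows sshd's own rules that the first uncommented occurrence of a directive is the effective one and that the global section ends at the first Match block. The function names (sshd_effective, sshd_check, sshd_audit) and the sample configuration written to a temporary file are made up for this example.

```shell
#!/bin/bash
# Added example: audit an sshd_config file against the settings recommended above.
# Helper names and the sample config below are made up for this example.

# Print the effective value of a directive. sshd uses the first uncommented
# occurrence, and directives inside Match blocks do not apply globally.
sshd_effective() {  # args: config_file directive
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == key { print $2; exit }          # first match wins
    ' "$1"
}

# Check one directive against its expected value (case-insensitive).
# Prints a finding line; returns 1 when the setting is missing or weak.
sshd_check() {  # args: config_file directive expected
    local actual
    actual=$(sshd_effective "$1" "$2")
    if [ -z "$actual" ]; then
        echo "MISSING  $2 (built-in default applies; set it explicitly to $3)"
        return 1
    fi
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK       $2 $actual"
        return 0
    fi
    echo "WEAK     $2 $actual (recommended: $3)"
    return 1
}

# Run the whole audit; the return value is the number of findings (0 = clean).
sshd_audit() {  # arg: config_file
    local findings=0
    sshd_check "$1" PermitRootLogin no      || findings=$((findings + 1))
    sshd_check "$1" PermitEmptyPasswords no || findings=$((findings + 1))
    sshd_check "$1" GSSAPIAuthentication no || findings=$((findings + 1))
    sshd_check "$1" UseDNS no               || findings=$((findings + 1))
    # 0.0.0.0 means every interface; flag it without prescribing a specific address.
    if [ "$(sshd_effective "$1" ListenAddress)" = "0.0.0.0" ]; then
        echo "WEAK     ListenAddress 0.0.0.0 (listens on all interfaces; bind to the internal address)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config (not a real host's file): root login allowed, GSSAPI
# line commented out, listening everywhere, plus a Match block that must be ignored.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
#GSSAPIAuthentication no
UseDNS no
Match User backup
    PermitRootLogin no
EOF

sshd_audit "$SAMPLE_CFG"; echo "findings: $?"
```

On a live host, `sshd -T` prints the effective configuration with built-in defaults applied, which is the more reliable input when a directive is absent from the file.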


5. Batch public key distribution exercise for an enterprise environment

5.1 Corporate environment

Host     User   Password    SSH service port
m01      root   linux@123   22
web01    root   linux@123   65531
web02    root   linux@123   65532
nfs01    root   linux@123   65533
backup   root   linux@123   65534

5.2 Write the host information file (one ip:password:port entry per line)

cat /server/scripts/ip_list.txt
192.168.81.162:linxu@123:65531
192.168.81.163:linxu@123:65532
192.168.81.164:linxu@123:65533
192.168.81.165:linxu@123:65534

This file holds clear-text passwords, so it must be readable only by root (chmod 600) and should be removed once the keys are in place.

5.3 Write the public key distribution script for batch use

# cat distribute_public_key.sh
#!/bin/bash
# read ip:password:port entries from ip_list.txt and push the public key to each host
for host in $(cat /server/scripts/ip_list.txt)
do
    host_ip=$(echo "$host" | awk -F ":" '{print $1}')
    host_pass=$(echo "$host" | awk -F ":" '{print $2}')
    host_port=$(echo "$host" | awk -F ":" '{print $3}')
    # ssh-copy-id options (-i, -o, -p) must come before the host name;
    # a password passed with sshpass -p is visible in the process list, sshpass -e with SSHPASS avoids that
    if sshpass -p"$host_pass" ssh-copy-id -i /root/.ssh/id_rsa.pub -o StrictHostKeyChecking=no -p "$host_port" "$host_ip" &>/dev/null
    then
        echo "to $host_ip distribute_key"
        echo "public key distribute ok"
        echo ""
    else
        echo "to $host_ip distribute_key"
        echo "public key distribute no"
        echo ""
    fi
done

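Added example, not the original post's script: a version of the batch distribution that validates the ip:password:port inventory before anything is sent. It refuses an inventory file that other users can read, rejects malformed addresses and ports, and keeps the actual copy step in one small function (copy_key) so it can be swapped for a dry run. The function names, the TEST-NET addresses and the passwords in the temporary sample inventory are all made up for this example; it also uses StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) and sshpass -e in place of the post's =no and -p.

```shell
#!/bin/bash
# Added example: validate the ip:password:port inventory, then distribute keys.
# Function names and the sample inventory are constructed for this example.

valid_ipv4() {  # dotted quad, each octet 0-255
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

valid_port() {  # 1-65535, digits only
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Split one inventory line into host_ip, host_pass, host_port; returns 1 if any field is bad.
parse_host_line() {
    local IFS=:
    set -- $1
    [ $# -eq 3 ] || return 1        # a password containing ':' is rejected rather than mis-split
    host_ip=$1 host_pass=$2 host_port=$3
    valid_ipv4 "$host_ip" && [ -n "$host_pass" ] && valid_port "$host_port"
}

# Check the whole file: it holds passwords, so group/other must have no permissions,
# and every non-comment line must parse. Returns the number of bad lines (255 = refused).
check_inventory() {  # arg: inventory file
    local file=$1 bad=0 n=0 line
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "REFUSED: $file is readable by other users (run: chmod 600 $file)"
        return 255
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! parse_host_line "$line"; then
            echo "line $n: malformed entry, expected ip:password:port (got ${line%%:*}:...)"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# The actual copy step, isolated so a test or dry run can replace it. accept-new records
# unknown host keys but still rejects a changed one; -e keeps the password out of `ps`.
copy_key() {  # args: ip password port
    SSHPASS=$2 sshpass -e ssh-copy-id -i /root/.ssh/id_rsa.pub \
        -o StrictHostKeyChecking=accept-new -p "$3" "root@$1"
}

distribute_keys() {  # arg: inventory file; returns the number of hosts that failed
    local line failed=0
    check_inventory "$1" >/dev/null || { echo "inventory rejected, nothing distributed"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        parse_host_line "$line" || continue
        # </dev/null stops ssh from draining the loop's own stdin (see section 7)
        if copy_key "$host_ip" "$host_pass" "$host_port" </dev/null >/dev/null 2>&1; then
            echo "to $host_ip distribute_key: ok"
        else
            echo "to $host_ip distribute_key: failed"
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}

# Constructed sample inventory: two good lines, one bad address, one bad port.
SAMPLE_INV=$(mktemp)
chmod 600 "$SAMPLE_INV"
cat > "$SAMPLE_INV" <<'EOF'
# constructed sample inventory (TEST-NET addresses, made-up passwords)
192.0.2.11:example-pass-1:65531
192.0.2.12:example-pass-2:65532
192.0.2.999:example-pass-3:65533
192.0.2.14:example-pass-4:70000
EOF

check_inventory "$SAMPLE_INV"; echo "bad inventory lines: $?"
```

Run `check_inventory` on its own first; `distribute_keys` calls it again and refuses to start if anything is wrong, so a typo in one line never leaves the fleet half-done. The error line prints only the address field, never the password.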

6. SSH remote service intrusion prevention plan

1. Log in with keys; log in to the VPN / bastion host without a password (key-based)
2. Network access control to solve the SSH security problem:
  a. The firewall closes SSH except for specified source IPs (LAN, trusted public addresses)
  b. Open SSH but listen only on the internal network IP (ListenAddress 192.168.81.162)
3. Try not to give the server a public network IP
4. Minimize (installed software and granted permissions)
5. Fingerprint important system files or commands: /etc/profile, /etc/rc.local, /etc/passwd with md5sum (e.g. 11110000aaaabbbb) and monitor the values;
   monitor /bin with inotify
6. Lock important files: chattr +i +a
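Added example, not from the original post, for point 5 above: a fingerprint baseline for important files and a check that reports what changed or disappeared. It uses sha256sum rather than the md5sum the post mentions (the workflow is identical; MD5 is collision-prone). The function names and the stand-in files created in a temporary directory are constructed for this example; the real targets would be /etc/passwd, /etc/profile and /etc/rc.local.

```shell
#!/bin/bash
# Added example: baseline and verify fingerprints of important files.
# Function names and the temporary stand-in files are constructed for this example.

# Record a baseline: one "hash  path" line per file, written to the baseline file.
baseline_create() {  # args: baseline_file path...
    local out=$1; shift
    sha256sum "$@" > "$out"
}

# Compare the current state against the baseline. Prints CHANGED or MISSING per
# path; the return value is the number of files that differ (0 = all intact).
baseline_verify() {  # arg: baseline_file
    local bad=0 hash path
    while read -r hash path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED  $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Constructed stand-ins for /etc/passwd, /etc/profile and /etc/rc.local (not the real files).
WORK=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WORK/passwd"
printf 'export PATH=/usr/local/bin:$PATH\n' > "$WORK/profile"
printf '#!/bin/sh\nexit 0\n' > "$WORK/rc.local"
BASELINE="$WORK/baseline.sha256"

baseline_create "$BASELINE" "$WORK/passwd" "$WORK/profile" "$WORK/rc.local"

# Simulate tampering on the local copies only: one file modified, one removed.
printf 'extra:x:1001:1001::/home/extra:/bin/bash\n' >> "$WORK/passwd"
rm "$WORK/rc.local"

baseline_verify "$BASELINE"; echo "files differing from baseline: $?"
```

Keep the baseline file off the host (or on read-only media) and run the check from cron: an intruder with root can rewrite both the file and a baseline stored next to it. The post's chattr +i on the baseline raises the bar but does not replace an off-host copy.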

7. Common problems with remote transmission

When reading a file with while read line, the loop is suddenly interrupted.
Analysis point 01: when the ssh command is not used, the loop runs correctly.
Analysis point 02: as long as the ssh command has its own standard input and does not read from the loop's input, the loop runs correctly.
Analysis point 03: changing the loop form (a for loop) makes the loop run correctly.
Analysis point 04: putting the ssh command in the background makes the loop run correctly.

When the cat command reads a file, all of its content is placed in a memory buffer at once, and while read then reads that buffer one line at a time, which is the normal case.
With while read line + ssh, ssh reads the rest of the buffer and empties it, so the loop ends after the first line.


Origin www.cnblogs.com/nsthink-666/p/12731559.html