Theory + experiment (Linux network): remote access and control

Preface

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copy over a character (command-line) interface. The SSH protocol encrypts all data exchanged between the two communicating parties, including the login password the user types when logging in. Compared with earlier applications such as telnet (remote login), rsh (Remote Shell, remote command execution) and rcp (Remote File Copy), the SSH protocol provides much better security.

Part One: SSH remote management

1. Configure the OpenSSH server

1.1 SSH service and configuration file

SSH (Secure Shell) protocol

  • Is a secure channel protocol
  • Encrypted communication data for remote management

OpenSSH

  • Service name: sshd
  • Server main program: /usr/sbin/sshd
  • Server configuration file: /etc/ssh/sshd_config

systemctl restart sshd   ## restart (reload) the sshd service

1.2 Service listening options

The default port number used by the sshd service is 22. If needed, it is recommended to change this port number and to specify the exact IP address the service listens on, which makes the service less conspicuous on the network. In addition, version 2 of the SSH protocol is more secure than version 1. Disabling reverse DNS resolution improves the server's response time at login.

1.3 User login control

The sshd service allows the root user to log in by default, which is very insecure when the service is exposed to the Internet. Common practice: first log in remotely as an ordinary user, and after entering the secure shell environment use the su command to switch to root only when actually needed.
User login control options of the sshd service:

  • Disable login by root and by users with empty passwords
  • Limit the login verification time and the number of retries
  • AllowUsers, DenyUsers

When only certain users should be allowed or denied, use the AllowUsers or DenyUsers directive; the two have the same syntax (be careful not to use both at the same time). For example, if only the users jerry, tesengyia and admin are allowed to log in, and admin may only log in remotely from the host with IP address 61.23.24.25, add an AllowUsers line to this effect in the /etc/ssh/sshd_config configuration file.
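The directives from sections 1.2 and 1.3 can be audited mechanically. The following is an added example, not code from the original post; the two configuration texts are constructed for the demo, while the directive names (Port, ListenAddress, UseDNS, PermitRootLogin, PermitEmptyPasswords, LoginGraceTime, MaxAuthTries, AllowUsers) are real OpenSSH keywords.

```bash
# Added example (not from the original post): audit the sshd_config directives
# from sections 1.2 and 1.3. Both config texts are constructed for the demo;
# the directive names are real OpenSSH keywords.

# Constructed config with the defaults the post warns about.
WEAK_CFG='Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
MaxAuthTries 6
UseDNS yes'

# Constructed hardened config following the post's recommendations
# (Protocol 2 is ignored by current OpenSSH, which only speaks v2).
HARD_CFG='Port 2222
ListenAddress 192.168.1.10
Protocol 2
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
AllowUsers jerry tesengyia admin@61.23.24.25'

# directive_value CFG KEYWORD -> value of the first uncommented occurrence,
# which is the one sshd uses (keywords are case-insensitive).
directive_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
        END { print v }'
}

# audit_config CFG -> prints one FINDING per weak setting; return code is the count.
audit_config() {
    cfg=$1; n=0
    expect() {  # expect KEYWORD WANTED REASON
        v=$(directive_value "$cfg" "$1")
        [ "$v" = "$2" ] || { echo "FINDING: $1 is '${v:-unset}', want $2 ($3)"; n=$((n + 1)); }
    }
    expect PermitRootLogin no "log in as a normal user, then su"
    expect PermitEmptyPasswords no "empty passwords must be refused"
    expect UseDNS no "reverse DNS lookups slow down logins"
    p=$(directive_value "$cfg" Port); [ -n "$p" ] && [ "$p" != 22 ] || { echo "FINDING: Port is the default 22"; n=$((n + 1)); }
    [ -n "$(directive_value "$cfg" ListenAddress)" ] || { echo "FINDING: no ListenAddress"; n=$((n + 1)); }
    [ -n "$(directive_value "$cfg" AllowUsers)" ] || { echo "FINDING: no AllowUsers list"; n=$((n + 1)); }
    m=$(directive_value "$cfg" MaxAuthTries)
    [ -n "$m" ] && [ "$m" -le 3 ] || { echo "FINDING: MaxAuthTries is '${m:-unset}', want <= 3"; n=$((n + 1)); }
    return $n
}
```

To audit a live server, pass the file contents instead: audit_config "$(cat /etc/ssh/sshd_config)".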

1.4 Login verification method

Password verification: check whether the user name and password match
Key pair verification: check whether the client's private key matches the public key stored on the server

2. Use SSH client program

2.1 Command programs ssh, scp, sftp

ssh: remote login
scp: remote copy
(1) copy files remotely to the server
(2) copy files remotely from the server
(3) sftp: secure FTP
put: upload; get: download

2.2 Graphical tool Xshell

3. Build an SSH system for key pair verification

The steps are as follows:
(1) Create a key pair on the client
(2) Upload the public key file to the server
(3) Import the public key on the server
The second and third steps can be combined into a single command.
(4) Use the key pair on the client to verify
Once the key pair is verified successfully, you can log in without entering a password.
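The server-side part of step (3), which ssh-copy-id performs for you in the combined command, is shown below as an added example (not code from the original post). The public key is a constructed string, not a real key; the mode checks are what decides whether sshd accepts the file at all.

```bash
# Added example (not from the original post): the server-side part of step (3),
# i.e. what ssh-copy-id does for you, plus the mode checks that decide whether
# sshd (StrictModes yes, the default) will actually read the file.

# Constructed public key for the demo; the base64 blob is not a real key.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEY jerry@client'

# install_pubkey HOME_DIR PUBKEY -> appends PUBKEY to HOME_DIR/.ssh/authorized_keys
# exactly once and sets the modes sshd requires. Returns 2 on a malformed key.
install_pubkey() {
    home=$1; key=$2
    # Accept only "<type> <base64> [comment]" lines.
    printf '%s\n' "$key" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( |$)' || {
        echo "refusing malformed key line" >&2; return 2; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # Compare type+blob only, so a different comment does not create a duplicate.
    blob=$(printf '%s' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$home/.ssh/authorized_keys" | grep -Fxq "$blob"; then
        echo "key already present"; return 0
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    echo "key added"
}

# key_count HOME_DIR -> number of key lines in authorized_keys
key_count() { grep -c . "$1/.ssh/authorized_keys"; }

# check_modes HOME_DIR -> 0 when ~/.ssh is 0700 and authorized_keys is 0600.
# If either is group/world writable, sshd ignores the file and silently falls
# back to password authentication, the classic "it still asks for a password".
check_modes() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}
```

Running check_modes against the real home directory is the first thing to try when step (4) still prompts for a password.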

Part Two: TCP Wrappers access control

1. Overview of TCP Wrappers

How the protection mechanism is implemented

  • Method 1: other service programs are wrapped by the tcpd main program
  • Method 2: other service programs call the libwrap.so.* link library themselves

Access control policy configuration file

/etc/hosts.allow
/etc/hosts.deny

2. TCP Wrappers access strategy

The objects protected by the TCP Wrappers mechanism are network service programs, and access control is applied to the client address from which a service is accessed. The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set the allow and deny policies respectively.

2.1 Policy configuration format

Set access control policy:

  • Policy format: service program list : client address list
  • Service program list
    ◆ Multiple services are separated by commas; ALL means all services
  • Client address list
    ◆ Multiple addresses are separated by commas; ALL means all clients
    ◆ The wildcards ? and * are allowed
    ◆ Network address, such as 192.168.1. or 192.168.1.0/255.255.255.0
    ◆ Domain (region) address, such as .benet.com

2.2 Basic principles of access control

(1) Check hosts.allow first; if a match is found, allow access
(2) Otherwise check hosts.deny; if a match is found, deny access
(3) If neither file contains a matching policy, access is allowed by default

2.3 TCP Wrappers configuration example

Configure the two policy files on the host with the IP address 20.0.0.11.
After this, 20.0.0.13, which could reach the 20.0.0.11 server before, can no longer access it, while 20.0.0.12 still can.
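The decision order from 2.2 and the patterns from 2.1 can be re-implemented in a few lines and run against the 2.3 scenario. This is an added example, not code from the original post or from the tcp_wrappers project; the policy files are constructed in a temporary directory, and the vsftpd entries are an assumed extra service.

```bash
# Added example (not from the original post): a small re-implementation of the
# hosts.allow / hosts.deny decision order in 2.2, run against the policy from
# the 2.3 example. It handles the 2.1 patterns ALL, exact host, trailing-dot
# network prefix and leading-dot domain suffix, but not net/mask pairs or EXCEPT.

# Constructed policy files in a temp dir, mirroring 2.3: sshd is allowed only
# from 20.0.0.12 and denied from everyone else; vsftpd is an assumed extra service.
WRAP_DIR=$(mktemp -d)
printf 'sshd: 20.0.0.12\nvsftpd: 192.168.1., .benet.com\n' > "$WRAP_DIR/hosts.allow"
printf 'sshd: ALL\n' > "$WRAP_DIR/hosts.deny"

# pattern_matches PATTERN CLIENT -> 0 if CLIENT matches one address pattern
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.1.
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix, e.g. .benet.com
        *)   if [ "$2" = "$1" ]; then return 0; fi ;;  # exact host or address
    esac
    return 1
}

# file_matches FILE SERVICE CLIENT -> 0 if an uncommented line matches both
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        svcs=${line%%:*}; addrs=${line#*:}; hit=1
        for s in $(printf '%s' "$svcs" | tr ',' ' '); do
            if [ "$s" = ALL ] || [ "$s" = "$2" ]; then hit=0; fi
        done
        [ $hit -eq 0 ] || continue
        for a in $(printf '%s' "$addrs" | tr ',' ' '); do
            if pattern_matches "$a" "$3"; then return 0; fi
        done
    done < "$1"
    return 1
}

# wrappers_decision SERVICE CLIENT -> prints allow or deny, following 2.2:
# hosts.allow wins, then hosts.deny, and no match at all means allow.
wrappers_decision() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi
}
```

Note the default-allow in step (3): a service that is not named in hosts.deny stays reachable from everywhere, which is why "ALL: ALL" in hosts.deny plus explicit hosts.allow entries is the usual closed policy.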

Origin blog.csdn.net/ZG_66/article/details/107687620