Linux remote access and control

Remote access and control

SSH protocol

SSH (Secure Shell) is a secure channel protocol that gives clients an encrypted shell session on a remote host for management.
Default port: TCP 22

OpenSSH service

Service name: sshd
server main program: /usr/sbin/sshd
server configuration file: /etc/ssh/sshd_config

Key
Symmetric key: the same key is used for encryption and decryption (AES, DES, 3DES). Fast, but less secure, because the one key has to be shared with the other side.
Asymmetric key: encryption and decryption use different keys, a public key and a private key, and neither key can be derived from the other (RSA). Slow, but secure.

ssh_config: client configuration
sshd_config: server configuration
Access mode and port number
SSH: encrypted access, default port TCP 22, generally used across the WAN
Telnet: plain-text access, TCP 23, generally used only on the LAN
Service listening options
Port number, protocol version, listening IP address

Disable reverse DNS resolution of the client address at remote login

[root@localhost ~]# hostnamectl set-hostname test01
[root@localhost ~]# su
[root@test01 ~]# netstat -ntap | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      9748/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9135/sshd           
tcp        0      0 20.0.0.41:22            20.0.0.1:50684          ESTABLISHED 73425/sshd: root@pt 
tcp6       0      0 :::22                   :::*                    LISTEN      9135/sshd           
[root@test01 ~]# grep  "bash" /etc/passwd
root:x:0:0:root:/root:/bin/bash
hu:x:1000:1000:hu:/home/hu:/bin/bash
[root@test01 ~]# useradd zhangsan
[root@test01 ~]# passwd zhangsan
On the other host:
[root@localhost ~]# hostnamectl set-hostname test02
[root@localhost ~]# su
[root@test02 ~]# ssh [email protected]
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:W+MleaejDosjJJV1F2noJPAGWA/d2qESydwosqTqWWw.
ECDSA key fingerprint is MD5:68:5f:ee:e5:76:ca:96:01:5d:d8:b9:1f:4b:5a:58:91.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.41' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Last login: Mon Jul 13 11:26:09 2020
[root@test01 ~]# 
[root@test01 ~]# exit  // leave the current bash session
登出
Connection to 20.0.0.41 closed.

[root@test01 ~]# vim /etc/ssh/sshd_config
...
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

User login control
Prohibit login by root and by users with empty passwords
Limit the login authentication time and the number of retries
AllowUsers (whitelist: only the listed users may log in, everyone else is denied; for high-security environments)
DenyUsers (blacklist: only the listed users are denied, everyone else is allowed; for low-security environments)

Do not use AllowUsers and DenyUsers at the same time

[root@localhost ~]# vim /etc/ssh/sshd_config 
……
#LoginGraceTime 2m  // time allowed to complete authentication
#PermitRootLogin yes  // allow the administrator (root) to log in
#StrictModes yes
#MaxAuthTries 6  // maximum authentication attempts
#MaxSessions 10  // maximum sessions per connection
AllowUsers zhangsan [email protected]


Authentication method
Password authentication: check whether the user name and password match
Key pair authentication: check whether the client's private key matches the public key stored on the server
[root@localhost ~]# vim /etc/ssh/sshd_config
……
PasswordAuthentication yes  // whether password authentication is allowed
PermitEmptyPasswords no  // prohibit empty passwords
PubkeyAuthentication yes  // enable public-key authentication
AuthorizedKeysFile .ssh/authorized_keys  // location of the public key store
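The login-control and authentication directives above are only effective if the uncommented line actually says what you think it does; a commented-out `#PermitRootLogin yes` means the default (yes) still applies. The following audit helper is an added example, not part of the original post, that reads an sshd_config and reports the weak settings discussed in this section. It assumes sshd's first-match rule for repeated keywords, treats `no` and `prohibit-password` as safe values for PermitRootLogin, and ignores `Match` blocks; the config text it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd_config
# directives covered in the "User login control" and "Authentication
# method" sections. Assumes sshd's first-match rule for repeated
# keywords and ignores Match blocks.

# sshd_value FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD: the first uncommented
# "Keyword value" line wins; a missing or "#"-commented line means
# the built-in DEFAULT is in force.
sshd_value() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Print one finding per weak setting; return 0 when clean, 1 otherwise.
audit_sshd_config() {
    f=$1; rc=0
    case $(sshd_value "$f" PermitRootLogin yes) in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin: root may log in directly (set to no)"; rc=1 ;;
    esac
    [ "$(sshd_value "$f" PermitEmptyPasswords no)" != "no" ] &&
        { echo "PermitEmptyPasswords: empty passwords accepted (set to no)"; rc=1; }
    tries=$(sshd_value "$f" MaxAuthTries 6)
    [ "$tries" -gt 3 ] &&
        { echo "MaxAuthTries: $tries attempts per connection (lower it)"; rc=1; }
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" != "yes" ] &&
        { echo "PubkeyAuthentication: disabled, only passwords remain"; rc=1; }
    # The post says not to use AllowUsers and DenyUsers together.
    if grep -qi '^AllowUsers' "$f" && grep -qi '^DenyUsers' "$f"; then
        echo "AllowUsers and DenyUsers are both set; keep only one"; rc=1
    fi
    return $rc
}

# Demonstration on a constructed config that leaves the defaults
# commented out, as in the post's vim listing.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers zhangsan
EOF
if audit_sshd_config "$demo"; then
    echo "$demo: no findings"
else
    echo "$demo: findings listed above"
fi
rm -f "$demo"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; `sshd -T` prints the fully resolved configuration if you want to cross-check a value the helper reports.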

Build an ssh system for key pair verification

Overall process

Build an SSH system for key pair verification:
Create a key pair with the ssh-keygen command on the client. Available algorithms: RSA, ECDSA or DSA.
Upload the public key file to the server in any way (FTP, email, SCP, HTTP...).
Import the public key text on the server: append it to the target user's public key store.
Default public key store location: ~/.ssh/authorized_keys
[root@test01 ~]# vim /etc/ssh/sshd_config

[root@test01 ~]# systemctl restart sshd

[root@test02 ~]# useradd lisi
[root@test02 ~]# passwd lisi
[root@test02 ~]# su lisi
[lisi@test02 root]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/lisi/.ssh/id_ecdsa): 
Created directory '/home/lisi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/lisi/.ssh/id_ecdsa.
Your public key has been saved in /home/lisi/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:h1Nb+dtsaNr/+oDgDc9gbtKDX+63gas3cZ9yyxPdX30 lisi@test02
The key's randomart image is:
+---[ECDSA 256]---+
|                 |
|             .   |
|          . o    |
|         o o .   |
|        S B   . +|
|         O B.o.*E|
|        o * Bo*.X|
|         + +o*oBo|
|          o+=o*BB|
+----[SHA256]-----+
[lisi@test02 root]$ cd ~
[lisi@test02 ~]$ cd .ssh/
[lisi@test02 .ssh]$ ls -a
.  ..  id_ecdsa  id_ecdsa.pub
[lisi@test02 .ssh]$ ssh-copy-id -i id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:W+MleaejDosjJJV1F2noJPAGWA/d2qESydwosqTqWWw.
ECDSA key fingerprint is MD5:68:5f:ee:e5:76:ca:96:01:5d:d8:b9:1f:4b:5a:58:91.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

[root@test01 ~]# cd /home/zhangsan
[root@test01 zhangsan]# ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .cache  .config  .mozilla  .ssh
[root@test01 zhangsan]# cd .ssh/
[root@test01 .ssh]# ls -a
.  ..  authorized_keys
[root@test01 .ssh]# cat authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUz9pe7DeEX87424oxSLxGB7RCbr0KwA6mDMaq4oyuU0FfgeQ7J9+VusH1+UgPVAwvCtoLUT+W8xi12dvHtmdQ= lisi@test02
[root@test01 .ssh]# 
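Two things silently break the setup just shown: `StrictModes yes` (left at its default in the sshd_config listing above) makes sshd refuse the key if `~/.ssh` or `authorized_keys` is writable by the group or others, and a pasted key line whose base64 blob does not belong to the stated key type is simply ignored. The helper below is an added example, not part of the original post, that checks both on the server side. It assumes plain key lines without the optional leading options field, and it recognises the three key types listed in its table; the base64 prefixes in that table are the encoding of the length-prefixed type name that opens every OpenSSH key blob, as seen at the start of the `authorized_keys` line above.

```shell
#!/bin/sh
# Added example (not from the original post): validate a user's public
# key store the way sshd's StrictModes does, and check that each
# authorized_keys line's blob matches its declared key type.
# Assumes lines without the optional leading options field.

# Every OpenSSH key blob starts with a 4-byte length and the key-type
# name, so its base64 text starts with a fixed prefix. Only the part of
# the base64 fully determined by that header is listed here.
blob_prefix() {
    case $1 in
        ssh-rsa)             echo AAAAB3NzaC1yc2 ;;
        ssh-ed25519)         echo AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) echo AAAAE2VjZHNhLXNoYTItbmlzdHAyNT ;;
        *)                   return 1 ;;
    esac
}

# group_or_other_writable PATH -> 0 if the group or others may write it
# (columns 6 and 9 of "ls -l" are the group and other write bits).
group_or_other_writable() {
    [ "$(ls -ld "$1" | cut -c6,9)" != "--" ]
}

# check_key_store DIR
# Print one line per problem found in DIR/authorized_keys and the
# directory itself; return 0 when the store is clean.
check_key_store() {
    dir=$1; keys=$dir/authorized_keys; rc=0
    group_or_other_writable "$dir" &&
        { echo "$dir: group/other writable; StrictModes will reject keys"; rc=1; }
    [ -f "$keys" ] || { echo "$keys: missing"; return 1; }
    group_or_other_writable "$keys" &&
        { echo "$keys: group/other writable; StrictModes will reject keys"; rc=1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        ktype=$1; blob=$2
        prefix=$(blob_prefix "$ktype") ||
            { echo "line $n: unsupported key type '$ktype'"; rc=1; continue; }
        case $blob in
            "$prefix"*) ;;
            *) echo "line $n: blob does not belong to a $ktype key"; rc=1 ;;
        esac
    done < "$keys"
    return $rc
}

# Demonstration on a constructed store holding a truncated copy of the
# lisi@test02 key line from the post, first with correct and then with
# loose permissions.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
printf '%s\n' 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUz lisi@test02' \
    > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_key_store "$demo/.ssh" && echo "clean store accepted"
chmod 770 "$demo/.ssh"
check_key_store "$demo/.ssh" || echo "loose directory mode rejected"
rm -rf "$demo"
```

On a real server, run `check_key_store /home/zhangsan/.ssh` as root; when it reports nothing but the key is still refused, `sshd -T | grep -i authorizedkeysfile` shows whether the store is being read from the expected path.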

[lisi@test02 .ssh]$ ssh [email protected]
Enter passphrase for key '/home/lisi/.ssh/id_ecdsa': 
Last login: Mon Jul 13 11:48:11 2020
[zhangsan@test01 ~]$ 

Set up password-free login

[lisi@test02 .ssh]$ ssh-agent bash  // start a shell under the key agent
[lisi@test02 .ssh]$ ssh-add  // load the private key so its passphrase is cached
Enter passphrase for /home/lisi/.ssh/id_ecdsa: 
Identity added: /home/lisi/.ssh/id_ecdsa (/home/lisi/.ssh/id_ecdsa)

[lisi@test02 .ssh]$ ssh [email protected]
Last login: Mon Jul 13 12:10:36 2020 from 20.0.0.51
[zhangsan@test01 ~]$ 

Use the SSH client programs
ssh command: remote secure login
scp command: remote secure copy
sftp command: secure FTP file transfer

Overview of TCP Wrappers

Protection principle
How the protection is implemented
Method 1: other service programs are wrapped by the tcpd program
Method 2: other service programs call the libwrap.so.* link library themselves
Access control policy configuration files
/etc/hosts.allow
/etc/hosts.deny

Set access control policy
Policy format
Service list: client address list
Service list
Multiple services are separated by commas; ALL means all services
Client address list
Multiple addresses are separated by commas; ALL means all clients
Wildcards * and ?
Network segment address, such as 192.168.1 or 192.168.1.0/255.255.255.0
Domain suffix, such as .benet.com

The order of policy application
hosts.allow is checked first: if a matching line is found, access is allowed.
Otherwise hosts.deny is checked: if a matching line is found, access is denied.
If neither file contains a matching policy, access is allowed by default.
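The allow-then-deny order above means the policy is only as strict as hosts.deny, and a client that matches nothing in either file gets in. The following added example, not part of the original post, replays that decision for a given service and client against constructed hosts.allow and hosts.deny files, using the address forms from the policy format section: ALL, exact match, a trailing-dot network prefix (192.168.1.), a leading-dot domain suffix (.benet.com), a net/mask pair, and the * and ? wildcards. The EXCEPT operator of the real hosts_access syntax is assumed out of scope.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the TCP Wrappers
# decision "hosts.allow first, then hosts.deny, default allow" on
# constructed policy files. EXCEPT lists are not handled.

# match_client PATTERN CLIENT -> 0 if CLIENT matches one address pattern
match_client() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        */*)  # net/mask form, compared octet by octet; client must be an IP
            case $client in *[!0-9.]*) return 1 ;; esac
            net=${pat%/*}; mask=${pat#*/}
            set -- $(echo "$client $net $mask" | tr . ' ')
            [ $(($1 & $9)) -eq $(($5 & $9)) ] &&
            [ $(($2 & ${10})) -eq $(($6 & ${10})) ] &&
            [ $(($3 & ${11})) -eq $(($7 & ${11})) ] &&
            [ $(($4 & ${12})) -eq $(($8 & ${12})) ] ;;
        .*)  case $client in *"$pat") return 0 ;; esac; return 1 ;;   # domain suffix
        *.)  case $client in "$pat"*) return 0 ;; esac; return 1 ;;   # network prefix
        *[?*]*) case $client in $pat) return 0 ;; esac; return 1 ;;  # wildcards
        *)   [ "$pat" = "$client" ] ;;
    esac
}

# in_list ITEM "a, b, c" KIND -> 0 if ITEM is covered by the comma list;
# KIND is "service" (exact or ALL) or "client" (address patterns).
in_list() {
    item=$1; kind=$3; oldifs=$IFS
    IFS=', '; set -- $2; IFS=$oldifs
    for entry; do
        if [ "$kind" = service ]; then
            [ "$entry" = ALL ] || [ "$entry" = "$item" ] && return 0
        else
            match_client "$entry" "$item" && return 0
        fi
    done
    return 1
}

# rule_matches SERVICE CLIENT FILE -> 0 if some "daemons: clients" line matches
rule_matches() {
    svc=$1; cli=$2; f=$3
    [ -f "$f" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        in_list "$svc" "$daemons" service || continue
        in_list "$cli" "$clients" client && return 0
    done < "$f"
    return 1
}

# hosts_access SERVICE CLIENT ALLOWFILE DENYFILE
# Print the verdict and its source; return 0 for allow, 1 for deny.
hosts_access() {
    if rule_matches "$1" "$2" "$3"; then echo "allow ($3)"; return 0; fi
    if rule_matches "$1" "$2" "$4"; then echo "deny ($4)"; return 1; fi
    echo "allow (no matching policy)"; return 0
}

# Demonstration with constructed policy files.
demo=$(mktemp -d)
printf '%s\n' 'sshd: 192.168.1., .benet.com' > "$demo/hosts.allow"
printf '%s\n' 'sshd: 20.0.0.0/255.255.255.0' 'vsftpd: ALL' > "$demo/hosts.deny"
for who in sshd/192.168.1.5 sshd/web1.benet.com sshd/20.0.0.41 sshd/20.0.1.41 vsftpd/192.168.1.5; do
    printf '%-22s -> ' "$who"
    hosts_access "${who%/*}" "${who#*/}" "$demo/hosts.allow" "$demo/hosts.deny" || true
done
rm -rf "$demo"
```

Because the final fallback is allow, a deny-by-default setup needs an explicit `ALL: ALL` line in hosts.deny; the whitelist then lives entirely in hosts.allow, mirroring the AllowUsers advice earlier on the page.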

Origin blog.csdn.net/weixin_46355881/article/details/107352853