Linux remote access and control (SSH remote management and TCP Wrappers access control): configuring the OpenSSH server; the SSH client programs ssh (remote login), scp (remote copy) and sftp (secure FTP); building key pair authentication


Preface

  • Most enterprise servers are managed by remote login
  • When hundreds of server hosts have to be managed from a single workstation, remote maintenance is clearly the better option
  • Below we will learn how to use a secure remote management approach for the Linux environment, and provide access control for applications through the TCP Wrappers mechanism

1. SSH remote management

  • SSH (Secure Shell) is a secure channel protocol, mainly used to implement command-line remote login and remote copy
  • The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user types when logging in, and so provides better security
    • SSH client: Xshell
    • SSH server: OpenSSH
  • OpenSSH is an open source software project that implements the SSH protocol and is suitable for various UNIX and Linux operating systems

1. Configure the OpenSSH server

1.1 SSH service and configuration file

  • First check whether OpenSSH has already been installed by default
  • Execute the "systemctl start sshd" command to start the sshd service with the default configuration (restart and stop work the same way)

  • The configuration file of the sshd service is /etc/ssh/sshd_config by default
  • For further sshd_config settings, refer to the man page
  • Both ssh_config and sshd_config are OpenSSH configuration files; the difference is that the former is the configuration file for the client and the latter is the configuration file for the server

1.2 Service monitoring options

  • The default port used by the sshd service is TCP port 22. If necessary, it is recommended to change this port and to specify the exact IP address the service listens on, so that the service is less conspicuous on the network
  • Disabling DNS reverse resolution can improve server response speed
[root@localhost ~]# vim /etc/ssh/sshd_config
... (omitted)
#Port 22        ## listening port is 22
#ListenAddress 0.0.0.0        ## listen on any address; a specific IP of the OpenSSH server can also be given
... (omitted)
#UseDNS no        ## disable DNS reverse resolution to improve server response speed

1.3 User login control

  • The sshd service allows root users to log in by default, but this is very insecure when used on the Internet
  • The common practice is to log in remotely as an ordinary user, and after entering the secure shell environment, use the su command to switch to the root user according to actual needs
  • Regarding the user login control of the sshd service, the root user or the user with an empty password should usually be prohibited from logging in
  • In addition, you can also limit the login verification time (the default is 2 minutes) and the maximum number of retries. If you fail to log in after exceeding the limit, the connection will be disconnected
  • You need to delete the leading "#" comment character and then change the value. After the modification is complete, restart the service with "systemctl restart sshd" for it to take effect
  • The following shows the actual configuration
[root@localhost ~]# vim /etc/ssh/sshd_config 
... (omitted)
LoginGraceTime 2m        ## login verification time is 2 minutes
PermitRootLogin no        ## prohibit root user login
MaxAuthTries 6        ## maximum number of retries is 6
... (omitted)
PermitEmptyPasswords no        ## prohibit users with empty passwords from logging in
... (omitted)
  • After the above configuration is set, now test the results
    • First create three users "chengfei, sicong, gcc" and set the passwords to "123123"
    • Create a new session in Xshell with the IP address of the host just now for testing
    • Then log in with the user names and passwords just created to test; all of them can log in
    • First test the first restriction, prohibiting users with an empty password from logging in: switch back to the host, clear the password of "chengfei" and try again; click Disconnect in Xshell, then reconnect and see whether the "chengfei" user can still log in
    • Test again by entering the password wrongly 6 times in a row. Here you can see that the connection is disconnected directly.
    • Of course, we have also configured root login to be prohibited; you can try it here, and it is bound to fail. The earlier setting prohibits empty-password login, so the chengfei user cannot log in; we can log in as either of the other two users, run "su root" and enter the password to switch to the root user
    • One more point: you will find that the root user cannot log in via Xshell, but can still log in on the VM virtual machine console, because what we modified earlier is only the sshd server configuration. If you want root to log in over SSH again, change the relevant setting in sshd_config
  • When you want to allow or prohibit only certain users from logging in, use the AllowUsers or DenyUsers directive; the two have the same syntax (be careful not to use them at the same time!)
    • Let's ban the "sicong" user from logging in
    • vim /etc/ssh/sshd_config
    • Press i, add the line "DenyUsers sicong", then save and exit with :wq; remember to restart with "systemctl restart sshd" for it to take effect
    • Try it yourself; no more screenshots
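As an added example (not from the original post), the shell functions below apply the sshd_config directives from sections 1.2 and 1.3 to a copy of the file: an active or commented-out directive is rewritten in place instead of a duplicate being appended, so the script can be re-run safely. The sample configuration is constructed inline; on a real server, validate the result with "sshd -t" before running "systemctl restart sshd".

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config
# directives from sections 1.2 and 1.3 idempotently to a config file.

# set_sshd_option FILE KEY VALUE
#   an active "KEY ..." line is rewritten; a commented "#KEY ..." line is
#   uncommented and rewritten; otherwise "KEY VALUE" is appended.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the first active value of KEY ("" if unset)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the settings the post recommends
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" MaxAuthTries 6
    set_sshd_option "$1" LoginGraceTime 2m
    set_sshd_option "$1" UseDNS no
}

# Constructed sample standing in for /etc/ssh/sshd_config
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
MaxAuthTries 4
#UseDNS yes
EOF
harden_sshd "$SAMPLE_CFG"
harden_sshd "$SAMPLE_CFG"   # second run changes nothing
```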

1.4 Login verification method

  • For remote management of the server, in addition to the security control of the user account, the method of login verification is also very important
  • The sshd service supports two authentication methods: password authentication and key pair authentication. You can enable either one or both

1.4.1 Password verification

  • Authenticates with the login name and password of a local system user on the server
  • This method is the easiest to use, but from the client's point of view the host it connects to may be spoofed, and from the server's point of view the defence against password brute-force attacks is relatively weak

1.4.2 Key Pair Verification

  • Matching key information is required to pass authentication
  • Usually a pair of key files (public key, private key) is created on the client, and the public key file is then placed in the specified location on the server
  • When logging in remotely, the system uses the public and private keys to perform the associated encryption/decryption check, which greatly increases the security of remote management
  • It also allows non-interactive login

1.4.3 The relationship between public key and private key

  • The public key and private key are generated as a pair. The two keys differ from each other, and what one encrypts the other can decrypt
  • One key cannot be derived from the other
  • The public key is public, and the private key is only known to the holder of the private key
  • The public key and the private key must be paired. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt it; vice versa
  • When both password verification and key pair verification are enabled, the server will give priority to using key pair verification
  • For servers with high security requirements, it is recommended to disable password verification and only allow key pair verification methods; if there are no special requirements, both methods can be enabled; the verification method can be set according to the actual situation
[root@localhost ~]# vim /etc/ssh/sshd_config 
PasswordAuthentication yes        ## enable password authentication
PubkeyAuthentication yes        ## enable key pair authentication
AuthorizedKeysFile      .ssh/authorized_keys        ## specify the public key library file; .ssh is a hidden directory under the user's home directory, use ls -a to see it
  • The public key library file stores the public key text uploaded by each client, which is matched against the client's local private key file

2. Use SSH client program

  • Any client program that supports the SSH protocol can communicate with the OpenSSH server, for example graphical tools such as Xshell on the Windows platform

2.1 SSH remote login

  • The ssh command can be used to remotely log in to the sshd service to provide users with a secure shell environment to manage and maintain the server
  • When using, specify the login user and target host address as parameters
  • Then start another host; in what follows, host 7-1 is 192.168.126.11 and host 7-2 is 192.168.126.12. After logging in, enter exit to log out of the current user
    • When a user logs in to the SSH server for the first time, the ECDSA host key sent by the server must be accepted (enter "yes" at the prompt) before authentication continues
    • The received key information is saved to the ~/.ssh/known_hosts file
    • After password authentication succeeds, you are in the command-line environment of the target server
    • If the sshd server uses a non-default port number (such as 2345), the port must be given with the "-p" option when logging in (port 22 is used by default)
  • Note that if you try to log in as the root user of 7-1, you will find that you cannot; you already know the reason

2.2 scp remote replication

  • With the scp command, you can copy files to and from a remote host over the SSH secure connection
  • When using the scp command, in addition to specifying the copy source and destination, you must also give the destination host address and the login user. After executing it you are prompted for the password.
  • For example, the following operations demonstrate the download and upload copy process respectively (when the item uploaded or downloaded is a directory, add -r for recursion)
  • After finishing the operation here, if you try to disconnect and reconnect in Xshell you will find that it cannot connect. Here I log in as the gcc user, switch with su root, comment out the line that bans the root user, restart sshd, and then log in as root. Be careful!

2.3 sftp secure FTP

  • With the sftp command, you can upload and download files to and from a remote host over the SSH secure connection. The login process and interactive environment resemble FTP, which makes directory resource management convenient
  • Because encryption/decryption is used, transfer efficiency is lower than plain FTP, but security is higher
sftp [email protected]
sftp> ls
sftp> get filename		# download the file to the ftp directory
sftp> put filename		# upload the file to the ftp directory
sftp> quit		    # exit
  • Download
  • Upload

3. Build an SSH system for key pair verification

  • As learned above, the key pair authentication method provides better security for remote login. Below I demonstrate the basic process of building a key pair authenticated SSH system with a Linux server and client.

3.1 Create a key pair on the client

  • On the Linux client, create a key pair for the current user with the ssh-keygen tool
  • The available algorithms are RSA, ECDSA, DSA, etc. (the "-t" option of the "ssh-keygen" command specifies the algorithm type)
  • First create the user "congyu" on the server and set a password
  • Then create a new user "xuanxuan" on the client, set a password, and configure the key pair used for "congyu"
  • Confirm the newly generated key files

3.2 Upload the public key file to the server


3.3 Use key pair authentication on the client

  • View the public key file; it contains the key string generated by the algorithm

3.4 Use key pair authentication on the client

  • Once the private key file (client) and the public key file (server) are in place, you can test from the client
  • Now when the client user xuanxuan logs in to the server as congyu, only the key pair passphrase needs to be entered
  • Set up the ssh agent on the client to achieve non-interactive login

II. TCP Wrappers access control

  • In Linux systems, many network services provide some access control mechanism for clients, such as BIND and OpenSSH
  • TCP Wrappers sits as a special line of defence between application services and the network, providing additional security

1. Overview of TCP wrappers

  • TCP Wrappers "wraps" other TCP service programs and adds a security monitoring layer. External connection requests must first pass this security check, and only after being permitted can they reach the real service program
  • TCP Wrappers can also log every attempt to access the protected services, providing administrators with rich data for security analysis
  • The access control of TCP Wrappers applies to TCP-based applications
  • TCP Wrappers can only control services based on the TCP protocol, and not every TCP-based service accepts its control
  • For most Linux distributions it is a feature provided by default

2. Two implementations of TCP Wrappers protection mechanism

  • Use the tcpd program directly to protect other service programs; this requires running tcpd
  • The libwrap.so.* link library is called by other network service programs without running the tcpd program; this method is more widely used and more efficient
## check whether the program links the libwrap.so.* library
[congyu@localhost ~]$ ldd $(which ssh)
... (omitted)

3. TCP Wrappers' access strategy

  • The objects protected by the TCP Wrappers mechanism are the various network service programs, and access control is applied to the client address accessing the service
  • The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, used to set allow and deny policies respectively

3.1 Policy configuration format

  • The two policy files have opposite functions, but the format of a configuration record is the same, as shown below
<service program list>:<client address list>
  • Service program list
    • ALL: represents all services
    • A single service program, such as "vsftpd"
    • A list of multiple service programs, such as "vsftpd, sshd"
  • Client address list
    • ALL: represents any client address
    • LOCAL: represents the local address
    • A network segment address, such as 192.168.80. or 192.168.80.0/255.255.255.0
    • The wildcards "*" and "?" are allowed; the former matches characters of any length, the latter matches exactly one character
    • Multiple addresses are separated by commas

4. Basic principles of access control

  • First check the /etc/hosts.allow file; if a matching policy is found, access is allowed
  • Otherwise, continue to check the /etc/hosts.deny file; if a matching policy is found, access is denied
  • If no matching policy is found in either file, access is allowed

5. TCP Wrappers configuration example

  • In actual use of the TCP Wrappers mechanism, the looser policy is "allow all, deny individual": only the corresponding deny rules need to be added to the hosts.deny file
  • The stricter policy is "allow individual, deny all": in addition to adding allow rules in hosts.allow, a deny rule of "ALL:ALL" must also be set in the hosts.deny file
  • For example, to allow access to the sshd service only from the host with IP address 12.0.0.1 or from hosts on the 192.168.126.0/24 network segment, and reject all other addresses
vim /etc/hosts.allow
sshd:12.0.0.1,192.168.126.*

vim /etc/hosts.deny
sshd:ALL
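As an added example (not from the original post), the shell script below models the decision order from section 4 over constructed hosts.allow and hosts.deny files that mirror the sshd example above, handling the ALL, network-prefix and wildcard client forms from section 3.1 (the LOCAL, netmask and hostname forms are left out). It is a model for understanding the rules, not the libwrap implementation itself.

```shell
#!/bin/sh
# Added example (not from the original post): a model of the TCP Wrappers
# decision order from section 4, run over constructed hosts.allow /
# hosts.deny files. Client forms handled (section 3.1): ALL, a network
# prefix such as "192.168.80.", and the "*" / "?" wildcards. LOCAL,
# netmask and hostname forms are left out of this model.
set -f   # no pathname expansion: "192.168.126.*" must stay a pattern

# addr_matches PATTERN CLIENT: succeed if the client address matches
addr_matches() {
    pat=$1 client=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;  # network prefix
        *)   case "$client" in $pat) return 0 ;; esac ;;     # exact or glob
    esac
    return 1
}

# rule_matches SERVICE CLIENT FILE: succeed if any "svcs:addrs" line matches
rule_matches() {
    svc=$1 cl=$2 f=$3
    [ -r "$f" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        svcs=${line%%:*} addrs=${line#*:}
        for s in $(printf '%s' "$svcs" | tr ',' ' '); do
            [ "$s" = ALL ] || [ "$s" = "$svc" ] || continue
            for a in $(printf '%s' "$addrs" | tr ',' ' '); do
                addr_matches "$a" "$cl" && return 0
            done
        done
    done < "$f"
    return 1
}

# tcpw_decide SERVICE CLIENT ALLOWFILE DENYFILE: print allow or deny
# (hosts.allow is checked first, then hosts.deny; the default is allow)
tcpw_decide() {
    if rule_matches "$1" "$2" "$3"; then echo allow
    elif rule_matches "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed policy files mirroring the sshd example in section 5
ALLOW_FILE=$(mktemp) DENY_FILE=$(mktemp)
printf 'sshd:12.0.0.1,192.168.126.*\n' > "$ALLOW_FILE"
printf 'sshd:ALL\n' > "$DENY_FILE"
```

Note that a service not named in either file (vsftpd here) is allowed by the default rule, which is why the stricter policy needs "ALL:ALL" in hosts.deny.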

Origin blog.csdn.net/weixin_51486343/article/details/110979211