Remote access and control of Linux


1. SSH remote management

1. SSH protocol

  • SSH is a secure channel protocol, mainly used for remote login and remote file copying over a character (command-line) interface

  • SSH encrypts all data exchanged between the two parties, including the password typed at login, so the protocol offers good security

  • SSH clients: PuTTY, Xshell, CRT

  • SSH server: OpenSSH

2. OpenSSH

  • OpenSSH is an open source project implementing the SSH protocol, available for a wide range of UNIX and Linux systems
  • CentOS 7 installs the openssh packages by default and enables the sshd service at boot
  • Run systemctl start sshd to start the service
  • The sshd service listens on TCP port 22 by default
  • The default configuration file of the sshd service is /etc/ssh/sshd_config


Both ssh_config and sshd_config are OpenSSH configuration files; the difference is that the former configures the client and the latter configures the server.

3. Configure the OpenSSH server

Common settings in the sshd_config configuration file

vim /etc/ssh/sshd_config

Port 22 #Listening port, 22 by default

ListenAddress 0.0.0.0 #Listen on all addresses; a specific IP address of the OpenSSH server can be given instead

LoginGraceTime 2m #Time allowed to complete login authentication, 2 minutes
PermitRootLogin no #Forbid the root user from logging in

MaxAuthTries 6 #Maximum number of authentication attempts per connection, 6

PermitEmptyPasswords no #Forbid users with empty passwords from logging in

UseDNS no #Disable reverse DNS lookups of clients to speed up the server's response

Allow only the users zhangsan, lisi and wangwu to log in, and allow wangwu to log in remotely only from the host with IP address 192.168.241.3

vim /etc/ssh/sshd_config

AllowUsers zhangsan lisi wangwu@192.168.241.3 #There is no template line for this; type it yourself. Separate multiple users with spaces


To forbid specific users from logging in, use DenyUsers in the same way as AllowUsers (do not use both directives at the same time)

vim /etc/ssh/sshd_config

DenyUsers zhangsan


4. Authentication methods supported by the sshd service

1. Password authentication

Verifies the login name and password of a local system user on the server. Simple, but exposed to brute-force attacks

2. Key pair authentication

The client must present key material that matches what the server holds. Usually the client generates a key pair (a public key and a private key) and places the public key file in the designated location on the server. At login, the server and client use the public and private keys to perform an encryption/decryption check that proves the client holds the private key. This strengthens security and also allows non-interactive logins.

3. The relationship between the public key and the private key

  • The public key and the private key are generated as a pair; the two keys are different, and data encrypted with one can be decrypted with the other
  • One key cannot be derived from the other
  • The public key is public, while the private key is known only to its holder

4. When both password authentication and key pair authentication are enabled, the server tries key pair authentication first; either method can be enabled or disabled to suit the situation

vim /etc/ssh/sshd_config

PasswordAuthentication yes #Enable password authentication

PubkeyAuthentication yes #Enable key pair authentication

AuthorizedKeysFile .ssh/authorized_keys #File holding the authorized public keys, relative to the user's home directory
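The following is an added example, not from the original post: a small POSIX shell audit of an sshd_config against the values recommended above. It demonstrates the caveat that sshd uses the first occurrence of a keyword, so a hardened setting appended below an existing one is ignored. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Audits an sshd_config against the settings recommended above (hypothetical helper,
# not part of OpenSSH). Caveat: sshd honours the FIRST occurrence of a keyword, so a
# hardened line appended at the end of the file is silently ignored when an earlier
# line already sets that keyword.

# effective_value FILE KEYWORD -> prints the value sshd will actually use (or nothing)
effective_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blank lines
        tolower($1) == "match" { exit }                    # stop at conditional Match blocks
        tolower($1) == tolower(kw) { print $2; exit }     # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one FAIL/WARN line per finding; exit status 1 if any
audit_sshd_config() {
    findings=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes MaxAuthTries=6 UseDNS=no; do
        kw=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$kw")
        if [ -z "$got" ]; then
            echo "WARN $kw not set, compiled-in default applies"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $kw=$got (expected $want)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample config (not from any real host): the final "PermitRootLogin no"
# never takes effect because the keyword is already set to "yes" above it.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
EOF

# Expected: FAIL for PermitRootLogin=yes, WARN for the three unset keywords
audit_sshd_config "$SAMPLE_CFG" || echo "after fixing, syntax-check with: sshd -t -f $SAMPLE_CFG"
```

Run `sshd -t -f FILE` on the edited file before restarting the service; a syntax error in sshd_config stops sshd from starting and can lock you out of a remote host.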

5. Using the SSH client programs

1. SSH remote login

ssh [options] user@host

When a user logs in to an SSH server for the first time, the host key sent by the server (ECDSA here) must be accepted by typing "yes" at the prompt before authentication proceeds; the received host key is saved in ~/.ssh/known_hosts. Once the password has been verified, the user lands in the command-line environment of the target server


-p: specify a non-default port number (port 22 is used when -p is omitted)

ssh -p 2345 [email protected]

2. scp remote copy

Download (remote to local)

scp [email protected]:/etc/passwd /root/passwd1.txt #Copy the remote host's /etc/passwd to the local machine as /root/passwd1.txt


Upload (local to remote)

scp -r /etc/ssh [email protected]:/opt #Copy the local /etc/ssh directory to /opt on the remote host


3. sftp: secure FTP

Because all traffic is encrypted and decrypted, transfer efficiency is lower than with plain FTP, but security is much higher. The sftp command syntax is almost identical to that of ftp

sftp [email protected]

Connecting to 192.168.241.3…

[email protected]'s password: #Enter the password

Connected to 192.168.241.3.

sftp> ls

sftp> get filename #Download a file to the local working directory

sftp> put filename #Upload a file to the remote working directory

sftp> quit #Exit


6. Configure key pair verification

1. Create a key pair on the client

Use the ssh-keygen tool to create a key pair for the current user. The available algorithms are RSA, ECDSA and DSA; the -t option of ssh-keygen selects the algorithm type

useradd admin

echo "123123" | passwd --stdin admin

su - admin

ssh-keygen -t ecdsa

Generating public/private ecdsa key pair.

Enter file in which to save the key (/root/.ssh/id_ecdsa): #Location of the private key; press Enter to accept the default

Created directory "/home/admin/.ssh". #By default the private and public key files are stored in the hidden .ssh/ directory under the user's home directory

Enter passphrase (empty for no passphrase): #Set a passphrase for the private key

Enter same passphrase again: #Confirm the passphrase

ls -l ~/.ssh/id_ecdsa


id_ecdsa is the private key file, created with permission 600 by default; id_ecdsa.pub is the public key file, which is what you give to the SSH server


2. Upload the public key file to the server

scp ~/.ssh/id_ecdsa.pub [email protected]:/opt

or

Import the public key text directly into the server's /home/zhangsan/.ssh directory with ssh-copy-id

cd ~/.ssh

ssh-copy-id -i id_ecdsa.pub [email protected]


3. Import the public key text on the server

mkdir /home/zhangsan/.ssh

cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys

cat /home/zhangsan/.ssh/authorized_keys
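An added example, not from the original post: a shell helper that performs the manual import above (create .ssh, append the public key to authorized_keys) while also setting the permissions that sshd's default StrictModes requires and skipping keys that are already present. The helper names, the throwaway home directory and the key line are constructed.

```shell
#!/bin/sh
# Installs a public key the way the manual import above does (mkdir + append to
# authorized_keys), plus two things that import leaves out: with the default
# StrictModes yes, sshd ignores authorized_keys when ~/.ssh or the file is
# group/world writable, and appending blindly duplicates keys. Hypothetical
# helper, not part of OpenSSH.

# install_pubkey PUBKEY_FILE HOME_DIR -> prints ADDED or PRESENT
install_pubkey() {
    pub=$1; keyfile="$2/.ssh/authorized_keys"
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh"
    touch "$keyfile" && chmod 600 "$keyfile"
    key=$(awk '{print $1, $2}' "$pub")          # key type + blob; the comment field may differ
    if grep -qF -- "$key" "$keyfile"; then
        echo PRESENT
    else
        cat "$pub" >> "$keyfile" && echo ADDED
    fi
}

# key_perms_ok HOME_DIR -> 0 if neither ~/.ssh nor authorized_keys is group/world writable
# (columns 6 and 9 of "ls -ld" output are the group and other write bits)
key_perms_ok() {
    for f in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        case "$(ls -ld "$f" | cut -c6,9)" in --) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample: a throwaway home directory and a made-up key line (not a real key)
TMP_HOME=$(mktemp -d)
PUB="$TMP_HOME/id_ecdsa.pub"
echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCONSTRUCTEDNOTAREALKEY admin@client' > "$PUB"
install_pubkey "$PUB" "$TMP_HOME"   # ADDED
install_pubkey "$PUB" "$TMP_HOME"   # PRESENT
key_perms_ok "$TMP_HOME" && echo "permissions acceptable for StrictModes"
```

When key login fails silently after a manual import, `key_perms_ok` style checks on ~/.ssh and authorized_keys (and the home directory itself) are the first thing to verify, together with the sshd log.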


4. Use key pair verification on the client

ssh [email protected]

Enter passphrase for key "/home/admin/.ssh/id_ecdsa": #Enter the passphrase of the private key


5. Set up the ssh agent on the client so that subsequent logins need no interactive passphrase entry

ssh-agent bash

ssh-add

Enter passphrase for /home/admin/.ssh/id_ecdsa: #Enter the passphrase of the private key

ssh [email protected]


2. TCP Wrappers access control

1. TCP Wrappers

TCP Wrappers "wraps" a TCP service program: it listens on the service's port on the service's behalf and adds a security check that every incoming connection request must pass before it reaches the service. On most Linux distributions TCP Wrappers is present by default.

rpm -q tcp_wrappers


2. Two ways TCP Wrappers provides its protection

  • The tcpd program protects other service programs directly; this requires the tcpd program to be running
  • Network service programs call the libwrap.so.* shared library themselves, with no tcpd process involved; this method is more widely used and more efficient

3. Use the ldd command to check whether a program is linked against libwrap.so.*

ldd $(which ssh)


4. Access policy of TCP Wrappers

TCP Wrappers protects network service programs; access control is applied to the client address requesting the service

The two policy files share one format

Format: <service program list>:<client address list>

(1) Service program list

ALL: represents all services

A single service program, such as "vsftpd"

Multiple service programs, such as "vsftpd, sshd"

(2) Client address list

ALL: matches any client address

LOCAL: matches the local address

Multiple addresses are separated by commas

The wildcards "*" and "?" are allowed: "*" matches any number of characters, "?" matches exactly one character

A network segment, such as "192.168.80." or 192.168.80.0/255.255.255.0

A domain, such as ".benet.com", matches all hosts in the benet.com domain

5. Basic rules of the TCP Wrappers mechanism

The /etc/hosts.allow file is checked first; if a matching policy is found, access is allowed

Otherwise the /etc/hosts.deny file is checked; if a matching policy is found, access is denied

If neither file contains a matching policy, access is allowed

"Allow all, deny a few"

Just add the corresponding deny policies to the /etc/hosts.deny file

"Allow a few, deny all"

In addition to adding the allow policy to /etc/hosts.allow, you also need to set "sshd:ALL" in the /etc/hosts.deny file

A small experiment

Allow access to the sshd service only from the host with IP address 192.168.241.3; all other addresses are rejected

vim /etc/hosts.allow

sshd:192.168.241.3


vim /etc/hosts.deny

sshd:ALL
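An added example, not from the original post: a shell simulation of the hosts.allow / hosts.deny decision order from section 5, run against constructed copies of the two files from this experiment plus a vsftpd rule using the network-prefix and domain patterns from section 4. The function names are assumptions; this is not libwrap's own matcher.

```shell
#!/bin/sh
# Simulates the hosts.allow / hosts.deny decision order (hypothetical helper, not
# libwrap). Handles ALL, exact values, a "192.168.80." prefix, a ".benet.com" suffix,
# "*" / "?" wildcards and comma lists; LOCAL and the address/netmask form are not handled.

# pattern_matches PATTERN VALUE -> 0 if VALUE matches one pattern
pattern_matches() {
    p=$1; v=$2; [ -n "$p" ] || return 1
    case "$p" in
        ALL) return 0 ;;
        *.)  case "$v" in "$p"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$v" in *"$p") return 0 ;; esac ;;   # domain suffix
        *)   case "$v" in $p) return 0 ;; esac ;;      # unquoted: * and ? act as wildcards
    esac
    return 1
}

# list_matches "a, b" VALUE -> 0 if any entry matches; subshell keeps IFS and set -f (no filename globbing of "*") local
list_matches() (
    IFS=', '; set -f
    for item in $1; do pattern_matches "$item" "$2" && exit 0; done
    exit 1
)

# file_matches FILE SERVICE CLIENT -> 0 if any "services : clients [: option]" line matches
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                                 # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        svc=${line%%:*}; cli=${line#*:}; cli=${cli%%:*}
        list_matches "$svc" "$2" && list_matches "$cli" "$3" && return 0
    done < "$1"
    return 1
}

# tcpw_decision SERVICE CLIENT ALLOWFILE DENYFILE -> prints ALLOW or DENY
tcpw_decision() {
    if file_matches "$3" "$1" "$2"; then echo ALLOW      # hosts.allow is checked first
    elif file_matches "$4" "$1" "$2"; then echo DENY     # then hosts.deny
    else echo ALLOW; fi                                  # no match in either file: allowed
}

# Constructed policy files mirroring the experiment above (not the real /etc files)
ALLOW_F=$(mktemp); DENY_F=$(mktemp)
printf 'sshd: 192.168.241.3\nvsftpd: 192.168.80., .benet.com\n' > "$ALLOW_F"
printf 'sshd: ALL\n' > "$DENY_F"
tcpw_decision sshd 192.168.241.3 "$ALLOW_F" "$DENY_F"   # ALLOW
tcpw_decision sshd 192.168.241.9 "$ALLOW_F" "$DENY_F"   # DENY
```

Note that a service with no rule in either file (vsftpd from 10.0.0.5 here) is allowed, which is why the "allow a few, deny all" pattern needs the explicit deny line.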


ssh r



Origin blog.csdn.net/weixin_51432789/article/details/110930201