Linux SSH remote management and client use (with lab walkthrough)

One, SSH remote management

SSH (Secure Shell) protocol
is a secure channel protocol that encrypts all traffic between client and server and is used for remote management, remote login and remote file copy over untrusted networks.

(1) SSH working principle

SSH clients, for example: PuTTY, Xshell, SecureCRT, the OpenSSH ssh command

SSH servers, for example: OpenSSH (sshd)


  • The client and the server communicate over the network

  • Data in transit is encrypted, and the server proves its identity with its host key

  • Data in transit can optionally be compressed (the -C option; off by default)

Two, OpenSSH

OpenSSH is an open-source implementation of the SSH protocol that runs on the various UNIX and Linux operating systems.
The sshd service listens on TCP port 22 by default.

Service name: sshd

Server main program: /usr/sbin/sshd

Server configuration file: /etc/ssh/sshd_config

(1) Common options of sshd configuration file


(2) Authentication method supported by sshd service

[1] Password authentication

The login name and password of a local system user on the server are checked. Simple, but exposed to password guessing and brute force, so on Internet-facing hosts it should normally be disabled in favour of key pairs.

[2] Key pair authentication

The client must hold the private key that matches a public key stored on the server. Usually the key pair (public key and private key) is generated on the client first, and the public key is then placed in the designated file on the server (~/.ssh/authorized_keys of the target user). At login the server sends a challenge, the client signs it with its private key, and the server verifies the signature with the stored public key; the private key never leaves the client. This is far harder to brute-force than a password and, combined with ssh-agent, allows non-interactive logins.

[3] Both methods enabled at the same time

When both methods are enabled, the client tries key pair authentication first and falls back to the password only if the server rejects the key. Because of that fallback, password guessing is still possible until PasswordAuthentication is explicitly set to no.

[4] Common authentication options in the configuration file

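The option tables for sections (1) and [4] above were images in the original post. As an added example (not code from the original post), the script below shows the authentication options that matter in a weak and in a hardened form, and audits a file for them. It relies on one fact that trips up many administrators: sshd keeps the first value it reads for each keyword, so a hardening line appended at the end of a file that already sets the keyword does nothing. The two config files are constructed for the example; only bash and awk are assumed, and Match blocks are not evaluated.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit the authentication
# options of an sshd_config. sshd keeps the FIRST value it reads for each
# keyword (keyword names are case-insensitive), so a hardening line appended
# at the end of the file is silently ignored when an earlier line already set
# the option. Assumed environment: bash + awk (GNU or mawk); Match blocks are
# not evaluated by this simple check. Defaults below are OpenSSH's own.

# Print the effective value of KEYWORD in FILE, or DEFAULT if never set.
sshd_effective() {   # file keyword default
  local val
  val=$(awk -v k="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    tolower($1) == "match" { exit }                 # global section ends here
    tolower($1) == tolower(k) { print $2; exit }    # first occurrence wins
  ' "$1")
  echo "${val:-$3}"
}

# Return 0 when only key-pair logins are possible and root cannot log in
# with a password; print one FAIL line per weak setting otherwise.
sshd_audit() {   # file
  local f rc v
  f=$1; rc=0
  v=$(sshd_effective "$f" PubkeyAuthentication yes)
  [ "$v" = yes ]  || { echo "FAIL PubkeyAuthentication=$v"; rc=1; }
  v=$(sshd_effective "$f" PasswordAuthentication yes)
  [ "$v" = no ]   || { echo "FAIL PasswordAuthentication=$v (brute-forceable)"; rc=1; }
  v=$(sshd_effective "$f" PermitRootLogin prohibit-password)
  [ "$v" != yes ] || { echo "FAIL PermitRootLogin=$v"; rc=1; }
  v=$(sshd_effective "$f" PermitEmptyPasswords no)
  [ "$v" = no ]   || { echo "FAIL PermitEmptyPasswords=$v"; rc=1; }
  return $rc
}

# Constructed sample 1: the weak file. Someone "hardened" it by appending lines
# at the bottom without removing the earlier ones, so nothing changed.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# sshd_config (constructed for this example)
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later - ignored by sshd because the keywords were already set above
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

# Constructed sample 2: the corrected file, one line per keyword.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
EOF

echo "== weak ==";     sshd_audit "$WEAK_CFG" || echo "weak config: password logins still possible"
echo "== hardened =="; sshd_audit "$HARD_CFG" && echo "hardened config: OK"
```

On a real host the authoritative check is `sshd -T`, which prints the configuration sshd actually uses after parsing everything, including Match blocks; run it after every edit and before restarting the service.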

Three, SSH client use

[1] SSH remote login

ssh [options] user@host
-p: specify a non-default port number; when omitted, port 22 is used


[2] scp remote copy

scp target_user@target_IP:remote_file_path local_destination
// copy a file from the target host to the local machine
scp -r local_directory target_user@target_IP:target_directory
// copy a local directory (recursively) to the target host


[3] sftp: secure FTP over SSH

sftp target_user@target_IP        // connect to the target host
sftp> ls                          // list files in the current remote directory
sftp> get filename                // download a file
sftp> put filename                // upload a file
sftp> quit                        // exit


[4] Configure key pair authentication

useradd admin                           // create the user
echo "123123" | passwd --stdin admin    // set its password (lab value only; --stdin is a Red Hat extension)
su - admin                              // switch to that user

ssh-keygen -t ecdsa                     // generate the key pair (-t ed25519 is an equally good choice); set a passphrase when prompted

cd ~/.ssh/                              // enter the .ssh directory under the home directory
ssh-copy-id -i id_ecdsa.pub target_user@target_IP
// appends the public key to /home/target_user/.ssh/authorized_keys on the server

ssh-agent bash                          // the next two commands set up non-interactive login
ssh-add                                 // load the private key into the agent; the passphrase is asked once
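The procedure above depends on the server side being set up correctly, and the most common reason key login "does not work" is not the key but file permissions: with StrictModes (on by default) sshd ignores authorized_keys if the home directory, ~/.ssh or the file itself is group- or world-writable, and the client silently falls back to the password prompt. The script below is an added example (not code from the original post) that performs the server-side half of what ssh-copy-id does and checks those permissions. It assumes GNU coreutils (stat -c %a), works in a temporary directory standing in for the target user's home, and uses a constructed key line that is not a real key.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the server-side half of
# ssh-copy-id plus the permission check that sshd's StrictModes performs.
# Assumed environment: GNU coreutils (stat -c %a). HOME_DIR stands in for the
# target user's home directory; DEMO_KEY is constructed, not a real key.

# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys with the modes sshd
# expects (700 on the directory, 600 on the file); never add a duplicate.
install_pubkey() {   # home_dir pubkey_line
  local dir
  dir=$1/.ssh
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
  grep -qxF -- "$2" "$dir/authorized_keys" ||
    printf '%s\n' "$2" >>"$dir/authorized_keys"
}

# Return 0 if HOME_DIR, HOME_DIR/.ssh and authorized_keys all lack group/other
# write bits (what StrictModes requires); print one line per path.
check_ssh_perms() {   # home_dir
  local p mode rc
  rc=0
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$p" ] || continue
    mode=$(stat -c %a "$p")
    # group write bit set (second-to-last octal digit 2,3,6,7) or other
    # write bit set (last digit 2,3,6,7)?
    case $mode in
      *[2367]?|*[2367]) echo "BAD  $p mode $mode (group/other writable)"; rc=1 ;;
      *)                echo "OK   $p mode $mode" ;;
    esac
  done
  return $rc
}

# Number of times PUBKEY_LINE appears in authorized_keys (shows idempotence).
count_key() {   # home_dir pubkey_line
  grep -cxF -- "$2" "$1/.ssh/authorized_keys"
}

DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealOne0000 admin@lab'
DEMO_HOME=$(mktemp -d)
chmod 755 "$DEMO_HOME"                    # the home directory itself is checked too

install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"   # second run: still a single entry
check_ssh_perms "$DEMO_HOME" && echo "sshd would accept this key"

chmod 770 "$DEMO_HOME/.ssh"               # simulate the classic mistake
check_ssh_perms "$DEMO_HOME" || echo "sshd would ignore the key; fix with: chmod 700 ~/.ssh"
```

When a key is rejected for this reason the server log (/var/log/secure or journalctl -u sshd) contains "Authentication refused: bad ownership or modes", which is the first thing to look for before suspecting the key itself.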


Four, TCP Wrappers

(Optional section: if you are not familiar with this service, work through it on your own if you are interested.)

TCP Wrappers
"wraps" a TCP service program: it listens on the service's port on its behalf and adds an access-check step. An external connection request must first pass this check, and only when it is permitted is it handed to the real service program.

On most older Linux distributions TCP Wrappers is installed by default (check with rpm -q tcp_wrappers). Note that OpenSSH upstream dropped libwrap support in release 6.7 and RHEL 8 and later no longer ship tcp_wrappers at all, so confirm that your sshd is actually linked against libwrap before relying on hosts.allow/hosts.deny to protect it.

(1) Two implementation methods of TCP Wrapper protection mechanism

1. Run the tcpd program directly (via inetd/xinetd) in front of other service programs; the tcpd process has to be running.
2. The network service program itself calls the libwrap.so.* shared library, with no tcpd process involved. This method is more widely used and more efficient.

Use ldd to check whether a service program is linked against libwrap.so.* (check the server, sshd, not the ssh client):
ldd /usr/sbin/sshd /usr/sbin/vsftpd | grep libwrap

(2) The access strategy of TCP Wrappers

The objects protected by the TCP Wrappers mechanism are network service programs; access is controlled by the address of the client connecting to the service.
The two policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the allow and deny rules respectively.

Format:
<Service Program List>:<Client Address List>

  • Service program list
    ALL: represents all services.
    Single service program: such as "vsftpd".
    A list of multiple service programs: such as "vsftpd, sshd"

  • Client address list
    ALL: any client address.
    LOCAL: the local host (a client whose host name contains no dot).
    Wildcards "?" and "*".
    Network segment addresses, such as "192.168.80." or "192.168.80.0/255.255.255.0".
    Domain addresses, such as ".benet.com", which matches every host in the benet.com domain.

(3) Basic principles of TCP Wrappers mechanism:

First /etc/hosts.allow is checked; if a matching rule is found, access is allowed.
Otherwise /etc/hosts.deny is checked; if a matching rule is found, access is denied.
If neither file contains a matching rule, access is allowed, so without an "ALL:ALL" entry in hosts.deny nothing is blocked.

"Allow all, deny individual"
just add the corresponding deny policy in the /etc/hosts.deny file

"Allow individual, deny all"
In addition to adding an allow policy in /etc/hosts.allow, you also need to set an "ALL:ALL" deny policy in the /etc/hosts.deny file.
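Because the decision order (allow file, then deny file, then default allow) is easy to get backwards, it helps to dry-run a policy before deploying it. The script below is an added example, not code from the original post and not libwrap itself: a small evaluator that applies the three rules above to a pair of policy files, using the "allow individual, deny all" recipe as its constructed sample. It assumes only POSIX shell features; the client patterns it understands are ALL, LOCAL, an exact host or IP, a trailing-dot prefix (192.168.80.), net/mask (192.168.80.0/255.255.255.0 or /24) and a leading-dot domain (.benet.com). The "?" and "*" wildcards, EXCEPT and the optional shell-command field of hosts_access(5) are not implemented.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post and not libwrap itself:
# evaluate "service from client" against hosts.allow / hosts.deny files
# in the TCP Wrappers order: allow file first, then deny file, else allow.
# Assumptions: POSIX sh features only; supported client patterns are ALL,
# LOCAL, exact host/IP, trailing-dot prefix, net/mask (dotted or /N) and
# leading-dot domain. '?', '*', EXCEPT and the shell-command field are omitted.

ip2int() {   # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

trim() {   # strip leading and trailing whitespace
  local s
  s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

client_matches() {   # pattern client
  local pat c net mask
  pat=$1; c=$2
  case $pat in
    ALL)   return 0 ;;
    LOCAL) case $c in *.*) return 1 ;; *) return 0 ;; esac ;;      # name without a dot
    */*)   net=${pat%%/*}; mask=${pat#*/}
           case $c in ''|*[!0-9.]*) return 1 ;; esac               # only an IP can match
           case $mask in
             *.*) mask=$(ip2int "$mask") ;;
             *)   mask=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF )) ;;
           esac
           [ $(( $(ip2int "$c") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    .*)    case $c in *"$pat") return 0 ;; *) return 1 ;; esac ;;  # domain suffix
    *.)    case $c in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # network prefix
    *)     [ "$c" = "$pat" ] ;;
  esac
}

# Does one "daemon_list : client_list" line match SERVICE and CLIENT?
line_matches() {   # line service client
  local line svc c item ok services clients
  line=$1; svc=$2; c=$3; ok=1
  services=${line%%:*}; clients=${line#*:}
  local IFS=,
  for item in $services; do
    item=$(trim "$item")
    if [ "$item" = ALL ] || [ "$item" = "$svc" ]; then ok=0; break; fi
  done
  [ $ok -eq 0 ] || return 1
  for item in $clients; do
    client_matches "$(trim "$item")" "$c" && return 0
  done
  return 1
}

file_matches() {   # file service client
  local line
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(trim "$line")
    case $line in ''|\#*) continue ;; esac                        # blank / comment
    line_matches "$line" "$2" "$3" && return 0
  done <"$1"
  return 1
}

# The decision order from hosts_access(5): allow file, deny file, default allow.
hosts_access() {   # service client allow_file deny_file
  if   file_matches "$3" "$1" "$2"; then echo allow
  elif file_matches "$4" "$1" "$2"; then echo deny
  else echo allow
  fi
}

# Constructed policy: the post's "allow individual, deny all" recipe.
ALLOW=$(mktemp); DENY=$(mktemp)
printf '%s\n' 'sshd: 192.168.80.0/255.255.255.0, .benet.com, LOCAL' >"$ALLOW"
printf '%s\n' 'ALL: ALL' >"$DENY"

for c in 192.168.80.7 10.0.0.5 ws1.benet.com localhost; do
  printf 'sshd   from %-15s -> %s\n' "$c" "$(hosts_access sshd "$c" "$ALLOW" "$DENY")"
done
printf 'vsftpd from %-15s -> %s\n' 192.168.80.7 "$(hosts_access vsftpd 192.168.80.7 "$ALLOW" "$DENY")"
```

Removing the "ALL: ALL" line from the deny file flips every non-matching request back to allow, which is exactly the mistake the rules above warn about; on a host that still has tcp_wrappers, the real library can be queried the same way with the tcpdmatch tool from that package.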

Source: blog.csdn.net/weixin_51468875/article/details/110921327