Linux remote access and control

One, SSH

1. Overview

SSH remote management
SSH (Secure Shell) is a secure channel protocol, mainly used to implement remote login and remote copy in a character (command-line) interface.
The SSH protocol encrypts the data transmitted between the communicating parties, including the password the user enters at login, so SSH offers good security.

2. Advantages

SSH client <-------------Network--------------> SSH server
Data transmission is encrypted, which prevents information leakage.
Data transmission can be compressed, which increases the transmission speed.

3. SSH client and server

SSH client: PuTTY, Xshell, CRT
SSH server: OpenSSH
OpenSSH is an open source software project that implements the SSH protocol and is suitable for various UNIX and Linux operating systems.
CentOS 7 installs the OpenSSH packages by default and enables the sshd service to start at boot.
Execute the "systemctl start sshd" command to start the sshd service.
The default port number used by the sshd service is 22.
The default configuration file of the sshd service is /etc/ssh/sshd_config.
Both ssh_config and sshd_config are configuration files of the SSH service; the difference is that the former configures the client and the latter configures the server.

Two, configure the OpenSSH server

1. Common options

Common option settings in the sshd_config configuration file:
vim /etc/ssh/sshd_config
Port 22 (the listening port; 22 by default)
ListenAddress 0.0.0.0 (the listening address; 0.0.0.0 means any network segment, and you can also specify the OpenSSH server's own IP)

2. AllowUsers and DenyUsers

AllowUsers zhangsan lisi wangwu@192.168.221.88 (only allow the users zhangsan, lisi and wangwu to log in, and wangwu may only log in remotely from the host with IP address 192.168.221.88)
DenyUsers zhangsan (forbid the listed users from logging in; used in the same way as AllowUsers, but be careful not to use both at the same time)
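As an added example (not code from the original post or from OpenSSH), the following Python script parses the sshd_config directives discussed above and reports the combinations the text warns about: AllowUsers and DenyUsers both set, a user listed in both, password authentication left on, and sshd listening on every address. The two sample configurations, the address 192.168.221.10 and the finding codes are constructed for this example; the fact that sshd evaluates DenyUsers before AllowUsers, so a user in both lists is denied, is sshd's documented behaviour.

```python
"""Audit the sshd_config directives this section discusses (added example)."""
import re

# Constructed sample, not a real host's file: mirrors the settings shown above.
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
AllowUsers zhangsan lisi wangwu@192.168.221.88
DenyUsers zhangsan
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# Constructed hardened variant: one user list, key-only logins, pinned address.
HARDENED_SSHD_CONFIG = """\
Port 22
ListenAddress 192.168.221.10
AllowUsers lisi wangwu@192.168.221.88
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""


def parse_sshd_config(text):
    """Map each lowercased keyword to the list of values seen, in file order.

    sshd keywords are case-insensitive and the value follows whitespace or a
    single '='. For most keywords sshd uses the first value and ignores later
    duplicates, so every value is kept here to let the audit report that.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                              # keyword without a value
        keyword, value = parts[0].lower(), parts[1].strip()
        directives.setdefault(keyword, []).append(value)
    return directives


def user_host_rules(directives):
    """Expand AllowUsers entries into {user: host pattern}; '*' means any host."""
    rules = {}
    for value in directives.get("allowusers", []):
        for entry in value.split():
            user, _, host = entry.partition("@")
            rules[user] = host or "*"
    return rules


def audit_sshd_config(text):
    """Return a list of (code, message) findings for the configuration text."""
    d = parse_sshd_config(text)

    def first(keyword, default):
        return d.get(keyword, [default])[0]

    findings = []
    allow = user_host_rules(d)
    deny = set(" ".join(d.get("denyusers", [])).split())
    if allow and deny:
        findings.append(("ALLOW_AND_DENY",
                         "AllowUsers and DenyUsers are both set; sshd applies "
                         "DenyUsers first, so keep to one list"))
    for user in sorted(set(allow) & deny):
        findings.append(("USER_IN_BOTH", f"{user} is in both lists; the deny wins"))
    if first("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PASSWORD_AUTH_ON",
                         "password logins are accepted and can be brute-forced"))
    if first("pubkeyauthentication", "yes").lower() != "yes":
        findings.append(("PUBKEY_AUTH_OFF", "key pair authentication is disabled"))
    if first("listenaddress", "0.0.0.0") == "0.0.0.0":
        findings.append(("LISTEN_ANY",
                         "sshd listens on every address; consider pinning ListenAddress"))
    repeatable = {"allowusers", "denyusers", "listenaddress", "port"}
    for keyword, values in d.items():
        if len(values) > 1 and keyword not in repeatable:
            findings.append(("DUPLICATE",
                             f"{keyword} set {len(values)} times; only the first takes effect"))
    return findings


if __name__ == "__main__":
    for code, message in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{code}: {message}")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty result for the hardened sample shows what a clean configuration looks like under these checks.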

3. scp remote copy

scp -r /etc/srs user@host:/opt (upload: copy the local /etc/srs directory to the remote host's /opt)
scp user@host:/etc/srs1 /etc (download: copy a file from the remote host, such as /etc/srs1 or /etc/passwd, to the local machine)

4. sftp secure FTP

Download: the get -r command (downloads a file, or a whole directory with -r)
Upload: the put -r command (uploads a file, or a whole directory with -r)

Three, sshd service supports two verification methods

1. Password verification

Password verification checks the login name and password of a local system user on the server. It is simple, but can be brute-forced.

2. Key pair verification

Key pair verification requires matching key information to pass. Usually a pair of key files (public key and private key) is created on the client first, and the public key file is then placed in the designated location on the server. At remote login, the server uses the public key and the client uses the private key in an encrypt/decrypt exchange to verify the client. This strengthens security and can avoid interactive logins.

3. The relationship between public key and private key

The public key and the private key are generated as a pair. The two keys differ, and data encrypted with one can only be decrypted with the other.
One key cannot be used to calculate the other.
The public key is made public, and the private key is known only to its holder.
When both password verification and key pair verification are enabled, the server tries key pair verification first. The verification method can be set according to the actual situation.
vim /etc/ssh/sshd_config (edit the server main configuration file)
PasswordAuthentication yes (enable password authentication)
PubkeyAuthentication yes (enable key pair authentication)
AuthorizedKeysFile .ssh/authorized_keys (specify the public key store file)

4. Small experiment

① Create users on the client and server respectively.
② ssh-keygen -t ecdsa (generate a key pair with the ECDSA algorithm)
cd .ssh (enter the .ssh directory)
ls (list the directory)
id_ecdsa id_ecdsa.pub (there are 2 files: the private key and the public key)
③ Import the public key text: copy the id_ecdsa.pub file mentioned above to the server with
ssh-copy-id -i id_ecdsa.pub user@host
④ Verify: ssh user@host
⑤ Set up the ssh agent on the client to achieve interaction-free login:
ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa: (enter the passphrase of the private key)
ssh user@host
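The experiment ends with the client's public key appended to the server's authorized_keys file. The following is an added Python example, not part of the original post and not OpenSSH code, that validates authorized_keys entries the way a defender auditing a server would: it finds the key type token, base64-decodes the blob, and checks that the type string and ECDSA curve name embedded in the blob (the RFC 5656 layout) agree with the declared type. The sample lines are constructed, including the placeholder curve point, the from= option and the comment strings, so the ECDSA blob is structurally valid but is not a real key.

```python
"""Validate authorized_keys entries (added example, not OpenSSH code)."""
import base64
import struct

# Key types whose blob layout this checker understands.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """Encode one SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one SSH 'string' at offset; raise ValueError if the blob is truncated."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string body")
    return blob[offset:offset + length], offset + length


def build_ecdsa_pubkey_line(curve="nistp256", comment="admin@client", options=""):
    """Assemble an authorized_keys line carrying an RFC 5656 ECDSA blob.

    CONSTRUCTED sample data: the point Q is a placeholder byte pattern with the
    right shape (0x04 || X || Y) but is not a real curve point.
    """
    key_type = "ecdsa-sha2-" + curve
    placeholder_q = b"\x04" + b"\x11" * 64
    blob = (_ssh_string(key_type.encode()) + _ssh_string(curve.encode())
            + _ssh_string(placeholder_q))
    prefix = options + " " if options else ""
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_key(line):
    """Validate one authorized_keys line; return its parts or raise ValueError."""
    tokens = line.split()
    type_index = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if type_index is None or type_index + 1 >= len(tokens):
        raise ValueError("no recognised key type followed by a key blob")
    key_type = tokens[type_index]
    # Everything before the type is the options field (from=, command=, no-pty, ...).
    # Re-joining with single spaces is fine for auditing, not for re-emitting the line.
    options = " ".join(tokens[:type_index])
    try:
        blob = base64.b64decode(tokens[type_index + 1], validate=True)
    except ValueError as exc:                    # binascii.Error is a ValueError
        raise ValueError(f"key blob is not valid base64: {exc}")
    blob_type, offset = _read_string(blob, 0)
    if blob_type != key_type.encode():
        raise ValueError(f"declared {key_type} but blob encodes {blob_type!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):      # second string is the curve name
        curve_bytes, offset = _read_string(blob, offset)
        curve = curve_bytes.decode("ascii", errors="replace")
        if curve != key_type[len("ecdsa-sha2-"):]:
            raise ValueError(f"curve {curve} does not match {key_type}")
    return {
        "options": options,
        "type": key_type,
        "curve": curve,
        "comment": " ".join(tokens[type_index + 2:]),
    }


def audit_authorized_keys(text):
    """Return (line_number, 'ok' or 'bad', detail) for every non-comment line."""
    results = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key = parse_authorized_key(line)
            results.append((number, "ok", key["type"]))
        except ValueError as exc:
            results.append((number, "bad", str(exc)))
    return results


# Constructed sample file: one good entry restricted to the experiment's client,
# one whose declared type contradicts the blob, and one that is not base64 at all.
GOOD_LINE = build_ecdsa_pubkey_line(options='from="192.168.221.20"')
MISLABELLED_LINE = "ssh-ed25519 " + GOOD_LINE.split()[2] + " mislabelled"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    GOOD_LINE,
    MISLABELLED_LINE,
    "ecdsa-sha2-nistp256 not!base64 broken",
])

if __name__ == "__main__":
    for number, status, detail in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {number}: {status} ({detail})")
```

The from= option in the good entry is the authorized_keys counterpart of the AllowUsers user@host form: the key is only accepted from that client address. On a real server run `audit_authorized_keys(open("~/.ssh/authorized_keys").read())` after expanding the path.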

Four, TCP Wrappers access control

1. Overview

TCP Wrappers "wraps" the TCP service program, and monitors the port of the TCP service program on behalf of it, adding a security detection process. The external connection request must pass this layer of security detection first, and then the real service program can be accessed after obtaining permission.
In most Linux distributions, TCP Wrappers is a feature provided by default.
rpm -q tcp_wrappers

2. Protection mechanism

The TCP Wrappers protection mechanism can be implemented in two ways:
Use the tcpd program directly to protect other service programs; this requires running the tcpd program.
Have other network service programs call the libwrap.so.* link library, with no need to run tcpd. This method is more widely used and more efficient.
Use the ldd command to check whether a program links libwrap.so.*:
ldd $(which ssh vsftpd)
TCP Wrappers access strategy
The protection objects of the TCP Wrappers mechanism are various network service programs, and access control is performed on the client address of the access service.
The corresponding two policy files are /etc/hosts.allow and /etc/hosts.deny, which are used to set allow and deny policies respectively.

3. Format

<Service program list>:<Client address list>
① Service program list
ALL: represents all services.
A single service program, such as "vsftpd".
A list of multiple service programs, such as "vsftpd, sshd".
② Client address list
ALL: represents any client address.
LOCAL: represents the local address.
Multiple addresses are separated by commas.
The wildcards "?" and "*" are allowed. The former represents characters of any length, and the latter represents only one character.
Network segment address, such as 192.168.80. or 192.168.80.0/255.255.255.0
Domain address, such as ".benet.com", which matches all hosts in the benet.com domain.

4. Basic principles

Basic principles of the TCP Wrappers mechanism:
First check the /etc/hosts.allow file; if a matching policy is found, access is allowed.
Otherwise, check the /etc/hosts.deny file; if a matching policy is found, access is denied.
If neither file contains a matching policy, access is allowed.
"Allow all, deny individual": only add the corresponding deny policies to the /etc/hosts.deny file.
"Allow individual, deny all": in addition to adding the allow policies to /etc/hosts.allow, set an "ALL:ALL" deny policy in the /etc/hosts.deny file.
For example, if only the host with IP address 12.0.0.1 or hosts on the 192.168.80.0/24 network segment should be able to access the sshd service, every other address is rejected.

5. Small experiment

Example: only the host with IP address 192.168.221.20 may access the sshd service; all other addresses are rejected.
vim /etc/hosts.allow
sshd: 192.168.221.20
vim /etc/hosts.deny
sshd: ALL
Verification result:
192.168.221.20 can log in, and
192.168.221.30 cannot log in.
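To make the evaluation order described in the basic principles and exercised in this experiment concrete, here is an added Python example (not the libwrap implementation) that parses hosts.allow and hosts.deny text in the <service list>:<client list> form and returns the decision for a given service and client: hosts.allow first, then hosts.deny, and allow when neither matches. Client patterns are matched as hosts_access(5) defines them: ALL, LOCAL, exact addresses, prefixes such as 192.168.80., net/mask or CIDR, leading-dot domain suffixes, and shell-style wildcards where * matches any run of characters and ? a single character. EXCEPT clauses and the optional shell-command field are not modelled. The rule texts and client addresses are constructed from the cases in this section.

```python
"""Evaluate TCP Wrappers hosts.allow / hosts.deny policy (added example)."""
import fnmatch
import ipaddress
import re


def _client_matches(pattern, client_ip, client_host):
    """Does one client pattern from a rule match the connecting host?"""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # a host name without a dot
        return client_host is not None and "." not in client_host
    if pattern.startswith("."):                 # domain suffix, e.g. .benet.com
        return client_host is not None and client_host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                   # network prefix, e.g. 192.168.80.
        return client_ip.startswith(pattern)
    if "/" in pattern:                          # net/mask or CIDR, e.g. 192.168.80.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if "*" in pattern or "?" in pattern:        # shell-style wildcard on address or name
        if fnmatch.fnmatchcase(client_ip, pattern):
            return True
        return client_host is not None and fnmatch.fnmatchcase(client_host.lower(), pattern.lower())
    return pattern == client_ip or (client_host is not None and pattern.lower() == client_host.lower())


def parse_rules(text):
    """Turn hosts.allow / hosts.deny text into [(services, clients), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        service_field, client_field = line.split(":", 2)[:2]   # a third field (shell command) is ignored
        services = re.split(r"[\s,]+", service_field.strip())
        clients = re.split(r"[\s,]+", client_field.strip())
        rules.append((services, clients))
    return rules


def _any_rule_matches(rules, service, client_ip, client_host):
    for services, clients in rules:
        if "ALL" not in services and service not in services:
            continue
        if any(_client_matches(c, client_ip, client_host) for c in clients):
            return True
    return False


def tcp_wrappers_decision(service, client_ip, hosts_allow, hosts_deny, client_host=None):
    """Return "allow" or "deny": hosts.allow first, then hosts.deny, else allow."""
    if _any_rule_matches(parse_rules(hosts_allow), service, client_ip, client_host):
        return "allow"
    if _any_rule_matches(parse_rules(hosts_deny), service, client_ip, client_host):
        return "deny"
    return "allow"


# Constructed policy from the small experiment: only 192.168.221.20 may use sshd.
EXPERIMENT_ALLOW = "sshd: 192.168.221.20\n"
EXPERIMENT_DENY = "sshd: ALL\n"

# Constructed policy for the 12.0.0.1 / 192.168.80.0/24 case from the basic principles.
SEGMENT_ALLOW = "sshd: 12.0.0.1, 192.168.80.0/255.255.255.0\n"
SEGMENT_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.221.20", "192.168.221.30"):
        print(ip, tcp_wrappers_decision("sshd", ip, EXPERIMENT_ALLOW, EXPERIMENT_DENY))
```

Note that the experiment's "sshd: ALL" deny line leaves other services (vsftpd, for instance) unaffected, which is why the "allow individual, deny all" pattern in the text uses "ALL:ALL" when every service should be closed by default.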


Origin blog.csdn.net/s15212790607/article/details/114024791