Linux remote access and control (SSH, TCP Wrappers access control)

I. SSH remote management

1. SSH definition

  • SSH (Secure Shell) is a secure channel protocol, which is mainly used to implement remote login and remote copy functions of a character interface.
  • The SSH protocol encrypts the data transmission between the communicating parties, including the user password entered when the user logs in. Therefore, the SSH protocol has very good security.

2. SSH data transmission advantages

  • Data transmission is encrypted to prevent information leakage
  • Data transmission is compressed, which can increase the transmission speed

3. SSH client and server

  • SSH client: Putty, Xshell, CRT
  • SSH server: OpenSSH

II. OpenSSH

  • OpenSSH is an open source software project that implements the SSH protocol and is suitable for various UNIX and Linux operating systems.
  • CentOS 7 installs the openssh packages by default and enables the sshd service to start at boot. (The service name of OpenSSH is sshd.)
  • Execute the "systemctl start sshd" command to start the sshd service
  • The sshd service uses TCP port 22 by default
  • The default configuration file of the sshd service is /etc/ssh/sshd_config
  • Both ssh_config and sshd_config are OpenSSH configuration files; the difference is that the former configures the client and the latter configures the server.

1. Configure the OpenSSH server

Common options in the sshd_config configuration file
vim /etc/ssh/sshd_config
Port 22                     #listen on port 22
ListenAddress 0.0.0.0       #listen on any address; the OpenSSH server's specific IP can also be given

LoginGraceTime 2m           #time limit for completing authentication: 2 minutes
PermitRootLogin no          #forbid the root user from logging in
MaxAuthTries 6              #maximum of 6 authentication attempts per connection

PermitEmptyPasswords no     #forbid users with empty passwords from logging in
UseDNS no                   #disable reverse DNS lookups to speed up the server's response


Allow only the listed users to log in, with one of them restricted to logging in remotely from a specified IP address
Example: AllowUsers zhangsan lisi wangwu@61.23.24.25             #separate multiple users with spaces

Deny login to certain users; usage is similar to AllowUsers (do not use both at the same time)
Example: DenyUsers zhangsan
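A small audit of the settings above, as an added example (not the original author's code). It assumes the configuration is passed in as a string, the way sshd would read the file, and models the sshd_config(5) rules that matter for auditing: keywords are case-insensitive, "Key=value" is accepted, and the first value given for a keyword is the one that takes effect.

```python
# Added example, not code from the original post. It audits an sshd_config text
# for the options set above, following sshd_config(5): keywords are
# case-insensitive, "Key=value" is accepted, and the FIRST value of a keyword wins.
import shlex

# Hardened values from the text; MaxAuthTries is treated as an upper bound.
HARDENED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
    "pubkeyauthentication": "yes",
}
MAX_AUTH_TRIES = 6

def parse_sshd_config(text):
    """Return {keyword: effective value}, keeping only the first occurrence."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line.replace("=", " ", 1))
        if len(parts) >= 2:
            effective.setdefault(parts[0].lower(), " ".join(parts[1:]))
    return effective

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in HARDENED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: is {tries!r}, expected <= {MAX_AUTH_TRIES}")
    return findings

# Constructed sample: the trailing "PermitRootLogin no" looks like a fix, but
# sshd honours the earlier "PermitRootLogin yes", so the audit still flags it.
SAMPLE = """\
PermitRootLogin yes
MaxAuthTries 10
PermitEmptyPasswords no
UseDNS no
PubkeyAuthentication yes
PermitRootLogin no
"""
```

The parser strips trailing `#` comments for convenience; not every sshd release accepts them on an option line, so validate an edited file with `sshd -t` before restarting the service.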


2. scp remote copy

Download (pull): copy the remote host's /etc/passwd file to the local machine
scp root@192.168.172.20:/etc/passwd /root/passwd10.txt

Upload (push): copy the local /etc/ssh directory to the remote host
scp -r /etc/ssh/ root@192.168.172.20:/opt


3. sftp secure FTP

Because the data is encrypted and decrypted, transfer efficiency is lower than with ordinary FTP, but security is higher. The sftp command syntax is almost the same as that of ftp.

sftp root@192.168.184.20
sftp> ls
sftp> get filename        #download a file from the remote directory
sftp> put filename        #upload a file to the remote directory
sftp> quit                #exit

Download experiment
Upload experiment

III. Two authentication methods of the sshd service

1. Password verification

The server verifies the login name and password of a local system user. This is simple, but the password may be brute-forced.

2. Key pair verification

Matching key material is required to pass authentication. Usually a key pair (public key and private key) is created on the client first, and the public key file is then placed in the specified location on the server. During remote login, the server and client use the public and private keys for an encryption/decryption challenge to verify that they match. This strengthens security and allows login without interactive password prompts.

When both password verification and key pair verification are enabled, the server will preferentially use key pair verification. The verification method can be set according to the actual situation.

vim /etc/ssh/sshd_config
PasswordAuthentication yes                  #enable password authentication
PubkeyAuthentication yes                    #enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys     #specify the public key store file


Create a key pair on the client

Create a key pair for the current user with the ssh-keygen tool. The available algorithms include RSA, ECDSA and DSA (the "-t" option of ssh-keygen specifies the algorithm type).

useradd admin
echo "123123" | passwd --stdin admin
su - admin
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa):     #specify the private key location; press Enter to use the default
Created directory '/home/admin/.ssh'.       #by default the private and public key files are stored in the hidden .ssh/ directory of the home directory
Enter passphrase (empty for no passphrase):     #set a passphrase for the private key
Enter same passphrase again:                    #confirm the passphrase

ls -l .ssh/id_ecdsa*    #id_ecdsa is the private key file, with default permissions 600; id_ecdsa.pub is the public key file, which is handed to the SSH server


Upload the public key file to the server

#This method imports the public key text directly into the /home/zhangsan/.ssh/ directory on the server

cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.80.10


Use key pair authentication on the client


Set up the ssh agent on the client to log in without interactive prompts

ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa:     #enter the private key passphrase

ssh zhangsan@192.168.80.10


IV. TCP Wrappers access control

1. TCP Wrappers

A TCP service program is "wrapped": the wrapper listens on the service's port and adds a security-check step. An external connection request must first pass this check, and only after being permitted is it handed to the real service program.
In most Linux distributions TCP Wrappers is provided by default; check with: rpm -q tcp_wrappers

2. Two implementations of TCP wrapper protection mechanism

  • (1) Use the tcpd program directly to protect other service programs; the tcpd program must be running.
  • (2) Other network service programs call the libwrap.so.* shared library, without running tcpd. This method is more widely used and more efficient.

3. Use the ldd command to check whether a program links the libwrap.so.* library

ldd $(which ssh vsftpd)

4. TCP wrappers' access strategy

  • The protection objects of the TCP wrappers mechanism are various network service programs, and access control is performed on the client address of the access service.
  • The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set the allow and deny policies respectively.
Format:
<service program list>:<client address list>

(1) Service program list
ALL: represents all services.
Single service program: such as "vsftpd".
A list of multiple service programs: such as "vsftpd, sshd".

(2) Client address list
ALL: represents any client address.
LOCAL: represents the local address.
Multiple addresses are separated by commas.
Wildcards "?" and "*" are allowed.
"*" represents any number of characters; "?" represents exactly one character.
Network segment address, such as 192.168.163. or 192.168.163.0/255.255.255.0
Domain address, for example ".benet.com" matches all hosts in the benet.com domain.

5. Basic principles of TCP Wrappers mechanism

The /etc/hosts.allow file is checked first; if a matching policy is found, access is allowed.
Otherwise /etc/hosts.deny is checked; if a matching policy is found, access is denied.
If neither file contains a matching policy, access is allowed.

"Allow all, deny individual"
just add the corresponding deny policy in the /etc/hosts.deny file

"Allow individual, deny all"
In addition to adding an allow policy in /etc/hosts.allow, you also need to set a deny policy of "ALL:ALL" in the /etc/hosts.deny file.

Example
If you want to allow access to the sshd service only from the host with IP address 12.0.0.1 or from hosts on the 192.168.80.0/24 network segment, and reject all other addresses:

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.80.*

vi /etc/hosts.deny
sshd:ALL
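The decision order and address forms described above, as an added example (not code from the original post or from the libwrap library). It models only what the text covers: ALL, LOCAL, trailing-dot network prefixes, address/netmask pairs, leading-dot domain suffixes and the "*" / "?" wildcards; the hostname argument stands in for the reverse-DNS name libwrap would resolve.

```python
# Added example, not code from the original post. It applies the decision order
# described above (hosts.allow, then hosts.deny, then default allow) for the
# client-address forms the text lists; libwrap features not covered by the text
# (EXCEPT, KNOWN/UNKNOWN/PARANOID, spawn/twist) are deliberately left out.
import fnmatch
import ipaddress

def _parse_rules(text):
    """Yield (daemon list, client list) from a hosts.allow / hosts.deny body."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield (daemons.replace(",", " ").lower().split(),
               clients.replace(",", " ").lower().split())

def _client_matches(pattern, ip, host):
    """Match one client pattern against the peer IP and its resolved name."""
    if pattern == "all":
        return True
    if pattern == "local":                 # a hostname containing no dot
        return host is not None and "." not in host
    if pattern.startswith("."):            # ".benet.com": domain suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):              # "192.168.163.": address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # "192.168.163.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:   # shell-style wildcards
        return fnmatch.fnmatchcase(ip, pattern) or (
            host is not None and fnmatch.fnmatchcase(host, pattern))
    return pattern in (ip, host)

def _file_matches(text, service, ip, host):
    return any(("all" in daemons or service in daemons)
               and any(_client_matches(p, ip, host) for p in clients)
               for daemons, clients in _parse_rules(text))

def access_allowed(hosts_allow, hosts_deny, service, ip, host=None):
    """hosts.allow match -> allow; else hosts.deny match -> deny; else allow."""
    service, host = service.lower(), (host.lower() if host else None)
    if _file_matches(hosts_allow, service, ip, host):
        return True
    return not _file_matches(hosts_deny, service, ip, host)

# Constructed policy files, copied from the example above.
HOSTS_ALLOW = "sshd:12.0.0.1,192.168.80.*\n"
HOSTS_DENY = "sshd:ALL\n"
```

Note that the deny rule names only sshd, so a service absent from both files (vsftpd here) falls through to the default and is allowed; use "ALL:ALL" in hosts.deny when every wrapped service should be closed by default.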

Origin blog.csdn.net/IHBOS/article/details/114034132