SSH remote login management and TCP Wrappers access control

1. SSH remote management

1. SSH definition

  • SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copy on the character (command-line) interface
  • The SSH protocol encrypts all data transmitted between the communicating parties, including the password the user enters at login, so SSH offers good security

2. SSH advantages

  • Data transmission is encrypted to prevent information leakage
  • Data transmission is compressed, which can increase the transmission speed

3. SSH configuration files

  • The default configuration file of the sshd service is /etc/ssh/sshd_config
  • Both ssh_config and sshd_config are OpenSSH configuration files; the difference is that ssh_config is the configuration file for the client, and sshd_config is the configuration file for the server

4. SSH client and server

  • SSH clients: PuTTY, Xshell, CRT
  • SSH server: OpenSSH
  • OpenSSH is an open source software project that implements the SSH protocol and runs on various UNIX and Linux operating systems
  • CentOS 7 installs the openssh packages by default, and the sshd service is enabled to start at boot

2. Configure the OpenSSH server

1. Common option settings of sshd_config configuration file

vim /etc/ssh/sshd_config
Port 22 						//listening port is 22; if a non-default port is set, log in with ssh -p <port> user@address
ListenAddress 0.0.0.0 					//listen on any address; a specific IP of the OpenSSH server can also be given

LoginGraceTime 2m 					//login authentication must complete within 2 minutes
PermitRootLogin no 					//forbid login as root
MaxAuthTries 6 						//maximum number of retries is 6

PermitEmptyPasswords no 				//forbid login by users with empty passwords
UseDNS no 						//disable DNS reverse lookup to speed up the server's response

//only allow users zhangsan, lisi and wangwu to log in, and wangwu may log in remotely only from the host with IP address 61.23.24.25
AllowUsers zhangsan lisi wangwu@61.23.24.25 		//multiple users are separated by spaces

//forbid certain users from logging in; usage is similar to AllowUsers (do not use both at the same time)
DenyUsers zhangsan

2. AllowUsers and DenyUsers

AllowUsers ……    //only allow the named users to log in
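As an added example (not code from the original post), the following POSIX shell script audits the options above. It reads constructed sshd_config text the way sshd does (the first value given for a keyword wins, keywords are case-insensitive, and settings after a Match line are conditional) and reports the options that differ from the values recommended here; the sample config text and the audited keyword list are this example's own assumptions.

```shell
# Added example, not code from the original post: audit an sshd_config for the
# hardening options discussed above. sshd uses the FIRST value it meets for a
# keyword and keywords are case-insensitive, so the parser mirrors that.
set -f   # no pathname expansion while splitting config lines

# Constructed sample config; replace with: CONFIG_TEXT=$(cat /etc/ssh/sshd_config)
CONFIG_TEXT='Port 22
ListenAddress 0.0.0.0
LoginGraceTime 2m
permitrootlogin yes
# the next line is ignored by sshd: the first value above already won
PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords yes
UseDNS no
Match User backup
# inside a Match block: conditional, not a global setting
PermitRootLogin no
'

# effective_value KEYWORD: prints the global value sshd would apply, or "unset"
effective_value() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  found=$(printf '%s\n' "$CONFIG_TEXT" | while IFS= read -r line; do
    line=${line%%#*}                  # drop comments
    set -- $line                      # $1 = keyword, $2 = value
    [ $# -ge 2 ] || continue
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$key" = match ] && break       # everything after Match is conditional
    if [ "$key" = "$want" ]; then printf '%s' "$2"; exit 0; fi
  done)
  printf '%s\n' "${found:-unset}"
}

# audit_sshd: prints one line per option that differs from the recommended value
audit_sshd() {
  for pair in PermitRootLogin=no PermitEmptyPasswords=no UseDNS=no; do
    key=${pair%%=*}; expect=${pair#*=}
    got=$(effective_value "$key")
    [ "$got" = "$expect" ] || echo "$key is '$got', recommended '$expect'"
  done
}

audit_sshd
```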

3. scp remote copy

1. Download (remote to local): copy the /etc/passwd file of the remote host to the local machine

scp [email protected]:/etc/passwd /root/passwd1

2. Upload (local to remote): copy the /etc/ssh directory of the local machine to the remote host (-r copies a directory recursively)

scp -r /etc/ssh [email protected]:/opt

4. sftp secure FTP

Because encryption/decryption is used, transfer efficiency is lower than with ordinary FTP, but security is higher. The sftp command syntax is similar to ftp

sftp [email protected]
sftp> ls
sftp> get filename		//download a file to the current local directory (use -r for directories when downloading or uploading)
sftp> put filename		//copy (upload) a file to the remote directory
sftp> quit		    //exit

5. Authentication methods supported by the sshd service

The sshd service supports two authentication methods:
1. Password authentication: verifies the login name and password of a local system user on the server. Simple, but it can be brute-forced; for brute-force cracking, see the previous blog, which describes weak-password detection in detail.
2. Key pair authentication: matching key information is required to pass verification. Usually a pair of key files (public key, private key) is created on the client first, and the public key file is then placed in the specified location on the server. At remote login, the system uses the public key and private key to perform an encryption/decryption association check. This improves security and can avoid interactive login.
When both password authentication and key pair authentication are enabled, the server prefers key pair authentication. The authentication method can be set according to the actual situation.

vim /etc/ssh/sshd_config                        //edit the server's main configuration file
PasswordAuthentication yes 			//enable password authentication
PubkeyAuthentication yes 		        //enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys         //specify the public key store file

3. Create a key pair on the client.
Use the ssh-keygen tool to create a key pair for the current user. The available algorithms are RSA, ECDSA, DSA, etc. (the "-t" option of the ssh-keygen command specifies the algorithm type).
Basic commands:

useradd zhangsan
passwd zhangsan
su - zhangsan
ssh-keygen -t ecdsa                                  //generate the authentication key pair with the ecdsa algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): 	//private key location; press Enter to use the default
Created directory '/home/admin1/.ssh'.		    //the generated private and public key files are stored by default in the hidden .ssh/ directory of the home directory
Enter passphrase (empty for no passphrase): 	//set a passphrase for the private key
Enter same passphrase again: 			//confirm it

ls -l .ssh/id_ecdsa*   //id_ecdsa is the private key file, mode 600 by default; id_ecdsa.pub is the public key file, to be supplied to the SSH server

2. Upload the public key to the server: ssh-copy-id appends the public key text to the key store in the server-side /home/zhangsan/.ssh/ directory directly

cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub [email protected]

3. Log in as user zhangsan to verify the result


6. Enable the ssh agent on the client for non-interactive login

ssh-agent bash    //start the ssh agent
ssh-add           //add the key to the agent's cache
Enter passphrase for /home/admin/.ssh/id_ecdsa:     //enter the private key passphrase

ssh [email protected]   //verify that the user can log in without entering a password


7. TCP Wrappers access control

TCP Wrappers "wraps" a TCP service program and listens on the service's port on its behalf, adding a security-check layer: an external connection request must first pass this check and is handed to the real service program only after being permitted.
In most Linux distributions TCP Wrappers is provided by default; check with:

rpm -q tcp_wrappers

(1) Two ways the TCP Wrappers protection mechanism is implemented

1. Use the tcpd program directly to protect other service programs; this requires running the tcpd program.
2. Other network service programs call the libwrap.so.* shared library, without running the tcpd program. This method is more widely used and more efficient

(2) Use the ldd command to view the program's libwrap.so.* link library

ldd $(which ssh vsftpd)
TCP Wrappers access policy

The objects protected by the TCP Wrappers mechanism are the various network service programs; access control is performed on the client address that accesses the service.
The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set allow and deny policies respectively.

Format:
<service program list>:<client address list>

1. Service program list
  • ALL: all services.
  • A single service program, such as "vsftpd".
  • A list of several service programs, such as "vsftpd, sshd".

2. Client address list
  • ALL: any client address.
  • LOCAL: the local address.
  • Multiple addresses are separated by commas.
  • The wildcards "*" and "?" are allowed; the former matches any number of characters, the latter exactly one character.
  • A network segment address, such as 192.168.7. or 192.168.71.0/255.255.255.0
  • A domain address, such as ".benet.com", which matches all hosts in that domain.

(3) Basic principles of the TCP Wrappers mechanism:

  • First check /etc/hosts.allow; if a matching policy is found, access is allowed.
  • Otherwise, check /etc/hosts.deny; if a matching policy is found, access is denied.
  • If neither file contains a matching policy, access is allowed.

"Allow all, deny some": only the corresponding deny policy needs to be added to /etc/hosts.deny.
"Allow some, deny all": besides adding the allow policy to /etc/hosts.allow, an "ALL:ALL" deny policy must also be set in /etc/hosts.deny.

Example: only the host with IP address 12.0.0.1 and hosts on the 192.168.80.0/24 network segment may access the sshd service; all other addresses are rejected

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.71.*

vi /etc/hosts.deny
sshd:ALL
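As an added example (not code from the original post), this POSIX shell script evaluates the hosts.allow / hosts.deny decision order described above against constructed policy text that mirrors the sshd rules just shown, plus a second vsftpd line so the LOCAL and domain forms are exercised too. The policy text, the patterns matched and the helper names are this example's own assumptions, not part of TCP Wrappers itself.

```shell
# Added example, not code from the original post: evaluate the hosts.allow ->
# hosts.deny -> default-allow order described above, against constructed
# policy text that mirrors the page's sshd example.
set -f   # keep "192.168.71.*" a literal pattern, not a filename glob
# Constructed policy text; on a real host use $(cat /etc/hosts.allow) etc.
HOSTS_ALLOW='sshd:12.0.0.1,192.168.71.*
vsftpd, in.telnetd: LOCAL, .benet.com'
HOSTS_DENY='sshd:ALL
vsftpd:ALL'

# client_matches PATTERN ADDR: succeeds when PATTERN covers ADDR
client_matches() {
  case "$1" in
    ALL)   return 0 ;;
    LOCAL) case "$2" in 127.*|localhost) return 0 ;; *) return 1 ;; esac ;;
    .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;  # domain ".benet.com"
    *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # prefix "192.168.7."
    *)     case "$2" in $1) return 0 ;; *) return 1 ;; esac ;;     # exact, or * ? wildcards
  esac
}

# policy_matches POLICY_TEXT SERVICE ADDR: any "services:clients" line matches?
policy_matches() {
  while IFS= read -r line; do
    line=${line%%#*}
    case "$line" in *:*) ;; *) continue ;; esac
    services=${line%%:*}; clients=${line#*:}
    IFS=', '
    for s in $services; do
      [ "$s" = ALL ] || [ "$s" = "$2" ] || continue
      for c in $clients; do
        if client_matches "$c" "$3"; then unset IFS; return 0; fi
      done
    done
    unset IFS
  done <<EOF
$1
EOF
  return 1
}

# wrappers_decision SERVICE ADDR: prints allow or deny
wrappers_decision() {
  if policy_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif policy_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow      # no rule in either file: access is allowed
  fi
}

wrappers_decision sshd 192.168.71.20    # allow: matched in hosts.allow
```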

Origin blog.csdn.net/weixin_53567573/article/details/114067265