Remote access and control of Linux (SSH and TCP Wrappers)

SSH

SSH remote management

  • SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copying over a character (command-line) interface.
  • SSH encrypts all data exchanged between the two parties, including the password the user types at login, which is why the protocol is considered highly secure.

Advantages of SSH

  • Data transmission is encrypted to prevent information leakage (security)
  • Data transmission is compressed, which can increase the transmission speed (fast)

SSH client and server

  • SSH client: Putty, Xshell, CRT
  • SSH server: OpenSSH

OpenSSH

concept

  • OpenSSH is an open source software project that implements the SSH protocol and runs on various UNIX and Linux operating systems.
  • CentOS 7 installs the openssh packages by default and enables the sshd service to start at boot. (The service name of openssh is sshd.)
  • Run "systemctl start sshd" to start the sshd service.
  • The sshd service listens on TCP port 22 by default.
  • The default configuration file of the sshd service is /etc/ssh/sshd_config.
  • ssh_config and sshd_config are both OpenSSH configuration files:
    • ssh_config is the configuration file for the client
    • sshd_config is the configuration file for the server


View OpenSSH server configuration

Common options in the sshd_config configuration file
vim /etc/ssh/sshd_config
Port 22                                 #listen on port 22
ListenAddress 0.0.0.0                   #listen on any address; a specific IP of the OpenSSH server can also be given

LoginGraceTime 2m                       #authentication must complete within 2 minutes
PermitRootLogin no                      #forbid the root user from logging in
MaxAuthTries 6                          #at most 6 authentication attempts per connection

PermitEmptyPasswords no                 #forbid users with empty passwords from logging in
UseDNS no                               #disable reverse DNS lookups to speed up the server's response


AllowUsers and DenyUsers

AllowUsers user1 user2 user3        #only the listed users may log in; separate multiple users with spaces
DenyUsers user1                     #forbid this user from logging in
#Only allow zhangsan, lisi and wangwu to log in, and wangwu may only log in remotely from the host with IP address 10.0.0.2
AllowUsers zhangsan lisi wangwu@10.0.0.2
#Forbid certain users from logging in; usage is similar to AllowUsers (note: do not use both at the same time)
DenyUsers li


Two authentication methods for the sshd service

Password authentication
  • The server checks the login name and password against its local system users. Simple, but exposed to brute-force guessing (which is what the MaxAuthTries limit above is for).
Key pair authentication
  • The client must hold key material matching what the server knows. Usually a pair of key files (public key and private key) is created on the client first, and the public key file is placed in the designated location on the server. At login, the two sides verify that the private key corresponds to the public key through an encryption/decryption challenge. This strengthens security and also allows non-interactive logins.

When both password authentication and key pair authentication are enabled, the server tries key pair authentication first. Enable the methods that fit your situation.

vim /etc/ssh/sshd_config
PasswordAuthentication yes                      #enable password authentication
PubkeyAuthentication yes                        #enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys         #specify the public key store file


Configure password authentication

Procedure
Remote login with the ssh client program

ssh [options] [email protected]
When a user logs in to an SSH server for the first time, they must accept the server's ECDSA host key (type "yes" at the prompt) before authentication can continue. The accepted key is saved in the ~/.ssh/known_hosts file. Once the password is verified, the user is in the command-line environment of the target server.

-p: specify a non-default port number; port 22 is used when omitted
ssh -p 20 [email protected]  #access 192.168.249.30 on the specified port 20

scp remote copy

#Download from the server
scp [email protected]:/etc/passwd /root/passwd1.txt       #copy /etc/passwd from the remote host to the local machine

#Upload to the server
scp -r /root/123/ [email protected]:/opt                  #copy the local /root/123 directory to the remote host


sftp secure FTP
sftp encrypts the transfer, so it is less efficient than plain FTP but more secure. Its command syntax is almost the same as ftp's.

sftp [email protected]
[email protected]'s password:   #enter the password
Connected to 192.168.249.10.
sftp> pwd
sftp> ls
sftp> get filename      #download the file into the home directory of the account you ran sftp from; add -r for a directory
sftp> put filename      #upload the file into the login user's home directory; add -r for a directory
sftp> quit              #exit


Configure key pair authentication

Create a key pair on the client

Use the ssh-keygen tool to create key pair files for the current user. Available algorithms include RSA, ECDSA and DSA (the "-t" option of ssh-keygen selects the algorithm type).
useradd li1
echo "123456" |passwd --stdin li1
su - li1

ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa):    #private key location; press Enter to accept the default
Created directory '/home/admin/.ssh'.                                #by default the private and public key files go into the hidden .ssh/ directory under the home directory
Enter passphrase (empty for no passphrase):                          #set a passphrase for the private key
Enter same passphrase again:                                         #confirm it

ls -l .ssh/id_ecdsa
#id_ecdsa is the private key file, mode 600 by default; id_ecdsa.pub is the public key file, which is handed to the SSH server


Upload the public key file to the server

Method 1: this imports the public key text directly into the server's /home/zhangsan/.ssh/ directory
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub [email protected]

Method 2:
Client: first copy the public key file to the server
scp ~/.ssh/id_ecdsa.pub [email protected]:/opt
Server:
mkdir /home/zhangsan/.ssh/  #create the .ssh directory in zhangsan's home directory if it does not exist yet
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys   #path matches the scp destination above
#append the copied public key to authorized_keys (the file is created automatically if it does not exist)

cat /home/zhangsan/.ssh/authorized_keys   #check the authorized_keys file

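Method 2 above installs the key by hand; the following shell function, added here as an example (it is not from the original post), does the same append but also enforces the 700/600 permissions and ownership that sshd's StrictModes requires, rejects malformed key files, and skips keys that are already present. The key text used in comments is constructed, and the home directory, key file and owner are parameters rather than values from the post.

```shell
#!/bin/sh
# install_pubkey <pubkey-file> <home-dir> [owner]
# Appends the key to <home-dir>/.ssh/authorized_keys unless it is already there.
# Returns 0 on success, 1 if the key file is missing or is not a one-line OpenSSH public key.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only "<type> <base64-blob> [comment]" for the key types mentioned in the post
    [ -f "$pubkey_file" ] || return 1
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        ssh-rsa\ *|ecdsa-sha2-nistp*\ *|ssh-dss\ *|ssh-ed25519\ *) ;;
        *) return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores authorized_keys when .ssh or the
    # file itself is writable by others, so set 700/600 explicitly regardless of umask
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent append: compare type and blob only, so a different comment does not
    # create a duplicate entry (option-prefixed lines are not considered here)
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$auth_file" | grep -qxF "$key_id"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi

    # The directory must belong to the login user; chown only works when run as root
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$ssh_dir"
    fi
    return 0
}

# count_keys <home-dir>: number of entries in the user's authorized_keys
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c . "$1/.ssh/authorized_keys"
}
```

Run as root on the server, `install_pubkey /opt/id_ecdsa.pub /home/zhangsan zhangsan` replaces the mkdir/cat steps of Method 2.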

Use key pair authentication on the client

ssh [email protected]
Enter passphrase for key '/home/li1/.ssh/id_ecdsa':        #enter the private key passphrase
Last login: Sun Dec 13 13:31:58 2020


Use ssh-agent on the client so the private key passphrase is entered only once

ssh-agent bash
ssh-add
Enter passphrase for /home/li1/.ssh/id_ecdsa:   #enter the private key passphrase
Identity added: /home/li1/.ssh/id_ecdsa (/home/li1/.ssh/id_ecdsa)

ssh [email protected]
Last login: Sun Dec 13 13:32:47 2020 from 192.168.249.30


TCP Wrappers access control

  • TCP Wrappers acts like a protective shell around TCP service programs: it watches the service's port and inserts a security check in front of it. An external connection request must pass this check before it reaches the real service program.
  • Most Linux distributions ship TCP Wrappers by default.
  • Run "rpm -q tcp_wrappers" to check that the package is installed.

Two ways the TCP Wrappers protection mechanism is implemented

  • Using the tcpd program directly to protect other service programs; this requires the tcpd program to run.

  • Having the network service programs themselves call the libwrap.so.* shared library, with no tcpd process. This method is more widely used and more efficient.

  • Use the ldd command to see whether a program links against libwrap.so.*

    ldd $(which sshd vsftpd)    #look for libwrap.so in the output

Access policy of TCP Wrappers

  • The protection objects of the TCP Wrappers mechanism are various network service programs, and access control is performed on the client address of the access service.
  • The corresponding two policy files are /etc/hosts.allow and /etc/hosts.deny, which are used to set allow and deny policies respectively.

Format:
<Service Program List>:<Client Address List>

Service program list
  • ALL: represents all services.
  • A single service program, such as "vsftpd".
  • A list of several service programs, such as "vsftpd, sshd".
Client address list
  • ALL: represents any client address.
  • LOCAL: represents the local address.
  • Multiple addresses are separated by commas.
  • The wildcard characters "*" and "?" are allowed: "*" matches any number of characters, "?" matches exactly one character.
  • A network segment address, such as 192.168.249. or 192.168.249.0/255.255.255.0
  • A domain address, such as ".benet.com", which matches all hosts in the benet.com domain.

Basic principles of the TCP Wrappers mechanism

The /etc/hosts.allow file is checked first; if a matching policy is found, access is allowed.
Otherwise /etc/hosts.deny is checked; if a matching policy is found, access is denied.
If neither file contains a matching policy, access is allowed.

"Allow all, deny some"
Just add the corresponding deny policies to the /etc/hosts.deny file.

"Allow some, deny all"
Besides adding allow policies to /etc/hosts.allow, you also need to set a deny policy of "ALL:ALL" in the /etc/hosts.deny file.

If you only want to allow access to the sshd service from the host with IP address 12.0.0.1 and from hosts on the 192.168.249.0/24 network segment, and reject all other addresses:

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.249.

vi /etc/hosts.deny
sshd:ALL
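Because an unmatched request is allowed by default, a hosts.allow rule on its own restricts nothing. The shell functions below, added here as an example and not part of the original post, emulate the allow/deny/default-allow evaluation described above so a policy pair can be dry-run before deployment; they support the ALL, LOCAL, trailing-dot prefix, leading-dot suffix and exact-address forms, and by assumption leave out the address/netmask and "*"/"?" wildcard forms.

```shell
#!/bin/sh
# matches_client <pattern> <client-address>: 0 if the client pattern covers the address.
# Supported forms: ALL, LOCAL, a trailing-dot network prefix, a leading-dot domain
# suffix, or an exact address (the address/netmask and wildcard forms are left out).
matches_client() {
    pat=$1; client=$2
    case "$pat" in
        ALL) return 0 ;;
        LOCAL) case "$client" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot = local host name
        *.) case "$client" in "$pat"*) return 0 ;; esac ;;                  # e.g. 192.168.249.
        .*) case "$client" in *"$pat") return 0 ;; esac ;;                  # e.g. .benet.com
        *) [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# file_matches <policy-file> <service> <client>: 0 if any rule in the file matches.
# Rules have the form "<service list>:<client list>"; comments and blank lines are skipped.
file_matches() {
    file=$1; service=$2; client=$3
    [ -f "$file" ] || return 1
    sed 's/#.*//; /^[[:space:]]*$/d' "$file" | (
        while IFS=: read -r services clients; do
            for s in $(printf '%s' "$services" | tr ',' ' '); do
                [ "$s" = ALL ] || [ "$s" = "$service" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    matches_client "$c" "$client" && exit 0
                done
            done
        done
        exit 1
    )
}

# check_access <hosts.allow> <hosts.deny> <service> <client>: prints ALLOW or DENY
# in TCP Wrappers order: hosts.allow first, then hosts.deny, then allow by default.
check_access() {
    if file_matches "$1" "$3" "$4"; then
        echo ALLOW
    elif file_matches "$2" "$3" "$4"; then
        echo DENY
    else
        echo ALLOW   # no matching rule in either file: the connection is let through
    fi
}
```

`check_access /etc/hosts.allow /etc/hosts.deny sshd 10.0.0.2` answers for a single client; delete the `sshd:ALL` line from hosts.deny and the same call flips to ALLOW, which is the default-allow pitfall the section warns about.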



Origin blog.csdn.net/shengmodizu/article/details/114035169