SSH remote management
OpenSSH server introduction
- SSH (Secure Shell) protocol
- A secure channel protocol, mainly used for remote login, remote copying and other command-line functions
- All communication data is encrypted, including the password typed at login, so the SSH protocol offers good security
Diagram: SSH client <----- network -----> SSH server. Data in transit is encrypted, which prevents information leakage, and compressed, which increases transmission speed.
- SSH client: Putty, Xshell, CRT
- OpenSSH server
- Service name: sshd
- Server main program: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config
- Client configuration file: /etc/ssh/ssh_config
- OpenSSH is an open source software project that implements the SSH protocol, applicable to various UNIX and Linux operating systems
- CentOS 7 installs the openssh packages by default and enables the sshd service at boot
- Execute the "systemctl start sshd" command to start the sshd service
- The default port number of the sshd service is 22
Configure OpenSSH server
- vim /etc/ssh/sshd_config
Port 22 #Listening port (22 by default)
ListenAddress 0.0.0.0 #Listen on any address; a specific IP of the OpenSSH server can also be given
LoginGraceTime 2m #Login authentication must complete within 2 minutes
PermitRootLogin no #Forbid root login
MaxAuthTries 6 #Maximum number of authentication attempts per connection is 6
PermitEmptyPasswords no #Forbid login for users with empty passwords
UseDNS no #Disable reverse DNS lookups to improve the server's response speed
#Only allow the users zhangsan, lisi and wangwu to log in; wangwu may only log in remotely from the host with IP address 192.168.150.10
AllowUsers zhangsan lisi wangwu@192.168.150.10 #Separate multiple users with spaces; do not list non-existent user names
#Forbid specific users to log in; usage is similar to AllowUsers (be careful not to use both at the same time)
DenyUsers zhangsan
- systemctl restart sshd #Restart the service
SSH remote login
ssh [options] <user>@<host>
When a user logs in to the SSH service for the first time, the ECDSA host key sent by the server must be accepted (enter yes at the prompt) before authentication proceeds. The received key is saved in the ~/.ssh/known_hosts file. After the password is verified, the user lands in the command environment of the target server
- -p: specify a non-default port number; port 22 is used by default
ssh [email protected] can log in
ssh [email protected] cannot log in
SSH system for key pair verification
- The sshd service supports two authentication methods
- Password verification: verifies the login name and password of a local system user on the server. Simple, but vulnerable to brute-force guessing
- Key pair verification: the key information must match for verification to pass. Usually a pair of key files (public key, private key) is created on the client first, and the public key file is then placed in the specified location on the server. At remote login time the public and private keys are used in an encryption/decryption check to verify that they belong together. Security is stronger, and login can be non-interactive
- When both password verification and key pair verification are enabled, the server tries key pair verification first. Set the verification methods according to the actual situation
- vim /etc/ssh/sshd_config
PasswordAuthentication yes #Enable password authentication
PubkeyAuthentication yes #Enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys #Specify the public key library file
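The two sshd_config fragments above (the hardening settings and the authentication switches) can be checked mechanically. This is an added example, not part of the original tutorial: a small parser for the global section of sshd_config plus an audit that reports settings that differ from what this page recommends. The sample config is constructed here and deliberately leaves several settings weak.

```python
import re

# Constructed sample sshd_config with several settings left in a weak state.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
MaxAuthTries 10
PermitEmptyPasswords yes
UseDNS yes
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers zhangsan lisi wangwu@192.168.150.10
DenyUsers zhangsan
"""

# Values this page recommends; keywords are compared case-insensitively, as sshd does.
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a keyword,
    and only the global section (before any Match block) is considered here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Return a list of findings; an empty list means every checked setting is as recommended."""
    s = parse_sshd_config(text)
    findings = [f"{k}: expected {v}, found {s.get(k)}"
                for k, v in EXPECTED.items() if s.get(k, "").lower() != v]
    if int(s.get("maxauthtries", "6")) > 6:            # sshd's built-in default is 6
        findings.append(f"maxauthtries: {s['maxauthtries']} exceeds the recommended 6")
    if "allowusers" in s and "denyusers" in s:         # sshd processes DenyUsers before AllowUsers
        findings.append("allowusers and denyusers are both set; the page advises using only one")
    return findings
```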
Configure key pair verification
- 1. Create a key pair on the client: use the ssh-keygen tool to create a key pair file for the current user. Available algorithms include RSA, ECDSA and DSA (the "-t" option of ssh-keygen specifies the algorithm type; note that DSA keys are disabled by default since OpenSSH 7.0, so use ECDSA or RSA in practice)
useradd wang
echo "123456" | passwd --stdin wang
su - wang
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): #Specify where to store the private key; press Enter to use the default location
Created directory '/home/admin/.ssh'. #By default the generated private and public key files are stored in the hidden .ssh/ directory under the user's home directory
Enter passphrase (empty for no passphrase): #Set a passphrase for the private key
Enter same passphrase again: #Confirm the passphrase
ls -l .ssh/id_ecdsa* #id_ecdsa is the private key file (default permission 600); id_ecdsa.pub is the public key file, which is given to the SSH server
- 2. Upload the public key file to the server
scp ~/.ssh/id_ecdsa.pub [email protected]:/opt
- 3. Import the public key file, on the server
mkdir .ssh
cat id_ecdsa.pub >> .ssh/authorized_keys
- 4. Use the key pair to verify, on the client side
ssh [email protected]
Enter passphrase for key '/home/wang/.ssh/id_ecdsa': #Enter the private key passphrase
- 5. Set up the ssh agent on the client so that the passphrase does not have to be entered again at every login
ssh-agent bash
ssh-add
Enter passphrase for /home/wang/.ssh/id_ecdsa: #Enter the private key passphrase
ssh [email protected]
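A common reason step 4 still asks for a password is that sshd (with its default StrictModes yes) silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others; a plain "mkdir .ssh" under a loose umask can cause exactly that. The following is an added example, not from the original tutorial: a checker for those server-side prerequisites, demonstrated on a constructed home directory in a temporary folder with a constructed (not real) public key.

```python
import os
import stat
import tempfile

def check_authorized_keys(home, pubkey_line):
    """Return a list of problems for the account whose home directory is `home`; empty = OK.
    sshd rejects any of these paths if it is group- or world-writable; 700/600 is the
    conventional (stricter) setting, but the write bits are what actually break key login."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    keys_file = os.path.join(ssh_dir, "authorized_keys")
    forbidden = stat.S_IWGRP | stat.S_IWOTH
    for path in (home, ssh_dir, keys_file):
        if not os.path.exists(path):
            problems.append(f"missing: {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & forbidden:
            problems.append(f"too permissive: {path} ({oct(mode)})")
    if os.path.isfile(keys_file):
        wanted = " ".join(pubkey_line.split()[:2])        # key type + base64 blob, comment ignored
        with open(keys_file) as f:
            present = any(" ".join(l.split()[:2]) == wanted for l in f if l.strip())
        if not present:
            problems.append("public key not found in authorized_keys")
    return problems

def demo():
    """Constructed scenario: a home directory set up carelessly, then fixed. Returns both reports."""
    pub = "ecdsa-sha2-nistp256 AAAAconstructedNotARealKey wang@client"   # constructed, not a real key
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys_file = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(keys_file, "a") as f:                  # same effect as: cat id_ecdsa.pub >> .ssh/authorized_keys
            f.write(pub + "\n")
        os.chmod(home, 0o777)                            # careless state: everything group/world-writable
        os.chmod(ssh_dir, 0o775)
        os.chmod(keys_file, 0o664)
        before = check_authorized_keys(home, pub)
        os.chmod(home, 0o755)                            # fixed state: what sshd expects
        os.chmod(ssh_dir, 0o700)
        os.chmod(keys_file, 0o600)
        after = check_authorized_keys(home, pub)
        return before, after
```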
scp remote copy
- Downlink copy (remote to local)
scp [email protected]:/etc/passwd /root/passwd10.txt #Copy the /etc/passwd file on the remote host to the local machine
- Uplink copy (local to remote)
scp -r /etc/ssh/ [email protected]:/opt #Copy the local /etc/ssh directory to the remote host (-r is not needed for a single file)
sftp secure FTP
- Because encryption/decryption is used, transfer efficiency is lower than plain FTP, but security is higher. The sftp command syntax is almost the same as ftp
- sftp [email protected]
sftp> ls #List files
sftp> get filename #Download
sftp> put filename #Upload
sftp> quit #Quit
TCP Wrappers access control
Overview of TCP Wrappers
- TCP Wrappers "wraps" a TCP service program: it listens on the service's port on its behalf and adds a security check. An external connection request must first pass this check and is handed to the real service program only after being permitted.
- In most Linux distributions TCP Wrappers is provided by default; check with: rpm -q tcp_wrappers
- There are two ways to implement the TCP Wrappers protection mechanism
1. Use the tcpd program directly to protect other service programs; the tcpd program must be running
2. Other network service programs call the libwrap.so.* link library; the tcpd program does not need to run. This method is more widely used and more efficient
- Use the ldd command to see whether a program links the libwrap.so.* library (on CentOS 7 it is the server binary /usr/sbin/sshd that links libwrap; newer distributions such as RHEL/CentOS 8 no longer ship tcp_wrappers at all, so check with ldd before relying on it)
ldd $(which ssh vsftpd)
Protection principle
TCP Wrappers access policy
- The protection objects of the TCP Wrappers mechanism are network service programs; access control is performed on the client address that connects to the service.
- The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set allow and deny policies respectively.
- Format:
<service program list>:<client address list>
(1) Service program list
ALL: all services
A single service program, such as "vsftpd"
A list of several service programs, such as "vsftpd, sshd"
(2) Client address list
ALL: any client address
LOCAL: the local address
Multiple addresses are separated by commas
The wildcards "*" and "?" are allowed; the former matches a string of any length, the latter exactly one character
A network segment address, such as 192.168.80. or 192.168.80.0/255.255.255.0
A domain address, such as ".benet.com", which matches all hosts in the benet.com domain
Basic principles of TCP Wrappers mechanism
- First check the /etc/hosts.allow file; if a matching policy is found, access is allowed
- Otherwise, continue to check the /etc/hosts.deny file; if a matching policy is found, access is denied
- If no matching policy is found in either file, access is allowed
- "Allow all, deny a few": just add the corresponding deny policies to the /etc/hosts.deny file
- "Allow a few, deny all": besides adding allow policies to /etc/hosts.allow, also set a deny policy of "ALL:ALL" in the /etc/hosts.deny file
- Example: only the host with IP address 12.0.0.1 and hosts on the 192.168.150.0/24 network segment may access the sshd service; all other addresses are denied
vi /etc/hosts.allow
sshd:12.0.0.1,192.168.150.*
vi /etc/hosts.deny
sshd:ALL
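The decision order above (hosts.allow first, then hosts.deny, default allow) and the client-address patterns from the access-policy section can be exercised offline. This is an added example, not libwrap's own code: a simplified re-implementation of the matcher, with the two policy files from the example constructed inline. libwrap's real matcher has more features (hostname lookups, EXCEPT, option fields) that are not covered here.

```python
import fnmatch
import ipaddress

# Constructed policy files, mirroring the example at the end of this section.
HOSTS_ALLOW = "sshd:12.0.0.1,192.168.150.*\n"
HOSTS_DENY = "sshd:ALL\n"

def addr_matches(pattern, client):
    """Match one client-address pattern against an IP address or hostname string."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                         # any hostname that contains no dot
        return "." not in client
    if "/" in pattern:                             # 192.168.80.0/255.255.255.0 (or a /24 prefix)
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):                    # ".benet.com" -> every host in that domain
        return client.endswith(pattern)
    if pattern.endswith("."):                      # "192.168.80." -> every address with that prefix
        return client.startswith(pattern)
    return fnmatch.fnmatchcase(client, pattern)    # "*" / "?" wildcards, or an exact address

def file_matches(text, service, client):
    """True if any rule line in a policy file covers this service and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        services, clients = line.split(":", 1)
        if not any(s.strip() in ("ALL", service) for s in services.split(",")):
            continue
        if any(addr_matches(p, client) for p in clients.split(",")):
            return True
    return False

def is_allowed(service, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow wins, then hosts.deny; no match in either file means access is allowed."""
    if file_matches(allow_text, service, client):
        return True
    if file_matches(deny_text, service, client):
        return False
    return True
```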