Remote access and control: SSH remote management and TCP Wrappers access control

1. SSH remote management

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote copying through a character (command-line) interface.
The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user types when logging in, so it offers good security.

SSH client <-------------------- network --------------------> SSH server
Data is encrypted in transit, which prevents information leakage.
Data is compressed in transit, which can increase transmission speed.

SSH clients: PuTTY, Xshell, CRT
SSH server: OpenSSH

OpenSSH is an open-source software project that implements the SSH protocol and runs on various UNIX and Linux operating systems.
CentOS 7 installs the openssh packages by default and enables the sshd service at boot.
Run "systemctl start sshd" to start the sshd service. By default the sshd service listens on port 22, and its configuration file is /etc/ssh/sshd_config.

Both ssh_config and sshd_config are OpenSSH configuration files (both live in /etc/ssh/). The difference is that ssh_config configures the client and sshd_config configures the server.

2. Configure the OpenSSH server

① Commonly used options in the configuration file

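As an added example (not code from the original post), the following shell script audits an sshd_config for a handful of the commonly used options and reports any that differ from a hardened value. It reads the file the way sshd does, honouring only the first occurrence of a keyword and stopping at the first Match block. The two configuration files it checks are constructed inside the script for the demo; on a real host you would point it at /etc/ssh/sshd_config instead. The list of "hardened" values is an assumption of this example, not something stated on the page.

```shell
#!/bin/sh
# Added example, not code from the original post: a small audit of sshd_config
# settings. The config files it checks are constructed below for the demo;
# on a real host you would run it against /etc/ssh/sshd_config.

# Effective value of one keyword. sshd honours the FIRST occurrence of a
# keyword (later duplicates are ignored) and keywords are case-insensitive,
# so the audit must read the file the same way. Options inside a "Match"
# block are conditional, so scanning stops there.
sshd_option() {  # usage: sshd_option FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/      { next }
        /^[ \t]*[Mm]atch[ \t]/        { exit }
        tolower($1) == key            { print $2; exit }
    ' "$1"
}

# One line per option that differs from the hardened value (assumed list).
# An option that is not set at all is reported too: the compiled-in default
# then applies, and a hardened config states these values explicitly.
check_sshd_config() {  # usage: check_sshd_config FILE
    for rule in PermitRootLogin:no PasswordAuthentication:no \
                PubkeyAuthentication:yes PermitEmptyPasswords:no MaxAuthTries:3
    do
        key=${rule%%:*}; want=${rule#*:}
        have=$(sshd_option "$1" "$key")
        [ -n "$have" ] || have="(not set)"
        [ "$have" = "$want" ] || echo "$key is '$have', recommended '$want'"
    done
}

# Number of findings as a plain integer on stdout (0 means nothing to fix).
count_sshd_findings() {  # usage: count_sshd_findings FILE
    check_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample configs (not real host files), written to temp files.
write_weak_config() {
    f=$(mktemp) && cat > "$f" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the duplicate below is ignored by sshd: the first occurrence wins
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
EOF
    echo "$f"
}
write_hardened_config() {
    f=$(mktemp) && cat > "$f" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
EOF
    echo "$f"
}

# Demo run: list the findings for the weak config.
weak=$(write_weak_config)
check_sshd_config "$weak"
rm -f "$weak"
```

The duplicate PasswordAuthentication line in the weak config is the point worth remembering: appending a stricter line at the bottom of sshd_config changes nothing if an earlier line already sets the keyword, and the audit reports the value sshd will actually use.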

② AllowUsers and DenyUsers

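As an added example (not code from the original post), here is a shell model of how sshd applies the DenyUsers and AllowUsers directives to a login attempt. It reproduces the evaluation order sshd documents: DenyUsers is checked first, then AllowUsers (DenyGroups and AllowGroups, which follow, are not modelled), and patterns may be a bare user name or user@host with shell wildcards. The user names and addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of sshd's
# DenyUsers / AllowUsers decision. sshd evaluates DenyUsers first, then
# AllowUsers (then DenyGroups and AllowGroups, not modelled here). A user in
# DenyUsers is refused even if AllowUsers also lists them, and once
# AllowUsers is present everyone not listed is refused.

# Does USER (from HOST) match any pattern in a space-separated list?
# Patterns are "user" or "user@host" and may use * and ? as in sshd_config.
user_matches() {  # usage: user_matches USER HOST "pattern1 pattern2 ..."
    user=$1; host=$2; found=1
    set -f                       # no pathname expansion: "*" must stay a pattern
    for p in $3; do
        case $p in
            *@*) case "$user@$host" in $p) found=0 ;; esac ;;
            *)   case "$user"       in $p) found=0 ;; esac ;;
        esac
    done
    set +f
    return $found
}

# Print "allow" or "deny" for one login attempt. An empty DENY or ALLOW
# string means that directive is absent from sshd_config.
ssh_user_decision() {  # usage: ssh_user_decision USER HOST "DENY list" "ALLOW list"
    user=$1; host=$2; deny=$3; allow=$4
    if [ -n "$deny" ] && user_matches "$user" "$host" "$deny"; then
        echo deny; return 0
    fi
    if [ -n "$allow" ] && ! user_matches "$user" "$host" "$allow"; then
        echo deny; return 0
    fi
    echo allow
}

# Demo run with constructed names: DenyUsers guest*, AllowUsers admin@192.168.1.* lisi
for attempt in "lisi 10.0.0.5" "admin 192.168.1.20" "admin 10.0.0.5" "guest1 192.168.1.20"; do
    set -- $attempt
    echo "$1 from $2: $(ssh_user_decision "$1" "$2" 'guest*' 'admin@192.168.1.* lisi')"
done
```

The deny-before-allow order is the part that surprises people: adding a user to AllowUsers does not override a DenyUsers entry that matches them, and adding a first AllowUsers line silently locks out every account that is not on it, including the one you are logged in with.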

③ sftp (secure FTP)


3. The sshd service supports two authentication methods

① Password verification

The login name and password of a local system user on the server are verified. Simple, but vulnerable to brute-force guessing.

② Key pair verification

Matching key information is required to pass verification. Usually a pair of key files (a public key and a private key) is first created on the client, and the public key file is then placed in the specified location on the server. At remote login time the two sides use the public and private keys to perform an encryption/decryption check that proves the keys correspond. This strengthens security and also makes non-interactive login possible.
When both password verification and key pair verification are enabled, the server tries key pair verification first. The verification method can be set according to the actual situation.

Create a key pair on the client

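As an added example (not code from the original post), the script below performs the two steps the text describes: creating the key pair on the client with ssh-keygen, and placing the public key into the target account's ~/.ssh/authorized_keys on the server with the permissions sshd requires (with StrictModes on, which is the default, a group- or world-writable ~/.ssh or authorized_keys makes sshd ignore the key). The install step is what ssh-copy-id does for you. A temporary directory stands in for both the client and server home directories, and the sample public key line in the demo is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not code from the original post: client-side key pair
# creation plus server-side placement of the public key. Everything runs in
# a temporary directory that stands in for both home directories.

# Client side: create an Ed25519 key pair without a passphrase prompt.
# ssh-keygen is the real OpenSSH tool; -q, -t, -N, -C and -f are its flags.
make_keypair() {  # usage: make_keypair DIR  -> prints the private key path
    mkdir -p "$1" && chmod 700 "$1"
    ssh-keygen -q -t ed25519 -N '' -C "demo@client" -f "$1/id_ed25519" </dev/null
    echo "$1/id_ed25519"
}

# Server side (what ssh-copy-id does): append the public key line to
# ~/.ssh/authorized_keys of the target account, create the directory and file
# with the modes sshd expects, and never append a key that is already there.
install_pubkey() {  # usage: install_pubkey PUBKEY_FILE TARGET_HOME
    key=$(cat "$1") || return 1
    dir=$2/.ssh; ak=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -e "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {  # usage: mode_of PATH  -> e.g. 600
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of keys currently authorized for a home directory.
authorized_key_count() {  # usage: authorized_key_count TARGET_HOME
    awk 'END { print NR }' "$1/.ssh/authorized_keys" 2>/dev/null || echo 0
}

# Demo run. The public key line is a constructed placeholder, not a real key.
tmp=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAexampleKEYmaterialNOTreal demo@client' > "$tmp/demo.pub"
install_pubkey "$tmp/demo.pub" "$tmp/serverhome"
install_pubkey "$tmp/demo.pub" "$tmp/serverhome"   # second run must not duplicate
echo "authorized keys: $(authorized_key_count "$tmp/serverhome")"
echo ".ssh mode: $(mode_of "$tmp/serverhome/.ssh"), authorized_keys mode: $(mode_of "$tmp/serverhome/.ssh/authorized_keys")"
rm -rf "$tmp"
```

If a key that was copied correctly is still refused, the permissions of the home directory, ~/.ssh and authorized_keys on the server are the first thing to check, followed by sshd's log, which names the offending path.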

4. TCP Wrappers access control

TCP Wrappers "wraps" a TCP service program: it listens on the service's port on its behalf and adds a security check in front of it. An incoming connection request must first pass this check, and only after being permitted does it reach the real service program.

In most Linux distributions, TCP Wrappers is a feature provided by default.

Access policy of TCP Wrappers

The objects protected by the TCP Wrappers mechanism are the various network service programs, and access control is applied to the client address that accesses the service.
The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set the allow and deny policies respectively.

* Check whether a program is linked against libwrap.so: the ldd command

Only programs that link libwrap.so (or are started through tcpd) honour these policy files, and ldd shows whether a given program does.
ldd needs the absolute path of the program file. When the absolute path is not known, query it with the which command,
or combine the two commands: ldd $(which sshd)

The basic principles of the TCP Wrappers mechanism
① First check the /etc/hosts.allow file; if a matching policy is found, access is allowed.

② Otherwise, continue to check the /etc/hosts.deny file; if a matching policy is found, access is denied.

③ If no matching policy is found in either file, access is allowed.

④ To allow all and deny individual hosts, just add the corresponding deny policy in /etc/hosts.deny.

⑤ To allow individual hosts and deny all others, add an allow policy in /etc/hosts.allow and also set an "ALL:ALL" deny policy in /etc/hosts.deny.
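As an added example (not code from the original post), the script below models the TCP Wrappers decision for one daemon/client pair using constructed hosts.allow and hosts.deny files. It implements the rule order given above (hosts.allow first, then hosts.deny, otherwise allow) and the basic "daemon_list : client_list" syntax with the common client patterns: ALL, an exact address or hostname, a trailing-dot network prefix such as 192.168.1., and a leading-dot domain suffix such as .example.com. EXCEPT lists, netmask notation and the extended option fields are not modelled. The daemon names, addresses and hostnames in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of the TCP Wrappers
# decision. hosts.allow is consulted first, then hosts.deny; with no match in
# either file the connection is allowed.
set -f   # policy patterns must never be expanded as file globs

# Does one client pattern match the connecting client?
client_matches() {  # usage: client_matches PATTERN CLIENT
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # trailing dot: network prefix
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # leading dot: domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;          # exact address or hostname
    esac
    return 1
}

# Does FILE contain a rule whose daemon list and client list both match?
# Rule format: "daemon_list : client_list", lists comma-separated;
# "#" comments and lines without a colon are ignored.
file_matches() {  # usage: file_matches FILE DAEMON CLIENT
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        dmatch=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            client_matches "$c" "$client" && return 0
        done
    done < "$file"
    return 1
}

# The decision, with the file that produced it.
tcp_wrappers_decision() {  # usage: tcp_wrappers_decision ALLOW_FILE DENY_FILE DAEMON CLIENT
    if file_matches "$1" "$3" "$4"; then echo "allow (hosts.allow)"
    elif file_matches "$2" "$3" "$4"; then echo "deny (hosts.deny)"
    else echo "allow (no match)"
    fi
}

# Constructed policy for principle ⑤: allow a few clients, deny everyone else.
write_demo_policy() {  # usage: write_demo_policy DIR
    mkdir -p "$1"
    cat > "$1/hosts.allow" <<'EOF'
# admin subnet and one jump host may reach sshd; the FTP daemon only from example.com
sshd: 192.168.1., 10.0.0.10
vsftpd: .example.com
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# Demo run.
d=$(mktemp -d); write_demo_policy "$d"
for c in 192.168.1.33 10.0.0.10 10.0.0.11; do
    echo "sshd from $c: $(tcp_wrappers_decision "$d/hosts.allow" "$d/hosts.deny" sshd "$c")"
done
rm -rf "$d"
```

Note what the "allow (no match)" outcome means in practice: a hosts.allow entry on its own restricts nothing, because the default after both files miss is to allow. The restriction only exists once hosts.deny carries the ALL:ALL line from principle ⑤.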

Origin blog.csdn.net/weixin_53496478/article/details/114290770