Environment
Intranet client: Windows 10, 192.168.25.1
Server: CentOS, intranet NIC 192.168.25.11, extranet NIC 192.168.254.11
Extranet server: 192.168.254.10
The service name is sshd; the default port is 22.
rpm -qc openssh-server.x86_64
# list the configuration files that belong to the package
* Server main program: /usr/sbin/sshd
* Server configuration file: /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# back it up first
Modify the main configuration file
vim /etc/ssh/sshd_config
# edit the configuration file
line 17
Port 22 # the listening port; the default 22 can be changed to any other free port
# on CentOS with SELinux enforcing, a non-default port must also be registered (semanage port -a -t ssh_port_t -p tcp <port>) and opened in the firewall, otherwise sshd cannot bind to it or clients are blocked
systemctl restart sshd
line 18
Protocol 2 # accept only protocol version 2; version 1 is insecure. Add the line if it is missing. OpenSSH 7.4 (the version CentOS 7 ships) and later no longer support version 1 at all, so there the directive only matters for older servers
systemctl restart sshd
# restart the service for the change to take effect
line 20
ListenAddress 192.168.254.11
# the listening address; with only this line sshd listens on the extranet NIC, so the server cannot be reached over the intranet
Connecting to 192.168.25.11 (intranet) with an ssh client fails, because sshd is not listening on the 192.168.25.11 interface
Connecting to 192.168.254.11 succeeds
To listen on two or more addresses, add one ListenAddress line per address:
ListenAddress 192.168.25.11
After a restart the intranet connection works again
around line 116
UseDNS no
# disable reverse DNS lookup of the connecting client; speeds up login (add the line if it is missing)
systemctl restart sshd
# every change takes effect only after the service is restarted; run sshd -t first to check the syntax, and keep the current session open until a fresh login works, otherwise a typo locks you out
User login control
Create two test users
useradd a1
useradd a2
# then set a password for each of them (passwd a1; passwd a2)
vim /etc/ssh/sshd_config
# open the main configuration file
line 40
PermitRootLogin no
# forbid direct root logins over ssh; log in as a normal user and switch with su or sudo
line 66
PermitEmptyPasswords no
# refuse accounts whose password is empty
line 39
LoginGraceTime 2m
# the client has 2 minutes to authenticate, after which the connection is dropped
line 42
MaxAuthTries 6
# maximum number of authentication attempts per connection
Add at the end:
AllowUsers a1 a2@192.168.254.10
# a1 may log in from any address; a2 only from 192.168.254.10. Once AllowUsers is set, every user not listed is refused. Restart sshd afterwards
From the intranet Win10 (192.168.25.1): a1 logs in successfully
a2 is refused
From 192.168.254.10: a1 logs in successfully
From 192.168.254.10: a2 logs in successfully
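The sshd_config edits above (port, listening address, UseDNS, the login controls and AllowUsers) as one script. This is an added example, not part of the original tutorial; it assumes a POSIX shell with awk and coreutils, works on a constructed sample file when run without arguments, and takes the path of a real sshd_config as its argument otherwise. The point it adds is that sshd uses the first active occurrence of a keyword, so appending a directive to the end of the file does not override an earlier one.

```shell
#!/bin/sh
# Added example (not from the original tutorial): edit sshd_config directives
# idempotently and read back the value sshd would actually use.
# Assumptions: POSIX awk and coreutils; the file written by make_sample_config
# is a constructed stand-in for /etc/ssh/sshd_config.

# set_directive CONFIG KEY VALUE
# sshd uses the FIRST active occurrence of a keyword, so appending
# "PermitRootLogin no" to a file that already says "PermitRootLogin yes"
# changes nothing. Rewrite the first active line in place, drop later
# duplicates, else activate a commented default ("#Port 22") in place,
# else insert before the first Match block (or append).
set_directive() {
    cfg=$1 key=$2 val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
        # everything after "Match" is conditional: keep it untouched and
        # make sure the global line lands before it
        !inmatch && tolower($1) == "match" {
            inmatch = 1
            if (!done) { print key " " val; done = 1 }
        }
        inmatch { print; next }
        # active line for this keyword (keywords are case-insensitive)
        $0 !~ /^[ \t]*#/ && tolower($1) == lkey {
            if (!done) { print key " " val; done = 1 }
            next
        }
        # commented default such as "#Port 22": activate it where it is
        !done && tolower($0) ~ ("^[ \t]*#[ \t]*" lkey "([ \t]|$)") {
            print key " " val; done = 1; next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# add_directive CONFIG LINE: for keywords that accumulate when repeated
# (ListenAddress, HostKey), append the exact line once.
add_directive() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# effective_value CONFIG KEY: the global value sshd will use (first active
# line before any Match block). For the full picture including Match blocks
# ask the daemon itself: sshd -T -C user=a2,addr=192.168.25.1
effective_value() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        tolower($1) == "match" { exit }
        $0 !~ /^[ \t]*#/ && tolower($1) == lkey {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# The settings from the tutorial, applied in one go.
harden_sshd_config() {
    set_directive "$1" Port 22
    set_directive "$1" ListenAddress 192.168.254.11   # extranet NIC
    set_directive "$1" UseDNS no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" LoginGraceTime 2m
    set_directive "$1" MaxAuthTries 6
    set_directive "$1" AllowUsers "a1 a2@192.168.254.10"
}

# Constructed sample in the layout of a CentOS default (commented defaults).
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
EOF
}

if [ $# -ge 1 ]; then
    harden_sshd_config "$1"          # then: sshd -t && systemctl restart sshd
else
    d=$(mktemp -d)
    make_sample_config "$d/sshd_config"
    harden_sshd_config "$d/sshd_config"
    add_directive "$d/sshd_config" "ListenAddress 192.168.25.11"   # intranet NIC too
    for k in Port ListenAddress PermitRootLogin AllowUsers; do
        printf '%-16s %s\n' "$k" "$(effective_value "$d/sshd_config" "$k")"
    done
    rm -rf "$d"
fi
```

Run it as `sh harden.sh /etc/ssh/sshd_config` on the server, then `sshd -t` and `systemctl restart sshd` from a session you keep open. The `effective_value` helper only reads the global section; once Match blocks are in play, `sshd -T -C user=...,addr=...` is the authoritative check.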
Using ssh, scp and sftp
cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
# what follows has little to do with the settings above, so restore the original configuration first and restart the service
systemctl restart sshd
ssh remote login
ssh <user>@<target server ip>
# press Enter, then type the user's password to connect
Login succeeds
Running a command on the remote server with ssh and getting its output back
ssh <user>@<target server ip> <command>
for example: ssh a1@192.168.254.11 ls
# lists a1's home directory on the server and returns to the local shell
scp download
First create a file a1.txt in user a1's home directory on the server 192.168.254.11.
Then switch to the user tom on 192.168.254.10 (create one if it does not exist; any user can download, tom is used here only to show that the two sides need not be the same user).
Now download a1.txt from user a1 on 192.168.254.11 into tom's home directory on 192.168.254.10, saving it as a1-tom.txt (a remote path without a leading / is relative to that user's home):
scp a1@192.168.254.11:a1.txt a1-tom.txt
Keeping the original name also works:
scp a1@192.168.254.11:a1.txt a1.txt
scp upload
tom now has a1-tom.txt; send it back to a1:
scp a1-tom.txt a1@192.168.254.11:a1-tom.txt
The name can again be changed freely:
scp a1-tom.txt a1@192.168.254.11:tom-a1.txt
sftp
sftp <user>@<target ip>
for example: sftp a1@192.168.254.11
After authenticating you are at the sftp> prompt
ls  lists the files in the current directory on the target server
lls lists the files in the current directory on the local machine
download:
get <remote filename>
upload:
put <local filename>
Key login
Logging in with a key is for the case where you regularly log in to the server as a given user from one machine and have to type the password every time.
Generate a key pair under that user on the local machine and import the public key into the target server; from then on ssh, scp and sftp to that server no longer ask for the password. Only the public key is copied; the private key stays on the client.
Private key file: id_rsa (ssh-keygen names it after the key type: id_rsa, id_ecdsa, id_ed25519)
Public key file: id_rsa.pub (id_ecdsa.pub, id_ed25519.pub)
sudo vim /etc/ssh/sshd_config
line 43
PubkeyAuthentication yes
line 47
AuthorizedKeysFile .ssh/authorized_keys
# both are the defaults (the lines ship commented out); just make sure neither has been set to something else
systemctl restart sshd
ssh-keygen -t ecdsa
# accept all defaults (Enter). An empty passphrase gives the prompt-free login described above; a passphrase plus ssh-agent protects the key if the client machine is compromised
This creates the .ssh directory containing id_ecdsa (private) and id_ecdsa.pub (public)
scp .ssh/id_ecdsa.pub a1@192.168.254.11:tom.key
Log in to a1 on the server first
mkdir .ssh
touch .ssh/authorized_keys
chmod 700 .ssh
# tighten the permissions: with StrictModes (the default) sshd ignores the key if the home directory, ~/.ssh or authorized_keys is writable by group or others
chmod 644 .ssh/authorized_keys
cat tom.key >> .ssh/authorized_keys
# the same steps can be done from the client in one command: ssh-copy-id -i .ssh/id_ecdsa.pub a1@192.168.254.11
Now logging in to a1 from this client no longer asks for a password
Login succeeds without a password
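The authorized_keys steps above as a script that can be re-run safely. This is an added example, not part of the original tutorial: it assumes a Linux host with GNU coreutils (stat -c) and uses two constructed placeholder public keys, not real key material. Beyond the tutorial it shows the permission check StrictModes performs, avoids the duplicate lines that repeating `cat tom.key >> .ssh/authorized_keys` leaves behind, and restricts a key to one client address with a `from=` option, the key-based counterpart of `AllowUsers a2@192.168.254.10`.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install a public key into a
# user's authorized_keys the way sshd's StrictModes expects, without the
# duplicate entries that re-running "cat tom.key >> .ssh/authorized_keys"
# leaves behind. Assumptions: GNU coreutils (stat -c) on Linux; the two
# public keys below are constructed placeholders, not real keys.

# install_pubkey HOME_DIR PUBKEY_LINE [OPTIONS]
# OPTIONS is an optional authorized_keys option string such as
#   from="192.168.254.10",no-port-forwarding
# which limits the key to one client address, like AllowUsers a2@host did
# for password logins.
install_pubkey() {
    home=$1 key=$2 opts=$3
    dir="$home/.ssh" ak="$home/.ssh/authorized_keys"
    # field 2 of "type base64 comment" is the key material; match on that so
    # the same key with a different comment or options counts as installed
    blob=$(printf '%s\n' "$key" | awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-sha2-|sk-)/ { print $2 }')
    if [ -z "$blob" ]; then
        echo "install_pubkey: not a public key line: $key" >&2
        return 1
    fi
    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # home directory, ~/.ssh or the file itself is group- or world-writable
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"
    if grep -qF -- "$blob" "$ak"; then
        echo "install_pubkey: key already present in $ak" >&2
        return 0
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$ak"
    else
        printf '%s\n' "$key" >> "$ak"
    fi
}

# count_keys HOME_DIR: number of key lines (ignoring comments and blanks)
count_keys() {
    grep -cv -e '^[ \t]*#' -e '^[ \t]*$' "$1/.ssh/authorized_keys"
}

# check_perms HOME_DIR: succeed only if the home dir, ~/.ssh and
# authorized_keys all exist and none is writable by group or others
check_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        mode=$(stat -c %a "$p")                  # e.g. 700, 600, 2755
        gw_ow=$(printf '%s' "$mode" | tail -c 2) # group and other digits
        case $gw_ow in *[2367]*) return 1 ;; esac
    done
    return 0
}

# Constructed sample keys (placeholders, not valid key material). On the
# client these would be the contents of ~/.ssh/id_ecdsa.pub or id_ed25519.pub.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneExampleKeyOneExampleKeyOne tom@192.168.254.10'
SAMPLE_KEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoExampleKeyTwoExampleKeyTwo a2@192.168.254.10'

if [ $# -ge 2 ]; then
    install_pubkey "$1" "$2" "${3:-}"
else
    h=$(mktemp -d)
    install_pubkey "$h" "$SAMPLE_KEY"
    install_pubkey "$h" "$SAMPLE_KEY"      # second run is a no-op
    install_pubkey "$h" "$SAMPLE_KEY2" 'from="192.168.254.10",no-port-forwarding'
    echo "keys installed: $(count_keys "$h")"
    check_perms "$h" && echo "permissions OK for StrictModes"
    cat "$h/.ssh/authorized_keys"
    rm -rf "$h"
fi
```

On the server this is `sh install_key.sh /home/a1 "$(cat tom.key)"` run as a1 (or as root, followed by `chown -R a1:a1 /home/a1/.ssh`). If a key login still prompts for a password after this, `check_perms` and `sshd -T | grep -i -e pubkey -e strictmodes` are the first two things to look at.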