Linux remote access and control SSH commands

1. SSH service

1.1 SSH basics

1.1.1 What is an SSH server?

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login, remote copying and other character-interface functions.

The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user types at login.

SSH is a security protocol that operates at the application layer on top of the transport layer. It can also compress data to speed up transmission.

SSH client<-------------Network------------->SSH server

1.1.2 Advantages of SSH

Data transmission is encrypted, which prevents information leakage.

Data transmission is compressed, which improves transfer speed.

1.1.3 Common SSH software

Linux clients: ssh, scp, sftp, slogin
Windows clients: Xshell, MobaXterm, PuTTY, SecureCRT, SSH Secure Shell Client
OpenSSH is an open source software project that implements the SSH protocol for various UNIX and Linux operating systems.
CentOS 7 installs the openssh-related packages by default and enables the sshd service at boot.
Run "systemctl start sshd" to start the sshd service.
The sshd service listens on TCP port 22 by default and uses protocol version 2 (SSHv2); version 1 also exists but has known vulnerabilities.
/etc/ssh/ssh_config and /etc/ssh/sshd_config are both SSH configuration files; the difference is that the former configures the client and the latter configures the server.

Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config
Client configuration file: /etc/ssh/ssh_config

2. Common options for server configuration files


2.1 Set up a whitelist

AllowUsers zhangsan lisi@HOST    Only zhangsan and lisi may log in, and lisi may only log in remotely from the host HOST (HOST stands in for the client address written after the @)


2.2 Set up a blacklist

DenyUsers zhangsan lisi@HOST    Prohibits zhangsan from logging in remotely from anywhere, and prohibits lisi only when logging in from HOST (the host ending in 101)


3. Two authentication methods of the SSH service

  1. Password authentication: the login name and password are checked against the local system users on the server. It is simple, but it can be brute-forced.
  2. Key pair authentication: a matching key is required to pass authentication. Usually a pair of key files (public key and private key) is created on the client first, and the public key file is then placed in the designated location on the server. At remote login time, the public key and private key are used for an encryption/decryption challenge that verifies the client, which increases security and allows password-free, non-interactive login.

3.1 Relationship between public key and private key

  1. The public key and the private key are generated as a pair. The two keys are different from each other, and what one encrypts the other can decrypt.
  2. One key cannot be derived from the other.
  3. The public key is public; the private key is known only to its holder.

When password authentication and key pair authentication are both enabled, the server tries key pair authentication first.

vim /etc/ssh/sshd_config    server configuration file
PasswordAuthentication yes    enable password authentication
PubkeyAuthentication yes    enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys    specifies the public key file (relative to the user's home directory)
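An added example (not code from the original post) that reads the three directives above, and the AllowUsers/DenyUsers whitelist directives from section 2, the way sshd does: for each keyword the first uncommented occurrence wins, so a duplicate line further down is silently ignored. The sample config, the awk-based parser and the function names are constructed here for illustration.

```bash
#!/bin/bash
# Added example, not from the original post: report the value sshd will
# really use for a directive. sshd_config is first-match-wins: for each
# keyword the first uncommented occurrence is the effective one and later
# duplicates are ignored. Keywords are case-insensitive. Match blocks and
# the "Key=value" spelling are not handled here.

# sshd_effective CONFIG_FILE KEYWORD -> prints the effective value (or nothing)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                          # skip comment lines
        NF >= 2 && tolower($1) == key {              # first match wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# sshd_audit CONFIG_FILE Key=want ... -> 0 if every directive has the wanted
# effective value, 1 otherwise (one line printed per deviation)
sshd_audit() {
    cfg="$1"; shift; rc=0
    for pair in "$@"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_effective "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: effective value '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not a real host). PasswordAuthentication is set
# twice; only the first line counts, so password login is actually off.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# Port 2222          <- commented out, ignored
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers zhangsan lisi@192.168.137.101
EOF

sshd_effective "$SAMPLE_CFG" PasswordAuthentication      # prints: no
sshd_effective "$SAMPLE_CFG" AllowUsers                  # prints the whitelist
sshd_audit "$SAMPLE_CFG" PasswordAuthentication=yes PubkeyAuthentication=yes \
    || echo "config does not match the settings from section 3"
```

Running `sshd -T` on the server prints the effective configuration the same way, which is the quickest cross-check after editing sshd_config.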

4. ssh client programs

4.1 ssh remote login

ssh [options] user@ip
-p    specify the port number

When a user logs in to a host remotely for the first time, they must accept the host key (for example ECDSA) fingerprint presented by the server. The received key is stored in the ~/.ssh/known_hosts file. After the check succeeds, the user lands in the command environment of the target server.


4.2 scp remote copy

Download (remote to local):

scp user@host:/etc/passwd /root/passwd.txt
Copies the /etc/passwd file from the remote host to the local machine (user@host stands in for the remote login name and address)

Upload (local to remote):

scp -r /etc/ssh/ user@host:/opt
Copies the local /etc/ssh directory to the remote host (-r copies recursively)

This copy overwrites automatically if the other host already has a file with the same name.


4.3 sftp secure FTP

Because of the encryption/decryption involved, transfer efficiency is lower than with ordinary FTP, but security is higher.

5. Configure key pair verification

  1. Create a key pair on the client; the private key and public key are generated in the .ssh directory of your home directory

ssh-keygen -t rsa

  2. ssh-copy-id -p <port number> -i ~/.ssh/id_rsa.pub user@<ip address>
    Note that the generated .ssh directory must have permissions 700 and authorized_keys must have permissions 600
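An added example (not part of the original post) that checks the permission requirement from the note above and fixes it. It uses GNU stat (as on CentOS 7); the directory names and function names are constructed for the demo, which runs in a temporary directory rather than a real home directory.

```bash
#!/bin/bash
# Added example, not from the original post: verify that ~/.ssh is 700 and
# authorized_keys is 600, as the section above requires. sshd's StrictModes
# check (on by default) refuses group- or world-writable key files and
# directories, so an over-permissive mode silently breaks key login.

# check_ssh_perms SSH_DIR -> 0 if both modes are correct, 1 otherwise;
# prints one line per problem found
check_ssh_perms() {
    dir="$1"; rc=0
    mode="$(stat -c '%a' "$dir" 2>/dev/null || true)"
    if [ "$mode" != "700" ]; then
        echo "$dir: mode is '${mode:-missing}', expected 700"; rc=1
    fi
    mode="$(stat -c '%a' "$dir/authorized_keys" 2>/dev/null || true)"
    if [ "$mode" != "600" ]; then
        echo "$dir/authorized_keys: mode is '${mode:-missing}', expected 600"; rc=1
    fi
    return $rc
}

# fix_ssh_perms SSH_DIR -> apply the expected modes
fix_ssh_perms() {
    chmod 700 "$1" && chmod 600 "$1/authorized_keys"
}

# Constructed demo in a temporary directory (not a real home directory):
# start with group-writable modes, which StrictModes rejects.
DEMO="$(mktemp -d)/.ssh"
mkdir -m 775 "$DEMO"
touch "$DEMO/authorized_keys" && chmod 664 "$DEMO/authorized_keys"

check_ssh_perms "$DEMO" || echo "permissions wrong, fixing"
fix_ssh_perms "$DEMO"
check_ssh_perms "$DEMO" && echo "permissions OK"
```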


5.1 Non-interactive login without a passphrase

That is, do not set a passphrase when creating the key pair.

5.2 Non-interactive login when the key already has a passphrase

ssh-agent bash    start an agent (only in the current shell environment)
ssh-add    enter the key passphrase once; the agent then supplies the key

However, this is only valid in the current session and is lost after a restart.


6. TCP Wrappers access control

TCP Wrappers wraps a TCP service program and listens on the service's port, adding a security check in front of it. External connection requests must pass this check, and only those that are permitted reach the real service program.

6.1 Two ways the TCP Wrappers protection mechanism is implemented

  1. The tcpd program protects other services directly; this requires running the tcpd program.
  2. Other network service programs call the libwrap.so* shared library themselves, without running tcpd. This method is more efficient.

Use the ldd command to check whether a program links against the libwrap.so library:

ldd $(which sshd)


6.2 TCP Wrappers access policy

For the various network service programs, access is controlled by the address of the client accessing the service. The corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set allowed and denied access respectively.

Format: "service program list": "client address list"
The wildcard characters * and ? are allowed in the client address list.

6.3 Basic principle

The /etc/hosts.allow file is checked first; if nothing matches there, the /etc/hosts.deny file is checked; if neither file has a matching policy, all access is allowed.

For example:
If I only want to allow the host with IP address 12.0.0.1 and the host at 192.168.137.101 to access the ssh service, and deny all others:

vim /etc/hosts.allow
sshd:12.0.0.1,192.168.137.101
vim /etc/hosts.deny
sshd:ALL

Set the whitelist and blacklist on 192.168.137.102.
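An added example (not code from the original post or from TCP Wrappers itself) that simulates the lookup order of section 6.3 against two constructed policy files carrying the example rules above. Matching is deliberately limited to what this page uses: exact IPv4 addresses, comma-separated lists and the ALL wildcard; netmasks, hostnames, * and ? patterns and EXCEPT clauses are not implemented.

```bash
#!/bin/bash
# Added example, not from the original post: hosts.allow / hosts.deny
# decision order. Real hosts_access(5) matching is richer; this only handles
# exact IPv4 addresses, comma lists and ALL.

# list_has "a, b,c" ITEM -> 0 if ITEM or ALL appears in the comma-separated list
list_has() {
    old_ifs="$IFS"; IFS=','
    for entry in $1; do
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        if [ "$entry" = "$2" ] || [ "$entry" = "ALL" ]; then
            IFS="$old_ifs"; return 0
        fi
    done
    IFS="$old_ifs"; return 1
}

# policy_match FILE SERVICE CLIENT_IP -> 0 if some "services:clients" line matches
policy_match() {
    file="$1"; svc="$2"; ip="$3"
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        line="${line%%#*}"                          # drop comments
        case "$line" in *:*) ;; *) continue ;; esac  # skip blank/invalid lines
        services="${line%%:*}"; clients="${line#*:}"
        list_has "$services" "$svc" && list_has "$clients" "$ip" && return 0
    done < "$file"
    return 1
}

# hosts_access ALLOW_FILE DENY_FILE SERVICE CLIENT_IP -> prints allow or deny:
# hosts.allow first, then hosts.deny, and allow when neither file matches
hosts_access() {
    if policy_match "$1" "$3" "$4"; then echo allow
    elif policy_match "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed policy files mirroring the page's example (temporary dir, not /etc)
TMPD="$(mktemp -d)"
printf 'sshd:12.0.0.1,192.168.137.101\n' > "$TMPD/hosts.allow"
printf 'sshd:ALL\n' > "$TMPD/hosts.deny"

hosts_access "$TMPD/hosts.allow" "$TMPD/hosts.deny" sshd 192.168.137.101   # allow
hosts_access "$TMPD/hosts.allow" "$TMPD/hosts.deny" sshd 192.168.137.50    # deny
hosts_access "$TMPD/hosts.allow" "$TMPD/hosts.deny" vsftpd 192.168.137.50  # allow
```

The third call shows the catch in the "allow by default" rule: a deny line for sshd alone says nothing about other wrapped services, so each service you want closed needs its own entry in hosts.deny (or a generic ALL:ALL line).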


Origin blog.csdn.net/2302_76410765/article/details/130273968