CentOS 7 Configuring SSH remote access and control

In a real production environment, servers are rarely administered at the local console; most enterprise servers are managed through remote login. When a single management host has to maintain hundreds of machines, remote maintenance becomes the dominant approach.

SSH Overview

SSH (Secure Shell) is a secure channel protocol used mainly for remote login and remote copying over a character (command-line) interface. SSH encrypts the data transmitted in both directions, including the password the user enters at login. Compared with traditional methods such as Telnet (remote login) and RSH (remote command execution), the SSH protocol offers far better security.

I. Configuring the OpenSSH server

1. Service listening options

The sshd service listens on port 22 by default. It is recommended to change this port number and, where necessary, bind the service to a specific IP address, to make it less conspicuous on the network. In addition, SSH protocol version 2 is more secure than v1 and should be selected; disabling reverse DNS lookups speeds up the server's response.

[root@localhost ~]# vim /etc/ssh/sshd_config                       //edit the main sshd configuration file
                              …………                          //some content omitted
Port 22                                                          //listening port is 22
ListenAddress 0.0.0.0                                  //listening address 0.0.0.0 means listen on all addresses
Protocol 2                                                    //use SSH protocol version 2
UseDNS no                                                 //disable reverse DNS lookups to improve response time
                              …………                        //some content omitted
[root@localhost ~]# systemctl restart sshd                        //restart the sshd service

2. User login control

By default the sshd service allows the root user to log in, which is a serious security risk on a network. The usual practice is to log in as an ordinary user and then switch to root.

[root@localhost ~]# vim /etc/ssh/sshd_config                         //edit the main sshd configuration file
                              …………                  //some content omitted
LoginGraceTime 2m                                        //login must complete within 2 minutes
PermitRootLogin no                                        //forbid root login
MaxAuthTries 6                                               //maximum of 6 authentication attempts
PermitEmptyPasswords no                           //forbid login with an empty password
                              …………                          //some content omitted
[root@localhost ~]# systemctl restart sshd                         //restart the sshd service

To allow or deny login for specific users only, use the AllowUsers or DenyUsers directive. The two are used in the same way, but take care not to use both at the same time. For example, to allow only the users xiaoli and xiaozhang to log in, with xiaozhang permitted to log in remotely only from the IP address 192.168.1.2:

[root@localhost ~]# vim /etc/ssh/sshd_config                       //edit the main sshd configuration file
                              …………                                       //some content omitted
AllowUsers xiaoli xiaozhang@192.168.1.2                         //multiple users are separated by spaces
[root@localhost ~]# systemctl restart sshd                         //restart the sshd service

3. Login authentication methods

The sshd service supports two authentication methods:
1. Password authentication: the login name and password of a local system user on the server are verified. This is the simplest method to use, but the system user's password is exposed to password enumeration (brute-force) attacks.
2. Key-pair authentication: matching key material must be presented to pass verification. Typically a key pair is created on the client and the public key file is placed in the designated location on the server. At remote login, the system uses the public and private keys for encryption/decryption verification. This method is hard to forge, allows non-interactive login, and is widely used in shell scripting.

When both password authentication and key-pair authentication are enabled, the server tries key-pair authentication first. Unless there are special requirements, it is recommended to enable both methods.

[root@localhost ~]# vim /etc/ssh/sshd_config                       //edit the main sshd configuration file
                              …………                             //some content omitted
PasswordAuthentication yes                                                //enable password authentication
PubkeyAuthentication yes                                                    //enable key-pair authentication
AuthorizedKeysFile      .ssh/authorized_keys                      //location of the public key database file
                              …………                            //some content omitted
[root@localhost ~]# systemctl restart sshd                         //restart the sshd service

II. Using the SSH client programs

In CentOS 7.3, the OpenSSH client is provided by the openssh-clients package (installed by default), which includes the ssh remote login command and the scp and sftp remote copy and file transfer commands.

1. Command-line programs (ssh, scp, sftp)

1) ssh remote login

The ssh command logs in remotely to a host running the sshd service, giving the user a secure shell environment for server management and maintenance.

[root@kehuduan ~]# ssh xiaozhang@192.168.1.1

If the sshd server uses a non-default port number (such as 2222), use the "-p" option to specify the port number.

[root@kehuduan ~]# ssh -p 2222 xiaozhang@192.168.1.1
xiaozhang@192.168.1.1's password:                                       //enter the password
[xiaozhang@fuwuduan ~]$                                                       //login succeeded

2) scp remote copy

[root@kehuduan ~]# scp root@192.168.1.1:/etc/passwd /mnt
//download a file from the server
root@192.168.1.1's password: 
passwd                                               100% 2360     2.3KB/s   00:00    
[root@kehuduan ~]# scp 123.txt root@192.168.1.1:/mnt
//upload a file from the client
root@192.168.1.1's password: 
123.txt                                              100%    0     0.0KB/s   00:00

If you need to specify a port, scp uses the uppercase "-P" option.

3) sftp Secure FTP

The sftp command uses an SSH secure connection to upload files to and download files from a remote host. Its login process and interactive environment resemble FTP, which makes managing directories and resources convenient.

[root@kehuduan ~]# sftp root@192.168.1.1
root@192.168.1.1's password: 
Connected to 192.168.1.1.
sftp> put 456.txt                                      //upload a file
Uploading 456.txt to /root/456.txt
456.txt                                              100%    0     0.0KB/s   00:00    
sftp> get /root/789.txt                             //download a file
Fetching /root/789.txt to 789.txt
sftp> bye

2. Graphical tools

On Windows hosts, graphical tools such as Xshell, SecureCRT and PuTTY support Telnet, SSH, SFTP and other protocols and make remote management of Linux hosts easy. These tools offer a Chinese-language interface and are simple to operate, so they are not covered further here.

III. Building an SSH key-pair authentication system

Key-pair authentication provides better security for remote access than passwords. The process is shown in the flow chart:
[Figure: SSH key-pair authentication flow chart]

1) The first method:

1. Create a key pair on the client
On the Linux client, create a key file for the current user with the ssh-keygen tool. The available encryption algorithms include ECDSA and DSA (the ssh-keygen "-t" option specifies the algorithm type).

[root@kehuduan ~]# su - xiaowang                                  //switch to user xiaowang
[xiaowang@kehuduan ~]$ ssh-keygen -t ecdsa              //create an SSH key pair based on the ECDSA algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/xiaowang/.ssh/id_ecdsa):                  //where to store the private key
Created directory '/home/xiaowang/.ssh'.
Enter passphrase (empty for no passphrase):                                 //set the private key passphrase
Enter same passphrase again:                                                        //confirm the passphrase
Your identification has been saved in /home/xiaowang/.ssh/id_ecdsa.
Your public key has been saved in /home/xiaowang/.ssh/id_ecdsa.pub.
The key fingerprint is:
13:c2:03:63:bc:2e:d8:7e:be:f1:1b:1d:95:6b:4c:49 xiaowang@kehuduan
The key's randomart image is:
+--[ECDSA  256]---+
|   .+     E      |
|   ..+   . o     |
|     .+ . =      |
|    .  o = .     |
| o .    S +      |
|. o .  . +       |
| . .. . .        |
|  . .o .         |
|   oo.o.         |
+-----------------+
[xiaowang@kehuduan ~]$ ls -lh ~/.ssh/id_ecdsa*
-rw-------. 1 xiaowang xiaowang 227 8月   8 16:45 /home/xiaowang/.ssh/id_ecdsa
-rw-r--r--. 1 xiaowang xiaowang 179 8月   8 16:45 /home/xiaowang/.ssh/id_ecdsa.pub

Of the newly generated key pair files, the private key id_ecdsa has permissions 600 and must be kept secret; the public key id_ecdsa.pub is the file that is provided to the SSH server.

2. Upload the public key file to the server
Copy the public key file just generated to the server, so it can be added to the target user's public key database.

[xiaowang@kehuduan ~]$ scp ~/.ssh/id_ecdsa.pub root@192.168.1.1:/mnt
root@192.168.1.1's password:                         //enter the password
id_ecdsa.pub                                         100%  179     0.2KB/s   00:00 
//upload succeeded

3. Import the public key text on the server
On the server, the public key database of the target user (the account used for remote login) is located in the ~/.ssh directory, with the default file name "authorized_keys". It is not created automatically and must be created manually.

[root@fuwuduan ~]# mkdir /home/xiaozhang/.ssh
[root@fuwuduan ~]# cat /mnt/id_ecdsa.pub >> /home/xiaozhang/.ssh/authorized_keys
[root@fuwuduan ~]# cat /home/xiaozhang/.ssh/authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJmtmVbjnjH6NbWBRQcFjbYHoDBILQYclqrIHbVe0oyA15IXd+WBGsOcX3FYX8FYnIPHfL36Auj7aWb2MuVqmac= xiaowang@kehuduan

4. Verify key authentication from the client
[xiaowang@kehuduan ~]$ ssh xiaozhang@192.168.1.1
Last login: Thu Aug  8 16:03:33 2019 from 192.168.1.2
//connected without a password: the experiment succeeded!

2) The second method:

[root@kehuduan ~]# ssh-keygen -t ecdsa
//using root as the example, generate the key pair files for the root user
[root@kehuduan ~]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub root@192.168.1.1
//"-i" specifies the public key file; this one step combines steps 2 and 3 above
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.1's password:                        //enter the server's root password

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.

[root@kehuduan ~]# ssh root@192.168.1.1
Last login: Thu Aug  8 17:03:20 2019
//verify the result
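The manual steps 2 and 3 of the first method create ~/.ssh and authorized_keys with whatever modes mkdir and the shell redirection happen to give them, and append the key without checking whether it is already there. The script below is an added example, not part of the original article, that performs the same import with the two checks ssh-copy-id adds: no duplicate entries, and the 700/600 modes on ~/.ssh and authorized_keys that sshd's StrictModes setting requires. It works on a throwaway home directory so it runs offline; the public key text is the one shown in the article's authorized_keys listing, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into a
# user's authorized_keys the way steps 2-4 and ssh-copy-id do, adding the two
# checks the manual steps skip: the key is not appended twice, and ~/.ssh and
# authorized_keys end up with the 700/600 modes sshd's StrictModes expects.
# It operates on a throwaway home directory, so it runs offline; on a real
# server pass the target user's home (e.g. /home/xiaozhang) instead.

# The public key shown in the article's authorized_keys listing.
SAMPLE_PUBKEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJmtmVbjnjH6NbWBRQcFjbYHoDBILQYclqrIHbVe0oyA15IXd+WBGsOcX3FYX8FYnIPHfL36Auj7aWb2MuVqmac= xiaowang@kehuduan'

# Append the key in $2 to $1/.ssh/authorized_keys unless the same key type
# and key blob are already present (the trailing comment is ignored, as
# ssh-copy-id does). Prints "added" or "already present".
install_pubkey() {
    local home="$1" keyfile="$2" keydir ak ident
    keydir="$home/.ssh"; ak="$keydir/authorized_keys"
    mkdir -p -m 700 "$keydir"
    chmod 700 "$keydir"                 # -m has no effect if the dir existed
    touch "$ak"; chmod 600 "$ak"
    ident=$(awk '{ print $1, $2 }' "$keyfile")
    if awk '{ print $1, $2 }' "$ak" | grep -Fxq -- "$ident"; then
        echo "already present"
    else
        cat "$keyfile" >> "$ak"
        echo "added"
    fi
}

# Verify the mode bits sshd checks under StrictModes: ~/.ssh must be 700 and
# authorized_keys 600 (neither group- nor world-writable). Returns 1 on error.
check_key_perms() {
    local home="$1" dmode fmode
    dmode=$(ls -ld "$home/.ssh" | cut -c1-10)
    fmode=$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] || { echo "bad mode on .ssh: $dmode"; return 1; }
    [ "$fmode" = "-rw-------" ] || { echo "bad mode on authorized_keys: $fmode"; return 1; }
    echo "permissions ok"
}

# Demo on a constructed home directory.
home=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$home/id_ecdsa.pub"
install_pubkey "$home" "$home/id_ecdsa.pub"      # added
install_pubkey "$home" "$home/id_ecdsa.pub"      # already present
check_key_perms "$home"                          # permissions ok
rm -rf "$home"
```

When the import is done as root on behalf of another user, as in step 3 above, finish with "chown -R xiaozhang:xiaozhang /home/xiaozhang/.ssh" so the files belong to the account that will log in; a permissions or ownership problem shows up in /var/log/secure as sshd refusing the key, which is the first thing to check when key login unexpectedly falls back to a password prompt.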

When logging in with key authentication, the target user's password does not need to be known; instead the client verifies the user's private-key passphrase and checks whether the private and public keys form a pair, so security is better.

IV. TCP Wrappers access control

1) TCP Wrappers overview

TCP Wrappers "wraps" TCP service programs: it takes over the port of the protected TCP service and adds a security monitoring layer, so that an incoming connection request must first pass through this layer and obtain permission before it reaches the real service program. As shown in the figure:
[Figure: TCP Wrappers wrapping a TCP service]
Most Linux distributions provide TCP Wrappers by default. CentOS 7.3 uses the package tcp_wrappers-7.6-77.el7.x86_64.rpm.

The TCP Wrappers protection mechanism has two implementations:
1. Using the tcpd program directly to protect other service programs, which requires running tcpd;
2. Having the other network service programs call the libwrap.so.* shared library, which does not require running tcpd.
In general the shared library approach is more widely used and more efficient.

2) TCP Wrappers access policy

TCP Wrappers protects a variety of network service programs and controls access to them by client address. Its two policy files, /etc/hosts.allow and /etc/hosts.deny, hold the allow policy and the deny policy respectively.

1. Policy configuration format

<service list>:<client address list>

The service program list and the client address list are separated by a colon; multiple items within a list are separated by commas.
1) Service program list
[Figure: service program list formats]
2) Client address list
[Figure: client address list formats]

2. Policy matching order

hosts.allow is checked first; if a matching rule is found, access is allowed.
Otherwise hosts.deny is checked; if a matching rule is found, access is denied.
If neither file contains a matching policy, access is allowed by default.

3. Configuration example

Requirement: allow only hosts on the 192.168.1.0 network to access the sshd service

[root@fuwuduan ~]# vim /etc/hosts.allow 
sshd:192.168.1.
[root@fuwuduan ~]# vim /etc/hosts.deny 
sshd:ALL
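The matching order from section 2 decides what the two one-line files above actually do, and the consequences are easy to misjudge: "sshd:ALL" in hosts.deny blocks only sshd, not the other wrapped services. The script below is an added example, not part of the original article, that applies the documented order (hosts.allow first, then hosts.deny, default allow) to a service name and client address. It implements only the syntax the article uses: comma-separated lists, the ALL wildcard, exact IP addresses, and a network prefix ending in a dot. It reads constructed copies of the two policy files rather than the live /etc/hosts.allow, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate the TCP Wrappers
# policy order (hosts.allow, then hosts.deny, then default allow) for one
# service and client IP. Supported syntax is the subset used in the article:
# comma-separated service lists, ALL, exact IPs and "192.168.1."-style
# network prefixes. Constructed policy files are used, not the live ones.

# Does a single address pattern match the client IP?
addr_match() {
    local pat="$1" ip="$2"
    [ "$pat" = "ALL" ] && return 0
    case "$pat" in
        *.) case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # prefix
    esac
    [ "$pat" = "$ip" ]                                                # exact
}

# Does any rule in policy file $1 cover service $2 from client IP $3?
# Rule format: service_list:client_list[:optional shell command]
file_match() {
    local line svcs addrs s a
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac       # blank or comment
        svcs=${line%%:*}
        addrs=${line#*:}; addrs=${addrs%%:*}            # drop a 3rd field
        for s in $(printf '%s' "$svcs" | tr ',' ' '); do
            [ "$s" = "ALL" ] || [ "$s" = "$2" ] || continue
            for a in $(printf '%s' "$addrs" | tr ',' ' '); do
                if addr_match "$a" "$3"; then return 0; fi
            done
        done
    done < "$1"
    return 1
}

# Apply the order from the article and print the decision with its reason.
wrap_decision() {
    # $1 = hosts.allow, $2 = hosts.deny, $3 = service, $4 = client IP
    if file_match "$1" "$3" "$4"; then echo "allow (hosts.allow)"; return 0; fi
    if file_match "$2" "$3" "$4"; then echo "deny (hosts.deny)"; return 0; fi
    echo "allow (no match, default)"
}

# Constructed copies of the article's two policy files.
write_sample_policies() {
    printf '# constructed hosts.allow\nsshd:192.168.1.\n' > "$1/hosts.allow"
    printf '# constructed hosts.deny\nsshd:ALL\n' > "$1/hosts.deny"
}

d=$(mktemp -d)
write_sample_policies "$d"
wrap_decision "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.1.5     # allow (hosts.allow)
wrap_decision "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.10.5    # deny (hosts.deny)
wrap_decision "$d/hosts.allow" "$d/hosts.deny" vsftpd 10.0.0.5      # allow (no match, default)
rm -rf "$d"
```

The third call shows the gap: with the article's files, a different wrapped service is still reachable from anywhere because neither file mentions it. A deny-by-default posture for every libwrap-linked service needs "ALL:ALL" in hosts.deny, with the permitted combinations listed in hosts.allow. Note also that the prefix "192.168.1." does not match 192.168.10.5, because the trailing dot is part of the pattern.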


Origin www.linuxidc.com/Linux/2019-08/160110.htm