Introduction to SSH security mechanisms and their management on CentOS 7 (illustrated walkthrough)

Definition:

SSH (Secure Shell) is a secure network protocol developed by the IETF's network working group and built on the application layer.


Role:

1. It is designed for remote login sessions and file transfer (it can even be used to log in to Linux servers from Windows).

2. It provides a secure channel for other network services and can effectively compensate for weaknesses in the network.

3. All data transmitted through SSH is encrypted, which helps prevent DNS spoofing and IP spoofing.

4. Transmitted data can be compressed, which speeds up transfers.

For these reasons SSH has become a standard component of Linux systems.

SSH security mechanisms

1. SSH is able to provide security because it uses asymmetric cryptography (RSA) to protect all transmitted data.

2. Traditional network service programs such as FTP transmit data, user accounts and passwords across the network in plaintext, so others can easily capture them.

3. This does not mean that SSH is absolutely secure. SSH itself provides two levels of authentication:

Level 1 (password-based authentication): as long as you know the account name and password, you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to connect to; another server may be impersonating the real one.

Level 2 (key-based authentication): you create a key pair for yourself and place the public key on the server you need to access. When you connect to the SSH server, the client software sends the server an authentication request that references your key. When the server receives the request, it first looks for your public key under your home directory on the server and compares it with the public key sent by the client. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. The client decrypts the challenge locally with your private key and sends the result back to the server to complete the login. Compared with level 1, level 2 not only encrypts all transmitted data but also never sends the password over the network, so it is more secure and effectively prevents tampering by others.


Illustrated walkthrough:

Environment: two CentOS 7 virtual machines

Virtual machine 1: test01, IP: 192.168.220.137

Virtual machine 2: test02, IP: 192.168.220.129

1. Log in remotely from test02 to test01 with the command:

[root@test02 ~]# ssh [email protected]


2. Edit the configuration file on test01 so that other users cannot log in remotely to the root account

[root@test01 ~]# vim /etc/ssh/sshd_config

Restart the service

[root@test01 ~]# systemctl restart sshd

Now log in from test02 to the root account on test01 to verify


3. Add a whitelist

[root@test01 ~]# vim /etc/ssh/sshd_config

Restart the service and verify from test02



4. Add a blacklist (note: only one of the whitelist and the blacklist can exist here; they cannot both be present at the same time)

[root@test01 ~]# vim /etc/ssh/sshd_config


Restart the service and verify
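As an added example (not code from the original post), the following POSIX shell helper applies the sshd_config changes of steps 2 and 3 to a file without editing it by hand in vim, keeping exactly one active line per directive because sshd honours the first occurrence of a keyword. The function names, the sample config and the user list are constructed for illustration; it assumes the file contains no "Match" blocks (the stock CentOS 7 file has none active).

```shell
#!/bin/sh
# Added example, not from the original post: apply "PermitRootLogin no" (step 2)
# and an AllowUsers whitelist (step 3) to an sshd_config file. A directive placed
# after a "Match" line would only apply inside that block, so no Match blocks
# are assumed.

# set_directive FILE KEY VALUE: rewrite every "KEY ..." or "#KEY ..." line as
# "KEY VALUE" (first one wins, later duplicates are dropped); append if absent.
set_directive() {
    awk -v k="$2" -v v="$3" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(k) { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_value FILE KEY: the value sshd would use (first uncommented match).
effective_value() {
    awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE "USER1 USER2@HOST ...": the post's steps 2 and 3.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin no        # step 2: no remote root login
    set_directive "$1" AllowUsers "$2"           # step 3: whitelist; leave DenyUsers unset
    set_directive "$1" PubkeyAuthentication yes  # needed for the key login later in the post
}

# Constructed sample resembling a few lines of a stock CentOS 7 sshd_config.
make_sample_config() {
    printf '%s\n' \
        '# Authentication:' \
        '#PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'Subsystem sftp /usr/libexec/openssh/sftp-server' > "$1"
}

# Stand-alone run on a temporary copy. On the real host the sequence would be:
#   harden_sshd_config /etc/ssh/sshd_config "admin" && sshd -t && systemctl restart sshd
cfg=$(mktemp)
make_sample_config "$cfg"
harden_sshd_config "$cfg" "admin admin@192.168.220.129"
for key in PermitRootLogin AllowUsers PubkeyAuthentication; do
    printf '%s -> %s\n' "$key" "$(effective_value "$cfg" "$key")"
done
rm -f "$cfg"
```

Always run `sshd -t` before restarting sshd and keep an existing session open while testing, so a typo in the file cannot lock you out.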



5. Secure key-based encryption

[root@test02 ~]# ssh-keygen -t ecdsa

Import the public key into the account you will log in to remotely

[root@test02 ~]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub [email protected]


Verify


6. Non-interactive remote login

[root@test02 ~]# ssh-agent bash

[root@test02 ~]# ssh-add


7. Upload and download files remotely with sftp

Upload

Download


8. TCP Wrappers access control policy

Configuration files: /etc/hosts.allow and /etc/hosts.deny

Order in which the policy is applied:

1. hosts.allow is checked first; if a match is found, access is allowed.

2. Otherwise hosts.deny is checked; if a match is found, access is denied.

3. If neither file contains a matching rule, access is allowed by default.








Origin blog.51cto.com/14469918/2435968