SSH protocol:
Provides a secure, encrypted shell environment for clients to manage a host remotely.
Default port: TCP 22
SSH service configuration files:
Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config
Client configuration file: /etc/ssh/ssh_config
Listening service options:
Port number, protocol version, listening IP address
Disable reverse DNS lookup
User login control:
Prohibit root login and users with empty passwords
Login grace time and number of retries
AllowUsers, DenyUsers
Case 1: start two Linux servers, log in with ssh, prohibit root login, and prohibit using another account as a springboard to switch to root
test01 (192.168.109.133), test02 (192.168.109.132)
1, on test02, log in to test01 using ssh
2, prohibit root logins
[root@test01 ~]# vim /etc/ssh/sshd_config    (edit the configuration file)
[root@test01 ~]# systemctl restart sshd    (restart the ssh service)
3, prohibit using a springboard to switch to root
Even with root login disabled, a user can still log in as another account and then switch to root, so we also need to enable the PAM authentication module check:
[root@test01 ~]# vim /etc/pam.d/su
This checks whether the user belongs to the wheel group, so that only users in that group can use su as a springboard to switch to root.
Case 2: set the number of login attempts (by default the client gives up after three attempts; we want to use a command to allow the maximum number of login attempts)
[root@test01 ~]# vim /etc/ssh/sshd_config    (edit the configuration file)
[root@test01 ~]# systemctl restart sshd    (restart the ssh service)
Then, on the client, we enter the command:
[root@test02 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
Case 3: set a whitelist
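The listening options, login controls and Cases 1 to 3 above all come down to directives in sshd_config. As an added example (not from the original post), here is a small POSIX shell audit that reads a config file and reports the settings that do not match those hardening steps; the helper names are hypothetical and the sample config is constructed. It assumes the standard directive names (PermitRootLogin, PermitEmptyPasswords, MaxAuthTries, UseDNS, PubkeyAuthentication, AllowUsers) and the sshd rule that the first occurrence of a directive wins.

```shell
#!/bin/sh
# Added example, not from the original post: hypothetical helpers that audit
# an sshd_config against the hardening items above. Sample data is constructed.
# effective_value FILE KEY -> the value sshd would use for KEY. sshd takes the
# FIRST uncommented occurrence of a keyword, so a later duplicate does not
# override it (Match blocks are not handled here).
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !found { v = $2; found = 1 }
                   END { if (found) print v }' "$1"
}

# audit_sshd_config FILE -> one line per weak or missing setting; returns 0.
audit_sshd_config() {
    f="$1"
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin should be no (got '${v:-default}')"
    v=$(effective_value "$f" PermitEmptyPasswords)
    [ "$v" = no ] || echo "PermitEmptyPasswords should be no (got '${v:-default}')"
    v=$(effective_value "$f" MaxAuthTries)
    { [ -n "$v" ] && [ "$v" -le 3 ]; } || echo "MaxAuthTries should be <= 3 (got '${v:-default}')"
    v=$(effective_value "$f" UseDNS)
    [ "$v" = no ] || echo "UseDNS should be no (got '${v:-default}')"
    v=$(effective_value "$f" PubkeyAuthentication)
    [ "$v" = yes ] || echo "PubkeyAuthentication should be yes (got '${v:-default}')"
    v=$(effective_value "$f" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is not set: no login whitelist"
    return 0
}
# count_findings FILE -> number of lines audit_sshd_config reports
count_findings() {
    audit_sshd_config "$1" | grep -c . || true
}
# write_sample_config FILE -> constructed config with deliberate weaknesses:
# the first PermitRootLogin wins, MaxAuthTries keeps the default 6, UseDNS unset.
write_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 6
PubkeyAuthentication yes
AllowUsers test1
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
audit_sshd_config "$tmp"   # reports three findings for the sample
rm -f "$tmp"
```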
Building key-based authentication for SSH
Overall implementation:
1, enable key authentication and restart the ssh service
[root@test01 ~]# vim /etc/ssh/sshd_config
[root@test01 ~]# systemctl restart sshd
2, create the key pair on test01
[root@test02 ~]# ssh-keygen -t ecdsa    (create an ecdsa key pair)
[root@test02 ~]# cd .ssh    (change to the directory holding the key files)
[root@test02 .ssh]# ls
id_ecdsa id_ecdsa.pub known_hosts
3, upload the public key file and import the public key for user test1 on test01
[root@test02 .ssh]# ssh-copy-id -i id_ecdsa.pub [email protected]
4, check whether user test1 received the public key file, then verify login with the key pair
[root@test01 ~]# cd /home/test1/.ssh
[root@test01 .ssh]# ls
5, use the key for non-interactive authentication
[root@test02 .ssh]# ssh-agent bash
[root@test02 .ssh]# ssh-add
TCP Wrappers overview
Access control policy configuration files:
/etc/hosts.allow
/etc/hosts.deny
Setting access control policies
Policy format: service list : client address list
Order in which policies are applied:
First check hosts.allow; if a match is found, allow access
Otherwise check hosts.deny; if a match is found, deny access
If neither file has a matching policy, access is allowed by default
[root@test01 ~]# vim /etc/hosts.allow    (whitelist)
[root@test01 ~]# vim /etc/hosts.deny    (blacklist)
If the same host address appears in both files, the whitelist is checked first and the host is allowed; if the host is in neither list, access is allowed by default.
Thanks for reading!!!