Linux systems SSH service Detailed

Summary:

SSH is the abbreviation of Secure Shell, developed by the IETF Network Working Group. It is a security protocol built on the application layer and is considered reliable: it is designed to provide a secure channel for remote login sessions and other network services, and it effectively prevents information from being disclosed during remote administration. SSH was originally a program on UNIX systems and quickly spread to other operating platforms; used properly, it makes up for weaknesses in the network. SSH clients exist for many platforms, and almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX and Irix, can run SSH.

Basic skills:

1. First, we start two Linux systems, one as the server and one as the client. On the server, we open the SSH daemon's configuration file "/etc/ssh/sshd_config" in the vim editor.


Port 22                     listening port; 22 by default
#AddressFamily any          which address family to use, IPv4 or IPv6; "any" means both
#ListenAddress 0.0.0.0      address to listen on; 0.0.0.0 means all addresses of this host
#ListenAddress ::           the same for IPv6; "::" means all IPv6 addresses

#LoginGraceTime 2m          time allowed for the login; by default the connection is dropped after 2 minutes
#PermitRootLogin yes        whether the administrator may log in directly; "yes" allows it
#StrictModes yes            whether sshd checks the permissions of the user's home directory and related files
MaxAuthTries 6              maximum number of authentication attempts; the password may be tried at most 6 times
#MaxSessions 10             maximum number of sessions allowed
(delete the "#" to enable the corresponding option)

2. Remember to restart the service after changing the configuration so that it takes effect; then we try to connect from the client to the server.

We log in by entering the login user directly, here root (note that this is the user on the server side), followed by the server's IP address, and then entering the user's password. I had logged in before; if you have not logged in to the host before, the system asks whether you want to continue connecting, and you simply enter "yes".

If the user name on the client is the same as on the server, the user name can be omitted at login.

The default port of the SSH service is 22; if no port is given, the login request is sent to port 22 of the remote host automatically. If we change the port number in the configuration file, we can use the -p option to specify the port number. For example, to connect to port 123 we pass "-p 123".

3. We know that the root user is the administrator of the system, so it is certainly not safe if anyone can log in as root at will. We can modify the configuration file so that root is not allowed to log in. Remember to restart the service after modifying it.

We log in as root again; after entering the password, permission is denied, while switching to the user zhangsan we can log in again.

4. Although we have restricted login as root, once we have logged in as zhangsan we can still switch to root with the "su" command.

So we can enable PAM authentication for the "su" command; then we only need to add the users who are allowed to use "su" to the "wheel" group.

We can see that the user "jiang" is in the "wheel" group and the user "zhangsan" is not. When we switch to root as "zhangsan" again, permission is denied, while the user "jiang" in the "wheel" group can still switch to root.

5. Earlier I enabled the maximum of 6 authentication attempts; we can test whether it works.
We can see that after 6 attempts the connection is dropped automatically. But we need the "-o NumberOfPasswordPrompts=8" option for the test to succeed; if we just enter the password directly, the client still disconnects after the default 3 attempts.

6. We can also restrict which users and IP addresses may log in by adding a whitelist or blacklist to the server-side configuration file.

The whitelist and blacklist cannot coexist; in enterprises the whitelist is used more often, so the following demonstration uses a whitelist.
First we add a whitelist to the configuration file that restricts the user zhangsan to logging in only from the host with IP 192.168.52.132, while the user lisi may log in from any host. Restart the service after the configuration is done.

When we log in from the host with IP 192.168.52.132, we can see that because of the whitelist the user "jiang", who is not on the list, can no longer log in, while the users zhangsan and lisi can still log in.

When we log in from the host with IP 192.168.52.128, only the user lisi can log in; zhangsan cannot, because we restricted zhangsan to logging in only from the host with IP 192.168.52.132.

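The hardening steps above (PermitRootLogin, MaxAuthTries, the user/IP whitelist) can be applied from a script instead of by hand in vim. The following is an added example, not code from the original post; it assumes the whitelist was written with the OpenSSH AllowUsers directive (user@host patterns) and edits only a constructed copy of the config.

```shell
# set_directive FILE KEY VALUE: replace the first top-level occurrence of KEY
# (commented out with "#" or not); if KEY is absent, insert it before the first
# "Match" block, never after it, because directives inside Match are conditional.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        /^[ \t]*Match[ \t]/ && !in_match { if (!done) { print k, v; done = 1 }; in_match = 1 }
        !in_match && !done && $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t]") { print k, v; done = 1; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    status=$?; rm -f "$tmp"; return $status
}

# get_directive FILE KEY DEFAULT: print the effective top-level value of KEY, or
# DEFAULT (the OpenSSH built-in default) when KEY is absent or only commented out.
get_directive() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*Match[ \t]/ { exit }
        tolower($1) == tolower(k) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# Demonstration on a constructed copy of the stock fragment shown above. Never run
# set_directive on the live /etc/ssh/sshd_config without a backup and "sshd -t".
demo_cfg=$(mktemp)
printf '#PermitRootLogin yes\nMaxAuthTries 6\n#MaxSessions 10\n' > "$demo_cfg"
set_directive "$demo_cfg" PermitRootLogin no                          # step 3
set_directive "$demo_cfg" AllowUsers "zhangsan@192.168.52.132 lisi"   # step 6 whitelist
echo "PermitRootLogin=$(get_directive "$demo_cfg" PermitRootLogin yes)"
echo "AllowUsers=$(get_directive "$demo_cfg" AllowUsers '(everyone)')"
rm -f "$demo_cfg"
```
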
scp and sftp commands

1. Delete the whitelist we set earlier, change the root login setting back to "yes", and restart the service.

2. First, in the "/opt/" directory of the client host, create a file "ssh_client.txt" and a directory "ssh", then use the scp command to copy both to the "/opt/" directory of the server host.

3. Then create a file "test01" in the "/opt/" directory of the client host, and on the "server" host use the scp command to copy the file over.

4. Delete the directories and files we just created in "/opt/" on both hosts, and create two files demo01 and demo02 in the "/opt/" directory of server and client respectively.

5. From the client host we can also use the sftp command to log in to the server host and upload and download files. Uploading uses the "put" command and downloading uses the "get" command; we can also change directories with the cd command.

6. We can see that we can switch to any directory with the cd command, which is not very safe, so we can modify the ssh server configuration file to confine sftp connections to a directory we specify.

First edit the file "/etc/ssh/sshd_config" with the vim editor and comment out "Subsystem sftp /usr/libexec/openssh/sftp-server". Then add the following lines:

Subsystem  sftp  internal-sftp
Match User zhangsan
ChrootDirectory /home/zhangsan
X11Forwarding no
ForceCommand internal-sftp
AllowTcpForwarding no
(do not forget to restart the service after configuring)

Then go to the "/home/" directory and set the permissions of the directory we specified, "zhangsan", to "755", with both owner and group changed to root.

Then create 5 empty files in the "/home/zhangsan/" directory.

When we connect from the client host to the server host via sftp again, we can see that we land directly in the "zhangsan/" directory, and every attempt to change to another directory fails.

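The reason the chroot directory must be 755 and owned by root is that sshd checks every component of the ChrootDirectory path and refuses to chroot (logging "bad ownership or modes for chroot directory") if any of them is owned by someone else or is group/world-writable. The following check is an added example, not code from the original post; the OWNER and STOP arguments are assumptions added so it can be exercised on a temporary tree.

```shell
# check_chroot_path DIR [OWNER] [STOP]: walk from DIR upwards and check each
# directory until STOP has been checked (default "/", the whole path as sshd does).
check_chroot_path() {
    dir=$1; owner=${2:-root}; stop=${3:-/}
    p=$dir
    while :; do
        line=$(ls -ld "$p") || return 1
        set -- $line                      # $1 = mode string, $3 = owner name
        case $1 in
            ?????w*)    echo "$p: group-writable ($1)" >&2; return 1 ;;
            ????????w*) echo "$p: world-writable ($1)" >&2; return 1 ;;
        esac
        [ "$3" = "$owner" ] || { echo "$p: owned by $3, expected $owner" >&2; return 1; }
        [ "$p" = "$stop" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    echo "$dir: acceptable as ChrootDirectory"
    return 0
}

# Demonstration on a constructed tree. STOP limits the walk to the temp directory and
# OWNER is whatever name ls reports for it, so the demo does not need root.
demo=$(mktemp -d)
me=$(ls -ld "$demo" | awk '{print $3}')
mkdir "$demo/zhangsan"; chmod 755 "$demo/zhangsan"
check_chroot_path "$demo/zhangsan" "$me" "$demo"                               # passes
chmod 775 "$demo/zhangsan"                                                     # group-writable
check_chroot_path "$demo/zhangsan" "$me" "$demo" || echo "refused, as sshd would"
rm -rf "$demo"
```
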
Key pair login

1. Revert the configuration that confined sftp logins to one directory, enable the key pair login feature (just delete the "#"), and restart the service.

2. First generate a key pair with the "ssh-keygen -t ecdsa" command, storing the key files in the "/home/zhangsan/.ssh/" directory.

3. Use the command "ssh-copy-id -i id_ecdsa.pub [email protected]" to import the public key file "id_ecdsa.pub" from the "/home/zhangsan/.ssh/" directory into the server host.

4. When we log in with the ssh command again, we only need to enter the key passphrase that was set earlier.

5. But having to enter the key passphrase on every login is inconvenient; in that case we can start an agent shell (ssh-agent bash) and add the key to it (ssh-add), after which we can log in without entering the passphrase.

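What ssh-copy-id does on the server side in step 3 is worth seeing written out, because sshd (with the default StrictModes yes) rejects a key whose ~/.ssh directory or authorized_keys file is writable by others, and the login then silently falls back to a password. This is an added example, not code from the original post; the key line is a constructed placeholder, not real key material.

```shell
PUBKEY='ecdsa-sha2-nistp256 AAAAconstructedPlaceholderNotARealKey zhangsan@client'

# install_pubkey HOME_DIR PUBKEY_LINE: create HOME_DIR/.ssh (0700) and
# authorized_keys (0600) as needed and append the key unless the identical line is
# already present, so running it twice (as ssh-copy-id may) installs one key.
install_pubkey() {
    sshdir="$1/.ssh"; auth="$sshdir/authorized_keys"; pub=$2
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1
    grep -qxF -- "$pub" "$auth" && return 0      # already installed
    printf '%s\n' "$pub" >> "$auth"
}

# key_count HOME_DIR: how many keys are authorised for that account
key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c '^[a-z]' "$1/.ssh/authorized_keys" || true
}

# mode_of PATH: permission string as printed by ls, e.g. drwx------ or -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration in a constructed home directory standing in for /home/zhangsan
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$PUBKEY"
install_pubkey "$demo_home" "$PUBKEY"        # second run must not duplicate the key
echo "keys=$(key_count "$demo_home") dir=$(mode_of "$demo_home/.ssh") file=$(mode_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```
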
TCP Wrappers policy

Policy configuration files:

  • /etc/hosts.allow (whitelist file)
  • /etc/hosts.deny (blacklist file)

Order in which the policy is applied:

  • Check the hosts.allow file first; if a match is found, access is allowed directly and hosts.deny is not checked;
  • If there is no match in hosts.allow, then check the hosts.deny file; if a match is found there, access is denied;
  • If neither file has a matching policy, access is permitted by default.

1. First edit the file "/etc/hosts.allow" with the vim editor and add the IP 192.168.52.132 to the whitelist.

2. Then edit the file "/etc/hosts.deny" with the vim editor and blacklist all IPs.

3. Now we log in from the client host with IP 192.168.52.132 and from the client02 host with IP 192.168.52.128 respectively; only the client host, whose IP is on the whitelist, can log in.

4. Delete the client host's IP from the whitelist and add it to the blacklist; when the client host then tries to log in, it cannot.

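The three-step order above decides the outcome of steps 3 and 4, and it can be replayed over copies of hosts.allow and hosts.deny before touching the real files. This is an added example, not code from the original post; it handles only the "daemon: client_list" line form, with ALL, exact addresses and a trailing-dot network prefix (such as 192.168.52.) as patterns, which is a subset of what TCP Wrappers accepts.

```shell
# match_list LIST VALUE: does a comma- or space-separated pattern list match VALUE?
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            *.)  case $2 in "$pat"*) return 0 ;; esac ;;   # network prefix
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE SERVICE IP: true if some rule in FILE covers SERVICE from IP
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                         # drop comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        match_list "$daemons" "$2" && match_list "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_decision SERVICE IP ALLOWFILE DENYFILE: prints allow or deny; status 0 = allowed
tcpd_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow; return 0; fi   # hosts.allow wins
    if file_matches "$4" "$1" "$2"; then echo deny;  return 1; fi   # then hosts.deny
    echo allow; return 0                                             # no rule: permitted
}

# Demonstration with the rules of steps 1-2: whitelist one IP, blacklist everything else
demo=$(mktemp -d)
printf 'sshd: 192.168.52.132\n' > "$demo/hosts.allow"
printf 'sshd: ALL\n' > "$demo/hosts.deny"
for ip in 192.168.52.132 192.168.52.128; do
    echo "$ip -> $(tcpd_decision sshd "$ip" "$demo/hosts.allow" "$demo/hosts.deny")"
done
rm -rf "$demo"
```
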

Origin blog.51cto.com/14449541/2436933