Environment for this chapter: two virtual machines, one acting as the SSH server and one as the client.
Objectives for this chapter: sshd remote management, key-based login verification, TCP Wrappers access control
I. Remote login with sshd
1. Check that the sshd service is running
[root@localhost ~]# netstat -ntap | grep 22
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 3252/dnsm
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 968/sshd // sshd is enabled by default
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 16227/sshd: root@pt
tcp 0 0 192.168.17.128:49342 180.97.251.226:80 TIME_WAIT -
tcp 0 0 192.168.17.128:42522 202.141.176.110:80
2. Understand the sshd server configuration file
[root@localhost ~]# vim /etc/ssh/sshd_config // the sshd server configuration file
17 #Port 22 // listening port
18 #AddressFamily any
19 #ListenAddress 0.0.0.0 // listening address (IPv4)
20 #ListenAddress :: // listening address (IPv6)
37 #LoginGraceTime 2m // 2 minutes to complete the login before the connection is dropped
38 #PermitRootLogin yes // root is allowed to log in remotely
39 #StrictModes yes // check ownership and permissions of the user's files before accepting a login
40 #MaxAuthTries 6 // maximum authentication attempts per connection
41 #MaxSessions 10 // maximum number of sessions per connection
43 #PubkeyAuthentication yes // public key authentication is enabled
Lines that start with "#" show the built-in default value; a line only needs to be uncommented when you change that value.
3. From the client, log in remotely as the server's root user
[root@test02 ~]# ssh root@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
root@192.168.17.128's password:
Last login: Mon Sep 16 12:07:36 2019
4. Disable remote root login on the server
37 #LoginGraceTime 2m
38 PermitRootLogin no // forbid remote login as root (remove the leading "#", then restart sshd with systemctl restart sshd)
39 #StrictModes yes
40 #MaxAuthTries 6
41 #MaxSessions 10
5. Verify from the client that root can no longer log in
[root@test02 ~]# ssh root@192.168.17.128
root@192.168.17.128's password:
Permission denied, please try again.
root@192.168.17.128's password:
6. Log in from the client as the normal user lisi, then switch to root with su (insecure: root is still reachable remotely)
[root@test02 ~]# ssh lisi@192.168.17.128
lisi@192.168.17.128's password:
[lisi@test01 ~]$ su - root
密码:
上一次登录:一 9月 16 12:17:31 CST 2019pts/2 上
最后一次失败的登录:一 9月 16 12:25:59 CST 2019pts/2 上
最有一次成功登录后有 1 次失败的登录尝试。
[root@test01 ~]#
7. Enable the PAM wheel restriction on su on the server
[root@localhost ~]# vim /etc/pam.d/su
auth required pam_wheel.so use_uid // remove the leading "#" so that only members of the wheel group may su to root
auth substack system-auth
auth include postlogin
8. Verify from the client
[lisi@test01 ~]$ su - root
密码:
su: 拒绝权限
9. On the client, enter the wrong password three times: the client gives up, even though the server was configured for 6 attempts (MaxAuthTries 6)
[root@test02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[root@test02 ~]#
10. Switch to root on the client and raise the client's number of password prompts to 8
[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]#
// the server dropped the connection after the 6th failure: MaxAuthTries on the server is the hard limit, NumberOfPasswordPrompts only controls how many times the client asks
11. Set up the SSH remote login allow and deny lists
37 #LoginGraceTime 2m
38 PermitRootLogin no
39 #StrictModes yes
40 #MaxAuthTries 6
41 #MaxSessions 10
42 AllowUsers chen@192.168.17.130
// only the user chen may log in, and only from the address 192.168.17.130
[root@test01 ~]# systemctl restart sshd
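Added example (not from the tutorial): a small POSIX shell audit of the settings changed in steps 2, 4 and 11. It reads the first uncommented occurrence of a keyword the way sshd does, falls back to the defaults shown as commented lines in step 2 (assumed here to be the compiled-in defaults), and flags a configuration that still permits root login, allows more than 6 attempts, has public key authentication off, or has no AllowUsers line. The two sample configuration files are constructed inside the script; on a real host run sshd_audit against /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the tutorial: read the effective value of an
# sshd_config keyword and audit the settings this chapter changes.
# Assumptions: awk is available; only the "Keyword value" form is handled
# (not "Keyword=value", and Match blocks are not evaluated).

# Print the effective value of keyword $2 in config file $1.
# sshd honours the FIRST uncommented occurrence of a keyword, so stop there.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # keywords are case-insensitive
    val=$(awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        NF >= 2 && tolower($1) == k {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # drop the keyword, keep the rest
            print; exit
        }' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
        return 0
    fi
    # Not set explicitly: fall back to the default shown as a "#Keyword value"
    # comment in the tutorial's sshd_config (assumed to be the compiled-in default).
    case $key in
        port)                 echo 22 ;;
        logingracetime)       echo 2m ;;
        permitrootlogin)      echo yes ;;
        strictmodes)          echo yes ;;
        maxauthtries)         echo 6 ;;
        maxsessions)          echo 10 ;;
        pubkeyauthentication) echo yes ;;
        *)                    echo "" ;;
    esac
}

# Audit the settings the chapter cares about: prints one line per finding,
# returns 0 only when every check passes.
sshd_audit() {
    cfg=$1; bad=0
    if [ "$(sshd_effective "$cfg" PermitRootLogin)" = yes ]; then
        echo "FAIL PermitRootLogin is yes (step 4 sets it to no)"; bad=1
    fi
    tries=$(sshd_effective "$cfg" MaxAuthTries)
    if [ "$tries" -gt 6 ]; then
        echo "FAIL MaxAuthTries=$tries allows more than 6 attempts per connection"; bad=1
    fi
    if [ "$(sshd_effective "$cfg" PubkeyAuthentication)" != yes ]; then
        echo "FAIL PubkeyAuthentication is not yes, key login will not work"; bad=1
    fi
    if [ -z "$(sshd_effective "$cfg" AllowUsers)" ]; then
        echo "WARN no AllowUsers line, every local account may log in"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK $cfg"
    return "$bad"
}

# Constructed sample: the server's sshd_config after steps 4 and 11.
make_hardened_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#Port 22
#PermitRootLogin yes
PermitRootLogin no
#MaxAuthTries 6
#MaxSessions 10
AllowUsers chen@192.168.17.130
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
    echo "$f"
}

# Constructed sample: a config still at the shipped defaults.
make_default_config() {
    f=$(mktemp)
    printf '#PermitRootLogin yes\n#MaxAuthTries 6\n' >"$f"
    echo "$f"
}

# Demo on the constructed samples (on a real host: sshd_audit /etc/ssh/sshd_config)
sshd_audit "$(make_hardened_config)"
sshd_audit "$(make_default_config)" || true
```

After editing the real file, sshd -T prints the complete effective configuration and is the authoritative check; the function above only covers the plain "Keyword value" form and does not evaluate Match blocks.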
12. Know the three remote file management commands
scp   remote copy
sftp get   download a file from the remote host
sftp put   upload a file to the remote host
II. Key-based login verification
1. Enable public/private key authentication on the server
[root@localhost ~]# vim /etc/ssh/sshd_config // the sshd server configuration file
43 PubkeyAuthentication yes // remove the leading "#" to enable public/private key login
44
45 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
46 # but this is overridden so installations will only check .ssh/authorized_keys
47 AuthorizedKeysFile .ssh/authorized_keys
// the public keys allowed to log in as a user are read from this file under the user's home directory
2. Generate a key pair on the client (it will be used to log in as the user chen)
[root@client ~]# ls /home/
chen
[root@client ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo.. o... |
|*=+.o... o . |
|oo. =o. .. o |
| +.+o..+o o |
| . =+o=S.... |
| . + .=.+. . |
|E . . +. |
| . . |
| |
+----[SHA256]-----+
3. Look at the key files in the client's .ssh directory
[root@client ~]# ls -a
. .bash_logout .dbus .mozilla 模板
.. .bash_profile .esd_auth .ssh 视频
.1234.txt.swp .bashrc .ICEauthority .tcshrc 图片
abc .cache initial-setup-ks.cfg test 文档
abc.txt chen is this 下载
anaconda-ks.cfg chenchen .lesshst .viminfo 音乐
.anacond-ks.cfg.swp .config .local .Xauthority 桌面
.bash_history .cshrc lshelp1.txt 公共
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa id_ecdsa.pub known_hosts
4. Copy the public key to the chen account on the server
[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
chen@192.168.17.128's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'chen@192.168.17.128'"
and check to make sure that only the key(s) you wanted were added.
5. Check on the server that the chen user's public key has arrived
[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client
6. Log in from the client using the key pair
[root@client .ssh]# ssh chen@192.168.17.128
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Sat Aug 10 00:32:52 2019
7. Non-interactive login: use ssh-agent so the key's passphrase is not asked for at every login
[chen@localhost ~]$ exit
登出
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash // start a bash shell under an ssh-agent
[root@client .ssh]# ssh-add // add the key and enter its passphrase once
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh chen@192.168.17.128
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$
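Added example (not from the tutorial): the most common reason a key login set up as in steps 4 to 6 still falls back to a password prompt is the StrictModes check shown in the sshd_config listing, which makes sshd ignore authorized_keys when the home directory, .ssh or the file itself is writable by group or others. The shell script below reproduces that permission check, plus the check the ssh client applies to the private key, over a constructed sample home directory. It assumes GNU stat (Linux); ownership, which sshd also verifies, is not checked.

```shell
#!/bin/sh
# Added example, not part of the tutorial: reproduce the file-permission checks
# that sshd performs under "StrictModes yes" before accepting a key from
# ~/.ssh/authorized_keys, plus the client-side check ssh applies to the private
# key. Assumes GNU stat (Linux). Ownership is not checked here, although sshd
# also requires the home, .ssh and authorized_keys to be owned by the user or root.

# $1 = home directory of the target user (chen on the server in step 5).
# Returns 0 if sshd would accept the authorized_keys file, 1 otherwise, and
# prints one line per problem found.
ssh_strict_check() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        perms=$(stat -c %A "$p")                  # e.g. drwxr-xr-x
        case $perms in
            ?????w*|????????w*)                   # group-writable or world-writable
                echo "rejected: $p is $perms (group/world writable)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Client side: ssh refuses a private key readable by group or others
# ("Permissions 0644 for '...' are too open"). $1 = private key path.
ssh_private_key_check() {
    perms=$(stat -c %A "$1")
    case $perms in
        ????r*|???????r*)
            echo "rejected: $1 is $perms (readable by group/others)"; return 1 ;;
    esac
    return 0
}

# Constructed sample tree (no real user needed): the layout ssh-copy-id
# produced in step 4, with the permissions sshd expects.
make_sample_home() {
    h=$(mktemp -d)
    mkdir "$h/.ssh"
    printf 'ecdsa-sha2-nistp256 AAAA-constructed-sample-key root@client\n' >"$h/.ssh/authorized_keys"
    chmod 755 "$h"; chmod 700 "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys"
    echo "$h"
}

# Demo: a correct tree passes, then the classic mistake (group-writable home)
# makes sshd silently ignore the key and fall back to the password prompt.
home=$(make_sample_home)
ssh_strict_check "$home" && echo "accepted: $home"
chmod g+w "$home"
ssh_strict_check "$home" || echo "key login from $home would fail"
```

When a key login fails for no visible reason, run the check against the real home directory on the server (ssh_strict_check /home/chen) and compare with the "Authentication refused: bad ownership or modes" line that sshd writes to the system log in that case.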
III. TCP Wrappers access control
Access control policy:
hosts.allow is checked first: if a matching rule is found, access is granted;
otherwise hosts.deny is checked: if a matching rule is found, access is denied;
if neither file contains a matching rule, access is allowed by default.
1. Configure access control on the server
[root@localhost ~]# vim /etc/hosts.allow
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.17.130 // only this address is allowed to connect to sshd
[root@localhost ~]# vim /etc/hosts.deny
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.17.128
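Added example (not from the tutorial): a small shell evaluator for the allow-then-deny-then-default order described above, run over constructed copies of the two files (the tutorial's entries, and the usual lockdown variant that denies sshd to everyone not listed in hosts.allow). It only understands rules of the form "daemon_list : client_list" with client patterns ALL, an exact IPv4 address, or a trailing-dot network prefix such as 192.168.17.; hostnames, netmasks, EXCEPT, IPv6 and the option field (deny, spawn, twist) are not handled, so treat it as an illustration of the policy rather than a replacement for the real libwrap check.

```shell
#!/bin/sh
# Added example, not part of the tutorial: evaluate a (daemon, client address)
# pair against hosts.allow and hosts.deny in the order tcp_wrappers uses.
# Assumptions: "daemon_list : client_list" rules only; client patterns ALL,
# exact IPv4 address or trailing-dot prefix ("192.168.17."); no hostnames,
# netmasks, EXCEPT, IPv6 or option fields.

# Does any rule in file $1 match daemon $2 and client $3?  (exit 0 = yes)
tcpw_match_file() {
    [ -r "$1" ] || return 1                       # missing file: nothing matches
    awk -v d="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            n = split($0, f, ":")
            if (n < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", f[1]); gsub(/^[ \t]+|[ \t]+$/, "", f[2])
            hit = 0
            m = split(f[1], ds, /[ \t,]+/)       # daemon_list
            for (i = 1; i <= m; i++) if (ds[i] == "ALL" || ds[i] == d) hit = 1
            if (!hit) next
            hit = 0
            m = split(f[2], cs, /[ \t,]+/)       # client_list
            for (i = 1; i <= m; i++) {
                p = cs[i]
                if (p == "ALL" || p == c) hit = 1
                else if (p ~ /\.$/ && index(c, p) == 1) hit = 1   # "192.168.17." prefix
            }
            if (hit) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Apply the policy: $1 = hosts.allow, $2 = hosts.deny, $3 = daemon, $4 = client.
# Prints ALLOW or DENY; the allow file wins, then the deny file, then the default.
tcpw_decide() {
    if tcpw_match_file "$1" "$3" "$4"; then echo ALLOW; return 0; fi
    if tcpw_match_file "$2" "$3" "$4"; then echo DENY; return 0; fi
    echo ALLOW                                    # no rule in either file
}

# Constructed copies of the tutorial's two files (comment headers omitted).
make_tcpw_files() {
    dir=$(mktemp -d)
    printf 'sshd: 192.168.17.130\n' >"$dir/hosts.allow"
    printf 'sshd: 192.168.17.128\n' >"$dir/hosts.deny"
    echo "$dir"
}

# The usual lockdown variant: allow the named client, deny sshd to everyone else.
make_lockdown_files() {
    dir=$(mktemp -d)
    printf 'sshd: 192.168.17.130\n' >"$dir/hosts.allow"
    printf 'sshd: ALL\n' >"$dir/hosts.deny"
    echo "$dir"
}

# Demo: with the tutorial's files an unlisted address is still ALLOWED
# (default allow); with the lockdown files it is DENIED.
for mk in make_tcpw_files make_lockdown_files; do
    d=$($mk)
    for ip in 192.168.17.130 192.168.17.128 10.0.0.5; do
        echo "$mk sshd from $ip: $(tcpw_decide "$d/hosts.allow" "$d/hosts.deny" sshd "$ip")"
    done
done
```

On the CentOS 7 hosts used in this chapter sshd is linked against libwrap, so the files take effect as soon as they are saved, with no restart. Upstream OpenSSH removed tcp_wrappers support in 6.7 and RHEL 8 no longer ships the library, so on newer systems the same per-address restriction is done with firewalld or an sshd Match Address block.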