Linux CentOS 7: sshd remote login, key-based login, TCP Wrappers access control

Environment for this chapter: two virtual machines, one acting as the server and the other as the client.

Objective for this chapter: remote login management with sshd, key-based authentication, and TCP Wrappers access control.

I. sshd remote login

1. Check the sshd service

[root@localhost ~]# netstat -ntap | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      3252/dnsm      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      968/sshd       // sshd is enabled and listening by default
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      16227/sshot@pt 
tcp        0      0 192.168.17.128:49342    180.97.251.226:80       TIME_WAIT   -              
tcp        0      0 192.168.17.128:42522    202.141.176.110:80   

Note that grep 22 also matches unrelated lines (the 192.168.122.1:53 listener above); grep ':22 ' or ss -tlnp | grep sshd picks out the SSH listener only.

2. Understand the sshd server configuration file

[root@localhost ~]# vim /etc/ssh/sshd_config    // the sshd server configuration file

#Port 22                   // listening port
#AddressFamily any         // IPv4, IPv6 or both
#ListenAddress 0.0.0.0     // IPv4 listening address
#ListenAddress ::          // IPv6 listening address

#LoginGraceTime 2m         // time allowed to complete authentication before the server drops the connection (not the session length)
#PermitRootLogin yes       // whether root may log in over SSH
#StrictModes yes           // sshd checks ownership and permissions of the user's home directory and key files before accepting a login
#MaxAuthTries 6            // maximum authentication attempts per connection
#MaxSessions 10            // maximum open sessions per network connection

#PubkeyAuthentication yes  // public-key authentication is enabled

A leading "#" marks a line that only shows the built-in default; to change a value, remove the "#" and edit the value.

3. From the client, log in to the server as root over SSH

[root@test02 ~]# ssh root@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
root@192.168.17.128's password: 
Last login: Mon Sep 16 12:07:36 2019

The fingerprint prompt appears on the first connection only; the host key is then cached in ~/.ssh/known_hosts. Before answering yes, compare the fingerprint with the one the server reports for its own key (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub); otherwise a machine in the middle could present its own key and capture the password.

4. Disable remote root login on the server

Edit /etc/ssh/sshd_config, remove the "#" in front of PermitRootLogin and set it to no, then restart sshd (systemctl restart sshd) so the change takes effect:

#LoginGraceTime 2m
PermitRootLogin no         // remote users may no longer log in as root
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

5. From the client, verify that root can no longer log in

[root@test02 ~]# ssh root@192.168.17.128
root@192.168.17.128's password: 
Permission denied, please try again.
root@192.168.17.128's password: 

6. Log in from the client as the normal user lisi, then switch to root with su (still unsafe: anyone who knows the root password can become root this way)

[root@test02 ~]# ssh lisi@192.168.17.128
lisi@192.168.17.128's password: 
[lisi@test01 ~]$ su - root
Password:
Last login: Mon Sep 16 12:17:31 CST 2019 on pts/2
Last failed login: Mon Sep 16 12:25:59 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@test01 ~]# 

7. Restrict su with PAM on the server

Edit /etc/pam.d/su and remove the "#" in front of the pam_wheel line; after that only members of the wheel group may su to root:

vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin

8. Verify from the client

lisi is not a member of wheel, so su is now refused:

[lisi@test01 ~]$ su - root
Password:
su: Permission denied

Make sure at least one administrative account is in the wheel group before enabling this, or nobody will be able to su to root.

9. The client gives up after three wrong passwords although the server allows 6 attempts (MaxAuthTries 6): the OpenSSH client has its own limit, NumberOfPasswordPrompts, whose default is 3

[root@test02 ~]# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[root@test02 ~]# 

10. Raise the client-side limit to 8 with -o NumberOfPasswordPrompts=8 (here from the root account on test01); now the server's MaxAuthTries 6 is reached first and the server closes the connection with "Too many authentication failures". MaxAuthTries counts every authentication attempt on the connection, including public keys the client offers, so a client with many keys loaded in its agent can hit this limit before a password is ever asked

[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]# 

11. Set an SSH login whitelist (and blacklist) on the server

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
AllowUsers chen@192.168.17.130
// only the user chen, and only from the address 192.168.17.130, may log in; every user not listed is refused
[root@test01 ~]# systemctl restart sshd

The counterparts are DenyUsers, AllowGroups and DenyGroups; sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
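The settings from steps 2, 4, 10 and 11 can be checked mechanically. The following script is an added example, not code from the original post: it reads an sshd_config text the way sshd does (the first uncommented occurrence of a keyword wins, "#" lines are ignored) and reports whether root login is off, MaxAuthTries is not above 6, public-key authentication is on and AllowUsers is set. The sample configuration embedded in it is constructed for the example; the defaults it assumes for unset keywords are the ones the page shows commented out. On a live CentOS 7 box, sshd -T prints the effective values and its output can be fed to the same checks.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config text for the
# hardening settings covered in steps 2, 4, 10 and 11 of part I.
# sshd takes the FIRST uncommented occurrence of each keyword and ignores
# "#..." lines, so a commented default such as "#PermitRootLogin yes" is NOT a
# setting. The audit reads the text the same way.

# Constructed sample, modelled on the stock CentOS 7 file: root login is still
# at its default, the AllowUsers rule from step 11 is present, and the two
# Port lines show that the first one wins.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 2222
Port 22
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
AllowUsers chen@192.168.17.130
'

# sshd_get KEYWORD CONFIG_TEXT
# Prints the value of the first uncommented KEYWORD line (keywords are
# case-insensitive, as in sshd); prints nothing if the keyword is never set.
sshd_get() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ || NF < 2      { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# sshd_audit CONFIG_TEXT
# Prints one OK/FAIL line per check and a final "failures=N" line.
# Unset keywords fall back to the defaults the page shows commented out.
sshd_audit() {
    cfg=$1
    n=0

    v=$(sshd_get PermitRootLogin "$cfg"); v=${v:-yes}
    case $v in
        no|prohibit-password|without-password) echo "OK   PermitRootLogin $v" ;;
        *) echo "FAIL PermitRootLogin $v: set it to no (step 4)"; n=$((n + 1)) ;;
    esac

    v=$(sshd_get MaxAuthTries "$cfg"); v=${v:-6}
    if [ "$v" -le 6 ]; then echo "OK   MaxAuthTries $v"
    else echo "FAIL MaxAuthTries $v: keep it at 6 or lower (step 10)"; n=$((n + 1)); fi

    v=$(sshd_get PubkeyAuthentication "$cfg"); v=${v:-yes}
    if [ "$v" = yes ]; then echo "OK   PubkeyAuthentication yes"
    else echo "FAIL PubkeyAuthentication $v: key login (part II) needs yes"; n=$((n + 1)); fi

    v=$(sshd_get AllowUsers "$cfg")
    if [ -n "$v" ]; then echo "OK   AllowUsers $v"
    else echo "FAIL AllowUsers unset: restrict who may log in (step 11)"; n=$((n + 1)); fi

    echo "failures=$n"
}

# sshd_audit_failures CONFIG_TEXT -> only the failure count, for scripting
sshd_audit_failures() {
    sshd_audit "$1" | sed -n 's/^failures=//p'
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

Run against the sample, the only failure is PermitRootLogin, because the commented "#PermitRootLogin yes" line is not a setting and the default still applies; that is exactly the state of the file before step 4.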

12. Three other remote management tools that run over SSH

scp        remote copy
sftp get   download a file from the remote host
sftp put   upload a file to the remote host

II. Key-based login authentication

1. Enable public/private key authentication on the server

[root@localhost ~]# vim /etc/ssh/sshd_config    // the sshd server configuration file

PubkeyAuthentication yes      // remove the "#" to enable public-key login

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys
                              // the server reads the public keys allowed for a user from this file under the user's home directory; the key pair itself is generated on the client

2. On the client, generate a key pair (here as root on the client; it will be used to log in as chen on the server). The passphrase entered here encrypts the private key on disk; leaving it empty means anyone who copies id_ecdsa can use it.

[root@client ~]# ls /home/
chen
[root@client ~]# ssh-keygen -t ecdsa 
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo..  o...  |
|*=+.o...  o  .   |
|oo. =o.  .. o    |
|   +.+o..+o  o   |
|  . =+o=S....    |
| . + .=.+. .     |
|E .  . +.        |
| .    .          |
|                 |
+----[SHA256]-----+

3. View the generated key pair in root's .ssh directory on the client

id_ecdsa is the private key and must never leave the client; only id_ecdsa.pub is copied to the server in the next step.

[root@client ~]# ls -a
.                    .bash_logout   .dbus                 .mozilla     模板
..                   .bash_profile  .esd_auth             .ssh         视频
.1234.txt.swp        .bashrc        .ICEauthority         .tcshrc      图片
abc                  .cache         initial-setup-ks.cfg  test         文档
abc.txt              chen           is                    this         下载
anaconda-ks.cfg      chenchen       .lesshst              .viminfo     音乐
.anacond-ks.cfg.swp  .config        .local                .Xauthority  桌面
.bash_history        .cshrc         lshelp1.txt           公共
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts

4. Copy the public key to the server, into user chen's authorized_keys

[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
chen@192.168.17.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'chen@192.168.17.128'"
and check to make sure that only the key(s) you wanted were added.

5. On the server, check that chen's public key has arrived

[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6. Log in from the client with the key pair

[root@client .ssh]# ssh chen@192.168.17.128
Enter passphrase for key '/root/.ssh/id_ecdsa': 
Last login: Sat Aug 10 00:32:52 2019

The prompt now asks for the passphrase of the private key, not for chen's account password on the server.

7. Passphrase-free login: cache the key in ssh-agent so the passphrase is not asked on every connection

[chen@localhost ~]$ exit
logout
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash    // start a bash session with an ssh-agent attached to it
[root@client .ssh]# ssh-add           // add the private key to the agent; the passphrase is asked once
Enter passphrase for /root/.ssh/id_ecdsa: 
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh chen@192.168.17.128
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$ 

The agent only lives as long as that bash session. Once key login works for every account that needs it, set PasswordAuthentication no in sshd_config so that password guessing as in steps 9 and 10 of part I is no longer possible.
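What ssh-copy-id did in step 4, and what sshd's StrictModes (step 2 of part I) later insists on, can be made explicit. The following is an added example, not code from the original post: it installs a public-key line into an authorized_keys file the way ssh-copy-id does (rejecting a malformed line, skipping a key whose blob is already present, keeping .ssh at 0700 and authorized_keys at 0600) and cross-checks the declared key type against the type embedded in the base64 blob, which is the first field of the SSH wire-format key. The key line it uses is the one shown in step 5 above; the target directory is a temporary one created for the example.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# authorized_keys the way ssh-copy-id does in step 4 of part II, with the
# checks that sshd's StrictModes (step 2 of part I) applies afterwards.

# The public key line that step 5 shows in chen's authorized_keys on the server.
PAGE_PUBKEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client'

# pubkey_blob_type PUBKEY_LINE
# Prints the key type stored inside the base64 blob. The blob is SSH wire
# format: a big-endian uint32 length followed by the type string, so a line
# whose first field does not match this value has been edited or corrupted.
pubkey_blob_type() {
    blob=$(printf '%s' "$1" | awk '{ print $2 }')
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -N4 -tu1)
    [ $# -eq 4 ] || return 1
    len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len"
}

# authorized_keys_install PUBKEY_LINE AUTHORIZED_KEYS_PATH
# Prints "rejected" (malformed line or type mismatch), "present" (the same
# blob is already in the file, whatever its comment says) or "added".
# Directory and file permissions are set to what StrictModes requires.
authorized_keys_install() {
    line=$1; file=$2
    ktype=$(printf '%s' "$line" | awk '{ print $1 }')
    blob=$(printf '%s' "$line" | awk '{ print $2 }')
    if [ -z "$blob" ] || [ "$(pubkey_blob_type "$line")" != "$ktype" ]; then
        echo rejected
        return 1
    fi
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    if grep -qF -- "$blob" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Stand-alone demonstration in a throwaway home directory (not /root or /home).
demo_home=$(mktemp -d)
authorized_keys_install "$PAGE_PUBKEY" "$demo_home/.ssh/authorized_keys"   # added
authorized_keys_install "$PAGE_PUBKEY" "$demo_home/.ssh/authorized_keys"   # present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Matching on the blob rather than the whole line is what keeps a key from being installed twice under different comments. To confirm that the installed key is the one generated in step 2, compare ssh-keygen -lf on the authorized_keys file with the SHA256 fingerprint ssh-keygen printed when the pair was created.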

III. TCP Wrappers access control

Access control policy:
/etc/hosts.allow is checked first; if a rule matches, access is granted
otherwise /etc/hosts.deny is checked; if a rule matches, access is denied
if neither file has a matching rule, access is allowed by default

Because the default is allow, an entry in hosts.allow on its own restricts nothing; to turn hosts.allow into a real whitelist for sshd, hosts.deny needs a catch-all such as sshd:ALL. TCP Wrappers applies only to services built against libwrap (sshd on CentOS 7 is one of them) and is checked when the connection is accepted, before sshd's own AllowUsers rule is ever consulted.

1. Configure access control on the server

[root@localhost ~]# vim /etc/hosts.allow

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.130   // the address that is allowed to reach sshd

[root@localhost ~]# vim /etc/hosts.deny

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.128   // denies sshd connections coming from 192.168.17.128 only

With these two files, a connection from any address other than 192.168.17.128 (the server's own address in this chapter) that is not listed in hosts.allow is still accepted by the default rule; for a strict whitelist the hosts.deny entry should be sshd:ALL. Both files are read on every connection, so no service restart is needed.
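The three-step policy above is easy to get wrong, as the hosts.deny entry on this page shows. The following is an added example, not code from the original post: it evaluates a daemon/client pair against hosts.allow and hosts.deny text in the order TCP Wrappers uses (allow file first, then deny file, then default allow) for the rule forms used here: an exact address, ALL, a trailing-dot prefix such as 192.168.17., and comma-separated daemon or client lists. The EXCEPT operator, netmasks, hostnames and the shell-command options of hosts_access(5) are not handled. The file contents are the page's own rules plus a constructed stricter hosts.deny; 192.168.17.134 (the client address seen in step 7 of part II) and 192.168.17.200 are used as test clients.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate TCP Wrappers rules the
# way /etc/hosts.allow and /etc/hosts.deny are consulted for a connection.
# Supported rule forms: "daemon[,daemon]: client[,client]" where a client is an
# exact IPv4 address, ALL, or a trailing-dot prefix such as 192.168.17.
# Not handled: EXCEPT, netmasks, hostnames and the shell-command options.

# The rules as written on this page.
PAGE_HOSTS_ALLOW='# /etc/hosts.allow
sshd: 192.168.17.130
'
PAGE_HOSTS_DENY='# /etc/hosts.deny
sshd: 192.168.17.128
'
# Constructed alternative that turns hosts.allow into a real whitelist.
STRICT_HOSTS_DENY='# /etc/hosts.deny
sshd: ALL
'

# tcpw_client_match PATTERN IP -> status 0 when the client pattern matches
tcpw_client_match() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# tcpw_rule_match RULE DAEMON IP -> status 0 when "daemons:clients" matches
tcpw_rule_match() {
    dlist=${1%%:*}; clist=${1#*:}
    dmatch=1
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then dmatch=0; fi
    done
    [ $dmatch -eq 0 ] || return 1
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
        tcpw_client_match "$c" "$3" && return 0
    done
    return 1
}

# tcpw_first_match DAEMON IP FILE_TEXT
# Prints the first matching rule (comments and blanks skipped); status 1 if none.
tcpw_first_match() {
    while IFS= read -r raw; do
        rule=$(printf '%s' "${raw%%#*}" | tr -d ' \t')
        [ -n "$rule" ] || continue
        if tcpw_rule_match "$rule" "$1" "$2"; then printf '%s\n' "$rule"; return 0; fi
    done <<EOF
$3
EOF
    return 1
}

# tcpw_decide DAEMON IP ALLOW_TEXT DENY_TEXT -> "allow ..." or "deny ..." with the reason
tcpw_decide() {
    if r=$(tcpw_first_match "$1" "$2" "$3"); then echo "allow (hosts.allow rule $r)"; return 0; fi
    if r=$(tcpw_first_match "$1" "$2" "$4"); then echo "deny (hosts.deny rule $r)"; return 0; fi
    echo "allow (no rule matched, default)"
}

# tcpw_verdict DAEMON IP ALLOW_TEXT DENY_TEXT -> just "allow" or "deny"
tcpw_verdict() { tcpw_decide "$@" | cut -d' ' -f1; }

for ip in 192.168.17.130 192.168.17.128 192.168.17.134; do
    echo "page rules,   sshd from $ip: $(tcpw_decide sshd "$ip" "$PAGE_HOSTS_ALLOW" "$PAGE_HOSTS_DENY")"
    echo "strict rules, sshd from $ip: $(tcpw_decide sshd "$ip" "$PAGE_HOSTS_ALLOW" "$STRICT_HOSTS_DENY")"
done
```

With the page's rules, sshd from 192.168.17.134 is allowed by the default rule because neither file mentions it; with sshd:ALL in hosts.deny the same connection is denied while 192.168.17.130 still gets in through hosts.allow. A daemon not named in either file (vsftpd, for instance) is always allowed by the default, which is why a whitelist for one service does nothing for the others.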

That is all for this chapter.

Origin blog.51cto.com/14449524/2438217