# service NetworkManager stop
# chkconfig NetworkManager off
# setup
# vim /etc/udev/rules.d/70-persistent-net.rules
# modprobe -rv e1000
# modprobe -v e1000
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# service network restart
# setenforce 0
# vim /etc/selinux/config
SELINUX=disabled
:wq
ssh -X 192.168.1.1 // -X forwards X11, so a graphical tool (for example the network or date configuration GUI) started on the remote server is displayed locally
ssh 192.168.10.1 'useradd bob' // a command placed after the IP address is executed on the remote server directly, without opening an interactive login
ping6 ::1 // ping the IPv6 local loopback address
ping 127.0.0.1 // ping the IPv4 local loopback address
netstat -tunlp | more // see which TCP and UDP ports are listening and which process owns them
:::111 // 111 after the last colon is the port number; the leading :: is the IPv6 "any address"
/etc/ssh configuration directory
ssh_config client configuration file
sshd_config server-side configuration file
vim /etc/ssh/sshd_config
Port 3389 // listening port number
Protocol 2 // protocol version (only version 2)
ListenAddress 192.168.168.174 // IP address to listen on; 0.0.0.0 means all addresses
PermitRootLogin no // do not allow the root user to log in
PermitEmptyPasswords no // do not allow accounts with an empty password
UseDNS no // do not do a reverse DNS lookup of the client's IP address
LoginGraceTime 2m // if the login is not completed within two minutes, the server disconnects
StrictModes yes
MaxAuthTries 6 // at most 6 authentication attempts per connection
:wq
man ssh // help for the ssh command
man 5 sshd_config // help for the configuration file; do not add the path
ssh -p 3389 192.168.10.3 // connect to SSH on port 3389
SSH blacklist and whitelist settings
Configuration file /etc/ssh/sshd_config
Checked from the top down, in this order:
1. DenyUsers USER1 USER2 ...
2. AllowUsers USER1@HOST USER2 ...
3. DenyGroups GROUP1 GROUP2 ...
4. AllowGroups GROUP1 GROUP2 ...
Example:
vim /etc/ssh/sshd_config
AllowUsers tom root@192.168.10.5 // allow user tom to log in, and allow root only from host 192.168.10.5; root from other hosts is refused, and any user not listed is refused by default
:wq
rsync httpd-2.2.25.tar.gz root@SERVER_IP:/home/demo // SERVER_IP stands for the remote server's address
scp httpd.tar.gz root@SERVER_IP:/home/demo
Encryption technology
One. Encryption methods
1. Symmetric encryption: encryption and decryption use the same key. Algorithms: DES/3DES/AES. Advantage: high encryption efficiency. Disadvantage: transferring and storing the key is inconvenient.
2. Asymmetric encryption: the public key encrypts, the private key decrypts. Algorithm: RSA. Advantage: key transfer and storage are convenient. Disadvantage: low encryption efficiency.
3. One-way encryption: can only be done in one direction and cannot be reversed. Hash algorithms: MD5, SHA.
# md5sum /etc/passwd
# sha<Tab><Tab> // press the Tab key to list the available sha commands
sha1sum sha224sum sha256sum sha384sum sha512sum sharesec
# sha512sum /etc/passwd // the larger the number, the longer the digest
bob:$6$xa/cy // $6$ means the password hash is SHA-512
bob:$1$xa/cy // $1$ means the password hash is MD5
Enabling SSH login without a password
One. Generate a key pair
# ssh-keygen // press Enter at every prompt; the first prompt would change the key file name, the second and third would set a passphrase for the key
/root/.ssh/id_rsa // where the key pair is stored
Two. Upload the public key to the server's root user
# ssh-copy-id -i root@SERVER_IP // SERVER_IP stands for the server's IP address
/root/.ssh/id_rsa private key
/root/.ssh/id_rsa.pub public key
/root/.ssh/known_hosts saved server host key information
cd /etc/ssh
rm -rf ssh_host*
service sshd restart
ssh 192.168.1.2 // login is rejected, because the server's host key has changed
Login works again after the client deletes its known_hosts:
rm -rf known_hosts
ssh 192.168.1.2 // login successful
# ls // in /root/.ssh
id_rsa id_rsa.pub known_hosts
# rm -f id*
# ssh-keygen // regenerate the key pair
# ssh-add // after this step, remote connections no longer prompt for the key's passphrase
Could not open a connection to your authentication agent.
# eval `ssh-agent` // if ssh-add fails with the message above, start an agent first
Agent pid 5267
# ssh-add ~/.ssh/rsa // wrong file name: the private key is id_rsa, not rsa, so this fails
/root/.ssh/rsa: No such file or directory
# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
# ssh-keygen
yum list | grep wire // search for the packet capture tool
yum -y install wireshark wireshark-gnome // install the packet capture tool
Applications -> Internet -> Wireshark // open the packet capture tool
Two. SSH encryption and authentication
1. When the client connects to the server by SSH for the first time, the server sends its host key. The client cannot determine whether this key really belongs to the server, so it prompts on screen asking whether to trust the key. After the user types yes, the connection continues.
2. On the server side, regenerate the host key:
# rm -f /etc/ssh/ssh_host_*
# service sshd restart
3. The client connects to the server again. Because the server's key has been regenerated, the server key stored locally on the client does not match the key the server sends in this session, so the client rejects the connection.
4. The client trusts the new key:
# rm ~/.ssh/known_hosts
# ssh server
Three. Generate an SSH key and protect the private key with a passphrase
1. The client generates a key pair:
# ssh-keygen // when prompted to enter a passphrase, type one; it is the password that protects the private key
2. Upload the public key to the server:
# ssh-copy-id -i SERVER_IP
3. Connection test:
# ssh SERVER_IP // prompts for a password; this is the passphrase protecting the private key, not the server account's password
4. Hand the private key passphrase to the agent:
# ssh-add
5. ssh to the server again; no password needs to be entered.
Four. Carrier of the certificate --- algorithm
1. CA: Certification Authority
Five. TCP wrappers
1. A unified protection policy
Shared by multiple TCP services, which improves efficiency
2. Check whether a service supports TCP wrappers protection
# ldd `which sshd vsftpd` | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f274758c000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fb676477000)
3. Protection rules are stored in
/etc/hosts.allow
/etc/hosts.deny
How the policy is applied:
hosts.allow is checked first; a match allows the connection.
Otherwise hosts.deny is checked; a match refuses the connection.
If there is no match in either file, the default is to allow.
4. Format of the rules
service list: client list
About client addresses:
The wildcard characters ? and * can be used
A network segment address, such as 192.168.4. or 192.168.4.0/255.255.255.0
A domain address, such as .wsyht.com
5. Example:
Allow only the following clients to access vsftpd:
network segment 192.168.4.0/24
IP range 192.168.7.1-192.168.7.20
# rpm -ql telnet-server // look up the daemon's name (in.telnetd)
# vim /etc/hosts.allow
vsftpd:192.168.4.*,192.168.7.?,192.168.7.1?,192.168.7.20 // ? matches one character: .1-.9, then .10-.19, then .20
sshd:192.168.1.3
in.telnetd:192.168.1.3
# vim /etc/hosts.deny
vsftpd:ALL
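To see how the allow-then-deny-then-default order and the page's client patterns play out, here is an added Python model of the hosts.allow/hosts.deny lookup (example code, not part of the original post or of tcp_wrappers itself); the file contents are constructed to mirror the example above, and the matcher covers only the pattern forms the page lists.

```python
import fnmatch
import ipaddress

# Constructed sample contents mirroring the page's example (not read from the real files).
HOSTS_ALLOW = """
vsftpd:192.168.4.*,192.168.7.?,192.168.7.1?,192.168.7.20
sshd:192.168.1.3
in.telnetd:192.168.1.3
"""
HOSTS_DENY = "vsftpd:ALL\n"

def parse_rules(text):
    """Turn 'service,service : client,client' lines into (services, patterns) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        services, clients = line.split(":", 1)
        rules.append(([s.strip() for s in services.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip, hostname=""):
    """Match one client pattern using the forms the page lists (see hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                      # domain suffix, e.g. .wsyht.com
        return hostname.endswith(pattern)
    if "/" in pattern:                               # net/mask, e.g. 192.168.4.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                        # network prefix, e.g. 192.168.4.
        return ip.startswith(pattern)
    if "*" in pattern or "?" in pattern:             # shell-style wildcards, ? is one character
        return fnmatch.fnmatchcase(ip, pattern)
    return pattern in (ip, hostname)                 # exact address or host name

def rule_matches(rules, service, ip, hostname=""):
    return any(service in services and any(client_matches(p, ip, hostname) for p in patterns)
               for services, patterns in rules)

def access_allowed(service, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow first (match allows), then hosts.deny (match refuses), else allow."""
    if rule_matches(parse_rules(allow), service, ip, hostname):
        return True
    if rule_matches(parse_rules(deny), service, ip, hostname):
        return False
    return True
```

Note that sshd has no entry in hosts.deny, so a client that does not match the sshd line in hosts.allow is still admitted by the default rule; only vsftpd is actually restricted by this configuration.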
Five. AAA
Authentication: identity authentication, who are you?
Authorization: authorization, what can you do?
Audit: auditing, what did you do?
Six. PAM, pluggable authentication modules
1. Configuration files: /etc/pam.d/
2. Contents of a configuration file (one line as an example):
account required pam_nologin.so
The first column is the authentication type; the available options are:
account: performs non-authentication account management operations, typically restricting when the user may log in and which system resources are available
auth: this module provides two aspects of authenticating a user. First it verifies that the user is who they claim to be (for example, with a password), and second it grants group membership or other privileges.
password: this module is used when the user changes a password
session: things to do before or after a service is granted to the user. For example, writing a log entry when the user accesses data.
The second column is the control flag; the available options are:
required: if the check fails, the final result is failure, but the following entries are still checked.
sufficient: if the check succeeds, the stack passes immediately and no later entries are checked. If the check fails, that does not mean the final result is failure.
optional: optional
include: include the contents of another file
The third column is the module called, located under /lib64/security
/var/log/secure security log file
3. Example one: only members of the wheel group can switch to the root user
# vim /etc/pam.d/su // uncomment the "auth required" line (pam_wheel.so)
Log in as tom and run su -; even with the correct password, the switch is refused
# usermod -aG wheel tom // add tom to the wheel group; -a append, -G supplementary group
Run su - again; tom can now switch to the root user
4. Example two: forbid tom from logging in on tty2
# vim /etc/pam.d/login // add the following line
account required pam_access.so
# vim /etc/security/access.conf // add near the end of the file, not after the last line
-:tom:tty2 // - means deny
5. Example three: allow user tom to open at most two files
Check the line included in /etc/pam.d/system-auth:
session required pam_limits.so // add at the end
# vim /etc/security/limits.conf // add at the end
tom hard nofile 2
The limit applies whether you switch to tom with su or log in as tom.
6. Example four: create the file /etc/vsftpd/ftpgrps; groups listed in the file cannot access FTP
# groupadd denyftp
# usermod -aG denyftp tom
# echo 'denyftp' > /etc/vsftpd/ftpgrps
# vim /etc/pam.d/vsftpd // add at the end
auth required pam_listfile.so item=group sense=deny file=/etc/vsftpd/ftpgrps onerr=succeed
Verification: tom logs in to ftp and the login fails; check the /var/log/secure log.
7. Example five: set the minimum user password length to 9 characters
# vim /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=0 ucredit=0 lcredit=0 ocredit=0
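To make the control flags concrete, here is an added Python model of how a pam.d stack is evaluated (example code, not part of the original post or of Linux-PAM); it parses the three-column line format from example four, simulates pam_listfile.so's group check with constructed file contents, and applies required, requisite and sufficient the way the section above describes. The second stack line (pam_unix.so) is a hypothetical password check added for the example.

```python
# Constructed /etc/pam.d/vsftpd stack as the page's example four leaves it
# (the second line is a hypothetical normal password check, not from the page).
VSFTPD_STACK = [
    "auth required pam_listfile.so item=group sense=deny file=/etc/vsftpd/ftpgrps onerr=succeed",
    "auth required pam_unix.so",
]
FTPGRPS = {"denyftp"}   # constructed contents of /etc/vsftpd/ftpgrps

def parse_pam_line(line):
    """Split one pam.d entry into (type, control, module, {argument: value})."""
    ptype, control, module, *rest = line.split()
    args = {}
    for token in rest:
        key, _, value = token.partition("=")
        args[key] = value or True        # flags such as try_first_pass have no value
    return ptype, control, module, args

def listfile_group_result(args, user_groups, listed=FTPGRPS):
    """Simulate pam_listfile.so with item=group: a listed group denies when sense=deny."""
    hit = bool(listed & set(user_groups))
    return not hit if args.get("sense") == "deny" else hit

def evaluate_stack(lines, results):
    """Apply the control flags the page describes to a stack of pam.d lines.

    results maps a module name to the success (True/False) that module reported.
    """
    failed = False
    for line in lines:
        _, control, module, _ = parse_pam_line(line)
        ok = results[module]
        if control == "required" and not ok:
            failed = True                 # final answer is failure, but keep checking
        elif control == "requisite" and not ok:
            return False                  # fail at once; later entries never run
        elif control == "sufficient" and ok and not failed:
            return True                   # pass at once; later entries are skipped
        # optional: the result does not decide the outcome here
    return not failed

def ftp_login_allowed(user_groups):
    """Run the page's example-four stack for a user with the given groups."""
    _, _, _, args = parse_pam_line(VSFTPD_STACK[0])
    results = {"pam_listfile.so": listfile_group_result(args, user_groups),
               "pam_unix.so": True}      # assume the password itself was correct
    return evaluate_stack(VSFTPD_STACK, results)
```

Because pam_listfile.so is marked required rather than requisite, tom's login still runs the password check before failing, which is why the refusal appears only at the end of the stack in /var/log/secure.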
This article is from the "wsyht blog"; please keep this source: http://wsyht2015.blog.51cto.com/9014030/1790277
Linux Security Application 2