Secure Shell (SSH) is a protocol that provides secure remote login and other secure network services over an insecure network. It originated as a program on UNIX systems and quickly spread to other operating platforms. SSH is a good application: when used correctly, it compensates for weaknesses in the network.
SSH consists of three parts:
The Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality and integrity, and optionally compression. SSH-TRANS typically runs over a TCP/IP connection, but may also be used on top of any other reliable data stream. It provides strong encryption, cryptographic host authentication and integrity protection. Authentication in this protocol is host-based; it does not perform user authentication. Higher-level user authentication protocols can be designed on top of it.
The User Authentication Protocol [SSH-USERAUTH] authenticates the client-side user to the server. It runs over the transport layer protocol SSH-TRANS. When SSH-USERAUTH starts, it receives the session identifier from the lower-level protocol (the exchange hash H of the first key exchange). The session identifier uniquely identifies the session and is included in the data that is signed to prove ownership of a private key. SSH-USERAUTH also needs to know whether the lower-level protocol provides confidentiality protection.
The Connection Protocol [SSH-CONNECT] multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol and provides interactive login sessions, remote command execution, forwarded TCP/IP connections and forwarded X11 connections.
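The following Python script is an added example, not code from the original article, showing how the three parts fit together at the point described above: SSH-TRANS produces the exchange hash H, SSH-USERAUTH takes it as the session identifier, and the client includes that identifier in the bytes it signs to prove ownership of its private key. It assumes the H layout of RFC 4253 section 8 and the signed-data layout of RFC 4252 section 7; the key-exchange field values are constructed, and the asymmetric signature a real client would produce (e.g. ssh-ed25519) is replaced by HMAC-SHA256 under a constructed key so the example runs offline. The names `exchange_hash`, `userauth_signed_data`, `toy_sign`, `server_verify` and `demo` are this example's own.

```python
"""Added example (not from the original article): how the session identifier
produced by SSH-TRANS binds a public-key user authentication to one session.

Assumptions, labelled: the exchange hash H is computed as in RFC 4253 section 8
over constructed sample fields; the asymmetric signature a real client would
make (e.g. ssh-ed25519) is replaced by HMAC-SHA256 under a constructed key so
that the example runs offline. The byte layout that is signed is the one from
RFC 4252 section 7.
"""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for non-negative n: minimal two's-complement, so a
    leading 0x00 is added when the top bit would otherwise be set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    """Exchange hash H of a Diffie-Hellman key exchange (RFC 4253 s.8).
    H of the first key exchange becomes the session identifier handed to
    SSH-USERAUTH."""
    data = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return hashlib.sha256(data).digest()


def userauth_signed_data(session_id, user, service, algo, pubkey_blob):
    """Exact bytes a client signs for the 'publickey' method (RFC 4252 s.7).
    The session identifier comes first, so a signature is only valid for the
    session whose key exchange produced that H."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user)
            + ssh_string(service)
            + ssh_string(b"publickey")
            + b"\x01"                       # boolean TRUE: signature present
            + ssh_string(algo)
            + ssh_string(pubkey_blob))


def toy_sign(key, data):
    """Stand-in for the private-key signature (constructed, symmetric)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def server_verify(key, session_id, user, service, algo, pubkey_blob, sig):
    """Server side: rebuild the signed data with *its own* session identifier
    and check the presented signature against it."""
    expected = toy_sign(key, userauth_signed_data(session_id, user, service, algo, pubkey_blob))
    return hmac.compare_digest(expected, sig)


def demo():
    """Sign once for session A, then present the same signature to session B."""
    # constructed sample key-exchange fields for two different sessions
    sid_a = exchange_hash(b"SSH-2.0-clientA", b"SSH-2.0-serverA", b"\x00" * 16,
                          b"\x01" * 16, b"host-key-blob-A", 12345, 67890, 424242)
    sid_b = exchange_hash(b"SSH-2.0-clientA", b"SSH-2.0-serverB", b"\x02" * 16,
                          b"\x03" * 16, b"host-key-blob-B", 11111, 22222, 333333)
    key = b"constructed-toy-key"
    args = (b"test", b"ssh-connection", b"ssh-ed25519", b"constructed-pubkey")
    sig = toy_sign(key, userauth_signed_data(sid_a, *args))
    return {
        "accepted_by_own_session": server_verify(key, sid_a, *args, sig),
        "replayed_into_other_session": server_verify(key, sid_b, *args, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server rebuilds the signed data from the session identifier of its own key exchange, a signature captured from one session cannot be replayed into another, which is the property the session identifier exists to provide.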
Because SSH encrypts all transmitted data, the "man-in-the-middle" attack method is made impossible, and DNS spoofing and IP spoofing are also prevented. Another advantage of using SSH is that the transmitted data is compressed, which can speed up transmission. SSH has many functions: it can replace Telnet and provide a secure "channel" for FTP, POP and even PPP.
In many cases the Telnet service is provided on the server. Indeed, to manage a UNIX system remotely you must use a remote terminal, and to use a remote terminal you must start the Telnet service on the server. However, the Telnet service has a fatal weakness: it transfers user names and passwords in plain text, so it is easy for someone with ulterior motives to steal passwords. SSH is currently a useful tool that effectively replaces the Telnet service: when the SSH client communicates with the server, the user name and password are encrypted, which effectively prevents password eavesdropping. The emergence of SSH makes remote control more secure.
Although SSH has the above advantages, it will still be attacked by hackers. Next we discuss how to defend against attacks on SSH:
1. Basic configuration:
Three authentication modes are available: no authentication, password authentication, and user name and password authentication. The user name and password authentication method is recommended. If unified authentication is performed for all network devices, the same RADIUS server can be used for authentication. The details are as follows:
Create an observation-level telnet user with the following commands:
local-user test
password cipher 3 M] * QF/H] KL 'K & @ YU8 <4 )!!!
service-type telnet level 0
Enable user name and password authentication on the vty 0 4 interface:
user-interface vty 0 4
authentication-mode scheme
2. For security, you can set the authenticated user's privilege level to 0 and then use the super command to raise the privilege level. Taken together, the user name, the password and the super password form three lines of defense against hackers. The details are as follows:
super password level 3 cipher /C] JIDTXNUC8BT:. _ ^ U $ !!
3. You can apply an ACL to the vty interface so that remote telnet is allowed only from certain IP addresses. This is the fourth line of defense, as shown in the following code:
Create an ACL based on the source IP address:
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
Apply the ACL in the inbound direction of vty 0 4:
user-interface vty 0 4
acl 2000 inbound
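To make the effect of the ACL in step 3 concrete, here is an added example (not from the original article) that parses a basic ACL in the form used above and evaluates candidate source addresses against it the way an inbound vty check would. It assumes the usual inverse-mask convention (a set bit in the wildcard means "do not care"), that rules are tested in ascending rule number, and that a source matching no rule is denied, which is the intent of step 3; the sample ACL, the addresses tested and the function names `parse_acl`, `source_permitted` and `check_sources` are all constructed for this example. It also shows that a wildcard with only three octets, such as `0.0.255`, is rejected as malformed.

```python
"""Added example (not from the original article): evaluating a basic ACL of
the form used above ('rule N permit|deny source A.B.C.D WILDCARD') against a
candidate source address, the way a vty 'acl ... inbound' check would.

Assumptions, labelled: a set bit in the wildcard mask means 'do not care' (the
usual inverse-mask convention); rules are tested in ascending rule number; a
source that matches no rule is denied, which is the intent of step 3 above.
The ACL text and the addresses tested are constructed samples."""
import ipaddress
import re

RULE_RE = re.compile(r"^rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)$")


def parse_acl(text):
    """Parse 'acl number N' plus rule lines into (number, action, addr, wildcard)
    tuples with addresses as integers. A wildcard such as '0.0.255' (three
    octets) is rejected: addresses and wildcards must have four octets."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("acl number"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        num, action, addr, wild = m.groups()
        try:
            addr_i = int(ipaddress.IPv4Address(addr))
            wild_i = int(ipaddress.IPv4Address(wild))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"bad address or wildcard in {line!r}: {exc}") from None
        rules.append((int(num), action, addr_i, wild_i))
    return sorted(rules)


def source_permitted(rules, src):
    """First matching rule (in ascending number order) wins; no match is deny."""
    s = int(ipaddress.IPv4Address(src))
    for _num, action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF          # bits that must match exactly
        if (s & care) == (addr & care):
            return action == "permit"
    return False


# constructed sample: one host in the /24 excluded, the rest of it allowed
SAMPLE_ACL = """
acl number 2000
rule 0 deny source 192.168.1.200 0.0.0.0
rule 5 permit source 192.168.1.0 0.0.0.255
"""


def check_sources(acl_text, sources):
    """Return {source: permitted?} for each candidate source address."""
    rules = parse_acl(acl_text)
    return {src: source_permitted(rules, src) for src in sources}


if __name__ == "__main__":
    results = check_sources(SAMPLE_ACL, ["192.168.1.77", "192.168.1.200", "10.0.0.1"])
    for src, ok in results.items():
        print(f"{src:15} {'permit' if ok else 'deny'}")
```

The wildcard is the inverse of a subnet mask, so `0.0.0.255` covers the whole 192.168.1.0/24 while `0.0.0.0` pins a single host; because rules are evaluated in number order, a more specific deny must carry a lower number than the broader permit to take effect.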
4. Experience shows that SSH attacks on network devices are common. Although the devices are not compromised, such attacks consume CPU, memory and other resources. Not accepting SSH packets on the vty interface is the fifth line of defense, as follows:
The vty 0 4 interface only accepts telnet users:
user-interface vty 0 4
protocol inbound telnet
Using the SSH service improves the security of remote control and prevents password theft.