1. What is SSH
SSH (Secure Shell) is a network protocol for encrypted, authenticated remote login and command execution between computers. It replaces cleartext protocols such as telnet and rsh, which expose passwords and whole sessions to anyone on the network path.
2. Configuring the OpenSSH server side
The OpenSSH server is provided by packages such as openssh and openssh-server (installed by default on most distributions) and is registered as a standard system service, sshd.
Configuration file:
/etc/ssh/sshd_config
Service listening options:
Port 22                       // listening port, 22 by default
Protocol 2                    // use only SSH protocol version 2; version 1 is insecure, and OpenSSH 7.0 and later disable it (recent versions have removed it entirely)
ListenAddress 192.168.1.55    // listen only on the address 192.168.1.55 (by default sshd listens on every local address)
UseDNS no                     // do not reverse-resolve the client address (avoids slow logins and gains no real security)
# service sshd reload         // reload the configuration so the changes take effect
User login control:
By default sshd permits root to log in directly. On a server reachable from the Internet this should be disabled: log in as an ordinary user first, then switch to root with su (or sudo). An attacker then has to guess a username as well as a password, and every privileged action is tied to a named account in the logs.
sshd service login restrictions:
1). Disable login by the root user and by users with an empty password
2). Limit how long a connection may take to authenticate (2 minutes by default)
3). Limit the number of authentication attempts per connection
# vim /etc/ssh/sshd_config
PermitRootLogin no            // refuse direct root login
PermitEmptyPasswords no       // refuse accounts whose password is empty
LoginGraceTime 2m             // the server disconnects if the user has not authenticated within this time
MaxAuthTries 6                // maximum authentication attempts per connection; once failures exceed half this value each further failure is logged
# service sshd reload
Allowing or denying specific users, optionally only from a given address. Both directives may be used in the same file; sshd evaluates them in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and as soon as an AllowUsers line is present every user not listed there is refused.
AllowUsers user@ip            // allow login
DenyUsers user@ip             // deny login
Example:
Only allow dyq and zhangsan to log in, and only from the 192.168.1.0/24 segment (multiple entries are separated by spaces; patterns may use * and ?):
AllowUsers dyq@192.168.1.* zhangsan@192.168.1.*
# service sshd reload
Login authentication methods:
1). Password authentication: the simplest method; the user proves identity with the password of the local account on the server.
2). Public key authentication: the user generates a key pair, the public key is installed on the server, and the private key stays on the client, where it is used to answer the server's challenge. Nothing secret is ever sent over the wire.
Usually both methods are enabled at the same time; the client then tries public key authentication first and falls back to the password only if no key is accepted. On servers with higher security requirements only key authentication is enabled, which removes password guessing as an attack altogether.
How to generate the public and private key is described later.
# vim /etc/ssh/sshd_config
PasswordAuthentication yes    // enable password authentication (set to no for key-only login)
PubkeyAuthentication yes      // enable public key authentication
AuthorizedKeysFile .ssh/authorized_keys   // file, relative to the user's home directory, holding the public keys accepted for that user
# service sshd reload
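A trap with the settings above is that sshd takes the first occurrence of a keyword and silently ignores later duplicates, so a "PermitRootLogin no" appended at the end of a file that already says "yes" changes nothing. The following POSIX shell audit is an added example, not part of the original article: it reads a constructed sshd_config, reports the value sshd would actually use for a keyword (first match in the global section, case-insensitive, comments stripped, nothing after the first Match header), and compares the result with the strict profile described above, that is no root login, no empty passwords, key authentication on, password authentication off, at most 6 tries. The sample file, its port and the "backup" Match user are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening settings discussed
# on this page. Not from the original article; the sample config is constructed.

# sshd_effective FILE KEYWORD : print the value sshd would use for KEYWORD.
# Keywords are case-insensitive, '#' starts a comment, the FIRST occurrence
# wins (later duplicates are silently ignored), and anything after the first
# "Match" header is conditional, so the scan stops there.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, "") }                       # drop comments; fields are re-split
        tolower($1) == "match" { exit }           # conditional section: stop here
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# check_eq FILE KEYWORD EXPECTED : one OK/WARN line for a yes/no style setting
check_eq() {
    val=$(sshd_effective "$1" "$2")
    if [ "$val" = "$3" ]; then
        echo "OK   $2 $val"
    else
        echo "WARN $2 is '${val:-<unset, compiled-in default>}', expected $3"
    fi
}

# audit_sshd_config FILE : the strict profile from this page (key-only login)
audit_sshd_config() {
    check_eq "$1" PermitRootLogin no
    check_eq "$1" PermitEmptyPasswords no
    check_eq "$1" PubkeyAuthentication yes
    check_eq "$1" PasswordAuthentication no
    check_eq "$1" UseDNS no
    val=$(sshd_effective "$1" MaxAuthTries)
    if [ -n "$val" ] && [ "$val" -le 6 ] 2>/dev/null; then
        echo "OK   MaxAuthTries $val"
    else
        echo "WARN MaxAuthTries is '${val:-<unset>}', expected 6 or fewer"
    fi
}

# write_sample_config PATH : a constructed sshd_config (not a real server's)
# containing the classic trap: PermitRootLogin appears twice, the first wins.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
Port 50022
PermitRootLogin yes          # this line is the effective one
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication yes
MaxAuthTries 6
UseDNS no
PermitRootLogin no           # too late: sshd ignores duplicate keywords
Match User backup
    PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "effective PermitRootLogin: $(sshd_effective "$sample" PermitRootLogin)"
audit_sshd_config "$sample"
rm -f "$sample"
```

The script is a portable approximation for reviewing a file before it is deployed; on the server itself, "sshd -T" prints the authoritative effective configuration (including compiled-in defaults) and should be preferred.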
3. Client connection methods
There are two ways to connect remotely: from the command line (the usual way on Linux and other Unix-like clients) and with a graphical client program (the usual way on Windows).
Connecting to the server from the command line
ssh remote login
Format:
ssh [-p port] user@address
If the server does not listen on the default port 22, the port must be given with -p (lowercase; scp uses uppercase -P for the same purpose).
Example:
# ssh -p 50022 dyq@192.168.1.55
On the first connection the client shows the server's host key fingerprint and asks whether to trust it. Answer yes only after comparing the fingerprint with the one published by the server's administrator: accepting an unknown key blindly also accepts a possible man-in-the-middle. The key is then stored in ~/.ssh/known_hosts and every later connection is checked against it. After that, enter the password to log in.
scp remote copy
The scp command copies local files to the remote server or files from the server to the local machine, over the same encrypted SSH connection that ssh uses.
Troubleshooting a copy error:
If the copy fails with "bash: scp: command not found" followed by "lost connection", the remote side has no scp binary (scp needs it on both ends); install the OpenSSH client package on the server.
Format:
scp [-P port] [-r] [source] [destination]
Parameters:
-r              // copy a whole directory recursively
-P (uppercase)  // specify the port (lowercase -p means "preserve modification times and modes")
More parameters: man scp
Example: copy from the server to the local machine
# scp -P 50022 dyq@192.168.1.55:/home/dyq/132 /root/123
To copy from the local machine to the server, reverse the order of the two arguments:
# scp -P 50022 /root/dd.sql dyq@192.168.1.55:/home/dyq
sftp secure FTP
sftp is a file transfer subsystem of SSH. It offers an FTP-like interactive interface (ls, get, put and so on), but everything, credentials and file contents alike, travels encrypted inside the SSH connection, which makes it far safer than plain FTP.
sftp does not use the FTP service at all: the server only needs sshd with the sftp subsystem enabled (the default "Subsystem sftp" line in sshd_config). No FTP daemon has to be running, and one that is running is not involved.
Format:
sftp user@address
The three commands above have been introduced only briefly; they have many more parameters and forms to explore, all documented in their man pages.
Connecting from a Windows graphical client is not covered here.
4. Building an SSH system with key authentication
Concept:
Key authentication is more secure than password authentication: nothing secret is sent to the server, and a private key cannot be guessed the way a password can. Two files matter: id_rsa is the private key and id_rsa.pub is the public key.
How key authentication works:
Step one: generate the key pair, public key (id_rsa.pub) and private key (id_rsa), on the client.
Step two: upload the public key file (id_rsa.pub) to the server.
Step three: import the public key into ~/.ssh/authorized_keys of the account on the server.
Step four: on login the server challenges the client, which proves possession of the private key matching one of the listed public keys.
1). Create a key pair on the client
The key files are generated with the ssh-keygen tool on Linux. Either RSA or DSA can be chosen here; of the two, RSA is the better choice, because DSA keys are limited to 1024 bits and OpenSSH has disabled them by default since version 7.0 (Ed25519 is the usual modern choice).
Format:
ssh-keygen -t [algorithm: rsa or dsa]
Parameters:
-t              // specify the key algorithm
More parameters: man ssh-keygen
Example: when ssh-keygen prompts (file location, passphrase), pressing Enter accepts the defaults. Set a passphrase unless the key is used by unattended automation; it protects the private key if the client machine is ever compromised.
Confirm that the keys exist:
# ls -lh ~/.ssh
total 12K
-rw-------. 1 root root 1.7K Jul  6 15:33 id_rsa
-rw-r--r--. 1 root root  408 Jul  6 15:33 id_rsa.pub
-rw-r--r--. 1 root root  402 Jul  6 15:04 known_hosts
Keep the private key (id_rsa) safe and never hand it to anyone. Its mode of 0600 (readable by the owner only) must be preserved; if the file becomes readable by others, ssh refuses to use it.
2). Upload the public key to the server
The public key can be transferred in any convenient way (scp, copy and paste, FTP, Samba, HTTP, e-mail); only the public key travels, the private key never leaves the client. Here scp is used:
# scp -P 50022 ~/.ssh/id_rsa.pub dyq@192.168.1.55:/home/dyq/
dyq@192.168.1.55's password:
id_rsa.pub                                   100%  408   0.4KB/s   00:00
3). Import the public key file on the server
The accepted public keys are kept in ~/.ssh/authorized_keys of the account that will be logged into (here dyq). Logged in as that account:
# mkdir ~/.ssh                                      // create the .ssh directory if it does not exist yet
# cat /home/dyq/id_rsa.pub >> ~/.ssh/authorized_keys   // append the key (>> keeps any keys already present; > would overwrite them)
# tail -1 ~/.ssh/authorized_keys                    // verify that the key was added
Because strict permission checking is on by default (StrictModes yes), sshd refuses key authentication when the home directory, ~/.ssh or authorized_keys is writable by the group or by others, or is not owned by the user. The conventional, and safest, settings are mode 700 for ~/.ssh and 600 for authorized_keys. If key login fails for no obvious reason, check these permissions first and read the reason in the server log (/var/log/secure on Red Hat based systems, /var/log/auth.log on Debian based ones).
4). Log in from the client with key authentication
Once the three previous steps are complete, ssh -p 50022 dyq@192.168.1.55 logs in directly with the key: no server password is asked for, only the key's passphrase if one was set. To make the server key-only afterwards, set PasswordAuthentication no in sshd_config and reload sshd, but only after confirming in a second session that key login works, so that you do not lock yourself out.
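The permission rule in step 3 is the most common reason key login "mysteriously" fails, and the condition sshd actually tests is narrower than "owner only": the path must not be writable by group or others. The following shell functions are an added example, not from the original article; they inspect the three paths StrictModes looks at, read the mode string from ls -ld so they work on any Unix, and report the first path that would make sshd reject the key. Ownership is not checked here. The home directory, user name and key line are constructed under mktemp for the demonstration, not a real account.

```shell
#!/bin/sh
# Added example: reproduce the StrictModes permission check that decides whether
# sshd will accept ~/.ssh/authorized_keys. Not from the original article.

# writable_by_others PATH : succeed if PATH is group- or world-writable.
# Reads the 10-character mode string of "ls -ld" (position 6 = group write,
# position 9 = other write), the same condition sshd tests.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *)                     return 1 ;;
    esac
}

# strictmodes_check HOMEDIR : print "ok" if sshd (StrictModes yes) would accept
# keys from HOMEDIR/.ssh/authorized_keys, otherwise print the first problem.
# Always exits 0; the verdict is the printed text.
strictmodes_check() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 0
        fi
        if writable_by_others "$p"; then
            echo "writable by group/others: $p"; return 0
        fi
    done
    echo ok
}

# make_demo_home DIR : lay out a constructed home directory the way step 3
# above does, with the recommended modes (700 for .ssh, 600 for the key file).
make_demo_home() {
    mkdir -p "$1/.ssh"
    chmod 755 "$1"
    chmod 700 "$1/.ssh"
    # constructed placeholder line, not a real public key
    echo "ssh-rsa AAAA...constructed-public-key... dyq@client" > "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

demo=$(mktemp -d)
make_demo_home "$demo/dyq"
echo "correct layout:      $(strictmodes_check "$demo/dyq")"
chmod 770 "$demo/dyq/.ssh"            # the classic mistake: .ssh left group-writable
echo "group-writable .ssh: $(strictmodes_check "$demo/dyq")"
rm -rf "$demo"
```

Run against a real account with strictmodes_check /home/dyq (as root or as that user) before reaching for the server log; a mode of 644 on authorized_keys passes the check, but the 600 used above is still the sensible default.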
5. TCP Wrappers access control
Many network services on Linux have an access control mechanism of their own, for example Samba, BIND, httpd and OpenSSH. In addition, firewalls and intrusion detection devices at the network boundary provide a further barrier. TCP Wrappers sits between the two: a host-based layer that filters on the client address before the service's own authentication runs.
Overview:
TCP Wrappers "wraps" other TCP service programs and adds an access check in front of them: an incoming request is checked against the access policy before it reaches the protected service. TCP Wrappers also logs every attempt to access a protected service, giving administrators useful data for security analysis.
Linux distributions have traditionally shipped the tcp_wrappers package pre-installed. Note that upstream OpenSSH dropped libwrap support in version 6.7 and several current distributions no longer ship tcp_wrappers at all, so before relying on hosts.allow for sshd check whether your sshd still links against it: ldd /usr/sbin/sshd | grep libwrap
View the package contents:
# rpm -ql tcp_wrappers
/usr/sbin/safe_finger
/usr/sbin/tcpd
/usr/sbin/try-from
/usr/share/doc/tcp_wrappers-7.6
/usr/share/doc/tcp_wrappers-7.6/BLURB
/usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
/usr/share/doc/tcp_wrappers-7.6/CHANGES
/usr/share/doc/tcp_wrappers-7.6/DISCLAIMER
/usr/share/doc/tcp_wrappers-7.6/README
/usr/share/doc/tcp_wrappers-7.6/README.IRIX
/usr/share/doc/tcp_wrappers-7.6/README.NIS
/usr/share/man/man8/safe_finger.8.gz
/usr/share/man/man8/tcpd.8.gz
/usr/share/man/man8/try-from.8.gz
Note:
xinetd is a special service manager, often called a super server. xinetd has the TCP Wrappers mechanism built in and provides additional access control for every program it manages through a configuration file per service under the /etc/xinetd.d directory.
TCP Wrappers access policy
The objects protected by the TCP Wrappers mechanism are network service programs, and access is controlled by the address of the client requesting the service. The two policy files are /etc/hosts.allow and /etc/hosts.deny, for the allow and deny rules respectively.
/etc/hosts.allow               // clients allowed to access
/etc/hosts.deny                // clients denied access
Policy configuration format:
The two files have opposite effects but share the same format.
Format:
<list of service programs> : <list of client addresses>
1). List of service programs:
ALL                            // all service programs
Individual service programs by daemon name, for example "vsftpd, httpd". The name is the daemon's process name, so the SSH server is sshd, not ssh.
2). Client address list
ALL                            // any client address
LOCAL                          // any host whose name contains no dot, i.e. hosts in the local domain
A single IP address, for example "192.168.1.50"
A network address with mask, for example "192.168.4.0/255.255.255.0"
A domain name starting with ".", for example ".365.com", matches all hosts in the 365.com domain
A network address ending with ".", for example "192.168.4.", matches the whole 192.168.4.0/24 segment
The wildcards * and ? may be embedded: * stands for any sequence of characters and ? for exactly one. For example "10.0.8.2*" matches every address that begins with 10.0.8.2, which includes 10.0.8.20 through 10.0.8.29 as well as 10.0.8.2 itself. Wildcards cannot be combined with patterns that start or end with "." or with a netmask.
Several client entries may be listed, separated by commas or spaces, for example: 192.168.1., 172.17.17., .365.com
Basic principles of access control
The TCP Wrappers mechanism applies the access policy in the following order:
(1). /etc/hosts.allow is checked first; if a matching rule is found, access is granted.
(2). Otherwise /etc/hosts.deny is checked; if a matching rule is found, access is denied.
(3). If neither file contains a matching rule, access is granted.
Because the default is to allow, an empty or missing hosts.deny means TCP Wrappers restricts nothing, however many allow rules exist.
TCP Wrappers configuration example
In practice a looser policy is "allow all, deny a few" and a stricter policy is "allow a few, deny all". The former only needs the corresponding deny rules in hosts.deny; the latter needs the allow rules in hosts.allow and, in addition, an "ALL: ALL" (or per-service, for example "sshd: ALL") deny rule in hosts.deny, because without a deny rule step (3) above would still admit everyone else.
Example:
Only the host with IP address 61.63.65.67 and the hosts on the 192.168.1.0/24 segment may reach the sshd service; all other addresses are refused.
# vim /etc/hosts.allow
sshd: 61.63.65.67, 192.168.1.0/255.255.255.0
# vim /etc/hosts.deny
sshd: ALL
Two details decide whether this works. The service name must be the daemon's name, sshd; a rule for "ssh" never matches, so a deny file reading "ssh: ALL" would leave sshd open to everyone. And the client pattern must describe the segment actually intended; writing 192.168.2.* here would lock out the 192.168.1.0/24 hosts the rule was meant to admit. Wrapper decisions are logged via syslog (typically /var/log/secure or /var/log/messages), which is where to look when a legitimate client is refused.
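To test the three evaluation rules and the two mistakes just described without touching a live system, here is an added example, not from the original article, of a POSIX shell model of the libwrap decision for IPv4 clients. It handles ALL, exact addresses, trailing-dot prefixes, net/mask pairs and the * and ? wildcards, which covers every pattern on this page, but it is a model for checking policies, not libwrap itself: it knows nothing about hostnames, LOCAL, KNOWN/UNKNOWN or the EXCEPT operator. The rule files are written to a temporary directory and are constructed for the demonstration; the "broken" variant deliberately repeats the wrong daemon name and wrong segment discussed above.

```shell
#!/bin/sh
# Added example: a model of the TCP Wrappers decision (hosts.allow, then
# hosts.deny, then allow) for IPv4 clients. Not libwrap and not from the
# original article; the policy files below are constructed for the demo.
set -f    # never let patterns such as 192.168.2.* expand against the filesystem

# ip2int A.B.C.D : dotted quad to an integer, for netmask arithmetic
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_client PATTERN IP : succeed if the client pattern covers IP
match_client() {
    case $1 in
        ALL)  return 0 ;;
        *.)   case $2 in "$1"*) return 0 ;; esac           # "192.168.4." prefix
              return 1 ;;
        */*)  net=${1%/*}; mask=${1#*/}                     # "192.168.1.0/255.255.255.0"
              [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
                $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)    case $2 in $1) return 0 ;; esac               # exact IP, or * and ? wildcards
              return 1 ;;
    esac
}

# rule_matches FILE SERVICE IP : succeed if some "services : clients" line in
# FILE names SERVICE (or ALL) together with a client pattern covering IP
rule_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        case $line in *:*) ;; *) continue ;; esac           # skip blank/malformed lines
        services=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for s in $services; do
            [ "$s" = ALL ] || [ "$s" = "$2" ] || continue
            for c in $clients; do
                if match_client "$c" "$3"; then return 0; fi
            done
        done
    done < "$1"
    return 1
}

# wrap_decision SERVICE IP ALLOWFILE DENYFILE : print allow or deny following
# the three rules above: allow-file match, else deny-file match, else allow
wrap_decision() {
    if   rule_matches "$3" "$1" "$2"; then echo allow
    elif rule_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# write_policy DIR : the corrected example from this page (constructed files)
write_policy() {
    printf 'sshd: 61.63.65.67, 192.168.1.0/255.255.255.0\n' > "$1/hosts.allow"
    printf 'sshd: ALL\n' > "$1/hosts.deny"
}

# write_broken_policy DIR : the two mistakes discussed above, for comparison
write_broken_policy() {
    printf 'sshd: 61.63.65.67, 192.168.2.*\n' > "$1/hosts.allow"   # wrong segment
    printf 'ssh: ALL\n' > "$1/hosts.deny"                          # wrong daemon name
}

dir=$(mktemp -d)
write_policy "$dir"
for ip in 61.63.65.67 192.168.1.77 192.168.2.9 10.0.0.5; do
    echo "corrected policy, sshd from $ip: $(wrap_decision sshd "$ip" "$dir/hosts.allow" "$dir/hosts.deny")"
done
write_broken_policy "$dir"
echo "broken policy, sshd from 192.168.1.77: $(wrap_decision sshd 192.168.1.77 "$dir/hosts.allow" "$dir/hosts.deny")"
echo "broken policy, sshd from 10.0.0.5:     $(wrap_decision sshd 10.0.0.5 "$dir/hosts.allow" "$dir/hosts.deny")"
rm -rf "$dir"
```

With the corrected files the two intended sources are admitted and everyone else is refused. With the broken files every address, including 10.0.0.5, is admitted: the "ssh: ALL" line matches no daemon, so rule (3) applies and the misspelt segment in hosts.allow is never even needed. The real libwrap offers the same kind of dry run through the tcpdmatch utility where it is installed.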
This article is from the "start from 0" blog; please keep this source when sharing: http://0kaishi.blog.51cto.com/9457500/1679066
SSH Remote Control