CentOS SSH installation and configuration

Source: Internet
Author: User
Tags: ssh, server, dns spoofing

SSH (Secure Shell) is a protocol for remote login sessions and other network services over an untrusted network; it is standardized by the IETF in RFC 4251 and the related RFCs. SSH is an application-layer protocol that runs over TCP (port 22 by default) and provides its own encrypted transport layer. Traditional network service programs such as FTP, POP and Telnet are inherently insecure because they transmit data, user names and passwords in plaintext, which leaves their users open to man-in-the-middle attacks: another person or machine impersonates the real server to receive the user's data, and then impersonates the user toward the real server. SSH encrypts everything it transmits, so it prevents information leakage during remote management, and because the client verifies the server's host key, a connection that DNS spoofing or IP spoofing has redirected to an impostor host is detected instead of silently accepted (as long as the user does not accept an unexpected host key).

System and version: CentOS release 5.3 (Final).

Install and start SSH

On CentOS the server is in the openssh-server package and the client in openssh-clients (there is no package named "ssh"):

    [root@sample ~]# yum install openssh-server openssh-clients
    [root@sample ~]# service sshd start         start the SSH service
    [root@sample ~]# chkconfig sshd on          start sshd automatically at boot

Modify the SSH configuration file

    [root@sample ~]# vi /etc/ssh/sshd_config    open the SSH configuration file with vi

Make the following changes:

    #Protocol 2,1
Find this line, delete the "#" at the start of the line and the ",1" at the end, so that it reads
    Protocol 2
Only the SSH2 protocol is then accepted.

    #ServerKeyBits 768
Find this line, delete the "#" and change "768" to "1024":
    ServerKeyBits 1024
This raises the strength of the SSH1 server key to 1024 bits. ServerKeyBits only applies to protocol 1, so with "Protocol 2" it has no effect; setting it is harmless (the directive was removed from OpenSSH in version 7.4).

    #PermitRootLogin yes
Find this line, delete the "#" and change "yes" to "no":
    PermitRootLogin no
root is then no longer allowed to log in directly over SSH; log in as an ordinary user and use su.

    #PasswordAuthentication yes
Find this line, delete the "#" if present, and change "yes" to "no":
    PasswordAuthentication no
Password logins are then not allowed; only public-key authentication remains (PubkeyAuthentication is on by default).

    #PermitEmptyPasswords no
Find this line and delete the "#" at the start of the line:
    PermitEmptyPasswords no
Logging in with an empty password is not allowed.

Save and exit (the vi command to save and exit is ZZ).

Be careful with the order of the steps: once sshd restarts with PasswordAuthentication no, nobody can log in without a key. Do the rest of this procedure from the console, or keep your current SSH session open until key login has been confirmed to work; existing sessions survive a restart of sshd.

Restrict SSH to the intranet

We only want SSH for managing the system conveniently, not for remote management over the Internet, so only intranet clients are allowed to log in to the server through SSH, which minimizes the exposure. sshd on CentOS is built with tcp_wrappers support, so this is done in /etc/hosts.deny and /etc/hosts.allow. tcp_wrappers checks hosts.allow first, then hosts.deny, and a client matched by neither file is allowed, which is why the deny rule is what actually closes the door.

    [root@sample ~]# vi /etc/hosts.deny         edit the deny rules and add a line at the end of the file

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    sshd: ALL                                   add this line: refuse all SSH connection requests

    [root@sample ~]# vi /etc/hosts.allow        add a line at the end of the file

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd: 192.168.0.                            add this line: allow SSH only from the intranet 192.168.0.0/24 (the trailing dot makes it a prefix match)

Restart the SSH service

After modifying the SSH configuration file you must restart the SSH service for the new settings to take effect. Check the file for syntax errors first, since a broken sshd_config stops the daemon from starting:

    [root@sample ~]# sshd -t                    test mode: prints nothing if the configuration is valid
    [root@sample ~]# /etc/rc.d/init.d/sshd restart      restart the SSH server
    Stopping sshd:                                             [  OK  ]
    Starting sshd:                                             [  OK  ]

Once sshd has restarted it is no longer possible to log in from a remote terminal (a personal PC, etc.) with an SSH client using an ordinary password. For a client to log in, we create a public/private key pair; the private key is the "key" with which the client logs in to the SSH server.
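The sshd_config edits and the hosts.allow/hosts.deny rules above, as an added shell example (this is not code from the original article): harden_sshd_config applies the four directive changes idempotently to whichever file it is given, check_hardened reports whether the active values are the intended ones, and wrapper_allows evaluates a client address against hosts.allow and hosts.deny in the order tcp_wrappers uses. The function names, the scratch files and the sample addresses are assumptions made for the demonstration, and the evaluator only understands the rule forms the article uses (ALL, a dotted prefix, an exact address), not EXCEPT lists or line continuations. Run it on scratch copies, then use sshd -t on the real file before restarting.

```shell
#!/bin/sh
# Added example, not code from the original article: the sshd_config
# hardening and the tcp_wrappers restriction described above, as functions
# that take a file path, so they can be exercised on scratch copies before
# touching /etc/ssh/sshd_config or /etc/hosts.allow. Assumes a POSIX shell
# with grep, sed and awk; the directive values are the article's.

# set_directive FILE KEY VALUE: replace any commented or active "KEY ..."
# line (a comment that merely starts with KEY is replaced too) with
# "KEY VALUE", or append the line when the directive is absent. Idempotent.
set_directive() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]" "$1"; then
        sed "s|^[#[:space:]]*$2[[:space:]].*|$2 $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# harden_sshd_config FILE: the four settings the article changes.
harden_sshd_config() {
    set_directive "$1" Protocol 2                 # SSH-2 only
    set_directive "$1" PermitRootLogin no         # log in as a user, then su
    set_directive "$1" PasswordAuthentication no  # keys only
    set_directive "$1" PermitEmptyPasswords no
}

# active_value FILE KEY: the value sshd uses (first uncommented occurrence).
active_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_hardened FILE: 0 if all four directives are active with the intended values.
check_hardened() {
    [ "$(active_value "$1" Protocol)" = 2 ] &&
    [ "$(active_value "$1" PermitRootLogin)" = no ] &&
    [ "$(active_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(active_value "$1" PermitEmptyPasswords)" = no ]
}

# client_matches PATTERN IP: the pattern forms the article uses, "ALL" and
# a dotted prefix such as "192.168.0." (plus an exact address).
client_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# rule_matches FILE DAEMON IP: 0 if some "daemon_list : client_list" line
# in FILE covers DAEMON (or ALL) and IP. Comments and blank lines are skipped.
rule_matches() {
    while IFS=: read -r daemons clients || [ -n "$daemons" ]; do
        [ -n "$clients" ] || continue
        case $daemons in *#*) continue ;; esac
        for dm in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$dm" = "$2" ] || [ "$dm" = ALL ] || continue
            for cl in $(printf '%s' "$clients" | tr ',' ' '); do
                client_matches "$cl" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# wrapper_allows ALLOW_FILE DENY_FILE DAEMON IP, in tcp_wrappers order:
# a match in hosts.allow grants, then a match in hosts.deny refuses,
# otherwise access is granted (which is why "sshd: ALL" in hosts.deny matters).
wrapper_allows() {
    if rule_matches "$1" "$3" "$4"; then return 0; fi
    if rule_matches "$2" "$3" "$4"; then return 1; fi
    return 0
}

# Demonstration on constructed scratch files (not a real server's configuration).
tmp=$(mktemp -d "${TMPDIR:-/tmp}/sshdemo.XXXXXX")
cat > "$tmp/sshd_config" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
EOF
harden_sshd_config "$tmp/sshd_config"
check_hardened "$tmp/sshd_config" && echo "sshd_config: hardened"
printf 'sshd: ALL\n' > "$tmp/hosts.deny"
printf '# intranet only\nsshd: 192.168.0.\n' > "$tmp/hosts.allow"
for ip in 192.168.0.25 192.168.1.25 203.0.113.7; do       # -> allowed, refused, refused
    wrapper_allows "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip" \
        && echo "$ip: allowed" || echo "$ip: refused"
done
rm -rf "$tmp"
```

Point wrapper_allows at an empty hosts.deny and every address comes back allowed: the allow line on its own restricts nothing.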
Create the SSH2 public and private key

The key pair is created as an ordinary user and belongs to that user (centospub in this example):

    [root@sample ~]# su - centospub             log in as the ordinary user centospub
    [centospub@sample ~]$ ssh-keygen -t rsa     create the public and private key pair
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/centospub/.ssh/id_rsa):    name of the key file; press Enter to accept the default
    Created directory '/home/centospub/.ssh'.
    Enter passphrase (empty for no passphrase):     enter a passphrase
    Enter same passphrase again:                    enter the passphrase again
    Your identification has been saved in /home/centospub/.ssh/id_rsa.
    Your public key has been saved in /home/centospub/.ssh/id_rsa.pub.
    The key fingerprint is:
    (the new key's fingerprint) centospub@sample.centospub.com

Then confirm that the public and private keys were created and prepare them for the client:

    [centospub@sample ~]$ cd ~/.ssh             enter the key directory
    [centospub@sample .ssh]$ ls -l              list the files
    total 16
    -rw-------  1 centospub centospub 951 Sep  4 19:22 id_rsa         confirm that the private key has been created
    -rw-r--r--  1 centospub centospub 241 Sep  4 19:22 id_rsa.pub     confirm that the public key has been created
    [centospub@sample .ssh]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys    append the public key to the file sshd checks at login
    [centospub@sample .ssh]$ rm -f ~/.ssh/id_rsa.pub                    delete the original public key file (it is no longer needed)
    [centospub@sample .ssh]$ chmod 400 ~/.ssh/authorized_keys           make the new file owner-read-only; sshd refuses it if group or others can write to it

Then transfer the private key securely to the PC that will connect to the server over SSH. Here a 3.5-inch floppy disk is used as the medium:

    [centospub@sample .ssh]$ exit               log out of the ordinary user (back to the root login)
    [root@sample ~]# mount /mnt/floppy/         mount the floppy drive
    [root@sample ~]# mv /home/centospub/.ssh/id_rsa /mnt/floppy/     move the newly created private key to the floppy disk
    [root@sample ~]# umount /mnt/floppy/        unmount the floppy drive

The private key does not need to stay on the server; only authorized_keys does. On the client, place id_rsa in ~/.ssh with mode 600 (ssh refuses a private key that others can read) and connect with ssh -i ~/.ssh/id_rsa centospub@server. Before closing the session you used for this setup, confirm that key login works and that a password login is refused.
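The key installation above, as an added shell example (not the article's own commands): install_pubkey appends a public key to authorized_keys only when that exact line is not already there, so unlike "cat > authorized_keys" it cannot overwrite keys that are already installed, and check_ssh_perms checks the file modes that sshd's StrictModes (on by default) and the ssh client enforce, which is the usual reason a freshly installed key "does not work". The public key string is constructed for the demonstration and is not a real key; the function names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into
# authorized_keys without clobbering existing keys, then check the
# permissions sshd's StrictModes and the ssh client insist on.
# Assumes a POSIX shell and a GNU/BSD ls; the home directory is a parameter
# so it can be exercised on a scratch directory instead of a real home.

# mode_of PATH: prints the 10-character mode string, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends each key line to HOME_DIR/.ssh/authorized_keys only if that exact
# line is not already present; creates .ssh as 0700 and the file as 0600.
install_pubkey() {
    pub=$1; sshdir=$2/.ssh; auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# check_ssh_perms HOME_DIR: 0 if sshd and ssh will accept the layout, 1 otherwise.
# StrictModes rejects a home, .ssh or authorized_keys that group or others can
# write; the ssh client refuses a private key readable by anyone but its owner.
check_ssh_perms() {
    home=$1; ok=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        case $m in
            ?????w*|????????w?) echo "BAD: $p is group/world writable ($m)"; ok=1 ;;
        esac
    done
    key=$home/.ssh/id_rsa
    if [ -e "$key" ]; then
        m=$(mode_of "$key")
        case $m in
            ????------) ;;   # group and others have no access: fine
            *) echo "BAD: $key is accessible to group/others ($m)"; ok=1 ;;
        esac
    fi
    return $ok
}

# Demonstration in a scratch directory with a constructed (fake) public key.
home=$(mktemp -d "${TMPDIR:-/tmp}/sshhome.XXXXXX")
chmod 700 "$home"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample== centospub@sample\n' > "$home/fake_id_rsa.pub"
install_pubkey "$home/fake_id_rsa.pub" "$home"
install_pubkey "$home/fake_id_rsa.pub" "$home"      # second run adds nothing
echo "keys installed: $(wc -l < "$home/.ssh/authorized_keys" | tr -d ' ')"   # -> 1
check_ssh_perms "$home" && echo "permissions OK"
chmod 777 "$home/.ssh"                               # the mistake StrictModes catches
check_ssh_perms "$home" || echo "sshd would ignore authorized_keys in this layout"
rm -rf "$home"
```

When key login fails silently, run check_ssh_perms against the real home directory before anything else; with StrictModes on, sshd logs "Authentication refused: bad ownership or modes" and falls through to the (now disabled) password prompt.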
