Many devices, such as routers and firewalls, provide interfaces for remote access and management. For example, Windows servers can be managed remotely over the Telnet protocol. However, Telnet is not safe: the account name and password are transmitted in plain text, which is very dangerous on a network. Hackers can use a network sniffing tool to easily steal accounts and passwords sent in plain text over the network. Therefore, we do not recommend using Telnet to remotely manage network devices and servers.
The SSH protocol was developed to address the insecurity of Telnet. Its principle is similar to Telnet, but it offers much higher security. SSH is an application-layer protocol running on top of the transport layer (TCP). Compared with Telnet, it provides strong authentication and encryption, ensuring that the data transmitted by a network device is encrypted and thereby protecting accounts and passwords.
1. Composition of the SSH software package.
The SSH software package consists of two parts: the server side and the client side. The server is installed on the controlled side, that is, the device that requires remote management. The client is installed on the operator's host. SSH packages are available for all major operating systems, including Microsoft Windows, Linux, and Cisco IOS, although there are some differences in specific applications. For example, on Windows the SSH server can only be installed on the server edition, whereas Linux has no such restriction.
In addition, SSH currently has two versions: SSH1 and SSH2. SSH1 is a completely free software package, while SSH2 is a paid package. There is no free lunch: the paid SSH2 has more powerful functions than the free SSH1, but because it must be paid for, it is not as widely used as SSH1. In practice, note that SSH2 and SSH1 are two completely different protocols and are incompatible. That is, if your server runs SSH2 and your client runs SSH1, you cannot use that client to connect to the server, because the two are not compatible. This is a very important issue at work.
2. SSH authentication methods.
Generally, SSH provides two security authentication methods.
First, password-based authentication. In this mode, you only need to know the account and password to log on to the server remotely over SSH. The transmitted data, including the user name and password, is sent as ciphertext. However, this mode has a defect: it cannot ensure that the server you are connecting to is the one you intended to connect to. Because it does not verify the identity of the client and server, someone may impersonate the real server without the administrator noticing. This is called a man-in-the-middle attack, and it is a well-known attack method.
Second, key-based authentication. In this mode, authentication relies on a key pair: you create a key pair for yourself and, using some other secure channel, place the public key on the server that requires remote management. When the administrator connects to the SSH server, the client sends a request asking the server to authenticate the administrator with the client key. After receiving the request, the server compares it with the public key that you placed on it in advance. If the two keys are consistent, the server uses the public key to encrypt a challenge and sends it to the client software. The client software decrypts the challenge with the private key and sends the result back to the server. Compared with the first method, this method ensures the validity of the SSH server and effectively avoids man-in-the-middle (MITM) attacks.
Currently, both SSH1 and SSH2 support this authentication method. The key-based method is more complex, so it may take a user a long time to log on to the server, sometimes a minute or longer. When you start the first session, a "." prompt appears on the client before the SSH user authentication prompt. Generally, this prompt does not affect SSH. When the private key is used to generate the server key or to encrypt a message during the SSH key exchange, this prompt appears on the SSH client before the user authentication prompt. We can regard it as a progress indicator showing that SSH is busy rather than hung. Its duration varies with network conditions; generally, anything within two minutes can be considered normal. If this limit is exceeded, the administrator needs to adjust the related configuration, otherwise the normal operation of SSH is affected.
However, the second authentication method gives the administrator an extra reward. If your network has many SSH servers, for example an FTP file server, a Cisco firewall, and an SSH server, and you are the administrator of all of them, you can use a single password to log on to every server you need.
3. Configuration example.
Because SSH uses an encryption mechanism, its configuration is more complex than Telnet. Next I will take a Cisco firewall as an example to show how to configure SSH so that it takes effect on the server.
Enabling the SSH service on the firewall requires five steps.
Step 1: Configure the firewall host name.
This step is not required to enable the SSH service. However, I suggest you give the firewall a proper name. When accessing the SSH service through a client, typing a name is much simpler than typing an IP address, and a name is much easier to remember than a dull string of numbers. Therefore, an easily remembered SSH server name is the basis for managing SSH servers.
On a Cisco firewall, use the hostname command to configure the name of the SSH server. To make devices easy to identify, it is generally necessary to follow certain naming rules, for example the "device name-object name" rule.
Step 2: Generate a key pair.
On a Cisco firewall, we recommend the key authentication method, so you need to generate a key pair for it. This step is also very simple, because the firewall already has a default method for it. The administrator only needs to enter the command ca generate rsa key 1024 at the command line, and the firewall operating system automatically generates a key pair. After the key pair is generated, the administrator also needs to run the ca save all command to save it.
Note that different systems adopt different encryption mechanisms, so the methods for generating a key pair also differ. As an enterprise security manager, you should have a unified plan for key generation: where security permits, unify the key generation method within the company. This greatly reduces the maintenance workload.
Step 3: Specify the IP address of the client.
To improve the security of remote management, the Cisco firewall filters by IP address. On the SSH server, you must specify the IP address of the client; only the allowed IP addresses can connect to the SSH server through an SSH client.
This is an important security control. In this way, only specific clients can use SSH to remotely manage the firewall, and unauthorized clients have no access. This ensures the security of SSH remote management.
The administrator uses the ssh ip_address command to configure the client IP addresses that are allowed to access the firewall. Generally, only the administrator is allowed to access the remote host through SSH.
Step 4: Set the access password.
Although restricting the client already helps ensure SSH security, it is still necessary to set an access account and password. Sometimes the SSH server also has a default user name; to keep the SSH server secure, we strongly recommend that you change the default password immediately. Changing the default accounts and passwords of servers and devices is a necessary work habit for network security personnel. In SSH, you can use the password command to change the SSH login user name.
Step 5: Set the idle time.
Finally, you need to set the idle time after which the session is disconnected. This is similar to a screen saver. Sometimes other matters require you to leave the SSH client for a while; you have left, but the SSH session has not been interrupted. What if someone uses the time you are away to do damage?
Therefore, like setting a screen saver, we need to set a maximum idle time for SSH sessions. When the limit expires, the SSH server automatically ends the session to protect itself. On the firewall, use the ssh timeout command to set the maximum idle time, in minutes. By default, the maximum idle time is 5 minutes.
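The five steps above collected into one configuration session, as an added example that is not from the original article. It assumes a Cisco PIX 6.x firewall; the host name, domain name, management station address and password are placeholders, and the domain-name line, the netmask and interface arguments of the ssh command, and the show commands at the end are additions the article does not mention.

```cisco
! Added example (not from the original article): Cisco PIX 6.x SSH setup.
! fw-dmz, example.invalid, 192.0.2.10 and the password are placeholders.

! Step 1: host name, following the "device name-object name" rule
hostname fw-dmz
! PIX 6.x will not generate an RSA key pair until a domain name is set
! (assumption added here; the article does not list this step)
domain-name example.invalid

! Step 2: generate the RSA key pair that identifies the server, then save it
ca generate rsa key 1024
ca save all

! Step 3: only the management station may open SSH sessions, and only
! through the inside interface (netmask and interface are optional
! arguments of the ssh command; the article shows only the address)
ssh 192.0.2.10 255.255.255.255 inside

! Step 4: replace the default login password (the article's "password"
! command is spelled passwd on PIX 6.x; the default SSH user is pix)
passwd REPLACE-WITH-A-STRONG-PASSWORD

! Step 5: end idle sessions after 10 minutes instead of the default 5
ssh timeout 10

! Persist the running configuration
write memory

! Checks: the generated key, the allowed clients and timeout, and who is
! connected right now (an unexpected source address here is worth a look)
show ca mypubkey rsa
show ssh
show ssh sessions
```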
Generally, no additional configuration is required on the client; only compatibility needs to be considered when choosing a client. That is, if the server uses SSH1, the client must also be SSH1, and if the server uses SSH2, the client must also be SSH2.
To manage multiple SSH servers, there are two convenient methods. First, use the key authentication method described above; then you only need one account and password to manage all SSH servers. Second, save the related configuration on the SSH client. When the administrator needs to access an SSH server, he only needs to select the server on the client instead of entering its configuration, such as the IP address and port.