Introduction to ssh and openssh in CentOS6
1. Introduction to ssh and openssh:
SSH:
SSH (Secure Shell) is a protocol and tool for secure remote access over the network. It uses a client/server (C/S) structure. Before SSH, the earliest tool for connecting to remote computers was telnet.
Telnet sends everything, including passwords, in plain text, so its security is poor. Do not use telnet unless there is no alternative.
SSH is far safer than telnet. OpenSSH is the open-source implementation of SSH described here (not OpenSSL, which is a separate TLS and cryptography library).
OPENSSH
It can be used as a direct replacement for rlogin, rsh, rcp and telnet. Furthermore, any other TCP/IP connection can be tunneled and forwarded securely through SSH. OpenSSH encrypts all transmitted data to prevent eavesdropping, connection hijacking and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
The login process looks like a session created with rlogin or telnet. During connection setup SSH verifies the authenticity of the server with a host key fingerprint. The user is asked to answer yes only the first time a host is contacted; on every later connection the client compares the key the server presents with the stored one and warns if they differ, which is what a man-in-the-middle or a re-installed server looks like. The stored keys live in ~/.ssh/known_hosts (very old clients kept SSH v2 keys in a separate ~/.ssh/known_hosts2; current OpenSSH uses the single known_hosts file). Answering yes on first contact is trust-on-first-use: before doing so, compare the fingerprint shown with one obtained out of band, for example from the server's console or from the administrator, not over the untrusted link itself.
By default, current versions of OpenSSH accept only SSH v2 connections. A client that supports version 2 uses it automatically and falls back to version 1 only if the server offers nothing else. The command line options -1 and -2 force version 1 or 2. Version 1 support remains in the client only for compatibility with very old servers.
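The fingerprint check described above, as an added example that is not part of the original page: the administrator reads the fingerprint of the server's public host key, and the client compares it with what known_hosts has on record before trusting the host. It assumes OpenSSH's ssh-keygen is on PATH; www.881027.com and the key files used in the usage line stand in for the real server and its /etc/ssh/ssh_host_*_key.pub.

```bash
#!/bin/bash
# Added example (not from the original page): compare the host key a client
# has on record with the fingerprint the server administrator supplied out of
# band, instead of typing "yes" at the first-connection prompt unchecked.
# Assumes OpenSSH's ssh-keygen is on PATH; the host name and key files are
# stand-ins for the real server and its /etc/ssh/ssh_host_rsa_key.pub.

# Fingerprint of one public key file. On the server the administrator runs
# this against /etc/ssh/ssh_host_rsa_key.pub and passes the result on by a
# channel that is not the ssh connection being verified (console, ticket,
# configuration management).
key_fingerprint() {  # pubkey_file
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Fingerprint of the key a known_hosts file stores for HOST (servers on a
# non-default port are stored as "[host]:port"). Prints nothing if unknown.
known_hosts_fingerprint() {  # host known_hosts_file
    local tmp
    tmp=$(mktemp) || return 1
    # -F locates the entry, plain or hashed; the "# Host ... found" banner is dropped
    ssh-keygen -F "$1" -f "$2" | grep -v '^#' > "$tmp" || true
    if [ -s "$tmp" ]; then
        # ssh-keygen -l accepts known_hosts-style lines and skips the host field
        ssh-keygen -lf "$tmp" | awk '{ print $2 }'
    fi
    rm -f "$tmp"
}

# 0 if the stored key matches the expected fingerprint, 1 if it differs or is
# missing. A mismatch on a host used before is exactly the warning ssh prints;
# do not just delete the known_hosts line to make it go away.
verify_host_key() {  # expected_fingerprint host known_hosts_file
    local stored
    stored=$(known_hosts_fingerprint "$2" "$3")
    if [ -z "$stored" ]; then
        echo "$2: no key on record; check $1 against the server's own output before connecting" >&2
        return 1
    elif [ "$stored" != "$1" ]; then
        echo "$2: HOST KEY MISMATCH (stored $stored, expected $1); possible man-in-the-middle" >&2
        return 1
    fi
    echo "$2: host key matches $1"
}

# Usage: ./check_hostkey.sh EXPECTED_FINGERPRINT HOST [KNOWN_HOSTS]
if [ $# -ge 2 ]; then
    verify_host_key "$1" "$2" "${3:-$HOME/.ssh/known_hosts}"
fi
```

The fingerprint format (MD5 hex on OpenSSH 5.3, SHA256 base64 on 6.8 and later) only has to agree between the two ssh-keygen invocations being compared, so the administrator and the client should use the same style.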
SSH has two protocol versions:
1. sshv1
sshv1 protects integrity with a CRC-32 check rather than a real MAC, which allows packet insertion attacks; the traffic is encrypted, but the weak integrity protection and other design flaws make it extremely insecure. It is strongly recommended not to use it.
2. sshv2
sshv2 negotiates the encryption and MAC algorithms between client and server, choosing the strongest that both sides support:
Key exchange is based on the DH algorithm, and host identity authentication on RSA or DSA.
The client checks the server's host key to decide whether the connection may continue.
In practice the Protocol option (in sshd_config and ssh_config, or -o Protocol=2 on the ssh command line) forces version 2 or 1.
Version 1 support is kept in the client only for compatibility with old servers.
Set Protocol 2 alone and drop sshv1 altogether; its security is not acceptable.
2. OPENSSH client:
OpenSSH has a C/S architecture, so it consists of two parts: a server and a client. ssh is the usual client on Linux; PuTTY, Xshell, SecureCRT and SSH Secure Shell Client are commonly used on Windows.
2.1 Client components of openssh:
2.1.1 ssh: the client configuration file is /etc/ssh/ssh_config (per-user overrides go in ~/.ssh/config)
Syntax:
ssh [-p PORT] [USERNAME@]HOST [COMMAND]
ssh [-p PORT] -l USERNAME HOST [COMMAND]
# Options such as -p and -l must come before the host; anything after the host is treated as COMMAND.
# If USERNAME is not given, the current local user name is used. If that user does not exist on the remote host, authentication fails.
# COMMAND: do not open an interactive login; just run COMMAND on the remote host and return its output locally.
For example:
To get the ifconfig output of host 192.168.229.202, whose sshd listens on port 2222:
# ssh -p 2222 root@192.168.229.202 ifconfig
2.1.2 scp: a tool for secure file transfer between hosts over the ssh protocol
Syntax:
scp [OPTIONS] SRC1 [SRC2 ...] DEST
There are two situations:
1. The source file is local and the target is remote
# scp /path/to/somefile ... USERNAME@HOST:/path/to/somewhere
This logs on to the remote HOST as USERNAME and copies the local /path/to/somefile to /path/to/somewhere on HOST.
For example:
Copy the local /etc/fstab file to /tmp on the host www.881027.com, whose ssh port is 2222:
# scp -P 2222 /etc/fstab root@www.881027.com:/tmp
# Note: -P (capital) specifies the ssh port of the remote host and, like every option, goes right after the scp command, before the file arguments.
# Note: if the user logged on locally is root, the root@ in root@www.881027.com can be omitted.
2. The source file is remote and the target is local
# scp USERNAME@HOST:/path/to/somewhere /path/to/somewhere
Common options:
-r: copy a directory recursively
-p (lowercase): preserve the source file's modification time, access time and mode. Ownership is not preserved; the copy belongs to the user scp logged in as.
-q: quiet mode
-P PORT: specify the port the remote sshd listens on
For example:
Download /tmp/fstab from the remote host into the local /etc directory:
# scp -P 2222 root@www.881027.com:/tmp/fstab /etc
2.1.3 sftp: an ftp-like file transfer service over ssh
It provides the familiar ftp commands: ls, cd, mkdir, put, get and so on (lcd and lls act on the local side).
Usage: sftp [-oPort=PORT] [USERNAME@]HOST
For example:
Log on to www.881027.com, whose ssh port is 2222, and download /etc/fstab from it to the local machine:
# sftp -oPort=2222 www.881027.com
sftp> get /etc/fstab
sftp> quit
# -oPort= passes the remote port to the underlying ssh; without it the default 22 is used. Without USERNAME@ the local user name is used.
3. openssh server: sshd
Configuration file: /etc/ssh/sshd_config
This file controls the running parameters of the sshd service; most of the best practices below are settings in it.
Run
# man sshd_config
to see the detailed description of every parameter.
Service script: /etc/rc.d/init.d/sshd
Controls the sshd service: start, stop, restart, status and so on. Check the edited file with sshd -t before restarting, and keep the current session open until a fresh login succeeds; a restart does not drop established sessions.
Script configuration file: /etc/sysconfig/sshd
3.1 Frequently modified parameters (the value shown is the default):
Port 22; the listening port
ListenAddress 0.0.0.0; listens on all local addresses by default. It can be set to specific IP addresses only, and may be given several times.
Protocol 2; upstream OpenSSH defaulted to Protocol 2,1 before 5.4, trying 2 first and falling back to sshv1. Set Protocol 2 explicitly.
HostKey /etc/ssh/ssh_host_rsa_key
The RSA host key: the server's private key, whose public half is presented to every connecting client.
HostKey /etc/ssh/ssh_host_dsa_key
The DSA host key. DSA can only sign, so it serves for host identity verification, never for key exchange or encryption. One HostKey line per key type; the client picks one.
KeyRegenerationInterval 1h; how often the ephemeral server key of sshv1 is regenerated. Irrelevant once Protocol 2 is set.
LoginGraceTime 2m; the time allowed to complete authentication after the connection is opened; connections still unauthenticated after this are dropped.
PermitRootLogin yes
yes: root may log in directly over ssh
no: root may not log in directly; log in as an ordinary user and switch with su - root (or sudo) as needed
without-password: root may log in with keys only, not with a password
MaxAuthTries 6; maximum authentication attempts per connection; the connection is closed once it is reached, and failures beyond half of it are logged
MaxSessions 10; maximum number of sessions (shells, commands, subsystems) multiplexed over one network connection; not a limit on users
RSAAuthentication yes; whether pure RSA authentication is allowed; an sshv1-only option
PubkeyAuthentication yes; whether public key (asymmetric) authentication is allowed; the sshv2 option
AuthorizedKeysFile .ssh/authorized_keys
The file holding the keys authorized for a user, relative to that user's home directory. Appending a client's public key to it lets that client log in without a password.
ClientAliveInterval 0; seconds of inactivity after which the server sends a keepalive request to the client; 0 means never send one.
ClientAliveCountMax 3; number of keepalive requests that may go unanswered before the server drops the connection, so a dead client is dropped after about 3 x ClientAliveInterval seconds.
And so on.
Only the common options are listed; there are many more. Refer to # man sshd_config for the full document.
4. sshd authentication methods:
1. Password-based authentication:
Nothing special: user name and password, checked against the system accounts (through PAM on CentOS).
2. Key-based (public key) authentication:
Logic:
A. A key pair is needed. The private key stays on the local (client) machine and never leaves it; protect it with a passphrase.
B. The public key is placed in the user's home directory on the remote host: ~/.ssh/
C. The local public key is appended to ~/.ssh/authorized_keys in that directory on the remote host (authorized_keys, not authorized_users). The .ssh directory must be mode 700 and authorized_keys mode 600; with other modes sshd (StrictModes) silently refuses the key.
Steps:
# ssh-keygen -t rsa    generate the key pair
The default files are ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public).
-f /path/to/somefile: where to store the key file
-N 'passphrase': the passphrase of the new private key; -N '' creates a key without one (only for unattended jobs)
-p: change the passphrase of an existing key; -P '' then supplies the old passphrase (empty here) and -N the new one
The public key can also be pushed to the remote host with one tool, which creates .ssh and authorized_keys with the right permissions:
# ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST
When sshd listens on a non-default port, the ssh-copy-id shipped with CentOS 6 has no -p option; the port is passed inside the quoted target instead:
# ssh-copy-id -i id_rsa.pub "-p 7767 root@sbi.881027.com"
Then test the key by running a command through it; no password prompt should appear:
# ssh -p 7767 root@sbi.881027.com hostname
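What ssh-copy-id does on the remote side, written out as an added example (not code from the page or from OpenSSH) so that the permission rules from step C are visible and testable: it appends a public key to authorized_keys with the modes sshd expects, skips duplicates, and checks the three paths StrictModes inspects. It assumes GNU/Linux (stat -c) and takes any directory as a stand-in for the remote user's home, so it can be exercised locally.

```bash
#!/bin/bash
# Added example (not from the original page): the remote half of ssh-copy-id,
# plus the ownership/mode check that explains why key login "just does not
# work" when a directory is too open. Assumes GNU/Linux (stat -c %a).

# Append one OpenSSH public key to HOME/.ssh/authorized_keys, creating the
# directory and file with the modes sshd expects, skipping duplicates.
install_pubkey() {  # remote_home_dir pubkey_file
    local home=$1 pub=$2 keyline type blob auth
    keyline=$(head -n 1 "$pub")
    type=${keyline%% *}
    case $type in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "$pub does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')   # the base64 key material
    [ -n "$blob" ] || { echo "$pub: missing key material" >&2; return 1; }
    auth=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    [ -e "$auth" ] || ( umask 077; : > "$auth" )   # never exists world-readable, even briefly
    chmod 600 "$auth"
    if grep -qF -- " $blob" "$auth"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$auth"
}

# sshd's StrictModes (on by default) refuses a key if the home directory,
# ~/.ssh or authorized_keys is writable by group or others; /var/log/secure
# then only says "Authentication refused: bad ownership or modes".
writable_by_others() {  # path
    local mode
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 022 )) -ne 0 ]   # the leading 0 makes the shell read the mode as octal
}

check_key_perms() {  # remote_home_dir -> 0 if sshd would accept the key file
    local p
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        if writable_by_others "$p"; then
            echo "StrictModes would reject: $p is group/world writable (mode $(stat -c %a "$p"))" >&2
            return 1
        fi
    done
    return 0
}

# Usage on the server: ./install_key.sh /home/USERNAME /tmp/id_rsa.pub
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2" && check_key_perms "$1"
fi
```

The duplicate check compares only the key material, so the same key copied from two clients with different comments is still stored once; ownership (the directory and file must belong to the logging-in user) is the other thing StrictModes checks and is left to chown.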
5. Best practices for the ssh service:
1. Do not use the default port 22 (this only cuts scanner noise; it is not a security control on its own)
2. Do not use protocol 1: Protocol 2
3. Restrict login users
Whitelist:
AllowUsers user1 user2 user3...
AllowGroups grp1 grp2 ...
Blacklist:
DenyUsers user1 user2
DenyGroups grp1 grp2
# Keep to one type. The directives can technically be combined, but sshd evaluates them in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, which is easy to get wrong; a whitelist alone is the simplest and safest.
4. Set the idle session timeout
ClientAliveInterval 300 # seconds
ClientAliveCountMax 0 # drop the connection at the first missed keepalive
# On the OpenSSH 5.3 shipped with CentOS 6 this disconnects a connection that has carried no traffic for 300 seconds. The mechanism is designed to detect dead connections rather than idle users; on OpenSSH 8.2 and later ClientAliveCountMax 0 disables termination entirely, so use a shell timeout (TMOUT) as well if idle logout is the goal.
5. Use the firewall to set an ssh access policy
6. Listen on a specific IP address only, not on all addresses of the local machine
7. Use strong passwords; for example, generate a random 20-character one:
# tr -dc A-Za-z0-9 </dev/urandom | head -c 20; echo
8. Use key-based authentication (and then set PasswordAuthentication no)
9. Do not allow blank passwords (PermitEmptyPasswords no)
10. Do not allow the administrator to log in directly (PermitRootLogin no)
11. Limit the rate of ssh connection attempts with iptables (for example the recent or hashlimit match on new connections to the ssh port)
12. Keep logs and analyze them regularly (/var/log/secure, lastb)
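The parameter list in section 3.1 and the best-practice list above describe the same settings from two sides; the following added example (not from the original page or from OpenSSH) turns them into an audit of an sshd_config file. It is run here on two constructed sample files, a stock-looking CentOS 6 one and a hardened one, so the checks can be tried before pointing the script at /etc/ssh/sshd_config. It assumes the whitespace-separated "Keyword value" form of the file; the "Keyword=value" spelling is not handled.

```bash
#!/bin/bash
# Added example (not from the original page): audit an sshd_config against
# the best-practice list. Assumes "Keyword value" lines (no "Keyword=value").

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a directive. sshd keywords are case-insensitive, the FIRST
# occurrence wins, and everything after a "Match" line is conditional, so
# reading stops there: a directive that only appears inside a Match block is
# unset globally.
sshd_get() {  # sshd_config_file Directive
    awk -v want="$(lc "$2")" '
        /^[ \t]*#/ || /^[ \t]*$/  { next }
        tolower($1) == "match"    { exit }
        tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print; exit
        }' "$1"
}

# Prints one line per problem; the return value is the number of problems.
sshd_config_audit() {  # sshd_config_file
    local f=$1 n=0 v
    finding() { echo "FAIL: $1"; n=$((n + 1)); }

    v=$(sshd_get "$f" Protocol)
    if [ -z "$v" ]; then finding "Protocol not set; OpenSSH before 5.4 then defaults to 2,1"
    else case ",$v," in *,1,*) finding "Protocol $v still offers sshv1" ;; esac; fi

    v=$(sshd_get "$f" Port)
    if [ -z "$v" ] || [ "$v" = 22 ]; then finding "Port is the default 22"; fi

    v=$(sshd_get "$f" ListenAddress)
    case ${v:-0.0.0.0} in 0.0.0.0*|::*) finding "ListenAddress ${v:-unset}: sshd listens on every local address" ;; esac

    v=$(lc "$(sshd_get "$f" PermitRootLogin)")
    [ "$v" = no ] || finding "PermitRootLogin ${v:-unset (default yes)}: root can log in directly"

    v=$(lc "$(sshd_get "$f" PasswordAuthentication)")
    [ "$v" = no ] || finding "PasswordAuthentication ${v:-unset (default yes)}: switch to keys and turn passwords off"

    v=$(lc "$(sshd_get "$f" PermitEmptyPasswords)")
    [ "$v" != yes ] || finding "PermitEmptyPasswords yes: blank passwords are accepted"

    v=$(lc "$(sshd_get "$f" PubkeyAuthentication)")
    [ "$v" != no ] || finding "PubkeyAuthentication no: key-based login is disabled"

    v=$(sshd_get "$f" ClientAliveInterval)
    [ "${v:-0}" -gt 0 ] 2>/dev/null || finding "ClientAliveInterval ${v:-unset}: idle or dead sessions are never dropped"

    if [ -z "$(sshd_get "$f" AllowUsers)" ] && [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        finding "no AllowUsers/AllowGroups: every local account may log in over ssh"
    fi
    return "$n"
}

# Constructed samples: a stock-looking CentOS 6 file with a few explicit
# choices, and a hardened one (the Match block must not count as global).
write_sample_configs() {  # output_dir
    cat > "$1/weak" <<'EOF'
#Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$1/hardened" <<'EOF'
Port 2222
Protocol 2
ListenAddress 192.168.229.202
permitrootlogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers admin ops
Match Address 192.168.229.0/24
    PasswordAuthentication yes
EOF
}

# Usage: ./sshd_audit.sh [/etc/ssh/sshd_config]; without an argument it audits the samples.
if [ $# -ge 1 ]; then
    sshd_config_audit "$1" && echo "no findings" || echo "$? finding(s) in $1"
else
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    for c in weak hardened; do
        echo "== $c"
        sshd_config_audit "$dir/$c" && echo "no findings" || echo "$? finding(s)"
    done
    rm -rf "$dir"
fi
```

The first-occurrence and Match rules are the part people get wrong when auditing by eye: a PermitRootLogin no added at the bottom of the file does nothing if an earlier line says yes, and a setting that only appears under Match applies to those connections alone.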
After tuning the server according to these best practices, compare the failed login attempts shown by lastb before and after to see the obvious effect. I will look at iptables later and optimize further.
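Item 12 and the lastb comparison above are about reading the authentication log; the following added example (not from the original page) shows two checks a practitioner would actually run over /var/log/secure: failed password attempts per source address, and the one line worth paging for, a successful login from an address that had already failed repeatedly. It runs offline on constructed log lines in the CentOS 6 sshd format; the host name, addresses and user names are made up, and it assumes the standard awk and sort of a Linux base install.

```bash
#!/bin/bash
# Added example (not from the original page): analysis of sshd entries in
# /var/log/secure. The sample lines below are constructed, not real traffic.

write_sample_log() {  # output_file
    cat > "$1" <<'EOF'
Mar  3 10:15:01 web1 sshd[2201]: Failed password for root from 10.0.0.5 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2201]: Failed password for root from 10.0.0.5 port 51235 ssh2
Mar  3 10:15:05 web1 sshd[2203]: Invalid user admin from 10.0.0.5
Mar  3 10:15:05 web1 sshd[2203]: Failed password for invalid user admin from 10.0.0.5 port 51240 ssh2
Mar  3 10:16:00 web1 sshd[2210]: Accepted publickey for deploy from 192.168.229.10 port 40001 ssh2
Mar  3 10:17:22 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 3322 ssh2
Mar  3 10:18:00 web1 sshd[2220]: Accepted password for root from 10.0.0.5 port 51300 ssh2
EOF
}

# "count ip" for every source of failed password attempts, most active first.
# The address is the field after "from", whatever the user part looks like.
failed_by_ip() {  # secure_log
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Brute force that worked: an "Accepted" login from an address that had at
# least THRESHOLD failed password attempts earlier in the log.
# Prints "ip user failures".
brute_force_success() {  # secure_log threshold
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: (Failed password|Accepted) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            if ($0 ~ /Failed password/) fails[ip]++
            else if (fails[ip] >= limit) print ip, user, fails[ip]
        }' "$1"
}

# Usage: ./secure_log.sh [/var/log/secure] [threshold]
log=${1:-/var/log/secure}; limit=${2:-3}
if [ -r "$log" ]; then
    echo "== failed password attempts by source"; failed_by_ip "$log"
    echo "== logins accepted after at least $limit failures"; brute_force_success "$log" "$limit"
fi
```

On the sample, 10.0.0.5 fails three times and is then accepted as root with a password, which is the pattern a brute-force login leaves behind and the reason items 8 and 10 above matter; with lastb the same addresses show up, but the successful login only appears in /var/log/secure (and last).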
In addition, dropbear is a lightweight SSH server and client for embedded systems. It can be compiled and installed, is much smaller than OpenSSH, and is still a complete open-source SSH implementation.