1. Introduction to SSH and OpenSSH:
SSH:
SSH (Secure Shell) is a network protocol and tool for secure remote access. It has a client/server (C/S) structure. Before SSH, the earliest tool for connecting to a remote computer was Telnet.
Telnet communicates in clear text, so its security is poor; do not use Telnet unless you are in an emergency.
SSH is much safer than Telnet, and OpenSSH is the open-source implementation of SSH (not to be confused with OpenSSL, which is a TLS/crypto library).
OpenSSH
It can be used as a direct replacement for rlogin, rsh, rcp and Telnet. Further, any other TCP/IP connection can be tunneled/forwarded securely through SSH. OpenSSH encrypts all transmissions, effectively blocking eavesdropping, connection hijacking and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
The login process is very similar to a session established with rlogin or Telnet. When connecting, SSH uses the server's host key (shown to the user as a fingerprint) to verify the authenticity of the server. The user is asked to type yes only on the first connection; subsequent connections are validated against the saved host key. If the saved key does not match the one received at login, a warning is given and, by default, password authentication is disabled for that connection so that a credential cannot leak to a man-in-the-middle. Host keys are stored in ~/.ssh/known_hosts; very old OpenSSH releases kept the SSH v2 keys separately in ~/.ssh/known_hosts2.
By default, newer versions of OpenSSH only accept SSH v2 connections. If version 2 is available, the client program uses it automatically; otherwise it falls back to version 1 (if that is still enabled). You can force version 1 or 2 with the command-line options -1 or -2. Version 1 support in the client exists only for compatibility with earlier servers.
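To make the host-key check described above concrete, here is an added example (not code from the original post and not OpenSSH's own code) in Python that performs the known_hosts lookup the client does: plain comma-separated name entries, [host]:port entries for non-default ports, hashed entries of the form written by HashKnownHosts, and the three possible outcomes: first connection, match, and mismatch. The known_hosts content, the salt and the key blobs are constructed for the example and are not real keys.

```python
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' form that ssh writes with HashKnownHosts yes:
    HMAC-SHA1 keyed with a random 20-byte salt over the host name."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(name_field: str, host: str) -> bool:
    """The first known_hosts field is either a comma-separated list of names
    (a non-default port is written as [host]:port) or a hashed '|1|salt|hash'."""
    if name_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = name_field.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), actual)
    return host.lower() in (n.lower() for n in name_field.split(","))


def check_host_key(known_hosts: str, host: str, key_type: str,
                   key_b64: str) -> str:
    """Mimic the client's decision: 'first-connection' when no key of this
    type is saved for the host (ssh prompts yes/no and appends the key),
    'ok' when the saved key matches, 'MISMATCH' when a saved key of this type
    differs (ssh prints the REMOTE HOST IDENTIFICATION HAS CHANGED warning).
    Keys are compared as the raw base64 blob, as OpenSSH does."""
    seen = False
    for raw in known_hosts.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked markers, skipped here
            fields = fields[1:]
        if len(fields) < 3:
            continue
        names, ktype, blob = fields[0], fields[1], fields[2]
        if ktype != key_type or not host_matches(names, host):
            continue
        seen = True
        if blob == key_b64:
            return "ok"
    return "MISMATCH" if seen else "first-connection"


# Constructed sample data for the example: the blobs are NOT real keys,
# just base64 of bytes shaped like an ssh-rsa key.
SALT = bytes(range(20))
KEY_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 40).decode()
OTHER_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 40).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, not real keys",
    "www.881027.com,192.168.229.202 ssh-rsa " + KEY_BLOB,
    "[192.168.229.202]:2222 ssh-rsa " + KEY_BLOB,
    hash_hostname("hashed.example", SALT) + " ssh-rsa " + KEY_BLOB,
])

if __name__ == "__main__":
    for h, k in [("www.881027.com", KEY_BLOB), ("192.168.229.202", OTHER_BLOB),
                 ("hashed.example", KEY_BLOB), ("new.example", KEY_BLOB)]:
        print(h, "->", check_host_key(SAMPLE_KNOWN_HOSTS, h, "ssh-rsa", k))
```

The MISMATCH outcome is the one to take seriously: a different key for a host you have connected to before means either the server was reinstalled or someone is sitting between you and it, and the right response is to verify the fingerprint out of band, not to delete the known_hosts line and retry.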
There are two versions of SSH:
1. SSHv1
SSHv1 encrypts the session, but its integrity check is only a CRC-32 rather than a real MAC, so an attacker can insert or modify ciphertext without being detected (the insertion attack). It is strongly recommended not to use it: very insecure.
2. SSHv2
SSHv2 negotiates the cipher and MAC between the two hosts and picks the strongest method both support:
The encryption mechanism and the MAC mechanism are selected by both parties.
Key exchange is based on the DH (Diffie-Hellman) algorithm; host and user authentication are based on RSA or DSA signatures.
The client decides whether it can continue to communicate by checking the server's host key against its saved copy.
In practice, you can force version 1 or 2 with the command-line options -1 or -2, or with the Protocol directive in the configuration file.
Version 1 support in the client exists only for compatibility with earlier versions; you can write Protocol 2 alone to drop SSHv1, whose security is not acceptable.
2. OpenSSH client:
OpenSSH has a C/S architecture, so there are two parts, server and client. The common client software on Linux is ssh; on Windows, PuTTY, Xshell, SecureCRT, SSH Secure Shell Client and so on are commonly used.
2.1 OpenSSH client-side components:
2.1.1 ssh; its configuration file is /etc/ssh/ssh_config
Syntax:
ssh [-p port] [username@]host [command]
ssh [-p port] -l username host [command]
# If no username is given, the name of the current local user is used to attempt the login; if that user does not exist on the remote host, an error results.
# If COMMAND is given, there is no interactive login: COMMAND is executed on the remote host and its output is returned to the local machine.
# Note that options such as -p (lowercase for ssh) must come before the host; everything after the host is passed to the remote host as the command and its arguments.
For example:
To get the ifconfig output of host 192.168.229.202, whose sshd listens on port 2222:
# ssh -p 2222 username@192.168.229.202 ifconfig
2.1.2 scp: a tool for secure file copying between hosts over the SSH protocol
Syntax:
scp [options] SRC1 ... DEST
Two cases:
1. The source file is on this machine and the target is remote:
# scp /path/to/somefile username@host:/path/to/somewhere
This copies the local file /path/to/somefile to /path/to/somewhere on the remote host, logging in to the remote host as username.
For example:
Copy the local /etc/fstab to /tmp on host www.881027.com; note that the ssh port of www.881027.com is 2222:
# scp -P 2222 /etc/fstab username@www.881027.com:/tmp
# Note that scp uses an uppercase -P for the port (lowercase -p means preserve, see below), and that the options must come right after the scp command, before the source and destination.
# Note that if the remote user is the same as the current local user (for example root on both sides), the username@ part can be omitted.
2. The source file is remote and the target is local:
# scp username@host:/path/to/somewhere /path/to/somewhere
Common options:
-r: copy directories recursively
-p: preserve the source file's mode and timestamps (scp writes the file as the user you log in as, so ownership is not carried over; it cannot be, if that user does not exist on the other side or is not root)
-q: quiet mode
-P port: specify the port on which the remote sshd listens
For example: download the remote host's /tmp/fstab to the local /etc:
# scp -P 2222 username@www.881027.com:/tmp/fstab /etc
2.1.3 sftp: an FTP-like file transfer service over SSH
After logging in with sftp you can use many familiar commands, such as ls, cd, mkdir, put, get and the other FTP-style commands (these are sftp's own commands, not bash).
Usage: sftp username@host
For example:
Log in with sftp to www.881027.com (ssh port 2222) and download the /etc/fstab file from that host to the local machine with get /etc/fstab at the sftp> prompt:
# sftp -oPort=2222 username@www.881027.com   # -oPort specifies the remote port; if it is not specified, the default 22 is used
3. Server side of OpenSSH: sshd
Configuration file: /etc/ssh/sshd_config
It sets the ssh port and controls the various operating parameters of the sshd service; many of them are used in the best practices below.
You can run
# man sshd_config
to see a detailed description of each parameter and how to use it.
Service script: /etc/rc.d/init.d/sshd
Controls the sshd service: start, stop, restart, status, and so on.
Script configuration file: /etc/sysconfig/sshd
3.1 Parameters that you often need to modify:
Port 22: the listening port; change it from the default.
ListenAddress 0.0.0.0: by default sshd listens on all local addresses; set this to listen only on a specific IP address.
Protocol 2,1: prefer 2, fall back to SSHv1; write Protocol 2 to disable SSHv1.
HostKey /etc/ssh/ssh_host_rsa_key: the RSA host key presented when a client connects.
HostKey /etc/ssh/ssh_host_dsa_key: the DSA host key presented when a client connects (DSA keys can only sign, i.e. authenticate).
KeyRegenerationInterval 1h: how often the ephemeral SSHv1 server key is regenerated (protocol 1 only).
LoginGraceTime 2m: the login grace period, i.e. how long you get to enter the account and password after the connection opens before the server disconnects.
PermitRootLogin yes: allow root to log in directly over ssh; no: root cannot log in directly, but as needed you can log in as an ordinary user and then su - root.
MaxAuthTries 6: the maximum number of authentication attempts per connection.
MaxSessions 10: the maximum number of sessions per connection.
RSAAuthentication yes: whether to enable RSA authentication (SSHv1 only).
PubkeyAuthentication yes: enable public key authentication (asymmetric encryption, SSHv2).
AuthorizedKeysFile .ssh/authorized_keys: the authorized keys file; a user's public key appended to this file allows password-free login.
ClientAliveInterval 0: the interval, in seconds, at which the server sends a keep-alive request to the client; 0 means never.
ClientAliveCountMax 3: after this many unanswered client-alive requests the server drops the connection (the default is 3).
I have only listed some common options; there are many more, and you can run # man sshd_config to go through the documentation.
4. sshd authentication methods:
1. Password-based authentication:
Nothing special to say: user name and password.
2. Key-based authentication (public key authentication):
Logic:
A. You need a key pair; the private key stays on the local machine.
B. The public key goes to the remote host, into the target user's home directory: ~/.ssh/
C. Append the local public key to ~/.ssh/authorized_keys in the remote user's home directory (with StrictModes, the default, sshd ignores the file unless ~/.ssh and authorized_keys are writable only by their owner, so use mode 700 and 600).
Steps:
# ssh-keygen -t rsa   generates the key pair; the default files are ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public)
  -f path/to/somefile: where to save the key file
  -N 'passphrase': the passphrase protecting the new private key (-P supplies the old passphrase when you later change it with -p)
You can also use a tool to install the public key on the remote host directly:
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@host
With older ssh-copy-id versions, a non-default port has to be quoted together with the host:
# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 7767 username@host"
Then test the login (with whatever port your server uses):
# ssh -p 222 hostname
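Before appending a key to authorized_keys it is worth checking what you are installing. The following is an added example, written for this page and not code from the original post or from OpenSSH, that parses one authorized_keys line in Python: the optional options field (from=, command=, no-pty and so on, which may contain quoted spaces and commas), the key type, the base64 key blob and the comment. It decodes the blob, checks that the type embedded in the blob matches the declared type (sshd rejects the line otherwise), reports the RSA modulus size, and computes the MD5 fingerprint that ssh-keygen -l printed on CentOS 6 as well as the SHA256 fingerprint newer OpenSSH prints. The sample key is constructed (the exponent and modulus are not a real RSA key, only a correctly formatted 2048-bit blob).

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; the extra byte keeps a
    value whose top bit is set from being read as negative."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset off; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """Wire format of an ssh-rsa public key (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprints(blob: bytes):
    """MD5 fingerprint (colon-separated hex, the CentOS 6 era ssh-keygen -l output)
    and SHA256 fingerprint (unpadded base64, what newer OpenSSH prints)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ("MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256:" + sha)


def _split_quoted(text: str, is_sep) -> list:
    """Split on separator characters that are not inside double quotes
    (options such as command="ls -l" or from="a,b" contain them)."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line: [options] key-type base64-blob [comment].
    Raises ValueError for lines sshd would reject (bad base64, or a blob whose
    embedded type differs from the declared type)."""
    fields = _split_quoted(line.strip(), str.isspace)
    if not fields or fields[0].startswith("#"):
        raise ValueError("blank or comment line")
    options = []
    if fields[0] not in KEY_TYPES:          # an options field precedes the type
        options, fields = _split_quoted(fields[0], lambda c: c == ","), fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no recognised key type")
    key_type, comment = fields[0], " ".join(fields[2:])
    blob = base64.b64decode(fields[1], validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError("blob type %r does not match declared %s" % (embedded, key_type))
    bits = None
    if key_type == "ssh-rsa":               # modulus size, so policy can reject short keys
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    md5_fp, sha256_fp = fingerprints(blob)
    return {"options": options, "type": key_type, "bits": bits,
            "comment": comment, "md5": md5_fp, "sha256": sha256_fp}


# Constructed sample: e and n are NOT a real RSA key, just a 2048-bit odd modulus.
SAMPLE_BLOB = build_rsa_public_blob(65537, (1 << 2047) | 1)
SAMPLE_LINE = ('from="192.168.229.0/24",no-pty,command="/usr/bin/rsync --server" '
               'ssh-rsa ' + base64.b64encode(SAMPLE_BLOB).decode() + ' deploy@client')

if __name__ == "__main__":
    print(parse_authorized_key(SAMPLE_LINE))
```

The options field is where key-based login is restricted in practice: from= limits the source addresses, command= pins the key to one program, and no-pty/no-port-forwarding remove capabilities the key does not need, which matters for keys used by automation.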
5. Best practices for the SSH service:
1. Do not use the default port 22
2. Do not use protocol 1
3. Restrict the users who can log in
White list:
AllowUsers user1 user2 user3 ...
AllowGroups grp1 grp2 ...
Black list:
DenyUsers user1 user2 ...
DenyGroups grp1 grp2 ...
# sshd evaluates these in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; keep the policy simple and use only one of the two styles
4. Set an idle session timeout
ClientAliveInterval   # seconds between the server's keep-alive probes
ClientAliveCountMax 0   # the maximum idle count is 0, so the session is dropped at the first unanswered probe
5. Use the firewall to set the SSH access policy
6. Listen only on specific IP addresses, not on all IP addresses of this machine
7. Use a strong password policy, for example generating random passwords with:
# tr -dc a-zA-Z0-9 </dev/urandom | head -c 20 | xargs
8. Use key-based authentication
9. Prohibit blank passwords (PermitEmptyPasswords no)
10. Prevent administrators from logging in directly (PermitRootLogin no)
11. Limit the frequency of SSH connection attempts
iptables can do this (for example with its recent or limit match).
12. Keep logs and analyse them regularly
If you harden the server according to these best practices and compare the lastb output (failed logins, i.e. ssh attacks) before and after, you will see an obvious effect. After you learn iptables, optimise further.
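The parameters listed in section 3.1 and the best practices above are easy to check mechanically. Here is an added example, written for this page and not code from the original post or from OpenSSH, that parses an sshd_config in Python the way sshd reads it (the first occurrence of a keyword wins, Allow/Deny lists accumulate, comments are stripped, and everything after the first Match line is conditional and is ignored here as a simplification) and audits the result against the practices above, using the stock defaults for keywords that are absent. The two sample configurations, one resembling a stock CentOS 6 file and one hardened, are constructed for the example.

```python
import re

# Stock defaults that apply when a keyword is absent (CentOS 6 era sshd).
DEFAULTS = {
    "port": "22", "protocol": "2", "permitrootlogin": "yes",
    "permitemptypasswords": "no", "passwordauthentication": "yes",
    "pubkeyauthentication": "yes", "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}
LIST_KEYWORDS = ("allowusers", "allowgroups", "denyusers", "denygroups")


def parse_sshd_config(text: str) -> dict:
    """Return {lowercase keyword: value}. sshd applies the FIRST occurrence of a
    keyword and ignores later duplicates, except the Allow/Deny lists, which
    accumulate. Lines after the first Match block header are conditional and
    are ignored here (a simplification of this example)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in LIST_KEYWORDS:
            conf.setdefault(key, []).extend(value.split())
        else:
            conf.setdefault(key, value)                # first occurrence wins
    return conf


def audit_sshd_config(conf: dict) -> list:
    """Check a parsed config against the best practices on this page and
    return human-readable findings (an empty list means every check passed)."""
    def get(key):
        return str(conf.get(key, DEFAULTS.get(key, ""))).lower()

    findings = []
    if get("port") == "22":
        findings.append("Port 22 (default) in use")
    if "1" in get("protocol").split(","):
        findings.append("Protocol 1 enabled")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: listening on all addresses")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication disabled")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: prefer key-based login")
    if get("clientaliveinterval") == "0":
        findings.append("ClientAliveInterval 0: no idle timeout")
    has_allow = any(k in conf for k in LIST_KEYWORDS[:2])
    has_deny = any(k in conf for k in LIST_KEYWORDS[2:])
    if has_allow and has_deny:
        findings.append("both Allow* and Deny* lists set: keep to one style")
    elif not (has_allow or has_deny):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups restriction")
    return findings


# Constructed samples: a weak file resembling stock CentOS 6, and a hardened one.
WEAK_CONFIG = """\
# constructed sample resembling a stock CentOS 6 /etc/ssh/sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
ClientAliveInterval 0
ClientAliveCountMax 3
"""

HARDENED_CONFIG = """\
# constructed sample applying the best practices above
Port 2222
ListenAddress 192.168.229.202
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers deploy admin
AllowGroups wheel
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(parse_sshd_config(text)) or ["OK"])
```

Run it against a copy of your own /etc/ssh/sshd_config before and after hardening; a useful habit is to also run sshd -t after editing, so that a syntax error does not lock you out when the service is restarted.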
In addition, there is a small program, dropbear, a lightweight SSH client and server for embedded systems; you can compile and install it to test. It is much smaller than OpenSSH, but it is a full-featured open-source SSH tool.
Introduction to SSH under CentOS 6 and application of OpenSSH