Remote connection to Linux: how SSH remote connection works
Introduction
Today, in almost every Internet enterprise environment, the software most commonly used to provide remote connections to Linux is SSH. SSH has two parts: an SSH client and an SSH server. On the server side the software consists mainly of OpenSSH and OpenSSL; on a Linux system you can check whether the SSH server packages are installed with:
- [root@oldboy66 ~]# rpm -qa openssh openssl
- openssl-1.0.1e-30.el6.x86_64
- openssh-5.3p1-104.el6.x86_64
Tip: OpenSSH is the program that provides the SSH service; OpenSSL is the program that provides the encryption used by SSH connections.
SSH server side introduction
When a Linux system boots, the SSH server program is started with the system by default. The SSH service is a daemon: it runs permanently in the background and responds at all times to connection requests from SSH clients. The SSH server process is named sshd; it listens for remote SSH client connection requests and handles them, which generally involves public key authentication, key exchange, symmetric key encryption and non-secure connections. sshd is one of the services that must be kept enabled at boot when the system is optimized.
View the process: ps -ef
View the port: netstat -lntup
View the configured IP: ifconfig, ip add
- [root@oldboy66 ~]# netstat -lntup | grep ssh
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1202/sshd
- tcp 0 0 :::22 :::* LISTEN 1202/sshd
- [root@oldboy66 ~]# ps -ef | grep sshd
- root 1202 1 0 10:24 ? 00:00:00 /usr/sbin/sshd
- root 1426 1202 0 10:30 ? 00:00:00 sshd: root@pts/0
- root 1533 1433 0 11:02 pts/0 00:00:00 grep sshd
SSH Client Introduction
The most common SSH client on the Windows platform is SecureCRT, which is easy to install. Besides SecureCRT, common choices include Xshell, PuTTY, and the ssh command-line client under Linux.
SSH protocol Introduction
The SSH server and the SSH client communicate through the SSH protocol. SSH is short for Secure Shell, a protocol developed by the IETF Network Working Group. Before data is transferred, SSH encrypts the data packets and only then transmits them, which keeps the transmitted information confidential.
SSH is a security protocol designed for remote login sessions and other network services. It effectively prevents information from leaking during remote administration, so in today's production environments most enterprises use SSH services to replace traditional insecure remote login software such as Telnet (port 23, unencrypted).
The SSH protocol has two incompatible versions, 1.x and 2.x.
OpenSSH supports both SSH 1.x and SSH 2.x. An SSH 2.x client program cannot connect to an SSH 1.x server program; SSH 2.x is more secure than SSH 1.x, and by default the service is provided over the SSH 2.x protocol.
Troubleshooting SSH remote Connections
1. Physical link check
ping server_ip (ICMP protocol, 64-byte packets by default)
If the ping does not get through:
Check whether the server's firewall is blocking it and whether the SSH service is running.
You can turn off the firewall first:
- [root@oldboy66 ~]# /etc/init.d/iptables stop
It is recommended to run this twice in succession.
2. Check that the service is listening
telnet IP port
Telnet is not installed on Linux by default; install it with yum install telnet -y.
Installing Telnet on Windows:
Control Panel → Uninstall a program → Turn Windows features on or off → Telnet Client → OK
Windows and Linux file transfer
How to install the rz and sz commands
Method one: when installing the system, select the package group "Dial-up Networking Support", which contains the rz and sz commands.
Method two: after installing the system, run yum install lrzsz -y or yum groupinstall "Dial-up Networking Support" -y.
Upload command rz
To upload, run the command rz. To overwrite a file of the same name on the server, add the -y parameter: run rz -y and press Enter, and an upload dialog opens; browse to the file to be transferred and upload it. The files selected in this dialog are files sent from the local client computer.
Download command sz
To download, run sz filename. To overwrite a local file of the same name, run sz -y filename; the filename after sz -y is a file in the current directory on the server.
Notes on using rz and sz
They can only upload and download files, not directories; a directory must first be packed into a single file before it is transferred.
The uploaded file can be any file on the local computer, and downloaded files land in the download directory configured in SecureCRT.
Other tools
Besides file transfer commands such as rz and sz, you can also transfer files with FTP, SFTP (provided by the SSH service) and other tools.
Several packages that are often required:
yum install tree telnet lrzsz nmap dos2unix -y
rpm -qa telnet lrzsz dos2unix tree
NIC issues after cloning a VM
First edit /etc/sysconfig/network-scripts/ifcfg-eth0:
- [root@oldboy66 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Delete the two lines:
HWADDR=
UUID=
Then empty the persistent udev rules file:
- [root@oldboy66 ~]# > /etc/udev/rules.d/70-persistent-net.rules
Restart: reboot.
Basic commands
View the system version:
- [root@oldboy66 ~]# cat /etc/redhat-release
- CentOS release 6.6 (Final)
View the kernel version:
- [root@oldboy66 ~]# uname -r
- 2.6.32-504.el6.x86_64
View whether the system is 32- or 64-bit:
- [root@oldboy66 ~]# uname -m
- x86_64
View the host name:
- [root@oldboy66 ~]# hostname
- oldboy66
uname prints system information: -r shows the kernel release, -m the machine type (32- or 64-bit), -n the host name, -a all information.
Linux is multi-tasking, multi-process, multi-CPU and multi-user.
Normally administer the computer as an ordinary user; do not routinely work as the root administrator.
Add an account:
- [root@oldboy66 ~]# useradd oldboy
Set a password:
- [root@oldboy66 ~]# passwd oldboy
- Changing password for user oldboy.
- New password:
- BAD PASSWORD: it is based on a dictionary word
- BAD PASSWORD: is too simple
- Retype new password:
- passwd: all authentication tokens updated successfully.
[root@oldboy66 ~]# is the prompt of the super administrator root.
[oldboy@oldboy66 ~]$ is the prompt of the ordinary user oldboy.
In the prompt, the character before @ is the current user (whoami) and the part after it is the host name (hostname). The prompt is controlled by the environment variable $PS1.
View the current user: whoami
- [oldboy@oldboy66 root]$ whoami
- oldboy
Switching roles: su - username; the - parameter also switches to the target user's environment variables. Switching from a normal user to root requires the root password; from root to a normal user no password is needed.
Tuning and security: turning off SELinux after installing Linux
The procedure is as follows:
1. Modify the configuration file so that turning off SELinux takes effect permanently:
View the configuration file:
- # view the configuration file
- [root@oldboy66 ~]# cat /etc/selinux/config
- # This file controls the state of SELinux on the system.
- # SELINUX= can take one of these three values:
- # (enabled state)
- #     enforcing - SELinux security policy is enforced.
- # (warning state)
- #     permissive - SELinux prints warnings instead of enforcing.
- # (off state)
- #     disabled - No SELinux policy is loaded.
- # (current state)
- SELINUX=enforcing
- # SELINUXTYPE= can take one of these two values:
- #     targeted - Targeted processes are protected,
- #     mls - Multi Level Security protection.
- SELINUXTYPE=targeted
Edit the configuration file with vim:
- [root@oldboy66 ~]# vim /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled.
2. Modification by sed replacement
Back up the file before modifying it:
- [root@oldboy66 ~]# cp /etc/selinux/config /etc/selinux/config.oldboy.20161203
sed replacement:
- [root@oldboy66 ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
Check:
- [root@oldboy66 ~]# grep =disabled /etc/selinux/config
- SELINUX=disabled
See whether it has taken effect:
- [root@oldboy66 ~]# getenforce
- # not yet in effect: the configuration file is only read at boot
- Enforcing
Make it take effect immediately:
- [root@oldboy66 ~]# setenforce
- # 0 means permissive (warn only), 1 means enforcing
- usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
- [root@oldboy66 ~]# setenforce 0
- [root@oldboy66 ~]# getenforce
- # current state: permissive, warnings only
- Permissive
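As an added example (not code from the original article), a shell function that generalizes the sed replacement above: it sets SELINUX= to any of the three valid modes, keeps a dated backup as the article does, and verifies the result afterwards. It assumes GNU sed (for -i) and takes the file path as an argument so it can be tried on a copy of /etc/selinux/config first.

```shell
# Set SELINUX= in an /etc/selinux/config-style file, with backup and post-edit check.
# Usage: set_selinux_mode MODE [FILE]   (MODE is enforcing, permissive or disabled)
set_selinux_mode() {
    mode=$1
    file=${2:-/etc/selinux/config}
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    # Keep a copy first, like the article's cp ... config.oldboy.20161203
    cp "$file" "$file.bak.$(date +%Y%m%d)" || return 1
    # Replace whatever the current value is, not only "enforcing". The ^ anchor
    # leaves the commented documentation lines ("# SELINUX= can take ...") alone.
    sed -i "s#^SELINUX=.*#SELINUX=$mode#" "$file"
    # Verify that exactly one active SELINUX= line now carries the requested mode.
    [ "$(grep -c "^SELINUX=$mode\$" "$file")" -eq 1 ]
}

# Print the mode configured for the next boot. The running mode, which is what
# getenforce reports, is changed separately with setenforce 0/1.
configured_selinux_mode() {
    sed -n 's#^SELINUX=\(.*\)#\1#p' "${1:-/etc/selinux/config}"
}

# Example: cp /etc/selinux/config /tmp/selinux.test && set_selinux_mode permissive /tmp/selinux.test
```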
Set the run level
Linux run levels:
- [root@oldboy66 ~]# tail /etc/inittab
- # Default runlevel. The runlevels used are:
- # (halt)
- #   0 - halt (Do not set initdefault to this)
- # (single-user mode)
- #   1 - Single user mode
- # (multi-user mode, no NFS)
- #   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
- # (full multi-user mode, with NFS)
- #   3 - Full multiuser mode
- # (not used)
- #   4 - unused
- # (graphical interface)
- #   5 - X11
- # (reboot)
- #   6 - reboot (Do not set initdefault to this)
- #
- id:3:initdefault:
Commands:
runlevel: view the current system run level
- [root@oldboy66 ~]# runlevel
- N 3
init: switches the run level; follow it with the number of the desired level.
Streamlining the services started at boot
In an enterprise environment, after the Linux system is installed the services started at boot should be kept to these five:
sshd: required for remote connections to the Linux server, so it must be turned on; otherwise it will not be possible to connect to the server remotely.
rsyslog: the logging mechanism provided by the operating system; system daemons normally use rsyslog to write their various messages to the system log files. Before CentOS 6 this service was named syslog.
network: if network interfaces are to be brought up and down when the system starts, this service should be kept on.
crond: performs the periodic tasks scheduled by the system and by users. Any recurring task requires it to be turned on, and in production it is almost always needed.
sysstat: a package of tools for monitoring system performance and efficiency. They collect performance data such as CPU usage and disk and network throughput, which can be used to judge whether the system is running normally, so it is a good assistant for improving operating efficiency and running the service safely.
Main tools integrated in the sysstat package:
iostat provides data on CPU usage and hard drive throughput.
mpstat provides data for a single processor or for multiple processors.
sar collects, reports and stores information about system activity.
Setting up the boot-time services
Method one:
View the services:
chkconfig --list
View the services started at run level 3:
chkconfig --list | grep 3:on
View the services other than sshd, network, rsyslog, crond and sysstat:
chkconfig --list | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat'
Turn off all services except sshd, network, rsyslog, crond and sysstat:
- for name in $(chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat'); do chkconfig $name off; done
View the result:
chkconfig --list | grep 3:on
Method two:
First assemble the commands that will turn the services off:
chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat' | sed -r 's#(.*)#chkconfig \1 off#g'
Output:
chkconfig atd off
chkconfig ntpd off
...
Then hand the output to bash for execution:
chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat' | sed -r 's#(.*)#chkconfig \1 off#g' | bash
View the result:
chkconfig --list | grep 3:on
Method three:
First assemble the commands that will turn the services off:
- chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat' | awk '{print "chkconfig " $1 " off"}'
Output:
chkconfig atd off
chkconfig ntpd off
...
Then hand the output to bash for execution:
- chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat' | awk '{print "chkconfig " $1 " off"}' | bash
View the result:
chkconfig --list | grep 3:on
Method four:
Run setup and select the services interactively.
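As an added example (not code from the original article), the filter that methods one to three share, written as shell functions over `chkconfig --list` text. The keep-list regex is anchored so that it matches whole service names only (the article's unanchored grep -Ev would also spare any service whose name merely contains "network"), and the commands are only printed for review, as in methods two and three, until the output is piped to bash. The chkconfig output below is constructed sample data.

```shell
# Constructed sample of `chkconfig --list` output (CentOS 6 format); a stand-in for the live command.
SAMPLE_CHKCONFIG='atd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond      0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables   0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
ntpd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
postfix    0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat    0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd     0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# The five services the article keeps enabled at boot.
KEEP_SERVICES='sshd|network|rsyslog|crond|sysstat'

# Read chkconfig --list output on stdin and print the names of services that are
# on at run level 3 and not in the keep list. The regex is anchored with ^ and $
# so only exact service names are kept, not every name containing a keep word.
services_to_disable() {
    awk -v keep="^(${KEEP_SERVICES})\$" '$0 ~ /3:on/ && $1 !~ keep { print $1 }'
}

# Turn that list into "chkconfig NAME off" commands for review. Nothing is
# executed here; append "| bash" only after checking the printed list.
disable_commands() {
    services_to_disable | awk '{ print "chkconfig " $1 " off" }'
}

# Example dry run on the sample: printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands
# On a live CentOS 6 host:      chkconfig --list | disable_commands
```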
Turning off the iptables firewall
View the firewall rules:
- [root@oldboy66 ~]# iptables -L -n
Turn off the firewall:
- [root@oldboy66 ~]# /etc/init.d/iptables stop
View the firewall status:
- [root@oldboy66 ~]# /etc/init.d/iptables status
- # already stopped
- iptables: Firewall is not running.
Do not start it at boot:
- [root@oldboy66 ~]# chkconfig iptables off
chkconfig sets which services start at boot.
The minimization principle of Linux system security
- Install the Linux system minimally: install the minimum set of packages, install the minimum with yum, and do not install packages that are not needed.
- Minimize the services started at boot: useless services are not turned on.
- Minimize the operating commands, for example use rm -f test.txt rather than rm -fr test.txt.
- Minimize the users who can log in to Linux.
- Minimize the permissions granted to ordinary users: grant only the system administration commands that are necessary.
- Minimize the permissions on Linux files and directories; forbid arbitrary creation, modification and deletion of files.
Linux Basics Introduction (Part 2)