Linux Network Service 10--remote access and control

Source: Internet
Author: User

I. SSH Overview

1. Introduction to SSH

SSH (Secure Shell) is a secure channel protocol used mainly for remote login to a character-mode (command-line) interface and similar tasks. SSH encrypts all data transmitted between the two parties, including the password the user types when logging in, so compared with earlier remote login applications such as telnet it provides much better security.

2. Default listening port: TCP 22

II. OpenSSH configuration

1. OpenSSH installation packages

OpenSSH is installed automatically by a default Linux installation. If it is not installed, install the following RPM packages from the installation CD:

openssh-5.3p1-94.el6.x86_64.rpm

openssh-askpass-5.3p1-94.el6.x86_64.rpm

openssh-clients-5.3p1-94.el6.x86_64.rpm

openssh-server-5.3p1-94.el6.x86_64.rpm

• Service name: sshd

• Server-side main program: /usr/sbin/sshd

• Server configuration file: /etc/ssh/sshd_config

• Client configuration file: /etc/ssh/ssh_config

2. Server-side OpenSSH configuration

Add the following directives manually to /etc/ssh/sshd_config:

AllowUsers: user amber may log in from any client; user zhangsan may log in only from the client with IP address 192.168.1.51. Only these two users are allowed to log in remotely through the SSH protocol.

DenyUsers: deny login for user lisi.

Note: do not use AllowUsers and DenyUsers at the same time.

After modifying the configuration file, restart the sshd service.

III. Using the SSH client program

1. Command usage:

(1) ssh command (remote secure login)

Format: ssh user@host (if the user name on the client and on the server is the same, the user@ part can be omitted)

Port option: -p 22 (note that ssh takes the port with a lowercase -p, while scp uses an uppercase -P)

(2) scp command (remote secure copy)

Format 1: scp user@host:file1 file2 (copy from the remote host to the local host)

Format 2: scp file1 user@host:file2 (copy from the local host to the remote host)

1> Copying files from the server to the client (server-side and client-side screenshots omitted)

2> Copying files from the client to the server (client-side and server-side screenshots omitted)

(3) sftp command (secure FTP upload and download)

Format: sftp user@host

Client session (screenshot omitted)

2. Common remote access tools: Xshell, CRT, PuTTY, Xmanager (remote graphical interface), etc.

IV. Building an SSH system with key pair authentication

1. Create a key pair on the client

ssh-keygen command

Available cryptographic algorithms: RSA or DSA

2. Upload the public key to the server

(1) Method one: any transfer method works (file sharing, FTP, email, scp, ...)

Client: (screenshot omitted)

Server: import the public key text on the server (append it to ~/.ssh/authorized_keys)

(2) Method two: ssh-copy-id command

First delete the public key file copied previously on the server:

[user@server ~]$ rm -f .ssh/authorized_keys

Client: (screenshot omitted)

Server side: (screenshot omitted)

3. Use key pair authentication on the client

(1) Confirm that key pair authentication is enabled in the server configuration file /etc/ssh/sshd_config

(2) The client logs in using the key pair (screenshot omitted):
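Step 3(1) asks you to confirm that the server really allows key pair authentication. As an added example (not code from the original page), the POSIX sh script below reads an sshd_config the way sshd does (first uncommented occurrence wins, global section only) to get the effective PubkeyAuthentication and AuthorizedKeysFile values, and then checks the ~/.ssh permissions that most often make a correctly copied key fail under the default StrictModes. It assumes GNU stat and runs against a constructed config file, not /etc/ssh/sshd_config.

```shell
# Added example (not the page's own code): verify in a script that an sshd_config
# really enables public-key login, and that ~/.ssh/authorized_keys has
# permissions sshd (StrictModes yes, the default) will accept.

sshd_effective() {   # sshd_effective FILE KEYWORD DEFAULT -> prints the effective value
  # sshd uses the FIRST uncommented occurrence of a keyword; keywords are
  # case-insensitive. Reading stops at the first Match line, so only the
  # global section is considered.
  key=$(echo "$2" | tr 'A-Z' 'a-z')
  val=$(awk -v key="$key" '
      /^[ \t]*#/ || NF < 2 { next }
      tolower($1) == "match" { exit }
      tolower($1) == key     { print $2; exit }' "$1")
  echo "${val:-$3}"
}

pubkey_auth_enabled() {   # pubkey_auth_enabled SSHD_CONFIG -> exit 0 when key login is possible
  [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] &&
  [ "$(sshd_effective "$1" AuthorizedKeysFile .ssh/authorized_keys)" != none ]
}

authorized_keys_perms_ok() {   # authorized_keys_perms_ok HOMEDIR -> exit 0 when sshd will use the key file
  # Neither ~/.ssh nor authorized_keys may be group- or world-writable.
  # Assumes GNU stat (Linux); on BSD/macOS use stat -f '%Lp' instead.
  for f in "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$f" ] || return 1
    [ $(( 0$(stat -c '%a' "$f") & 022 )) -eq 0 ] || return 1
  done
}

# Constructed demo: a config that only LOOKS enabled (the "yes" is commented out)
tmp=$(mktemp); printf '#PubkeyAuthentication yes\nPubkeyAuthentication no\n' > "$tmp"
pubkey_auth_enabled "$tmp" && echo "key-pair login enabled" || echo "key-pair login disabled"
rm -f "$tmp"
```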

V. TCP Wrappers

1. TCP Wrappers protection principle (diagram omitted)

2. How the protection mechanism is implemented

Mode 1: the tcpd main program wraps other service programs

Mode 2: the service program itself calls the libwrap.so.* link library

3. Conditions for TCP Wrappers protection

(1) The service must use the TCP protocol

(2) The program's library dependencies must include libwrap.so.0 (check with the ldd command)

This shows that the sshd service can be protected by TCP Wrappers, whereas httpd, although it is also a TCP service, is not linked against libwrap and therefore cannot be protected by TCP Wrappers.

4. Access control policy configuration files

/etc/hosts.allow

/etc/hosts.deny

Access control policy processing flow (flowchart omitted)

Thus the /etc/hosts.allow file has the higher priority: if the same IP address appears in both hosts.allow and hosts.deny, the access request from that IP address is accepted.

5. Configuration items and formats

(1) Format:

Service list : client address list

Service list:

• Multiple services, for example: vsftpd,sshd

• All services: ALL

Client address list:

• Multiple addresses, for example: 192.168.1.1,192.168.1.10

• All addresses: ALL

• Wildcard ?, for example: 192.168.1.?,192.168.2.1??

• Wildcard *, for example: 192.168.1.1*

• Network segment address, for example: 192.168.1. or 192.168.1.0/255.255.255.0

(2) Wildcard characters

1> Wildcard ?: each ? stands for exactly one digit. For example, 192.168.1.1? means 192.168.1.10~192.168.1.19, and 192.168.1.1?? means 192.168.1.100~192.168.1.199.

2> Wildcard *: stands for any number of digits, including none. For example, 192.168.1.1* means 192.168.1.1, 192.168.1.10~192.168.1.19 and 192.168.1.100~192.168.1.199.

(3) Configuration example

Requirement: allow only hosts with IP addresses 192.168.1.100~192.168.1.199 to access the sshd service, and deny access from all other addresses.

Test from client1: (screenshot omitted)

Test from client2: (screenshot omitted)
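As an added example (not part of the original page), the POSIX sh script below re-implements the hosts.allow / hosts.deny decision from sections 4 and 5: hosts.allow is consulted first, then hosts.deny, and when neither file matches access is granted. It handles the pattern forms listed above (ALL, exact address, ? and * wildcards, the trailing-dot network prefix and the net/mask form); EXCEPT clauses and hostnames are not covered. The two policy files reproducing the exercise above (hosts.allow containing sshd:192.168.1.1?? and hosts.deny containing sshd:ALL) are my construction, written to a temporary directory rather than /etc.

```shell
# Added example (not the page's own code): a small re-implementation of the
# hosts.allow / hosts.deny decision for the pattern forms this page lists.
# Real tcp_wrappers also knows EXCEPT, hostnames and more; those are omitted.

ip2int() {   # dotted quad -> integer
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24) | (b<<16) | (c<<8) | d )); }
}

pat_match() {   # pat_match PATTERN IP -> exit 0 when the client IP matches
  pat=$1; ip=$2
  case "$pat" in
    ALL) return 0 ;;
    */*) net=$(ip2int "${pat%/*}"); mask=$(ip2int "${pat#*/}")   # 192.168.1.0/255.255.255.0
         [ $(( $(ip2int "$ip") & mask )) -eq $(( net & mask )) ] ;;
    *.)  case "$ip" in "$pat"*) return 0 ;; esac; return 1 ;;     # 192.168.1. = whole segment
    *)   case "$ip" in $pat) return 0 ;; esac; return 1 ;;        # exact, or ? / * as a glob
  esac
}

in_list() {   # in_list "a,b" ITEM MODE(svc|ip) -> 0 if any comma-separated entry matches
  item=$2; mode=$3
  for entry in $(echo "$1" | tr ',' ' '); do
    if [ "$mode" = ip ]; then pat_match "$entry" "$item" && return 0
    else [ "$entry" = ALL ] || [ "$entry" = "$item" ] && return 0; fi
  done
  return 1
}

file_matches() {   # file_matches FILE SERVICE IP -> 0 if a "services : clients" rule matches
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                     # strip comments
    case "$line" in *:*) ;; *) continue ;; esac
    in_list "${line%%:*}" "$2" svc && in_list "${line#*:}" "$3" ip && return 0
  done < "$1"
  return 1
}

decide() {   # decide ALLOW_FILE DENY_FILE SERVICE IP -> prints allow or deny
  if file_matches "$1" "$3" "$4"; then echo allow        # hosts.allow wins
  elif file_matches "$2" "$3" "$4"; then echo deny
  else echo allow; fi                                     # no rule at all: allowed
}

# Constructed policy reproducing the page's exercise, written to a temp dir, not /etc
d=$(mktemp -d); printf 'sshd:192.168.1.1??\n' > "$d/hosts.allow"; printf 'sshd:ALL\n' > "$d/hosts.deny"
decide "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.1.150   # allow
decide "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.1.50    # deny
rm -rf "$d"
```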
