As a network administrator, we can not always operate in the computer room server, for Windows Server, we are able to operate through remote terminal or NetMeeting. But what about Linux servers? We can also use Remote Tools to operate, commonly used remote management services, such as TELNET,SSH,VNC, these remote management services can be used for remote management, but they are in the function and use of the same. Today, let's talk about managing a Linux server using these different remote management services tools. The server IP address in this article is 192.168.99.9, the server uses the system as: CentOS 5.
First,
Telnet
1.
Software Installation:We can use the Rpm-qa|grep telnet command to query the system installed Telnet, such as: The system is installed by default Telnet client, does not install Telnet Server, Telnet server needs xinetd support, So we need to install these two packages manually, such as:
2.
Start
Telnet
ServiceUsing the command vi/etc/xinetd.d/telnet, edit the Telnet service, and the Telnet service will be activated Disable=yes this is disable=no. Use the service xinetd Start command to start the Telnet service. We can use telnet IP command to test, such as Telnet 192.168.99.199 this machine, for example, can be normal telnet to 192.168.99.199. We'll find another Windows machine to telenet our Linux service, if we log in with the root account, we will prompt login incorrect because Telnet does not allow Telnet to the Linux system as root by default.
3.
Configuration
telnet
ServiceTelnet transmits passwords and data in plaintext, and if used directly by default, there is a significant security risk, so we have to make some restrictions on the Telnet service. Use the command vi/etc/xinetd.d/telnet to edit the Telnet service, such as: Description: bind=192.168.99.9 #本机的IP地址only_from =192.168.99.0/24 # Only allow 192.168.99.0--192.168.99.255 the address of this network segment telnet in, if necessary can also be set to allow only one machine telnet in. no_access=192.168.99. {11,13} #不允许192.168.99.11 and 192.168.99.13 These two IP addresses telnet in. access_times=8:00-12:00 #每天只在这个时间段内开放telnet服务.
4.
Set
telnet
PortTelnet uses port 23 to communicate by default, which we all know and can easily be exploited by someone with ulterior motives, so we will need to change the default port to increase security, such as 2300 instead. Using the vi/etc/services command, locate Telnet 23/tcp and Telnet 23/udp to telnet 2300/tcp and Telnet 2300/upd, such as:
5.
Open
Root
User LoginAlthough Telnet does not allow the root user to log on by default, we can still turn it on, use the command Mv/etc/securetty/etc/securetty.bak, restart the Telnet service, and now log in with the root user. As shown, however, it is not recommended to turn on the login permission of the root user, which increases the security risk.
Second,
OpenSSHBecause Telnet is transmitted in plaintext, there is a significant security risk and is now being superseded by another remote Management Service-SSH service. SSH uses encrypted transmission, and in the user authentication method, the public key encryption method can be used, the overall security is improved. Let's take a look at what the SSH service is about:
1.
Software InstallationThe system already has OpenSSH installed by default, and we can view the installation of OpenSSH by command Rpm-qa|grep OpenSSH, as shown in:
2.
Use
Windows
Client Logon ServerWindows XP itself does not have its own SSH client program, so we need to install the SSH client on Windows, the common Windows version of the SSH client software winscp and putty, etc. WINSCP support the Chinese language, but also provides a friendly graphical operation interface, the user can be very convenient to operate it, let us first introduce WINSCP: for example, fill in the hostname or IP address can be logged in: When logged in, if the key is not loaded Wenjian, Will pop up a warning window as shown, because we are not using key authentication now, so we can go directly to the point. WINSCP provides a Windows Explorer-like interface, such as: Users can easily perform file operations, such as uploading, downloading, file, directory renaming and other work. WINSCP also provides a console for executing commands, such as, however, it is not very convenient to use. It is easier to use the putty if you want to use the command line as easily as you would under Linux. If you enter the computer name or IP address, you can connect to the SSH server. During the connection process, a warning dialog box will also pop up, prompting for key issues, and we'll continue with the point yes. such as: After the system connection, you will be prompted to enter a user name and password, enter the correct user name and password, you can use the command line as in Linux to operate it. By default, you are allowed to log on by using the root account. Such as:
3.
Configuration
SSH
ServiceBy default, we can already use the client to log on to the SSH server, however, there is a security risk of direct use, so we also need to continue to configure the SSH service: 1) Use the command vi/etc/ssh/sshd_config to configure the SSH service, Modify the following line (row with red line): Protocol 2 # Default support SSH1 and SSH2, modified, only use ssh2serverkeybits 1024x768 #将ServerKey强度改为1024比特 Permitrootlogi n No # Modified, do not allow the use of root login passwordauthentication No # modified, do not allow password login permitemptypasswords No # After the modification, prohibit blank password login 2) system is allowed by default All addresses are connected to the SSH server, so we also need to restrict access addresses: Use the command Vi/etc/hosts.deny, modify the masking rules, add: Sshd:all at the end, and block requests from all SSH connections. Now all the computers can not connect to the SSH server, so we also need to use the command Vi/etc/hosts.allow modify the Allow rule, add one at the end of the line: sshd:192.168.99. , allow the SSH connection request from 192.168.99.0/24 this network segment, of course, here can also set only allow some IP address SSH connection, this can be set according to their own needs. After Setup is complete, you need to restart the SSH service to take effect. We can connect with putty again, can't log in. Because the password can not be verified now, you need to use the "key".
4.
establishment of public and private keysSwitch to a normal user to establish a public and private key based on this user. (Here I use the admin this self-built account for example), the operation process, such as: Public key and private key after the establishment, still need to do some processing, such as: OK, has now been configured to complete. Next, we need to copy the private key to the client computer, the private key file storage location:/home/admin/.ssh/id_rsa.
5.
converting private keys from the server sideBecause the server-generated private key cannot be used directly by the client, we also need to convert the private key. Let's take the example of the most commonly used putty client for illustration. For the Putty client, we can use the Puttygen tool to convert the private key. Run Puttygen, then click Load, load the private key, such as: To start the conversion, a dialog box will pop up, asking for the password to establish this private key on the server side, such as: After the conversion is completed, a successful conversion dialog box, such as: Click "Save private Key" to save the private key, such as: Private key conversion is complete.
6.
Use
Putty
Logon ServerOpen the Putty tool, click on the left panel auth (authentication), then click Browse on the right panel, load the private key just converted, such as: then click on the left panel session, back to the Host Connection Information dialog box, such as: In the "host name" entry in the host name or IP address, Then fill in the "Saved Sessions" entry with the name of the connection (which can be any name), then click Save to save the host connection settings, such as: Double-click the newly established connection, enter the user name and password to connect. Note: The password here is not the user password, but the password that was set when the private key was created. OK, the setting to log in to the SSH server via the "key" method is now complete. Here's another thing to note: If you want to allow a user to connect to a server using SSH, you must establish a corresponding public and private key based on that user.
Third,
VNCSSH can be used to securely connect to a Linux server, but if the connection is interrupted, the commands executed during the connection are aborted. When you execute some programs during an SSH connection, the interruption is dangerous and can have some impact on the system. Therefore, we also need to consider another solution, for some special cases to use. VNC just can meet this demand, using VNC connection, in the case of network interruption, the original execution of the command, etc. will not be affected, the system will continue to execute. And VNC can provide a complete Linux interface, through which you can operate the Linux server like the native computer. Let's take a look at the use of VNC connections:
1.
Software InstallationWe can use the command rpm-qa|grep VNC to check the installation of VNC, the system has been installed by default. If the system is not installed, you can find the package on the installation CD. Use RPM to install it.
2.
Start
VNC
ServiceThe VNC service can be started using the command vncserver:1, where "number" 1 represents the desktop number. The first time you execute, you will need to enter the connection password, which is saved in/root/.vnc/passwd, and the Xstartup profile is automatically created for the user in the. VNC subdirectory of the user's home directory, and the configuration information in the file is read each time the VNC service is started. We enter "192.168.99.9:1" via the VNC Viewer in Windows, then click OK and enter the password to connect to the server via VNC. For example, you are already connected to a Linux server, but the interface looks ugly because you are using a x-windows desktop environment. In addition, in addition to using the VNC viewer to log in, we can also use the browser to connect, but you need to install the Java Support Environment and VNC viewer for Java)
3.
Configuration
VNC
Desktop environment for
KDE
or
GNOME
Desktop Environment: The VNC service uses the TWM graphical desktop environment by default, which we have seen, is not beautiful. Fortunately, we can modify it, using the command: Vi/root/.vnc/xstartup, change the last line of TWM to Startkde to the KDE desktop environment, and modify it to gnome-session as the GNOME desktop environment. For example, we will change it to the KDE desktop environment, such as: Restart the VNC service, such as: we re-connect with the VNC viewer, now appears to be the KDE desktop environment, such as:
4.
Configuring multiple desktop EnvironmentsUse the command/etc/sysconfig/vncservers to modify the configuration file (see the Change section in the red box), such as: Here we set the desktop 1 as the root user's desktop, Desktop 2 is set to the Admin user's desktop. Note: After setting up, you need to log in as the corresponding user, manually execute the vncserver:<number> command once to initialize the $home/.vnc/xstartup and $home/.vnc/passwd files. Later, you can use the/etc/init.d/vncserver Start command and you can now log in using the VNC viewer:
5.
Modify
VNC
Access Password:We can modify the user's connection password by command vncpasswd, note that if there are many different users, they need to modify their connection password in the user environment of different users. OK, three different remote management services have been introduced, everyone in the daily work in accordance with their own needs of the server to be configured accordingly, in order to better remote management.
This article is from the "Tonyguo de blog" Knowledge: "blog, be sure to keep this source http://tonyguo.blog.51cto.com/379574/179084
Linux Server Deployment Series VI-Remote management chapter