Use ssh for secure connections

Article Title: Use ssh for secure connections. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

You certainly want to use ssh to use your server from a remote site, but some skills are required to make the process smooth.

MindTerm, socat, and VNC. Oh, my God! Although remote work has always been one of the favorite Linux advantages of system programmers and administrators, setting remote access is not a simple task.

Select the appropriate remote service

Every month,Server ClinicDescribe how to use the hardware in the server room to the maximum extent. This column often involves Linux methods, which are not as well known as they should be: Using Linux for Fortran programs, using Linux for applications designed for the old operating system, and so on.

The second topic is the topic of this column: security.

Your server should be physically isolated, and all unnecessary Internet access should be disabled, and you can only access the server through ssh or better. It is particularly worth mentioning that as few real-time applications as possibletelnet,ftp,rloginAndrshAnd related services; they are too dangerous.

Assume that you have done all these things. Now you are out-you may be demonstrating the product, negotiating with new customers to discuss the demand, or closing a meeting (which is included in your training budget ). You need to call up some materials in the company. So what should we do?

First, you should try it. Programmers and administrators could have been working in their own quiet work places during normal working hours, but they liked to force themselves to perform the work in an emergency. Don't let yourself fall victim to such behavior! Make sure that your connection is valid for business purposes and is not in violation.

However, if you have these organizational questions in the past, the answer to the connection question is "Use ssh ". Even if you are more dependent on Virtual Private Network (VPN) than ssh in principle, I still think that if you cannot use the conventional method in case of an emergency, set ssh access with caution. VPN is still difficult to handle and relies on special hardware configuration. If you call a host through a client network (mostly using a common desktop machine), you can make extremely limited choices.

Ssh meets your needs

The good news is that ssh is usually able to meet the needs of these limitations. Even if you go out to work, you may still have enough resources to work on ssh at public access points (such as Internet cafes.

You may not depend on your own device. To be more serious, taking any device that is larger than a handheld device around is another security risk; to be worse, it is not allowed to insert external hardware in many places. You must use the hardware provided to you.

However, the download of puTTY, ssh, or MindTerm clients is usually very fast. And I also like that. Any host that has enough network stacks and can be connected to your server room can have a Web browser that allows download. Be careful when using the installed client. For some people, it is too easy to replace the client with a modified client that can capture the hit key information (or worse.

Another way is to construct a Web page embedded with the MindTerm client as an applet, which looks attractive on the surface. My experience tells myself that this method is useless. In most cases, Java is disabled, browsers that only have the old Java Runtime Engine (JRE) are provided, or other methods are used to reduce the convenience of the applet. If I want to use MindTerm, I only want to download and install the client and compatible JRE. For the construction of end-user applications, applet is usually a good technology. The applet is also suitable for Read-Only configuration. However, I found that this method is rarely used. Therefore, in order to make your work more efficient, it is not worth the time to solve possible problems in the applet environment. I have always felt that it is more convenient to find a MB of free large-capacity memory and install ssh on it.

After you sit down for a while, you should install a new ssh client and start it. However, this may not be enough. In some cases, the firewall has disabled most ports, or at least many ports including ssh standard port 22.

There is another way to prepare for help. On at least one of my hosts, I want sshd (ssh daemon) to run on ports that are usually assigned to common Internet services (such as ftp, http, smtp, or pop3. Even the strictest firewall must open one of ports 21, 8080, 25, and 110. By setting a machine as a "capture" communication, you can make it pass through most firewalls.

Does this sound like an illegal intruder talking? MeNoIn favor of network abuse. There are often employees in other companiesInvitationI use their network, although they also know that changing their firewall in a sensitive way (such as temporarily enabling port 22) is not feasible in terms of the company's system. I gradually accepted this idea: preparing to adopt the "left-side" approach is also part of the current professional practice, but I need to ensure that I only do this in a responsible way.

Of course, with the opening of the ssh channel, I have almost all the functions like sitting in front of the console in the server room. If graphical display is required, I can use X or VNC through the channel, or access all other common activities from the command line.

In this way, my work session is started. Then, I download and reference the ssh client, quickly install and start them, then, use the SSL-protected password to verify a sshd that is running in the server room.

Please note that I am still vulnerable to attacks from tampered hosts. A fully modified desktop machine or a vigilant "sp" can log on to the SSL database before hitting the key information.This situationThe solution is to use the one-time password (OTP) system. So far, in my opinion, OTP has brought more trouble than security. The cost and benefits OTP brings to you are certainly at least slightly different. In any case, returning to a daily workplace may be a good time to update your password.

Use Standard Parts

I hopeServer ClinicThe work code is displayed every month. In this article, it is difficult to add any code. The recommended configuration is very simple and has been fully recorded in the standard references. For example, to add the ssh service to the second port, you only need to add the following lines:

Port 8080

Add to the existing/etc/ssh/sshd_config and Restart sshd. Another method is to use "network proxy program" or "port forwarder" (such as netcat or socat) to direct it back to the standard ssh port of the local host (localhost, this method is useful in running tests and tuning log records or for additional security.

Agent The "proxy" in the context here is a small "converter", which only allows network traffic to pass through. If I set the sshd server on port 22 and want to set another sshd server on port 110, one way to achieve this is to install the network proxy program. Such a proxy is used as a server on port 110 to receive external traffic. It acts as a client on port 22 to process these groups. The basic sshd server performs all the actual work. The proxy function is to convert from one port to another (possibly on another host ).

The true value of this special column is not profound code, but rather a clear concept. You should enable your own remote services with this purpose. I have tried many methods. Take advantage of this experience, especially to understandNoWhat to do, at least know what to do when you set up the server room for the first time: Prohibit Telnet, do not keep unused services open, do not worry about applet (especially do not worry about applet signature ), and do not log on remotely if you feel something is wrong.

On the other hand, standard components must be used. I have tried many clever ideas to adjust the ssh protocol or my own firewall to prevent "Black Hat" hackers (who use network techniques to intrude into the network and destroy the network, translator's note ). Compared with the small security enhancements provided by these ideas, their maintenance is relatively difficult, so it is worth the candle. Unless I have a clear budget for a security project and have a clear long-term goal, it is best to spend time using ssh instead of trying to improve it.

With the preceding steps, you will have a server room, which is much more secure than installing a standard Linux server. You can also remotely manage almost all synchronization connections around the world. This is a good start point for your own security plan.

 

Link: http://www-128.ibm.com/developerworks/cn/linux/l-sc15/index.html