Use SSH for secure connections in Linux

You certainly want to use ssh to reach your server from a remote site, but some skill is required to make the process go smoothly.

MindTerm, socat, and VNC, oh my! Remote work has always been one of the Linux advantages that programmers and system administrators value most, yet setting up remote access is not a simple task.

Select the appropriate remote service

Every month, Server Clinic describes how to get the most out of the hardware in your server room. This column often covers Linux methods that are not as well known as they should be: using Linux for Fortran programs, using Linux for applications designed for older operating systems, and so on.

A second theme is the topic of this column: security.

Your server should be physically isolated, all unnecessary Internet access should be disabled, and you should reach the server only through ssh or something better. In particular, telnet, ftp, rlogin, rsh, and related services, which send passwords and sessions unencrypted, are too dangerous to run; use them as little as possible.

Assume that you have done all these things. Now you are away from the office: you may be demonstrating a product, negotiating requirements with a new customer, or attending a conference (paid for out of your training budget). You need to call up some material from the company. So what do you do?

First, ask whether you should. Programmers and administrators who could have done the work from their own quiet workplaces during normal working hours often like to force themselves to do it as an emergency instead. Don't fall victim to that habit. Make sure that your connection serves a valid business purpose and does not violate policy.

However, once you have settled these organizational questions, the answer to the connection question is "use ssh". Even if you rely in principle on a Virtual Private Network (VPN) rather than ssh, I still think you should carefully set up ssh access for the case where the conventional method is unavailable in an emergency. VPNs are still difficult to handle and rely on special hardware configuration. If you call in through a client's network (most often from an ordinary desktop machine), your choices are extremely limited.

Ssh meets your needs

The good news is that ssh can usually work within these constraints. Even when you are away, you will probably have enough resources to work over ssh from public access points such as Internet cafes.

You may not be able to rely on your own equipment. More seriously, carrying around any device larger than a handheld is itself a security risk; worse, many places do not allow you to plug in external hardware. You must use the hardware provided to you.

However, downloading a PuTTY, ssh, or MindTerm client is usually very quick, and I like it that way. Any host with a working network stack that can reach your server room will have a Web browser that allows the download. Be careful with clients that are already installed on a borrowed machine: it is all too easy for someone to replace the client with a modified one that captures keystrokes (or worse).

Another approach, which looks attractive on the surface, is to build a Web page that embeds the MindTerm client as an applet. My experience is that this method is useless in practice. In most cases Java is disabled, the browser only has an old Java Runtime Environment (JRE), or the applet's convenience is reduced in some other way. If I want to use MindTerm, I simply download and install the client and a compatible JRE. Applets are generally a good technology for building end-user applications, and they are also well suited to read-only configurations, but I found this method rarely worked. So, if you want to get your work done, it is not worth the time to solve the possible problems of the applet environment. I have always found it more convenient to find a megabyte of free mass storage and install ssh there.

Once you have sat down somewhere, you install a fresh ssh client and start it. However, this may not be enough. In some cases the firewall has blocked most ports, or at least many ports, including the standard ssh port 22.

I prepare for this in another way. On at least one of my hosts, I run sshd (the ssh daemon) on ports usually assigned to common Internet services (such as ftp, http, smtp, or pop3). Even the strictest firewall must leave one of ports 21, 8080, 25, and 110 open. By setting up a machine to "catch" connections on such a port, you can get through most firewalls.

Does this sound like an intruder talking? I do not condone abuse of networks. Employees of other companies often invite me to use their networks, knowing that changing their firewalls by a sensitive step such as opening port 22 temporarily is not feasible under their corporate policies. I have gradually accepted that being prepared to take this kind of workaround is part of current professional practice, but I make sure that I do it only in a responsible way.

Of course, once the ssh channel is open, I have almost all the capabilities I would have sitting at the console in the server room. If I need a graphical display, I can tunnel X or VNC through the channel; everything else I can do from the command line.

That is how my work session starts. I download an ssh client, quickly install and start it, and then authenticate with an SSL-protected password to an sshd running in the server room.

Note that I am still vulnerable to attack from a tampered host. A thoroughly modified desktop machine or a watchful "spy" can capture my keystrokes before they reach the SSL layer. The solution is a one-time password (OTP) system. So far, in my opinion, OTP has brought more trouble than security. Your own weighing of the costs and benefits of OTP will certainly differ at least slightly. In any case, returning to your daily workplace is a good time to change your password.
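As an added example (not code from this column or its author), the following script audits an sshd_config for the three points raised above: the ports sshd answers on, whether X or VNC can be tunnelled through the session, and whether a static password captured on a tampered client host would be enough to log in. The sample configuration and all function names are constructed for this example.

```python
# Added example, not part of the column: audit an sshd_config for the points
# raised above. All names here and the sample file are hypothetical.
from collections import defaultdict

# Constructed sample; the port numbers echo the column, nothing else is real.
SAMPLE_SSHD_CONFIG = """\
Port 22
Port 443
Port=110
X11Forwarding yes
AllowTcpForwarding yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Global section of an sshd_config as {keyword: [values]}.

    Keywords are case-insensitive, may be written 'Key value' or 'Key=value',
    and some (Port, ListenAddress) legitimately repeat, so values are kept in
    order. Only whole-line comments exist in this format. Parsing stops at
    the first Match block, whose settings apply only conditionally.
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key, value = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if "=" in key:                       # 'Port=110' form
            key, _, eqval = key.partition("=")
            value = eqval or value
        if key.lower() == "match":
            break
        conf[key.lower()].append(value.strip())
    return dict(conf)


def audit_sshd_config(text):
    """Return (listening ports, [(code, message), ...]) for the config."""
    conf = parse_sshd_config(text)
    first = lambda key, default: conf.get(key, [default])[0].lower()
    ports = [int(p) for p in conf.get("port", ["22"])]
    findings = []
    if first("allowtcpforwarding", "yes") == "no":
        findings.append(("no-tcp-forwarding", "VNC cannot be carried over the ssh channel"))
    if first("x11forwarding", "no") != "yes":
        findings.append(("no-x11-forwarding", "X sessions will not be tunnelled"))
    if first("passwordauthentication", "yes") == "yes":
        findings.append(("static-password", "a password logged on a borrowed host is reusable; "
                         "prefer keys or a one-time-password (challenge-response) method"))
    if first("permitrootlogin", "no") == "yes":
        findings.append(("root-login", "root can log in directly over ssh"))
    return ports, findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real server to see the same report for its own file.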
