Use ssh for secure connections


You surely want to use ssh to reach your server from remote sites, but a few tricks are needed to make the process smooth. MindTerm, and socat, and VNC, oh my! Although remote work has always been one of the favorite Linux advantages for system programmers and administrators, setting up remote access is not a simple task.
Select the appropriate remote service
Every month, Server Clinic describes how to get the most out of the hardware in your server room. The column often covers Linux techniques that are not as well known as they should be: running Fortran programs on Linux, running applications designed for older operating systems on Linux, and so on.
A second recurring theme is the topic of this column: security.
Your server should be physically secured, every unnecessary Internet-facing service should be disabled, and remote access should be possible only through ssh or something better. In particular, telnet, ftp, rlogin, rsh and their relatives send passwords and session contents across the network in the clear; they are too dangerous to leave running, so keep as few of them live as possible, ideally none.
Suppose you have done all that. Now you are away from the office: demonstrating a product, meeting a new customer to discuss requirements, or attending a conference that your training budget covers. You need to pull up some material back at the company. What do you do?
First, think it over. Programmers and administrators who could have done the work from their own quiet workplace during normal hours too often put themselves in the position of doing it under emergency conditions. Don't be a victim of that habit! Make sure that the connection you are about to make serves a legitimate business purpose and doesn't violate policy.
Once you are past those organizational questions, though, the answer to the connection question is "use ssh". Even if you rely in principle on a Virtual Private Network (VPN) rather than ssh, I still think it is worth carefully setting up ssh access as a fallback for emergencies when the usual method is unavailable. VPNs remain awkward to handle and depend on particular hardware and client configurations; if you are sitting at an ordinary desktop machine on a customer's network, your options are extremely limited.
ssh meets your needs
The good news is that ssh usually works within those limits. Even when you are on the road and working from a public access point such as an Internet cafe, you will generally have enough to get ssh working.
You may not be able to rely on your own equipment. Carrying anything larger than a handheld around is itself another security risk, and worse, many sites do not allow outside hardware to be plugged in at all. You have to use the hardware you are given.
Downloading a PuTTY, ssh or MindTerm client is usually quick, though, and I like that. Any host with enough of a network stack to reach your server room will have a Web browser that can download one. Be wary of a client that is already installed on the machine: it is too easy for someone to replace it with a modified client that captures keystrokes, or worse.
Another approach that looks attractive on the surface is to build a Web page with the MindTerm client embedded as an applet. My experience is that this is not worth it. In most cases Java is disabled, or the browser only has an old Java Runtime Engine (JRE), or something else gets in the way of the applet's convenience. If I want MindTerm, I would rather download and install the client and a compatible JRE. Applets are generally a fine technology for building end-user applications, and they suit read-only configurations, but I have found this use of them rare in practice. So, to keep yourself productive, it is not worth the time to work around the problems of the applet environment. I have always found it more convenient to find a megabyte of free disk space and install ssh there.
So, a few minutes after sitting down, you have installed a fresh ssh client and started it. That may still not be enough. Sometimes the local firewall blocks most ports, or at least many of them, including ssh's standard port 22.
Another bit of preparation helps here. On at least one of my hosts, I run sshd (the ssh daemon) on a port normally assigned to a common Internet service such as ftp, http, smtp or pop3. Even a strict firewall usually leaves at least one of ports 21, 8080, 25 or 110 open. With a machine set up to "catch" connections on one of those ports, you can get through most firewalls.
Does that sound like a cracker talking? I do not condone abuse of the network. Employees at other companies regularly invite me onto their networks, knowing full well that a sensible accommodation such as temporarily opening port 22 is not feasible given their corporate systems. I have come to accept that being prepared with this kind of side door is part of current professional practice, as long as I do it responsibly.
Once the ssh channel is open, of course, I have nearly everything I would have sitting at the console in the server room. If I need a graphical display I can tunnel X or VNC through the channel, and everything else I do from the command line.
So a working session goes like this: I download the ssh client, install and start it in a few minutes, and authenticate with a password, carried inside ssh's encrypted channel, to an sshd running in the server room.
Note that I remain vulnerable to a tampered host. A thoroughly compromised desktop machine, or an attentive "shoulder surfer", can record my keystrokes before they ever enter the encrypted channel. The remedy for that is a one-time password (OTP) system. So far, in my judgment, OTP has cost me more trouble than it has bought in security; your own cost-benefit calculation is bound to differ at least slightly. Either way, getting back to your regular workplace is a good time to change your password.
Use standard parts
I like Server Clinic to show working code every month. This installment makes that hard: the configuration I recommend is so simple, and so thoroughly documented in the standard references. For example, to have sshd listen on a second port, you only need to add a line such as:

Port 8080
to the existing /etc/ssh/sshd_config and restart sshd. One caveat: a Port directive replaces the default rather than adding to it, so if the file has no other Port line, sshd will then listen on 8080 only; keep an explicit "Port 22" alongside it if you still want the standard port. Another way is to run a "network proxy" or "port forwarder" such as netcat or socat that accepts connections on the second port and hands them to the standard ssh port on localhost; that approach is useful for testing, for tuning logging, or as an extra layer of security.
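An added example, not from the original column, of the check a practitioner should make before restarting sshd with that change. The script parses the Port and ListenAddress directives of an sshd_config the way sshd_config(5) describes them and reports the ports sshd will actually bind, so the "8080 only" trap shows up before the restart locks you out. Both configuration files are constructed samples, not a real host's files; on a real host, `sshd -T -f /etc/ssh/sshd_config` prints the effective configuration and is the authoritative check.

```python
"""Which ports will sshd really listen on, given an sshd_config?
Added example, not from the original column: it reads the Port and
ListenAddress directives the way sshd_config(5) describes them, which exposes
the trap in the one-line change above: once any Port line exists, sshd stops
listening on 22 unless 22 is listed as well. Both configs are constructed.
"""
import re

DEFAULT_PORT = 22

# Constructed sample: the column's edit applied naively, with no "Port 22".
NAIVE_CONFIG = """\
# constructed sshd_config, not a real host's file
Port 8080
PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sample: the same change done so that port 22 survives.
CORRECT_CONFIG = """\
# constructed sshd_config
Port 22
Port 8080
ListenAddress 0.0.0.0
ListenAddress [::1]:110
PermitRootLogin no
"""

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # "Key value" or "Key=value"
_BRACKETED = re.compile(r"^\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?$")  # "[v6addr]:port"


def _parse_port(token, line_no):
    if not token.isdigit() or not 1 <= int(token) <= 65535:
        raise ValueError("line %d: bad port %r" % (line_no, token))
    return int(token)


def _listen_address_port(value, line_no):
    """Return the explicit port of a ListenAddress value, or None if it has none."""
    if not value:
        raise ValueError("line %d: ListenAddress needs an address" % line_no)
    value = value.split()[0]                 # drop a trailing "rdomain=..." option
    m = _BRACKETED.match(value)
    if m:
        return _parse_port(m.group("port"), line_no) if m.group("port") else None
    if value.count(":") == 1:                # host:port; a bare IPv6 literal has more colons
        return _parse_port(value.rsplit(":", 1)[1], line_no)
    return None


def effective_ports(config_text):
    """Return the sorted list of TCP ports sshd would bind for this config."""
    ports, explicit, saw_listen, unbound_listen, in_match = [], set(), False, False, False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (line_no, raw))
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True                  # everything after this is conditional
        elif keyword in ("port", "listenaddress"):
            if in_match:                     # sshd refuses to start in this case
                raise ValueError("line %d: %s is not allowed inside Match" % (line_no, keyword))
            if keyword == "port":
                ports.append(_parse_port(value, line_no))
            else:
                saw_listen = True
                port = _listen_address_port(value, line_no)
                if port is None:
                    unbound_listen = True    # this address gets every Port value
                else:
                    explicit.add(port)
    if not ports:
        ports = [DEFAULT_PORT]               # the default applies only with no Port line
    result = set(explicit)
    if not saw_listen or unbound_listen:     # no ListenAddress: all addresses, all Ports
        result.update(ports)
    return sorted(result)


def audit(config_text):
    """Warnings a practitioner wants before restarting sshd; empty means fine."""
    warnings = []
    if DEFAULT_PORT not in effective_ports(config_text):
        warnings.append("sshd will not listen on %d: a Port directive replaces the default "
                        "instead of adding to it; add 'Port %d' to keep the standard port"
                        % (DEFAULT_PORT, DEFAULT_PORT))
    return warnings


if __name__ == "__main__":
    for name, cfg in (("naive", NAIVE_CONFIG), ("correct", CORRECT_CONFIG)):
        print(name, effective_ports(cfg), audit(cfg))
```

Run it on a copy of your own sshd_config before the restart, and keep an existing session open while you restart sshd so that a mistake does not cost you the only way in.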
Proxy
A "proxy" in this sense is a small "converter" whose only job is to pass network traffic through. If I have sshd on port 22 and want ssh to be reachable on port 110 as well, one way is to install a network proxy program. The proxy acts as a server on port 110, accepting outside traffic, and as a client to port 22, passing the same bytes along. The real sshd does all the actual work; the proxy's only function is to translate from one port to another (possibly on another host).
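An added example, not code from the original column, of the proxy just described: a small TCP forwarder in Python that accepts on one port and relays every byte in both directions to sshd on another port, which is exactly what the netcat or socat suggestion above does (with socat, the equivalent is `socat TCP-LISTEN:110,fork,reuseaddr TCP:127.0.0.1:22`). The port numbers 110 and 22 are the column's scenario; the example below uses ephemeral ports on 127.0.0.1 and a constructed stand-in for sshd so that it runs offline.

```python
"""A small TCP port forwarder: the column's "proxy", written in Python.
Added example, not code from the original column. It accepts on one port and
relays every byte both ways to sshd on another port, which is what the netcat
or socat suggestion does; a constructed stand-in for sshd lets it run offline.
"""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-constructed_sample\r\n"   # constructed; not a real sshd banner


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # tell the far side we are done writing
        except OSError:
            pass


def _listener(host, port):
    """Bound, listening TCP socket; port 0 asks the OS for a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


class PortForwarder:
    """Accept on (listen_host, listen_port); relay each connection to target."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.sock = _listener(listen_host, listen_port)
        self.port = self.sock.getsockname()[1]     # the real port when 0 was asked for
        threading.Thread(target=self._serve, daemon=True).start()

    def close(self):
        self.sock.close()                          # accept() fails and _serve returns

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()     # sshd unreachable: the client simply sees EOF
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)        # client -> sshd in this thread
        back.join()                    # sshd -> client in the other
        client.close()
        upstream.close()


def start_fake_sshd():
    """Constructed stand-in for sshd: sends a banner, echoes one line, hangs up."""
    srv = _listener("127.0.0.1", 0)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(FAKE_BANNER)
            conn.sendall(b"echo:" + conn.recv(4096))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Client -> forwarder -> fake sshd; return (banner, reply) as the client saw them."""
    backend = start_fake_sshd()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", backend.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            banner = c.recv(4096)
            c.sendall(b"SSH-2.0-client\r\n")
            return banner, c.recv(4096)
    finally:
        fwd.close()
        backend.close()


if __name__ == "__main__":
    print(demo())
```

The forwarder never looks inside the stream, so ssh's encryption and authentication are untouched; when sshd is unreachable it simply closes the client connection. Two practical points for a real deployment: binding a port below 1024 such as 110 requires root, and sshd will log every forwarded connection as coming from 127.0.0.1, so you lose the client's real address for logging and for address-based controls. The sshd_config Port method from the previous section keeps the real source address, which is one reason to prefer it outside of testing.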
The real value of this particular column is not deep code but clear concepts. You should set up your own remote services deliberately. I have tried many approaches, and that experience, especially knowing what not to do, is what I would most want when setting up a server room for the first time: disable telnet, leave no unused services running, don't bother with applets (and especially not with applet signing), and don't log in remotely if anything feels wrong.
On the positive side, use standard parts. I have tried plenty of clever ideas for tweaking the ssh protocol or my own firewalls to keep out "black hat" crackers (intruders who use network techniques to break in and do damage). The small security gains those ideas bring are not worth the maintenance burden they create: the game is not worth the candle. Unless I have an explicit budget for a security project with clear long-term goals, my time is better spent using ssh than trying to improve on it.
With these steps you have a server room that is far more secure than a default Linux installation, and one you can manage remotely from nearly any connection anywhere in the world. That is a good starting point for your own security plan.
Link: http://www-128.ibm.com/developerworks/cn/linux/l-sc15/index.html
