2025-02-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
SSH protocol:
Provides clients with a secure shell environment for remote management
Default port: TCP 22
SSH service overview:
Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config
Client configuration file: /etc/ssh/ssh_config
Service listening options:
Port number, protocol version, listening IP address
Disable reverse DNS lookup
User login control:
Disable login for root and for users with empty passwords
Login time, number of retries
AllowUsers, DenyUsers
Case 1: start two Linux servers, log in over ssh, disable root login, and prevent springboard logins to root
test01 (192.168.109.133), test02 (192.168.109.132)
1. Log in to test02 with ssh on test02
2. Disable root login
[root@test01 ~]# vim /etc/ssh/sshd_config    # change the configuration file
[root@test01 ~]# systemctl restart sshd      # restart the ssh service
3. Prevent springboard logins to root
In fact, we can still get to root by first logging in as another user and switching from there.
To stop this, we need to enable the PAM authentication module.
[root@test01 ~]# vim /etc/pam.d/su
PAM then checks whether the user is in the wheel group; use two users as the springboard to test switching to root.
Case 2: set the number of login attempts (by default the client gives only three password prompts, so we need one command to reach the configured maximum)
[root@test01 ~]# vim /etc/ssh/sshd_config    # change the configuration file
[root@test01 ~]# systemctl restart sshd      # restart the ssh service
At this point, all we have to do is enter one command on the client.
[root@test02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.109.133
Case 3: set a whitelist
Setting up SSH key-pair authentication
The overall implementation process:
1. Enable key authentication and restart the ssh service
[root@test01 ~]# vim /etc/ssh/sshd_config
[root@test01 ~]# systemctl restart sshd
2. Create a key pair in test01
[root@test02 ~]# ssh-keygen -t ecdsa    # create a key pair of type ecdsa
[root@test02 ~]# cd .ssh                # switch to the directory that holds the key files
[root@test02 .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts
3. Upload the public key file and import the public key into the test1 user's account on test01
[root@test02 .ssh]# ssh-copy-id -i id_ecdsa.pub test1@192.168.109.133
4. Check whether the test1 user has received the public key file, then log in to verify the key pair
[root@test01 ~]# cd /home/test1/.ssh
[root@test01 .ssh]# ls
5. Use the key to log in without any interaction
[root@test02 .ssh]# ssh-agent bash
[root@test02 .ssh]# ssh-add
Overview of TCP Wrappers
Configuration files for the access control policy:
/etc/hosts.allow
/etc/hosts.deny
Set the access control policy
Policy format: service list: client address list
Order in which policies are applied:
hosts.allow is checked first. If a match is found, access is allowed.
Otherwise hosts.deny is checked, and access is denied if a match is found there.
If there is no matching policy in either file, access is allowed by default.
[root@test01 ~]# vim /etc/hosts.allow    # whitelist
[root@test01 ~]# vim /etc/hosts.deny     # blacklist
If the same host address appears in both files, the allow whitelist is consulted first, so the host is allowed. If the host is in neither list, it can log in by default.
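The evaluation order described above, as an added example that is not part of the original article: a small evaluator for "service list: client address list" rules. The policy contents, the extra client addresses and the function names are constructed for illustration, and only a subset of the pattern syntax is handled (ALL, exact match, address prefix such as "10.", domain suffix such as ".example.com", IPv4 or host names only).

```shell
#!/bin/sh
# Added example: evaluates TCP Wrappers rules in the order the article gives.
# The policies below are constructed samples, not taken from the original page.
ALLOW='# hosts.allow (constructed)
sshd: 192.168.109.132'
DENY='# hosts.deny (constructed)
sshd: 192.168.109.132
sshd,vsftpd: 10.'
DENY_ALL='sshd: ALL'

# in_list ITEM LIST: succeed if ITEM matches any token of LIST.
# Subset handled: ALL, exact match, "10." prefix, ".example.com" suffix.
in_list() {
    item=$1 hit=1
    set -f                                  # do not glob tokens while splitting
    for tok in $(printf '%s' "$2" | tr ',' ' '); do
        case $tok in
            ALL) hit=0 ;;
            *.)  case $item in "$tok"*) hit=0 ;; esac ;;
            .*)  case $item in *"$tok") hit=0 ;; esac ;;
            *)   if [ "$tok" = "$item" ]; then hit=0; fi ;;
        esac
    done
    set +f
    return "$hit"
}

# matches POLICY SERVICE CLIENT: succeed if any "services: clients" line matches.
matches() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; *:*) ;; *) continue ;; esac
        svcs=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        if in_list "$2" "$svcs" && in_list "$3" "$clients"; then return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# check_access ALLOW_TEXT DENY_TEXT SERVICE CLIENT: prints "allow" or "deny".
check_access() {
    if matches "$1" "$3" "$4"; then echo allow      # hosts.allow is checked first
    elif matches "$2" "$3" "$4"; then echo deny     # then hosts.deny
    else echo allow                                 # no rule in either file
    fi
}

check_access "$ALLOW" "$DENY" sshd 192.168.109.132      # host listed in both files
check_access "$ALLOW" "$DENY" sshd 172.16.0.9           # host listed in neither file
check_access "$ALLOW" "$DENY_ALL" sshd 172.16.0.9       # whitelist plus "sshd: ALL" in deny
```

The second and third calls show why a whitelist in hosts.allow restricts nothing on its own: an unlisted host is refused only when hosts.deny also carries a catch-all rule for the service.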