
Implementation of SSH tunnel forwarding for private-network penetration (the principle behind the reverse-connect "rebound" trojan)

2025-01-19 Update From: SLTechnology News&Howtos, shulou (Network Security)


Shulou (Shulou.com) 06/01 Report

SSH description

SSH (Secure Shell) is an encrypted network protocol that provides a secure transport channel for network services over an insecure network. An SSH client and server set up an encrypted tunnel between them. People mostly use SSH for a remote command-line session and for executing commands remotely, but it also supports tunnelling, port forwarding and X11 forwarding, and files can be transferred over it with SFTP or SCP. That is enough background; if you need to know more about SSH, look it up yourself.

Where most of us meet the SSH protocol is logging in to a Unix system with Xshell or Xmanager, or to a Linux host with the ssh command-line tool. Beyond that we may not know much more, and neither did I, but today our DBA raised a requirement that I had to help with.

Digression:

In an earlier interview I was asked how hosts in two different IDCs can communicate. The technique below would have answered it, although it did not occur to me at the time; in practice it is rarely needed, because it has to be deployed on both sides and it is not especially safe. Let's see.

Scenario 1:

One server is the company's Oracle database (in IDC A), which for security listens only on its private-network IP. The DBA normally manages it from his own Windows machine by connecting to 127.0.0.1:port, using the port-forwarding feature of Xshell (Xshell forwards the connection). A Linux development machine (in IDC B) runs a program that needs to call this database. What is required is that the test program on the Linux machine can reach the database, and that is exactly SSH tunnel forwarding: the test machine logs in to the database server with an SSH private key, and through SSH port forwarding the port the database listens on in IDC A's private network is mapped to a port on the Linux test machine, so the test program can call it locally. Clear?

Approach:

First, on the database server, provision an account for the test Linux machine that authenticates with a private key (no password). Then, on the test Linux machine, log in over SSH with port forwarding enabled: the persistent SSH session brings the remote port to the local machine, and connecting to that local port reaches the remote database port.

Add a login account on the IDC A database server (passwordless login with a private key).

On the IDC B test Linux host, log in to the IDC A database machine as follows:

    ssh -i test -C -f -N -g -L 1521:lanip:1521 test@x.x.x.x -p port

Parameter description:
-i  private key file
-C  compress the transmitted data
-f  go to the background once authentication is done
-N  do not execute a remote command (only forward ports)
-g  allow other hosts to connect to the locally forwarded port (ssh binds it to all interfaces instead of 127.0.0.1)
-L port:host:hostport  map host:hostport, as reachable from the remote side, to the local port
-p  the port sshd listens on at x.x.x.x

Caveat: with -g the Oracle port is reachable from every host that can reach the test machine, not just from processes on it. Leave -g out (or write -L 127.0.0.1:1521:lanip:1521) unless other hosts really need the tunnel.

Example: a redis-server on a remote host listens on port 6320, but that port is not opened to the public network. It is forwarded to the local machine through an SSH tunnel and then accessed locally.

    [san@TX_zgws_test02 ~]$ sudo netstat -ntpul
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:6320            0.0.0.0:*               LISTEN      25103/redis-server
    ... (omitted)

Log in over ssh and forward the port to the local machine:

The blacked-out part is the public IP and connection port of this host. The command takes a few seconds to return; do not press Ctrl+C.

View the local ports:

    san@san-dong:~$ netstat -ntpul
    (Not all processes could be identified; information on processes owned by other users will not be shown. You would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:6320            0.0.0.0:*               LISTEN      16968/ssh

Access port 6320 on the local host:

Through the SSH tunnel, a connection to local port 6320 is carried to port 6320 on the remote host, even though the remote 6320 is not opened to the outside world; the firewall only sees an SSH session, so the tunnel effectively bypasses it. Isn't that powerful? Note that the listener above is on 0.0.0.0 because of -g, so any host that can reach this machine can now use the tunnel as well; without -g, ssh binds the forwarded port to 127.0.0.1 only. The traffic between the two servers rides inside the SSH session, so it gets SSH's built-in encryption without any extra work. Got it?
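Two things a practitioner wants at this point: the command without -g (explicit loopback bind, and ssh exiting if the forward cannot be set up) and a quick way to find forwarded ports that -g has exposed to the network. The script below is an added example, not part of the original article; the hosts, ports and the netstat listing it reads are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): hardened form of the
# Scenario 1 command, plus a check for ssh listeners that -g has exposed.
# Host names, ports and the netstat sample below are constructed.

# Build the local-forward command with an explicit 127.0.0.1 bind address
# instead of -g, so only processes on the test machine can use the tunnel.
# ExitOnForwardFailure makes ssh fail loudly instead of silently logging in
# without the forward.
# Arguments: key file, local port, DB private IP, DB port, user@host, sshd port.
build_local_forward() {
  key=$1; lport=$2; dbip=$3; dbport=$4; target=$5; sshport=$6
  printf 'ssh -i %s -C -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s -p %s' \
    "$key" "$lport" "$dbip" "$dbport" "$target" "$sshport"
}

# Read `netstat -ntpul` output on stdin and print one line per LISTEN socket
# owned by an ssh client, tagged EXPOSED when bound to a wildcard address
# (0.0.0.0, or :: which netstat prints as ":::port") and LOCAL otherwise.
audit_ssh_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/ssh$/ {
    split($4, a, ":"); addr = a[1]
    if (addr == "0.0.0.0" || addr == "") tag = "EXPOSED"; else tag = "LOCAL"
    print tag, $4, $7
  }'
}

# Constructed netstat sample: one tunnel started with -g (wildcard bind),
# one with an explicit 127.0.0.1 bind, and unrelated listeners.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6320            0.0.0.0:*               LISTEN      16968/ssh
tcp        0      0 127.0.0.1:1521          0.0.0.0:*               LISTEN      17001/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           801/dhclient'

# Number of ssh tunnel listeners that other hosts on the network can reach.
count_exposed() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_ssh_listeners | grep -c '^EXPOSED' || true
}

# Run with "demo" as the first argument to see the command and the audit.
if [ "${1:-}" = "demo" ]; then
  build_local_forward test 1521 10.0.0.5 1521 test@203.0.113.10 2022; echo
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_ssh_listeners
fi
```

On a real host, pipe `sudo netstat -ntpul` (or `ss -ltnp`, with the fields adjusted) into `audit_ssh_listeners`; every EXPOSED line is a forwarded private port that the whole segment can reach.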

Scenario 2:

My office computer is on the company intranet, and I would like to reach it (by ssh or VNC) from home. If the network administrator has not mapped port 22 of my office computer to the outside, I cannot reach it from outside. It can still be done as follows, on the condition that you have a host on the public network: from the office computer, log in over SSH to that third-party host and, through the SSH tunnel, expose the office computer's port 22 as a port on the remote host; from home you then reach the office computer by connecting to that port on the third-party host.

The architecture is as follows:

The format is as follows:

    ssh -i san -N -f -R 2222:127.0.0.1:22 san@external-host -p port

Parameter description:
-R port:host:hostport  listen on port on the remote host and forward each connection to host:hostport as seen from the local machine; here local port 22 is projected to port 2222 on the remote host. "external-host" is the domain name or public IP of the public-network host and "port" is its sshd port.

In practice:

Run the following on the company computer before leaving work:

That is, log in to public-network machine C over ssh and map local port 22 to port 10022 on C (the -R command above with 10022 in place of 2222).

When you get home, log in to public-network machine C and connect to its port 10022 to reach the office computer:

    [san@TX_zgws_test02 ~]$ ssh san@127.0.0.1 -p 10022

As shown in the figure:

In this way you reach the company office computer through public-network machine C. By default sshd binds a -R port to the loopback address of the remote host only, which is why you first log in to C and then connect to 127.0.0.1:10022 as above; for the port to be reachable from other hosts, the administrator of C must set GatewayPorts yes in sshd_config, and AllowTcpForwarding must not be disabled there. If your home network is itself reachable from outside (for example through DDNS), you can do without C entirely and point the -R tunnel at home directly. As long as the machine supports the SSH protocol you can work this out yourself; I have not tried it under Windows.
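Whether the -R trick works at all, and whether the forwarded port is reachable beyond loopback, is decided by sshd_config on the relay host C. The script below is an added example, not part of the original article: it reports the effective value of the directives involved, using sshd's own rule that the first occurrence of a keyword wins and that lines after the first Match block apply only conditionally. The two configuration texts are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): read an sshd_config on
# stdin and report the settings that govern -L/-R tunnels on that host.
# The WEAK_CFG and HARD_CFG texts below are constructed samples.

# Effective value of one keyword in the global section of sshd_config.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and everything after the first "Match" line is conditional, so stop there.
# Usage: effective_setting KEYWORD DEFAULT < sshd_config
effective_setting() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == key && !found { print $2; found = 1 }
    END { if (!found) print def }'
}

# Summarise the two directives that matter for this article:
# AllowTcpForwarding (default yes) decides whether -L/-R work at all,
# GatewayPorts (default no) decides whether a -R port binds beyond loopback.
tunnel_policy() {
  cfg=$(cat)
  fwd=$(printf '%s\n' "$cfg" | effective_setting AllowTcpForwarding yes)
  gw=$(printf '%s\n' "$cfg" | effective_setting GatewayPorts no)
  printf 'AllowTcpForwarding=%s GatewayPorts=%s\n' "$fwd" "$gw"
}

# Constructed weak config: -R ports on this relay are exposed to every
# network interface, and the Match block does not change that for user san
# in the global section (only inside the Match).
WEAK_CFG='Port 22
GatewayPorts yes
AllowTcpForwarding yes
Match User san
    GatewayPorts no'

# Constructed hardened config: forwarding is off; the later "yes" is ignored
# because the first occurrence wins.
HARD_CFG='Port 22
AllowTcpForwarding no
GatewayPorts no
AllowTcpForwarding yes'

weak_policy() { printf '%s\n' "$WEAK_CFG" | tunnel_policy; }
hard_policy() { printf '%s\n' "$HARD_CFG" | tunnel_policy; }

if [ "${1:-}" = "demo" ]; then
  printf 'weak:      '; weak_policy
  printf 'hardened:  '; hard_policy
fi
```

On a real relay run `sudo sh this.sh` with `tunnel_policy < /etc/ssh/sshd_config`; if the host only exists to be a jump point, `AllowTcpForwarding no` (or a tight `PermitOpen`) in the global section is the setting to look for, since it removes the -R foothold described above regardless of what the client asks for.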

If you found that useful, you have got the idea. But don't leave yet.

Addendum:

Let's talk about what is called the reverse-connect ("rebound") trojan.

A trojan is simply a program on the computer whose purpose is to run secretly and open a socket connection or listening port for someone else to connect to; once connected, that person can do whatever they please. This worked well when every computer had a public IP (or when both sides were on the same network segment). That situation is no longer common: today most hosts reach the Internet through a shared public IP behind address translation (NAT). This is how you surf the Internet at the office (a 4G phone works the same way): everyone in the company goes out through the same egress public IP. With NAT and a firewall in the way, even if the program sits on your computer waiting for a connection, the outsider cannot get in. So the clever ones turned it around: if I cannot get in, I can still get out. Most corporate firewalls only stop the outside from entering the enterprise; there are usually few restrictions on leaving, and blocking outbound traffic wholesale is impractical, so enterprises generally block only the obviously problematic protocols or ports and leave most outbound ports open.

So once such a program has been planted on your computer, it actively connects out to a machine on the outside and sets up a tunnel mapping and forwarding, exactly like the scenario above. That bypasses both your computer's firewall and the company's, and the other side can then control your computer through the tunnel. This is the so-called reverse-connect type; isn't the principle very similar? Be careful when you see an unknown connection on your computer that looks like the following:

    $ sudo netstat -n | grep EST
    tcp 0 172.16.0.188 x.x.x.x:22 ESTABLISHED

The one above is the test I just did, so nothing to be afraid of!
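The netstat line above is the whole signal an outbound tunnel leaves on the victim side: an established connection from this host to port 22 of somewhere outside. The script below is an added example, not part of the original article, that turns that into a check: it reads `netstat -ntp` output, skips peers on an allowlist of known jump hosts, and flags the rest. The allowlist, the addresses and the netstat sample are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): flag the "rebound" pattern
# described above, i.e. an outbound ssh session from this host to an address
# that is not one of our known jump hosts. Addresses, the allowlist and the
# netstat sample are constructed.

# Known, approved ssh destinations (constructed), space separated.
KNOWN_SSH_HOSTS='203.0.113.10 198.51.100.7'

# Read `netstat -ntp` output on stdin. Print "SUSPECT <local> <remote> <prog>"
# for every ESTABLISHED TCP connection whose remote port is 22 and whose
# remote address is not in the allowlist passed as $1. Loopback peers are
# skipped: an ssh to 127.0.0.1 (as in Scenario 2 on host C) is not a tunnel out.
flag_outbound_ssh() {
  allow=$1
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      # port is the last colon-separated field, which also copes with IPv6
      n2 = split($5, r, ":"); rport = r[n2]
      raddr = $5; sub(":" rport "$", "", raddr)
      if (rport != "22") next
      if (raddr ~ /^127\./ || raddr == "::1") next
      if (raddr in ok) next
      print "SUSPECT", $4, $5, $7
    }'
}

# Constructed `sudo netstat -ntp` sample: the approved jump host, an unknown
# outbound ssh (the pattern the article warns about), an inbound sshd
# session (remote port is not 22, so it is ignored) and a plain https flow.
SAMPLE_CONNS='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.16.0.188:41522      203.0.113.10:22         ESTABLISHED 2201/ssh
tcp        0      0 172.16.0.188:41880      192.0.2.44:22           ESTABLISHED 2310/ssh
tcp        0      0 172.16.0.188:22         172.16.0.5:50210        ESTABLISHED 1012/sshd: san
tcp        0      0 172.16.0.188:44012      93.184.216.34:443       ESTABLISHED 2455/firefox'

# Number of suspicious outbound ssh sessions in the sample.
suspect_count() {
  printf '%s\n' "$SAMPLE_CONNS" | flag_outbound_ssh "$KNOWN_SSH_HOSTS" | grep -c '^SUSPECT' || true
}

# Remote endpoint(s) of the suspicious sessions.
suspect_peer() {
  printf '%s\n' "$SAMPLE_CONNS" | flag_outbound_ssh "$KNOWN_SSH_HOSTS" | awk '{print $3}'
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CONNS" | flag_outbound_ssh "$KNOWN_SSH_HOSTS"
fi
```

The check only looks at port 22; a trojan that tunnels over 443 or any other open outbound port will not appear here, which is exactly the point the text makes about lenient egress rules. A tighter version would flag every long-lived outbound connection from a process that is not on the host's expected list, whatever the port.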
