2025-03-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
1. Check SSH client version
Sometimes you need to check which SSH client is installed and its version number. Use the ssh -V command to print it. Linux distributions generally ship with OpenSSH; the following example shows a system that is using OpenSSH:
$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
The following example shows a system that is using SSH2:
$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
2. Connect to a remote host:
Command Format:
ssh name@remoteserver
# or
ssh remoteserver -l name
Note: Either form logs in to the remote host. remoteserver is the remote host, and name is the user name on the remote host.
3. Connect to the specified port of the remote host:
Command Format:
ssh name@remoteserver -p 2222
# or
ssh remoteserver -l name -p 2222
Note: The -p parameter specifies the port number. When setting up port mapping on a router, we usually do not map port 22 out directly but translate it to another port number. In that case, use the -p port number form.
4. Jump to remote host 2 via remote host 1:
Command Format:
ssh -t remoteserver1 ssh remoteserver2
Note: When the remote host remoteserver2 cannot be reached directly, you can use the -t parameter (which allocates a terminal for the second ssh session) and jump from remoteserver1 to remoteserver2. In this process, enter the password for remoteserver1 first, then the password for remoteserver2, and then you can operate remoteserver2.
5. Run remote shell commands via SSH:
Command Format:
ssh -l name remoteserver 'command'
Note: This connects to the remote host and executes the command on it. For example, to view memory usage on a remote host:
$ ssh -l root 192.168.1.100 svmon -G
6. Modify SSH listening port:
By default, SSH listens on port 22, and attackers can use port scanning software to see whether the host is running an SSH service. It is a wise choice to move SSH to a port greater than 1024, because most port scanning software (including nmap) does not scan high-order ports by default. A full-range scan will still find the service, so treat this as noise reduction rather than access control. Open the /etc/ssh/sshd_config file and look for the following line:
#Port 22
Remove the # sign from the front of the line, then change the port number and restart the SSH service:
$ /etc/init.d/ssh restart
7. Only SSH version 2 is allowed:
There are two versions of the SSH protocol. Version 2 is more secure; version 1 has security issues, including man-in-the-middle and insertion attacks. Edit the /etc/ssh/sshd_config file and look for a line like this:
# Protocol 2,1
Change it to:
Protocol 2
8. Prohibiting root user login:
Usually, you should not log in to the remote host directly as root. The root user has superuser privileges, so direct root login is a security risk. Instead, log in as an ordinary user and switch to root only when you need to administer the remote host. Open the /etc/ssh/sshd_config file and look for the following line:
#PermitRootLogin yes
Remove the # sign, change yes to no, and restart the ssh service to disable root login.
9. Port mapping:
If the company has a web server on the intranet that serves only internal clients, so that the external network cannot reach it, you can use SSH port mapping to give the external network access to it. Suppose the web server is named webserver and it can reach the remote host remoteserver over SSH. Log in to webserver and set up the mapping with the following command:
Command Format:
ssh -R 3000:localhost:80 remoteserver
After it runs, execute netstat -an | grep 3000 on the remoteserver machine to check whether port 3000 is open, and run the following command to see whether the web page on webserver opens:
$ w3m http://127.0.0.1:3000
If the page opens, the mapping is successful. However, access is limited to the local machine: only remoteserver itself can reach the web server, because port 3000 is bound to address 127.0.0.1 on the remoteserver machine. To change that, edit the /etc/ssh/sshd_config file on the remoteserver machine and add the following:
GatewayPorts yes
This binds listening port 3000 to the 0.0.0.0 address, so that all external machines can access this listening port. Save and exit, then restart the SSH service. Once this is done, other machines can enter http://remoteserver:3000 in their browser to access webserver.
10. Set prompt information when logging in
First create a file, such as bannertest.txt, with whatever content you want. Then open the /etc/ssh/sshd_config file and look for the following line:
#Banner /some/path
Remove the # sign, replace /some/path with the full path of the bannertest.txt file, save it, and restart the ssh service. When a client logs in, it will see the message in the bannertest.txt file.
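To check which of the sshd_config settings discussed above (Port, Protocol, PermitRootLogin, GatewayPorts) are actually in force, the following added example, which is not part of the original article, reads a config file the way sshd does: the first uncommented occurrence of a keyword wins, and a commented-out line leaves the default active. The function names, the sample files and the assumed defaults (those of the older OpenSSH releases the article describes) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the whitespace-separated
# "Keyword value" form and the defaults of the older OpenSSH releases shown above.

# effective_value FILE KEYWORD DEFAULT: sshd keeps the first uncommented
# occurrence of a keyword; a commented-out line leaves the default in force.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/              { next }  # comment or blank line
        tolower($1) == "match"      { exit }  # global section ends at first Match
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: print one line per setting the article says to review.
audit_sshd_config() {
    port=$(effective_value "$1" Port 22)
    proto=$(effective_value "$1" Protocol 2,1)
    root=$(effective_value "$1" PermitRootLogin yes)
    gw=$(effective_value "$1" GatewayPorts no)
    [ "$port" = 22 ] && echo "Port=$port: still on the default port"
    case ",$proto," in *,1,*) echo "Protocol=$proto: SSH version 1 is still accepted" ;; esac
    [ "$root" != no ] && echo "PermitRootLogin=$root: direct root login is not disabled"
    [ "$gw" = yes ] && echo "GatewayPorts=$gw: -R forwards listen on 0.0.0.0, not 127.0.0.1"
    return 0
}

# Constructed sample: the commented-out lines the article starts from, plus GatewayPorts yes.
write_weak_sample() {
    cat > "$1" <<'EOF'
#Port 22
# Protocol 2,1
#PermitRootLogin yes
GatewayPorts yes
EOF
}
# Constructed sample: the same settings after the edits described above.
write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
Banner /some/path
EOF
}
tmp=$(mktemp -d)
write_weak_sample "$tmp/weak"; write_hardened_sample "$tmp/hard"
echo "== weak sample ==";     audit_sshd_config "$tmp/weak"
echo "== hardened sample =="; audit_sshd_config "$tmp/hard"
rm -rf "$tmp"
```

Run it against a copy of /etc/ssh/sshd_config with audit_sshd_config FILE; no output means none of the four settings was flagged.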
That is all for this article. I hope it helps with your studies, and thank you for your support.