
Detailed explanation of SSH Service in Linux system

2025-04-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Brief introduction:

SSH stands for Secure Shell and was developed by the IETF's Network Working Group. It is a security protocol that operates at the application layer, and it is currently a reliable protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol effectively prevents information leakage during remote administration. SSH began as a program on UNIX systems and then spread rapidly to other operating platforms. When used correctly, SSH can close gaps in network security. SSH clients are available for many platforms, and almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH.

Basic functions:

1. First we start two Linux systems, one as the server and one as the client. On the server, we open the SSH server configuration file "/etc/ssh/sshd_config" with the vim editor.

The relevant directives in the file are:

Port 22: the listening port; sshd listens on port 22 by default.
#AddressFamily any: the protocol family, IPv4 or IPv6; "any" means both.
#ListenAddress 0.0.0.0: the listening address; 0.0.0.0 means all IPv4 addresses on this machine.
#ListenAddress ::: listen on all IPv6 addresses.

#LoginGraceTime 2m: the time allowed to complete a login; the default is 2 minutes.
PermitRootLogin yes: whether the administrator (root) may log in directly; "yes" allows it.
StrictModes yes: whether sshd checks the permissions of the user's home directory and related files before accepting a login.
MaxAuthTries 6: the maximum number of authentication attempts; the password may be entered up to 6 times.
#MaxSessions 10: the maximum number of sessions allowed (delete the "#" to enable the directive).

2. Remember that the configuration only takes effect after the service is restarted. Then we try to connect to the server from the client.

We can enter the login user root (note that this is the user on the server) together with the server's IP address, then enter that user's password to log in. I had logged in before; if you have not, the system asks whether you want to connect, and you only need to type "yes".

If the user name of the client is the same as that of the server, the user name can be omitted when logging in.

The default port of the SSH service is 22; if you do not specify a port, the login request is sent to port 22 of the remote host. If we change the port number in the configuration file, we use the -p option to specify it. For example, after the port has been changed to 123:

3. We know that root is the system administrator, and it is certainly not safe to let anyone log in as root at will. So we can modify the configuration file to prevent logins as the root user. Remember to restart the service after the change.

When we log in as root again and enter the password, we get "Permission denied", while the user zhangsan can still log in.

4. Although we have restricted direct root logins, after logging in as zhangsan we can still switch to root with the "su" command.

So we can turn on PAM authentication for the "su" command; then we only need to add the users who are allowed to use "su" to the "wheel" group.

You can see that the user "jiang" is in the "wheel" group and the user "zhangsan" is not. When we try to switch to root as "zhangsan" again, we get "Permission denied", while the "wheel" group member "jiang" can still switch to root.

5. Earlier I enabled a maximum of 6 authentication attempts, and we can test whether it works.

You can see that after 6 attempts we are disconnected automatically. To see this we have to run the client with the "-o NumberOfPasswordPrompts=8" option; if we log in without it, the client only prompts for the password 3 times by default before disconnecting.

6. We can also restrict which users and IP addresses may log in by adding a blacklist or whitelist to the server configuration file.

A blacklist and a whitelist cannot be used at the same time. Whitelists are what enterprises commonly use, so here is a whitelist demonstration.

First we add a whitelist to the configuration file that restricts the user zhangsan to logging in only from the host with IP 192.168.52.132, while the user lisi may log in from any host. Restart the service when the configuration is complete.

When we log in from the host with IP 192.168.52.132, we can see that because of the whitelist the user "jiang" can no longer log in, while zhangsan and lisi still can.

When we log in from the host with IP 192.168.52.128, only lisi can log in and zhangsan cannot, because we restricted zhangsan to logging in only from the host with IP 192.168.52.132.
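The whitelist behaviour above, worked through in a small Python model (an added example, not code from the article or from OpenSSH): it parses the AllowUsers patterns from a constructed sshd_config fragment and decides whether a given user from a given client IP would be accepted. The matching rules are a simplified assumption of this example, not sshd's own implementation.

```python
import fnmatch

# Constructed sshd_config fragment expressing the article's whitelist:
# zhangsan only from 192.168.52.132, lisi from any host, everyone else
# (for example jiang) refused.
SSHD_CONFIG = """
Port 22
PermitRootLogin no
AllowUsers zhangsan@192.168.52.132 lisi
"""


def parse_allow_users(config_text):
    """Collect the patterns from every AllowUsers line.

    Directive names are case-insensitive and '#' starts a comment.
    """
    patterns = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            patterns.extend(parts[1:])
    return patterns


def login_allowed(user, client_ip, patterns):
    """Approximate sshd's AllowUsers check (an assumption of this example).

    A pattern is either USER or USER@HOST, '*' and '?' act as wildcards, and
    once any AllowUsers pattern exists, a user matching none of them is
    refused. With no AllowUsers directive at all, every user is allowed.
    """
    if not patterns:
        return True
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if not fnmatch.fnmatchcase(user, user_pat):
            continue
        if not host_pat or fnmatch.fnmatchcase(client_ip, host_pat):
            return True
    return False
```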

scp command and sftp command

1. We delete the whitelist set earlier, set root logins back to "yes", and restart the service.

2. First create a new file "ssh_client.txt" and a directory "ssh" in the "/opt/" directory of the client host, then use the scp command to copy both of them to the "/opt/" directory of the server host.

3. Then create a file "test01" in the "/opt/" directory of the client host, and use the scp command on the server host to copy the file over.

4. We delete the newly created directories and files in the "/opt/" directory of both hosts, and create two files, demo01 and demo02, in the "/opt/" directory of the server and of the client respectively.

5. We can also connect to the server from the client host with the sftp command to upload and download files. Upload with the "put" command, download with the "get" command, and use the cd command to switch directories.

6. We can see that we can change directories at will with the cd command, which is very insecure, so we modify the SSH server configuration file to confine sftp users to a directory we specify after they connect.

First, edit the file "/etc/ssh/sshd_config" with the vim editor and comment out "Subsystem sftp /usr/libexec/openssh/sftp-server". Then add the following directives:

Subsystem sftp internal-sftp
Match User zhangsan
ChrootDirectory /home/zhangsan
X11Forwarding no
ForceCommand internal-sftp
AllowTcpForwarding no

(Don't forget to restart the service after the configuration.)

Then we go to the "/home/" directory, set the permissions of our specified directory "zhangsan" to "755", and change its owner and group to root.

We create 5 new empty files in the "/home/zhangsan/" directory.

Once again we connect from the client host to the server host with sftp, and we can see that we land directly in the "zhangsan" directory. When we try to switch to another directory, we cannot.
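The ownership and permission change above is not cosmetic: sshd refuses a ChrootDirectory unless every path component from "/" down is owned by root and not writable by group or others. The following Python check (an added example, not from the article or from OpenSSH) walks the path and reports every component that violates those rules; the BEFORE/AFTER metadata is constructed to reflect the article's "/home/zhangsan" before and after the fix.

```python
import os
import stat
from types import SimpleNamespace


def chroot_problems(path, lookup=os.stat):
    """Return the reasons sshd would refuse PATH as a ChrootDirectory.

    An empty list means the path passes. Every prefix of the path (/, /home,
    /home/zhangsan, ...) must be a directory, owned by root (uid 0) and not
    writable by group or others. 'lookup' defaults to os.stat and can be
    replaced by a fake to check a planned layout offline.
    """
    components = [c for c in os.path.abspath(path).split("/") if c]
    prefixes = ["/"] + ["/" + "/".join(components[:i + 1])
                        for i in range(len(components))]
    problems = []
    for prefix in prefixes:
        st = lookup(prefix)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{prefix}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{prefix}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{prefix}: writable by group or others")
    return problems


def make_lookup(table):
    """Build a fake stat function from {path: (uid, permission_bits)}."""
    def lookup(path):
        uid, perm = table[path]
        return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | perm)
    return lookup


# Constructed metadata (hypothetical uid 1000 for zhangsan): before the fix the
# home directory is owned by zhangsan with mode 700; afterwards it is
# root-owned with mode 755, as the article instructs.
BEFORE = make_lookup({"/": (0, 0o755), "/home": (0, 0o755),
                      "/home/zhangsan": (1000, 0o700)})
AFTER = make_lookup({"/": (0, 0o755), "/home": (0, 0o755),
                     "/home/zhangsan": (0, 0o755)})

if __name__ == "__main__":
    print("before:", chroot_problems("/home/zhangsan", BEFORE))
    print("after:", chroot_problems("/home/zhangsan", AFTER))
```

Run it against a real server with the default lookup, `chroot_problems("/home/zhangsan")`, to confirm the directory sshd will actually accept.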

Key pair login

1. Remove the previous configuration that confined sftp logins to one directory, enable public key authentication in the configuration file (delete the "#"), and restart the service.

2. First, generate the key pair with the command "ssh-keygen -t ecdsa"; the key files are stored in the "/home/zhangsan/.ssh/" directory.

3. Import the public key file "id_ecdsa.pub" from the "/home/zhangsan/.ssh/" directory into the server host with the command "ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.52.131".

4. When we log in with the ssh command again, all we have to enter is the passphrase we set when generating the key.

5. But entering the passphrase at every login is troublesome; we only need to add the key to ssh-agent, and we will not be asked for it the next time we log in.

TCP Wrappers strategy

Configuration file for control policy:

/etc/hosts.allow (whitelist file)
/etc/hosts.deny (blacklist file)

The order in which the policies are applied:

The hosts.allow file is checked first: if a match is found, access is allowed immediately and hosts.deny is not consulted. If there is no match in hosts.allow, hosts.deny is checked, and a match there denies access. If neither file contains a matching policy, access is allowed by default.

1. First edit the file "/etc/hosts.allow" with the vim editor to whitelist the IP 192.168.52.132.

2. Then edit the file "/etc/hosts.deny" with the vim editor to blacklist all IPs.

3. Next, we log in from the host client with IP 192.168.52.132 and from the host client02 with IP 192.168.52.128 respectively. Only the client host in the whitelist can log in.

4. Remove the client host's IP from the whitelist, add it to the blacklist, and log in from the client host again. As a result, the login fails.
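The evaluation order described above (hosts.allow first, then hosts.deny, then allow by default), modelled in Python as an added example that is not code from the article or from libwrap. The rule contents are constructed to match the article's steps, and the client pattern matcher covers only "ALL", an exact IP and a dotted network prefix, which is an assumption of this example rather than the full libwrap syntax.

```python
# Constructed hosts.allow / hosts.deny contents mirroring the article:
# whitelist 192.168.52.132 for sshd, blacklist everything else.
HOSTS_ALLOW = "sshd: 192.168.52.132\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Subset of libwrap client patterns: ALL, an exact IP, or a prefix
    such as '192.168.52.' (trailing dot) that matches a whole network."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def rule_matches(rules, daemon, ip):
    """True when any rule names the daemon (or ALL) and matches the client IP."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)


def wrappers_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the order the article describes: a hosts.allow match allows and
    stops evaluation, a hosts.deny match denies, otherwise access is allowed."""
    if rule_matches(parse_rules(allow_text), daemon, ip):
        return "allow"
    if rule_matches(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"
```

Note that these files only take effect for sshd builds linked against libwrap; on systems where that support has been removed, restrict clients with sshd_config directives or a host firewall instead.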
