Shulou (SLTechnology News&Howtos, Servers), updated 2025-02-23
Shulou (Shulou.com) 06/01 Report
This article explains how to use SSH to reach a Linux server behind a firewall or NAT: first the basic setup of sshd on the server, then reverse SSH tunnels through a relay host, and finally how to keep such a tunnel up permanently with autossh.
The basic method of using SSH to access a Linux server
Step 1: open the SSH port (22 by default) in the firewall of the server, i.e. the machine that runs sshd. The client side only needs outbound access to that port.
Step 2: start the SSH service. The commands below use the SysV "service" tool; on systemd-based distributions the equivalents are "systemctl status/start/stop/restart sshd".
Check the status of sshd first.
The code is as follows:
service sshd status
Start the service.
The code is as follows:
service sshd start
Of course, you can also stop it.
The code is as follows:
service sshd stop
Restart the service (needed after changing its configuration).
The code is as follows:
service sshd restart
Step 3: edit the configuration file /etc/ssh/sshd_config.
Add an AllowUsers line (the directive is not present by default; the article puts it at the end of the file) listing the accounts that may log in, separated by spaces. root can be listed too, but if you want root locked out over SSH simply leave it off the list: once AllowUsers is set, every account not named is refused. In addition, find the line "PermitRootLogin yes" in the same file and change yes to no, so that root is refused even if it is listed. Two caveats: sshd uses the first value it finds for a keyword, so a PermitRootLogin line appended at the end has no effect if an earlier uncommented one exists (change the existing line instead), and directives placed after a "Match" block only apply inside that block. The changes take effect when sshd is restarted.
Step 4: make sshd start automatically at boot.
The code is as follows:
chkconfig --level 2345 sshd on
Here 2345 are the runlevels in which the service should start; on systemd-based distributions use "systemctl enable sshd" instead.
Step 5: log in remotely.
The code is as follows:
ssh username@hostname
hostname may also be an IP address. You are then asked for the password; after logging in you can switch to another user with su. If you need a graphical application, add -X (uppercase X) to enable X11 forwarding:
ssh -X username@hostname
This works, but the graphical session is slow over a WAN link, and X11 forwarding lets the remote host interact with your local X display, so use it only in a pinch and only with servers you trust.
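As an added example (editor's code, not part of the original article), the following POSIX shell functions apply the step 3 changes to an sshd_config file in a way that can be re-run safely and that respects two sshd rules the manual steps can trip over: the first value of a keyword wins, and directives after a "Match" line belong to that block. The file path and the user list are passed in by the caller; the configuration used in the test is constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example, not code from the original article: apply the step-3 changes to an
# sshd_config file idempotently. File path and user names are passed in by the caller.

# sshd_first_value FILE KEYWORD
# Print the argument of the first uncommented KEYWORD line in FILE, which is the
# value sshd will actually use (keywords are case-insensitive).
sshd_first_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) {
            sub(/^[^ \t]+[ \t]+/, "")   # strip the keyword and following blanks
            print
            exit
        }' "$1"
}

# harden_sshd_config FILE USER...
# Remove every existing PermitRootLogin / AllowUsers line (commented or not) so
# that no earlier line can shadow ours, then insert the hardened values before
# the first Match block (or at the end if there is none).
harden_sshd_config() {
    cfg="$1"
    shift
    users="$*"
    tmp=$(mktemp) || return 1
    awk -v users="$users" '
        function emit() {
            if (!done) {
                print "PermitRootLogin no"
                print "AllowUsers " users
                done = 1
            }
        }
        # drop existing (possibly commented-out) lines for these two keywords
        tolower($0) ~ /^[ \t]*#?[ \t]*(permitrootlogin|allowusers)([ \t]|$)/ { next }
        # directives after a Match line only apply inside that block,
        # so our global settings must go before the first one
        tolower($1) == "match" { emit() }
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg"
    # On a real host, validate before restarting sshd:  sshd -t -f "$cfg"
}
```

Run it as root against /etc/ssh/sshd_config with the allowed user names, check the result with "sshd -t", and only then restart sshd; keep an existing session open while you do so, because a mistake in AllowUsers locks you out of new logins.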
Accessing a Linux server behind NAT through a reverse SSH tunnel
What is a reverse SSH tunnel?
Reverse SSH tunnelling is the counterpart of ordinary SSH port forwarding, and the idea is simple. You need a second host, the "relay host", outside your restricted home network that you can reach over SSH from wherever you happen to be; a VPS with a public IP address does the job. The home server then keeps a permanent SSH connection open to the relay host, and the relay host uses that connection to forward a port back to the home server (which is why it is called a "reverse" tunnel). Because it is the home server that initiates the outbound connection, the tunnel works no matter how strict the NAT or firewall in front of the home network is: as long as you can reach the relay host, you can reach the home server.
Setting up a reverse SSH tunnel on Linux
Let's look at how to create and use a reverse SSH tunnel. Assume we set up a reverse SSH tunnel from the home server (homeserver) to the relay server (relayserver), and then log in to the home server over SSH from a client computer (clientcomputer) through the relay. The public IP address of the relay server in this example is 1.1.1.1.
On the home server, open an SSH connection to the relay server as follows.
The code is as follows:
homeserver~$ ssh -fN -R 10022:localhost:22 relayserver_user@1.1.1.1
Port 10022 is an arbitrary port number; just make sure no other program on the relay server is using it.
The "-R 10022:localhost:22" option defines the reverse tunnel: connections to port 10022 on the relay server are forwarded, inside the SSH connection, to port 22 on the home server (localhost is resolved on the home server, where the ssh client runs).
With "-fN", ssh goes to the background once it has authenticated (-f) and runs no remote command (-N), which is what we want when the only purpose of the session is to forward a port. Note that nothing re-establishes the tunnel if the connection drops; that is what autossh is for, later in this article.
After running the command you are back at the home server's prompt.
Log in to the relay server and verify that sshd is listening on 127.0.0.1:10022. If so, the reverse tunnel has been set up correctly.
The code is as follows:
relayserver~$ sudo netstat -nap | grep 10022
The output should look like this:
tcp        0      0 127.0.0.1:10022         0.0.0.0:*               LISTEN      8493/sshd
You can now log in to the relay server from any other computer (the client computer) and reach the home server as follows.
The code is as follows:
relayserver~$ ssh -p 10022 homeserver_user@localhost
Note that the login and password you enter for localhost here are those of the home server, not the relay server: the connection goes to the local end of the tunnel, which is the home server's sshd, so do not enter the relay server's credentials by mistake. Once logged in, you are on the home server.
Connecting directly to the server behind NAT through a reverse SSH tunnel
The method above lets you reach the home server behind NAT, but you have to log in twice: first to the relay server and then to the home server. That is because the relay-side endpoint of the tunnel is bound to the loopback address (127.0.0.1), so it can only be reached from the relay itself.
There is a way to reach the home server behind NAT with a single login to the relay server. For this, sshd on the relay server must be allowed to bind remote forwards not only to the loopback address but also to the host's external address. This is controlled by the GatewayPorts directive of the sshd running on the relay server. Be aware of what it means: once the tunnel is bound to the public address, port 10022 on the relay is reachable by anyone on the Internet, so the home server's sshd should accept key authentication only, and the port should be restricted in the relay's firewall to the addresses you connect from where possible.
Open /etc/ssh/sshd_config on the relay server and add the following line.
The code is as follows:
relayserver~$ sudo vi /etc/ssh/sshd_config
GatewayPorts clientspecified
"clientspecified" lets the ssh client choose the bind address in its -R option; "yes" would bind every remote forward to all interfaces.
Restart sshd.
Debian-based systems (where the service is called ssh):
The code is as follows:
relayserver~$ sudo /etc/init.d/ssh restart
Red Hat-based systems:
The code is as follows:
relayserver~$ sudo systemctl restart sshd
Now start a reverse SSH tunnel on the home server as follows, this time specifying the bind address in the -R option.
The code is as follows:
homeserver~$ ssh -fN -R 1.1.1.1:10022:localhost:22 relayserver_user@1.1.1.1
Log in to the relay server and use netstat to confirm that the reverse SSH tunnel has been established.
The code is as follows:
relayserver~$ sudo netstat -nap | grep 10022
The output should look like this:
tcp        0      0 1.1.1.1:10022           0.0.0.0:*               LISTEN
Unlike the previous case, the tunnel endpoint is 1.1.1.1:10022 (the relay server's public IP address) instead of 127.0.0.1:10022, so this end of the tunnel can be reached from external hosts.
Now, on any other computer (the client computer), run the following command to reach the home server behind NAT.
The code is as follows:
clientcomputer~$ ssh -p 10022 homeserver_user@1.1.1.1
Here 1.1.1.1 is the relay server's public IP address and homeserver_user must be an account on the home server, because the host you actually log in to is the home server; the relay merely passes your SSH traffic through. Your ssh client will record the home server's host key under the name [1.1.1.1]:10022, which is expected; a host key warning on this port later means the other end of the tunnel is no longer your home server.
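The two netstat checks above differ only in the address the tunnel endpoint is bound to, and that difference decides whether the home server is exposed to the Internet. As an added example (editor's code, not from the original article) the following shell helper parses the output of "netstat -nap" or "ss -ltnp", finds the sshd listener on the tunnel port and classifies its exposure; the listings it is run on are constructed to match the article's two scenarios, not captured from a real relay.

```sh
#!/bin/sh
# Added example, not from the original article: classify the relay-side tunnel
# endpoint from a "netstat -nap" or "ss -ltnp" listing. Sample listings below are
# constructed to match the article's two cases.

# tunnel_listener_addr "<listing>" PORT
# Print the local address of the sshd socket listening on PORT (nothing if absent).
tunnel_listener_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ && /sshd/ {
            # The first column whose trailing ":port" matches is the local address;
            # the foreign-address column ends in ":*" and never matches.
            for (i = 1; i <= NF; i++) {
                n = split($i, part, ":")
                if (n >= 2 && part[n] == port) {
                    sub(":" port "$", "", $i)
                    print $i
                    exit
                }
            }
        }'
}

# tunnel_exposure ADDR -> loopback | all-interfaces | address-bound
tunnel_exposure() {
    case "$1" in
        127.*|"[::1]"|::1|localhost) echo loopback ;;
        0.0.0.0|"*"|"[::]"|::)       echo all-interfaces ;;
        *)                           echo address-bound ;;
    esac
}

# check_tunnel "<listing>" PORT
# Print "<addr> <exposure>"; return 1 if no sshd listener is found on PORT.
check_tunnel() {
    addr=$(tunnel_listener_addr "$1" "$2")
    [ -n "$addr" ] || { echo "no sshd listener on port $2"; return 1; }
    echo "$addr $(tunnel_exposure "$addr")"
}

# Constructed samples: the listings before and after enabling GatewayPorts.
SAMPLE_LOOPBACK='tcp        0      0 127.0.0.1:10022         0.0.0.0:*               LISTEN      8493/sshd'
SAMPLE_PUBLIC='tcp        0      0 1.1.1.1:10022           0.0.0.0:*               LISTEN      8493/sshd'

check_tunnel "$SAMPLE_LOOPBACK" 10022   # 127.0.0.1 loopback
check_tunnel "$SAMPLE_PUBLIC" 10022     # 1.1.1.1 address-bound
```

On the relay itself run it as "check_tunnel "$(ss -ltnp)" 10022" (or with netstat). If you would rather not expose the port at all, keep the loopback-only tunnel from the previous section and hop through the relay in one command with "ssh -J relayserver_user@1.1.1.1 -p 10022 homeserver_user@localhost" (ProxyJump, OpenSSH 7.3 and later); localhost is then resolved on the relay, and the relay only has to allow TCP forwarding for that user.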
Setting up a permanent reverse SSH tunnel on Linux
Now that you know how to create a reverse SSH tunnel, let's make it "permanent", so that it stays up once started regardless of temporary network outages, SSH timeouts, relay host reboots and so on. After all, if the tunnel is not reliably up, you cannot reliably log in to your home server.
For a permanent tunnel I will use a tool called autossh. As the name suggests, it restarts the SSH session automatically whenever it is interrupted, for whatever reason, which makes it well suited to maintaining a reverse SSH tunnel.
The first step is to set up password-less (key-based) SSH login from the home server to the relay server, so that autossh can restart a broken tunnel without user intervention. Use a dedicated key for this and restrict in the relay's authorized_keys what it may do, since whoever obtains that key file gets whatever access it grants.
Next, install autossh on the home server, where the tunnel is started.
On the home server, run autossh with the following parameters to create a permanent SSH tunnel to the relay server.
The code is as follows:
homeserver~$ autossh -M 10900 -fN -o "PubkeyAuthentication=yes" -o "StrictHostKeyChecking=false" -o "PasswordAuthentication=no" -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R 1.1.1.1:10022:localhost:22 relayserver_user@1.1.1.1
The "-M 10900" option sets autossh's monitoring port, through which it sends test data over the session to check that it is alive. autossh uses this port and the next one (10900 on the home server, 10901 forwarded on the relay server), so both must be free of other programs. Alternatively, "-M 0" disables the monitor ports and relies on the ServerAlive options below instead.
The "-fN" option is passed to ssh so that the tunnel runs in the background.
The "-o XXXX" options make ssh:
Use key authentication instead of password authentication.
Accept unknown SSH host keys automatically.
Exchange keep-alive messages every 60 seconds.
Give up after 3 unanswered keep-alive messages.
The remaining tunnel options are the same as described earlier.
One caveat: "StrictHostKeyChecking=false" is convenient but it also means ssh will never refuse a relay whose host key has changed, so anyone able to intercept traffic between the home server and the relay could impersonate the relay, take over the relay end of the tunnel and gain network reach to the home server's port 22. The safer choice is to record the relay's host key in known_hosts once and use "StrictHostKeyChecking=yes" (or "accept-new" on OpenSSH 7.6 and later, which accepts a first-seen key but still rejects a changed one).
If you want the tunnel to start automatically at boot, add the above autossh command to /etc/rc.local; on systemd-based distributions, which may not run rc.local at all, a systemd service unit is the better choice.
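As an added example (editor's code, not from the original article), the following shell functions write a systemd unit that keeps the tunnel up with autossh instead of relying on /etc/rc.local, and print the authorized_keys entry that limits the tunnel key on the relay to opening this one forward. The names are assumptions: the tunnel runs on the home server as a local user "tunnel" with the key /home/tunnel/.ssh/id_ed25519 and the relay's host key already recorded in /home/tunnel/.ssh/known_hosts; the relay address and port are those used throughout the article.

```sh
#!/bin/sh
# Added example, not code from the original article. Assumed (hypothetical) names:
# local user "tunnel" on the home server, key /home/tunnel/.ssh/id_ed25519, relay
# host key already in /home/tunnel/.ssh/known_hosts; relay 1.1.1.1, port 10022.

# write_reverse_tunnel_unit DIR
# Write DIR/reverse-tunnel.service. On a real host DIR is /etc/systemd/system,
# followed by: systemctl daemon-reload && systemctl enable --now reverse-tunnel
write_reverse_tunnel_unit() {
    cat > "$1/reverse-tunnel.service" <<'EOF'
[Unit]
Description=Persistent reverse SSH tunnel to the relay server
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
# Keep retrying even if the very first attempt fails (relay unreachable at boot).
Environment=AUTOSSH_GATETIME=0
# No -f: systemd needs the process in the foreground. -M 0 turns off autossh's
# own monitor ports; ServerAlive* makes ssh itself exit on a dead link, and
# ExitOnForwardFailure makes it exit if the relay still holds port 10022 from a
# stale session, so autossh (and Restart=) get to try again.
ExecStart=/usr/bin/autossh -M 0 -N \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile=/home/tunnel/.ssh/known_hosts \
    -o IdentityFile=/home/tunnel/.ssh/id_ed25519 \
    -o IdentitiesOnly=yes \
    -o PasswordAuthentication=no \
    -o ServerAliveInterval=60 \
    -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes \
    -R 1.1.1.1:10022:localhost:22 relayserver_user@1.1.1.1
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# relay_authorized_keys_line PUBKEY
# Print the authorized_keys entry to install for relayserver_user on the relay.
# "restrict" removes pty, agent/X11 forwarding and all port forwarding; only
# port forwarding is re-enabled, and permitlisten limits -R to this one endpoint.
# The forced command means an interactive login with this key gets no shell.
relay_authorized_keys_line() {
    printf 'command="/bin/false",restrict,port-forwarding,permitlisten="1.1.1.1:10022" %s\n' "$1"
}
```

Seed known_hosts by copying the relay's host key fingerprint from the relay's console (not with ssh-keyscan over the network, which trusts whatever answers first), and after enabling the unit run the netstat or ss check from the previous section on the relay to confirm the endpoint came back.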
That's all on how to use SSH to access a Linux server behind a firewall. Thank you for reading.