2025-01-19 Update From: SLTechnology News&Howtos (shulou)
Shulou(Shulou.com)06/03 Report--
This chapter's environment: two VM virtual machines, one used as the server and one as the client. Purpose: to understand sshd remote login management, key pair authentication, and TCP Wrappers access control.

I. SSHD remote login

1. Check the sshd service

[root@localhost ~]# netstat -ntap | grep 22
tcp   0   0 192.168.122.1:53       0.0.0.0:*           LISTEN      3252/dnsm
tcp   0   0 0.0.0.0:22             0.0.0.0:*           LISTEN      968/sshd        // sshd is on by default
tcp   0   0 127.0.0.1:6010         0.0.0.0:*           LISTEN      16227/sshd: root@pt
tcp   0   0 192.168.17.128:49342   180.97.251.226:...  TIME_WAIT

2. Understand the sshd server configuration file
[root@localhost ~]# vim /etc/ssh/sshd_config    // sshd configuration file on the server side
#Port 22                     // port
#AddressFamily any
#ListenAddress 0.0.0.0       // listening address
#ListenAddress ::            // IPv6 address
#LoginGraceTime 2m           // 2 minute login grace time
#PermitRootLogin yes         // allow root to log in
#StrictModes yes             // strict permission checks on the user's files
#MaxAuthTries 6              // maximum authentication attempts per connection
#MaxSessions 10              // maximum number of sessions, 10
#PubkeyAuthentication yes    // public key authentication is on

3. Use the client to log in to the server remotely as the root user

[root@test02 ~]# ssh root@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
root@192.168.17.128's password:
Last login: Mon Sep 16 12:07:36 2019

4. Turn off remote login for the root user on the server

#LoginGraceTime 2m
PermitRootLogin no           // prohibit root from logging in remotely
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

5. Go to the client and verify whether root can still log in

[root@test02 ~]# ssh root@192.168.17.128
root@192.168.17.128's password:
Permission denied, please try again.
root@192.168.17.128's password:

6. The client logs in as the ordinary user lisi and then switches to root with su (unsafe)

[root@test02 ~]# ssh lisi@192.168.17.128
lisi@192.168.17.128's password:
[lisi@test01 ~]$ su - root
Password:
Last failed login: Mon Sep 16 12:17:31 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
Last login: Mon Sep 16 12:25:59 CST 2019 on pts/2
[root@test01 ~]#

7. Enable the PAM restriction on the server: open /etc/pam.d/su and remove the "#" in front of the pam_wheel line

[root@test01 ~]# vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid     // remove the leading "#"
auth            substack        system-auth
auth            include         postlogin

8. Then go to the client to verify

[lisi@test01 ~]$ su - root
Password:
su: Permission denied

9. When the client types a wrong password three times it is returned to its own prompt, although what we set on the server is 6 attempts

[root@test02 ~]# ssh chen@192.168.17.128
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
[root@test02 ~]#

10. On the client, switch to root and set the number of password prompts to 8

[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 chen@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]#

11. Set the blacklist and whitelist for SSH remote login

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
AllowUsers chen@192.168.17.130    // only allow chen to log in, and only from the address 192.168.17.130
[root@test01 ~]# systemctl restart sshd

12. Learn about three kinds of remote management

scp        remote copy
sftp get   download files from the remote host
sftp put   upload files to the remote host

II. Key pair authentication login

1. Enable public/private key authentication login on the server
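The settings changed in steps 4 to 11 are easy to get wrong in a way that is invisible from the editor: sshd honours only the first uncommented occurrence of a keyword, a line that still carries its "#" changes nothing, and the pam_wheel line in /etc/pam.d/su is only effective once it is uncommented. The script below is an added example, not part of the original tutorial, that reads copies of sshd_config and pam.d/su and reports the value sshd will actually use for PermitRootLogin, MaxAuthTries and AllowUsers, plus whether su is restricted to the wheel group. The sample files it builds are constructed for the demonstration; the keywords and the pam_wheel line are the ones from the page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the login hardening
# from steps 4-11 against copies of sshd_config and /etc/pam.d/su.
# sshd uses the FIRST uncommented occurrence of a keyword, so a hardened line
# placed below a live "PermitRootLogin yes" is ignored; report the real value.

# Effective value of KEYWORD in FILE: first uncommented match, empty if unset.
sshd_effective() {                      # usage: sshd_effective KEYWORD FILE
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# One finding per line: OK or WARN, the keyword and its effective value.
sshd_audit() {                          # usage: sshd_audit SSHD_CONFIG
    f=$1
    v=$(sshd_effective PermitRootLogin "$f")
    case $v in
        no|prohibit-password|without-password) echo "OK   PermitRootLogin $v" ;;
        "") echo "WARN PermitRootLogin unset (compiled-in default applies; confirm with sshd -T)" ;;
        *)  echo "WARN PermitRootLogin $v" ;;
    esac
    v=$(sshd_effective MaxAuthTries "$f")
    if [ -n "$v" ] && [ "$v" -le 6 ]; then echo "OK   MaxAuthTries $v"
    else echo "WARN MaxAuthTries ${v:-unset}"; fi
    v=$(sshd_effective AllowUsers "$f")
    if [ -n "$v" ]; then echo "OK   AllowUsers $v"
    else echo "WARN AllowUsers unset (every local account may log in)"; fi
}

# True when the pam_wheel line of a pam.d/su file is active (step 7).
su_pam_wheel_enabled() {                # usage: su_pam_wheel_enabled PAM_SU_FILE
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# --- constructed sample files (hypothetical contents, not from a real host) ---
WORK=$(mktemp -d)
cat > "$WORK/sshd_config.before" <<'EOF'
#PermitRootLogin yes
#MaxAuthTries 6
EOF
# The duplicate PermitRootLogin at the end is deliberately ignored by sshd.
cat > "$WORK/sshd_config.after" <<'EOF'
PermitRootLogin no
MaxAuthTries 6
AllowUsers chen@192.168.17.130
PermitRootLogin yes
EOF
cat > "$WORK/pam_su.before" <<'EOF'
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
cat > "$WORK/pam_su.after" <<'EOF'
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
EOF

for f in before after; do
    echo "== sshd_config.$f =="; sshd_audit "$WORK/sshd_config.$f"
    if su_pam_wheel_enabled "$WORK/pam_su.$f"; then echo "OK   su restricted to the wheel group"
    else echo "WARN any user may su to root (pam_wheel line commented out)"; fi
done
```

Point the two audit functions at the live files (/etc/ssh/sshd_config and /etc/pam.d/su) to check a real server, and compare the result with `sshd -T`, which prints the configuration sshd has actually loaded.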
[root@localhost ~]# vim /etc/ssh/sshd_config    // sshd configuration file on the server side
PubkeyAuthentication yes     // remove the "#" to enable public/private key authentication login

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys    // public keys accepted for login are kept in this file

2. Generate a key pair for the chen user on the client

[root@client ~]# ls /home/chen
[root@client ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|   (randomart)   |
+----[SHA256]-----+

3. Check the public and private key directory

[root@client ~]# ls -a
.   ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .cache  .config  .cshrc  .dbus  .esd_auth
.ICEauthority  .lesshst  .local  .mozilla  .ssh  .tcshrc  .viminfo  .Xauthority  .1234.txt.swp  .anaconda-ks.cfg.swp
abc  abc.txt  anaconda-ks.cfg  chen  Desktop  Documents  Downloads  initial-setup-ks.cfg  lshelp1.txt  Music
Pictures  Public  Templates  test  Videos
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa  id_ecdsa.pub  known_hosts

4. Send chen's public key to the server's public key directory

[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
chen@192.168.17.128's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'chen@192.168.17.128'"
and check to make sure that only the key(s) you wanted were added.

5. Go to the server and check whether the chen user's public key has arrived

[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h2tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6. The client logs in remotely with key pair authentication

[root@client .ssh]# ssh chen@192.168.17.128
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Sat Aug 10 00:32:52 2019

7. Non-interactive login: cache the key's passphrase in ssh-agent so it is not asked for again

[chen@localhost ~]$ exit
logout
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash     // start a bash environment with an agent
[root@client .ssh]# ssh-add            // add the passphrase of our key pair to the agent
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh chen@192.168.17.128
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$

III. TCP Wrappers access control
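An authorized_keys entry like the one shown in step 5 has the shape "<type> <base64 blob> [comment]", and the blob itself begins with a length-prefixed copy of the type string, so the two can be cross-checked: a mismatch means the line was corrupted or hand-edited. The script below is an added example, not part of the original tutorial or of OpenSSH, that checks each entry of an authorized_keys file that way, flags DSA keys, and then checks the permissions that StrictModes (step 2) requires before sshd will use the file. The key blobs it builds are constructed with a dummy payload for the demonstration and are not real keys; it assumes GNU coreutils (`base64 -d`, `stat -c`).

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check an authorized_keys
# file of the kind ssh-copy-id creates in steps 4-5. Sample keys are constructed.

# Type string embedded at the start of a public key blob (4-byte length + text).
blob_type() {                           # usage: blob_type BASE64
    raw=$(mktemp)
    printf '%s' "$1" | base64 -d > "$raw" 2>/dev/null || { rm -f "$raw"; return 1; }
    set -- $(od -An -tu1 -N4 "$raw")    # the four big-endian length bytes
    [ $# -eq 4 ] || { rm -f "$raw"; return 1; }
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    tail -c +5 "$raw" | head -c "$len"
    rm -f "$raw"
}

# One result per entry: "OK <type> <comment>" or "BAD <reason>".
check_authorized_keys() {               # usage: check_authorized_keys FILE
    while read -r f1 f2 f3 rest; do
        case $f1 in ''|'#'*) continue ;; esac
        # Entries may start with options, e.g. from="192.168.17.130",no-pty ...
        case $f1 in
            ssh-*|ecdsa-*|sk-*) typ=$f1; b64=$f2; cmt=${f3}${rest:+ $rest} ;;
            *)                  typ=$f2; b64=$f3; cmt=$rest ;;
        esac
        embedded=$(blob_type "$b64") || { echo "BAD undecodable blob for $typ"; continue; }
        if [ "$embedded" != "$typ" ]; then
            echo "BAD declared $typ but blob says ${embedded:-?}"
        elif [ "$typ" = ssh-dss ]; then
            echo "BAD $typ is DSA, disabled by default in current OpenSSH"
        else
            echo "OK  $typ $cmt"
        fi
    done < "$1"
}

# StrictModes rejects the file when it or ~/.ssh is writable by others;
# 700 and 600 are what ssh-copy-id creates, so anything else is reported.
check_perms() {                         # usage: check_perms SSH_DIR
    d=$1; ok=0
    [ "$(stat -c %a "$d")" = 700 ] || { echo "WARN $d mode $(stat -c %a "$d"), expected 700"; ok=1; }
    [ "$(stat -c %a "$d/authorized_keys")" = 600 ] ||
        { echo "WARN authorized_keys mode $(stat -c %a "$d/authorized_keys"), expected 600"; ok=1; }
    return $ok
}

# Build a syntactically valid blob for TYPE with a dummy 32-byte payload (NOT a real key).
fake_blob() {                           # usage: fake_blob TYPE
    { printf '\000\000\000'; printf "\\$(printf '%03o' ${#1})"; printf '%s' "$1"
      printf '\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n'
}

# --- constructed sample ~/.ssh directory ---
WORK=$(mktemp -d); mkdir -m 700 "$WORK/.ssh"
{
    echo "ssh-ed25519 $(fake_blob ssh-ed25519) chen@client"
    echo "ecdsa-sha2-nistp256 $(fake_blob ssh-rsa) tampered@example"      # type mismatch
    echo "no-pty,from=\"192.168.17.130\" ssh-rsa $(fake_blob ssh-rsa) restricted"
} > "$WORK/.ssh/authorized_keys"
chmod 600 "$WORK/.ssh/authorized_keys"

check_authorized_keys "$WORK/.ssh/authorized_keys"
check_perms "$WORK/.ssh"
```

On a real server run `check_authorized_keys /home/chen/.ssh/authorized_keys` and `check_perms /home/chen/.ssh`; a key that sshd silently refuses because of StrictModes shows up in /var/log/secure as a "bad ownership or modes" message, which the permission check catches beforehand.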
Access control policy:
First check hosts.allow; if a match is found, access is allowed.
Otherwise check hosts.deny; if a match is found there, access is denied.
If neither file contains a matching policy, access is allowed by default.
1. Set access control on the server

[root@localhost ~]# vim /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.130    // add the one address that is allowed access

[root@localhost ~]# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.17.128

That's all for this chapter.
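The three-step policy above (hosts.allow, then hosts.deny, then allow by default) is worth trying against a rule set before it goes on a server, because the default-allow step means the deny file shown here only blocks the one host it names. The script below is an added example, not part of the original tutorial or of the tcp_wrappers library, that emulates that decision order for the common rule shape "daemon_list : client_list" with ALL, exact addresses and dotted network prefixes such as "192.168.17."; the EXCEPT operator, hostname lookups and rule options are not emulated. It goes one step beyond the page by also evaluating a stricter hosts.deny containing "sshd:ALL", so the difference is visible. All files it reads are constructed copies written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): emulate the TCP Wrappers
# decision order for copies of hosts.allow and hosts.deny.

# Does one comma-separated list (daemons or clients) match VALUE?
list_matches() {                        # usage: list_matches LIST VALUE
    val=$2; old_ifs=$IFS; IFS=','
    for pat in $1; do
        IFS=$old_ifs
        pat=$(printf '%s' "$pat" | tr -d ' \t')
        case $pat in
            ALL)     return 0 ;;                                   # wildcard
            *.)      case $val in "$pat"*) return 0 ;; esac ;;     # network prefix, e.g. 192.168.17.
            "$val")  return 0 ;;                                   # exact match
        esac
    done
    IFS=$old_ifs
    return 1
}

# Status 0 when some "daemon_list : client_list" rule in FILE matches.
rule_matches() {                        # usage: rule_matches FILE DAEMON CLIENT_IP
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip comments
        case $line in *:*) ;; *) continue ;; esac # skip blank/non-rule lines
        daemons=${line%%:*}; clients=${line#*:}
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# The three-step policy from the text; prints "allow" or "deny".
tcpw_decide() {                         # usage: tcpw_decide HOSTS_ALLOW HOSTS_DENY DAEMON CLIENT_IP
    if   rule_matches "$1" "$3" "$4"; then echo allow    # 1. hosts.allow matched
    elif rule_matches "$2" "$3" "$4"; then echo deny     # 2. hosts.deny matched
    else echo allow; fi                                  # 3. no rule: allowed by default
}

# --- constructed copies of the files from the text, plus a stricter deny file ---
WORK=$(mktemp -d)
printf 'sshd:192.168.17.130\n' > "$WORK/hosts.allow"
printf 'sshd:192.168.17.128\n' > "$WORK/hosts.deny"
printf 'sshd:ALL\n'            > "$WORK/hosts.deny.strict"

for ip in 192.168.17.130 192.168.17.128 10.0.0.5; do
    printf 'sshd from %-15s  page deny file: %-5s  sshd:ALL deny file: %s\n' "$ip" \
        "$(tcpw_decide "$WORK/hosts.allow" "$WORK/hosts.deny" sshd "$ip")" \
        "$(tcpw_decide "$WORK/hosts.allow" "$WORK/hosts.deny.strict" sshd "$ip")"
done
```

With the page's files, sshd from 10.0.0.5 is allowed because no rule matches it; only the "sshd:ALL" deny file turns the whitelist in hosts.allow into a real restriction. The rules only apply to services linked against libwrap, which can be confirmed with `ldd $(which sshd) | grep libwrap`.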