SSH remote Management and TCP Wrappers Control

2025-03-29 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/03 Report--

I. SSH protocol and configuration files

1. SSH service configuration:

- Service name: sshd
- Server main program: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config

II. Service listening options:

- Port number, protocol version, listening IP address
- Disabling reverse DNS resolution

III. User login control:

- Forbid root login and users with empty passwords
- Login time limit, number of retries
- AllowUsers, DenyUsers (added manually to the configuration file)

IV. SSH service experiment analysis:

1. By default, other terminals can use SSH to log in to the server as root for maintenance.

2. Prohibit other terminals from logging in to the server as root over SSH.

(1) Execute the "vim /etc/ssh/sshd_config" command to open the configuration file of the SSH server.

(2) Delete the "#" symbol at the beginning of the "PermitRootLogin" line and change "yes" to "no".

(3) Execute the "systemctl restart sshd" command to restart the SSH service.

(4) The terminal will no longer be able to log in as root.

(5) However, the terminal can still log in as another user as a springboard and then use the su command to switch to root.

(6) We can enable the PAM wheel restriction: execute the "vim /etc/pam.d/su" command to open the PAM configuration file for su.

(7) Delete the "#" symbol at the beginning of line 6 of the configuration file (the pam_wheel.so line) to turn on PAM authentication for su.

(8) Running the id command shows that the czt user belongs to the wheel group checked by PAM, while the lisi user does not.

(9) The lisi user, who is not in the wheel group, cannot switch to root, while the czt user, who is in the wheel group, can.

3. We can limit the number of authentication attempts to slow down password guessing.

(1) Execute the "vim /etc/ssh/sshd_config" command to open the configuration file of the SSH server.

(2) Remove the "#" symbol at the beginning of "MaxAuthTries 6" to enable the limit on authentication attempts.

(3) Execute the "systemctl restart sshd" command to restart the SSH service.

(4) By default, the client prompts for the password only three times before the connection is closed.

(5) We can add a parameter when logging in: "ssh -o NumberOfPasswordPrompts=8 lisi@192.168.174.151". The password can then be entered repeatedly up to the server's limit, and the connection is closed automatically after six wrong attempts.

4. It is recommended to set a login whitelist with AllowUsers.

(1) Execute the "vim /etc/ssh/sshd_config" command to open the configuration file of the SSH server.

(2) Add the line "AllowUsers zhaoliu" on a blank line. Only the zhaoliu user can then log in.

(3) Execute the "systemctl restart sshd" command to restart the SSH service.

(4) Other users cannot log in to the server; only the zhaoliu user can.

V. SSH key pair login verification

1. Execute the "vim /etc/ssh/sshd_config" command to open the configuration file of the SSH server.

2. Delete the "#" symbol before "PubkeyAuthentication yes" to turn on key pair verification.

3. Execute the "systemctl restart sshd" command on the server to restart the SSH service.

4. Execute the "ssh-keygen -t ecdsa" command on the client side to create a key pair; press Enter to keep the default path, then enter a passphrase for the key pair to get an encrypted private key.

5. Execute the "cd .ssh/" command on the client side to enter the hidden directory, which contains the "id_ecdsa" private key file and the "id_ecdsa.pub" public key file.

6. Execute the "ssh-copy-id -i id_ecdsa.pub czt@192.168.174.151" command to push the public key file to the server.

7. Execute the "cd .ssh/" command on the server side to enter the hidden directory and check that the public key for the czt user has been received.

8. The next time the client logs in, the key is verified and the key passphrase must be entered to log in successfully.

9. Since this still requires an interactive passphrase step, we can use the ssh-agent feature to avoid the interactive prompt (it is recommended not to use it on public devices).
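The settings changed in sections IV and V can be verified in one pass. The script below is an added example, not code from the original article: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, comments ignored) and reports PASS/FAIL for PermitRootLogin, MaxAuthTries, PubkeyAuthentication and AllowUsers. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# settings it changes. sshd takes the FIRST uncommented occurrence of a
# keyword and ignores later duplicates, so the audit reads the file that way.

# Constructed sample config for a stand-alone run, not a real server's file.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
PubkeyAuthentication yes
AllowUsers zhaoliu czt
PermitRootLogin yes
EOF

# sshd_effective FILE KEYWORD: print the value sshd would use, or "unset".
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == tolower(key) {          # keywords are case-insensitive
            $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }' "$1"
}

# check KEYWORD ACTUAL EXPECTED: print PASS/FAIL, return 1 on FAIL.
check() {
    if [ "$2" = "$3" ]; then echo "PASS $1 = $2"; return 0; fi
    echo "FAIL $1 = $2 (expected $3)"; return 1
}

# audit_sshd FILE: run every check, return 0 only if all of them pass.
audit_sshd() {
    rc=0
    check PermitRootLogin      "$(sshd_effective "$1" PermitRootLogin)"      no  || rc=1
    check PubkeyAuthentication "$(sshd_effective "$1" PubkeyAuthentication)" yes || rc=1
    # MaxAuthTries must be set explicitly and not raised above the shipped 6.
    tries=$(sshd_effective "$1" MaxAuthTries)
    if [ "$tries" != unset ] && [ "$tries" -le 6 ] 2>/dev/null; then
        echo "PASS MaxAuthTries = $tries"
    else echo "FAIL MaxAuthTries = $tries"; rc=1; fi
    # AllowUsers: a whitelist must exist, otherwise every account may log in.
    users=$(sshd_effective "$1" AllowUsers)
    if [ "$users" != unset ]; then echo "PASS AllowUsers = $users"
    else echo "FAIL AllowUsers unset"; rc=1; fi
    return $rc
}

audit_sshd "$SAMPLE_CONFIG"
```

Run it as `audit_sshd /etc/ssh/sshd_config` on a real host; note that a `Match` block can override these values for specific users, which this simple reader does not model.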

VI. SFTP service

1. We can execute the "sftp root@192.168.174.151" command to log in to the server's home directory.

2. On the server side, we can execute the touch command to create files.

3. The client can securely download files from the server with the "get" command.

4. The client can also securely upload files to the server with the "put" command.

VII. TCP Wrappers control

1. Configuration files of the access control policy:

- /etc/hosts.allow
- /etc/hosts.deny

2. Setting the access control policy:

- Policy format: service list: client address list
- Service list: multiple services are separated by commas, and ALL represents all services

3. The order in which the policies are applied:

- hosts.allow is checked first; if a match is found, access is allowed.
- Otherwise hosts.deny is checked; if a match is found there, access is denied.
- If neither file contains a matching policy, access is allowed by default.

4. Experimental analysis:

(1) Execute the "vim /etc/hosts.allow" command on the server side to open the whitelist configuration file.

(2) Write "sshd:192.168.174.110" in the whitelist configuration file so that only the host with this IP address is allowed to log in.

(3) Execute the "vim /etc/hosts.deny" command to open the blacklist configuration file.

(4) Write "sshd:ALL" in the blacklist configuration file to deny logins from all other IP addresses.

(5) Now no terminal can log in except the one with IP address "192.168.174.110".

(6) Execute the "vim /etc/hosts.allow" command on the server side to open the whitelist configuration file again.

(7) Leave the whitelist empty and write only "sshd:192.168.174.110" in the blacklist configuration file. Only the host with this IP address is then denied login; hosts with other IP addresses can log in.

(8) All hosts can log in except the terminal with IP address "192.168.174.110".
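The evaluation order above (hosts.allow first, then hosts.deny, default allow) and both experiments can be reproduced without touching a live sshd. The script below is an added example, not part of the original article: it models the subset of the hosts_access syntax the article uses (comma-separated daemon and client lists, ALL, exact addresses, and a trailing-dot network prefix such as "192.168.174."). The function names and the rule files are constructed; client addresses other than 192.168.174.110 are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: a simplified model of the
# TCP Wrappers decision (hosts.allow first, then hosts.deny, default allow)
# covering the syntax the article uses: "daemon_list : client_list" with
# comma-separated entries, ALL, exact addresses and "192.168.174." prefixes.
# Real tcpd also understands EXCEPT, hostnames, netmasks and options.

# list_matches LIST VALUE: 0 if any comma-separated item in LIST covers VALUE.
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            ALL) return 0 ;;
            *.) case $2 in "$item"*) return 0 ;; esac ;;   # network prefix
            "$2") return 0 ;;
        esac
    done
    return 1
}

# tcpw_match FILE DAEMON CLIENT: 0 if some rule in FILE matches both fields.
tcpw_match() {
    [ -f "$1" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    { while IFS=: read -r dlist clist _rest; do
          list_matches "$dlist" "$2" && list_matches "$clist" "$3" && exit 0
      done; exit 1; }
}

# tcpw_decide ALLOWFILE DENYFILE DAEMON CLIENT: prints "allow" or "deny".
tcpw_decide() {
    if tcpw_match "$1" "$3" "$4"; then echo allow        # hosts.allow wins
    elif tcpw_match "$2" "$3" "$4"; then echo deny       # then hosts.deny
    else echo allow; fi                                  # no rule: allowed
}

# Constructed rule files reproducing the article's two experiments.
WORK=$(mktemp -d)
printf 'sshd: 192.168.174.110\n' > "$WORK/allow1"
printf 'sshd: ALL\n'             > "$WORK/deny1"
: > "$WORK/allow2"                                       # empty whitelist
printf 'sshd: 192.168.174.110\n' > "$WORK/deny2"

tcpw_decide "$WORK/allow1" "$WORK/deny1" sshd 192.168.174.110   # allow
tcpw_decide "$WORK/allow1" "$WORK/deny1" sshd 192.168.174.120   # deny
tcpw_decide "$WORK/allow2" "$WORK/deny2" sshd 192.168.174.110   # deny
tcpw_decide "$WORK/allow2" "$WORK/deny2" sshd 192.168.174.120   # allow
```

These files only take effect if the sshd binary is linked against libwrap; OpenSSH removed built-in TCP Wrappers support in 6.7 and some distributions patched it back in, so confirm with `ldd "$(command -v sshd)" | grep libwrap` before relying on them.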
