Encryption, gpg encryption, ssh forwarding, openssl,pam topic

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

1. Open the sshd and vsftpd services bound to only one of the two local IP addresses (172.16.0.X) to all hosts in the 172.16.0.0/16 network except the hosts in the 172.16.0.0/24 network, but allow 172.16.0.200; every user visit must be recorded in a log file. Note: X is the student number.

/etc/hosts.allow:

sshd,vsftpd: 172.16.0.0/16 EXCEPT 172.16.0.0/24 EXCEPT 172.16.0.200: spawn echo `date` login >> /var/log/ssh.log

/etc/hosts.deny:

sshd,vsftpd: ALL

2. Write the script /root/bin/checkip.sh and run it every 5 minutes; if a remote IP has failed to log in through ssh more than 10 times, automatically put it on the TCP Wrapper blacklist.

[root@localhost ~]# echo '*/5 * * * * /data/checkip.awk /var/log/secure' >> /var/spool/cron/root
[root@localhost ~]# cat /data/checkip.awk
#!/bin/awk -f
# count sshd "Failed password" lines per source IP; the IP is the fourth field from the end
/sshd.*Failed password/ { ips[$(NF-3)]++ }
# append (not overwrite) a deny rule for every IP over the limit, so the existing ALL rule in hosts.deny is kept
END { for (i in ips) { if (ips[i] > 10) { cmd = "echo sshd:" i " >> /etc/hosts.deny"; system(cmd) } } }

3. gpg encryption and decryption:
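A fuller version of the blacklist check, added here as an example and not the post's own checkip.awk: it keeps the same "Failed password" counting but only appends an IP that is not already in hosts.deny, so the 5-minute cron job does not grow the file with duplicate rules. The log lines are constructed samples in the standard /var/log/secure format.

```shell
#!/bin/sh
# Added example (not the post's /data/checkip.awk): count failed sshd password logins
# per source IP and append "sshd: <IP>" to a hosts.deny file, skipping IPs that are
# already listed so a 5-minute cron run does not keep re-adding the same rule.
# Assumed log format (constructed sample below): the usual
# "sshd[PID]: Failed password for <user> from <IP> port <N> ssh2" lines of /var/log/secure.

# Print "<count> <ip>" for every IP with more than $2 failures in log file $1.
failed_ips_over() {
    awk -v limit="$2" '
        /sshd.*Failed password/ { ips[$(NF-3)]++ }          # IP is 4th field from the end
        END { for (ip in ips) if (ips[ip] > limit) print ips[ip], ip }
    ' "$1"
}

# Append a deny rule for each offender in log $1 to hosts.deny file $2 (threshold $3).
# Prints the number of rules newly added.
block_failed_ips() {
    added=0
    for ip in $(failed_ips_over "$1" "$3" | awk '{ print $2 }'); do
        if grep -qxF "sshd: $ip" "$2" 2>/dev/null; then
            continue                                     # already blacklisted earlier
        fi
        echo "sshd: $ip" >> "$2"
        added=$((added + 1))
    done
    echo "$added"
}

# Demo on a constructed log: two failures from 10.0.0.5, one from 10.0.0.6, threshold 1.
demo=$(mktemp -d)
cat > "$demo/secure" <<'EOF'
Jun  2 10:00:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 51234 ssh2
Jun  2 10:00:05 host sshd[1234]: Failed password for root from 10.0.0.5 port 51236 ssh2
Jun  2 10:00:09 host sshd[1235]: Failed password for invalid user bob from 10.0.0.6 port 51240 ssh2
Jun  2 10:01:00 host sshd[1236]: Accepted publickey for admin from 10.0.0.7 port 51250 ssh2
EOF
echo "new rules: $(block_failed_ips "$demo/secure" "$demo/hosts.deny" 1)"   # new rules: 1
cat "$demo/hosts.deny"                                                      # sshd: 10.0.0.5
```

Running it a second time against the same log prints "new rules: 0", which is the behaviour the cron version lacks.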

Interactive encryption: a dialog box pops up asking for the passphrase

[root@localhost ~]# gpg -c virtual_machine_reset_5.sh

Interactive decryption:

gpg -d virtual_machine_reset_5.sh.gpg

Non-interactive:

[root@localhost tmp]# echo "cX0BCoWt1+qq9ZeKYCXTtxMQeiI" | gpg -c --no-tty --batch --passphrase-fd 0 virtual_machine_reset_5.sh
[root@localhost tmp]# gpg --batch --passphrase cX0BCoWt1+qq9ZeKYCXTtxMQeiI virtual_machine_reset_5.sh.gpg

Check the gpg version: gpg -h

The gpg on CentOS 7 is 2.0.22 and the gpg on Ubuntu 18.04 is 2.2.4.
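The version difference matters for the non-interactive commands above. The round trip below is an added example, not code from the post: it runs the same --batch --passphrase-fd 0 style encryption and decryption in a throwaway GNUPGHOME and adds --pinentry-mode loopback only when the installed gpg is 2.1 or newer, since gpg 2.0 does not know that option. The file contents and passphrase are the ones used as examples in the post.

```shell
#!/bin/sh
# Added example (not code from the original post): non-interactive gpg symmetric
# encryption and decryption in an isolated GNUPGHOME. gpg 2.0 (CentOS 7) accepts a
# batch passphrase directly; gpg 2.1+ (Ubuntu 18.04 has 2.2.4) only does so with
# --pinentry-mode loopback, so that option is added only when the version needs it.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME

# Print "--pinentry-mode loopback" when the installed gpg is 2.1 or newer.
gpg_batch_opts() {
    if gpg --version | head -n 1 | grep -Eq ' (2\.[1-9]|[3-9]\.)'; then
        printf '%s' '--pinentry-mode loopback'
    fi
}

# Encrypt file $1 to $1.gpg; passphrase $2 is fed to gpg on fd 0 instead of gpg's argv,
# so it does not show up in the process list.
gpg_enc() {
    printf '%s' "$2" | gpg --batch --yes --no-tty $(gpg_batch_opts) \
        --passphrase-fd 0 -o "$1.gpg" -c "$1"
}

# Decrypt the .gpg file $1 to stdout with passphrase $2.
gpg_dec() {
    printf '%s' "$2" | gpg --batch --quiet --no-tty $(gpg_batch_opts) \
        --passphrase-fd 0 -d "$1"
}

# Demo with a constructed file and the passphrase used in the post.
demo=$(mktemp)
printf 'echo reset\n' > "$demo"
gpg_enc "$demo" 'cX0BCoWt1+qq9ZeKYCXTtxMQeiI'
gpg_dec "$demo.gpg" 'cX0BCoWt1+qq9ZeKYCXTtxMQeiI'
```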

4. Non-interactive key generation:

[root@localhost tmp]# ssh-keygen -f ~/.ssh/id_rsa -P '' -C 'admin'

5. ssh_config: change the port number (Port 2222) and add a host entry:

[root@localhost tmp]# tail -5 /etc/ssh/ssh_config
Host testbox
    HostName 192.168.38.146
    User root
    Port 2222
    IdentityFile ~/.ssh/id_rsa

With this entry, "ssh testbox" connects directly. The default port is 22; the ssh command options follow.

6. ProxyCommand

-q quiet mode: most warning messages are not output.
-W host:port requests that standard input and output on the client be forwarded to host:port through the secure tunnel; it implies -N, -T, ExitOnForwardFailure and ClearAllForwardings.
-T forbids the allocation of a pseudo-terminal to ssh.
-N explicitly indicates that no remote command is executed; it is useful for port forwarding only.

# ProxyCommand ssh -q -W %h:%p gateway.example.com is used as a springboard (jump host)

ssh acting as a springboard:

7. Local port forwarding: ssh -L [local_bind_addr:]local_port:remote:remote_port middle_host

root@host3:~# ssh -L 2222:192.168.38.154:80 192.168.10.134 -fNg

With this magic command, you can now reach 192.168.38.154:80 by visiting 192.168.10.135:2222.

The "-L" option indicates local port forwarding, which works as follows: host3 (192.168.10.135) listens on port 2222 and maps 192.168.38.154:80 to its local port 2222; when someone accesses 192.168.10.135:2222, the local ssh forwards the packets on this port through the tunnel to 192.168.10.134, which forwards them on to 192.168.38.154:80.

One more: ssh -L 2222:127.0.0.1:80 127.0.0.1 -fNg

After the command is executed, the traffic from local port 2222 is forwarded to local port 80.

You can see that even after the command is executed, what is accessed is still a port on the local IP, which is why it is called local forwarding.

8. Remote port forwarding

Remote port forwarding indicates that data from the remote port is forwarded locally.

This is awesome! If I forward the remote port to the local server, I can connect to the remote port and connect to the local server.

See below. Remote port forwarding uses -R. Note that the public-network server needs GatewayPorts enabled.

[root@hk-server]# sed -i '$a GatewayPorts yes' /etc/ssh/sshd_config && systemctl restart sshd   # this must be turned on, or the forwarded port only listens on 127.0.0.1
[root@192-168-38-140]# ssh -R 2222:192.168.38.154:22 47.75.136.95 -fNg

It works as follows: 192.168.38.140 opens an ssh connection to 47.75.136.95 and sets up a socket listening on port 2222 on 47.75.136.95, which is the mapping of 192.168.38.154:22; when a host connects to 47.75.136.95:2222, all data in that connection is forwarded through the secure tunnel to 192.168.38.154:22.

In this way, the blog sites built in the intranet can be mapped out, and then they can be accessed through the public network.

One more: ssh -R 12345:127.0.0.1:22 47.75.136.95 -fNg

[root@192-168-38-140]# ssh -R 12345:127.0.0.1:22 root@47.75.136.95 -fNg

This forwards the request to yourself: after the command is executed, the local host 192.168.38.140 can be reached through 47.75.136.95:12345.

9. Dynamic port forwarding (SOCKS proxy)

ssh -D [bind_addr:]port remote

ssh supports dynamic port forwarding: ssh determines which application-layer protocol the tool that initiates the request uses, and then determines the target port from that protocol.

This can be used to let an intranet server that cannot reach the Internet get out:

# ssh -D 1080 127.0.0.1 -fNg

Then, on the 192.168.10.135 machine, set the Firefox proxy to the SOCKS proxy 192.168.10.134:1080.

In about:config set network.proxy.socks_remote_dns to true to turn on remote DNS.

How it works: I am 192.168.38.140 and I listen on port 1080 locally; everyone can send their data to my port 1080, and I then forward that data dynamically through the ssh tunnel.

10. sshd_config options that are often changed, for optimization:

UseDNS no                  # disable DNS lookups, fixes slow connections
GSSAPIAuthentication no    # do not enable GSSAPI authentication, fixes slow connections
Port 9527                  # change the default port number
PermitRootLogin no         # do not allow root login
PermitEmptyPasswords no    # disable empty-password login

For the use of ssh_config, write commonly used hosts into ssh_config or ~/.ssh/config, for example:

Host testbox
    HostName 192.168.38.146
    User root
    Port 2222
    IdentityFile ~/.ssh/id_rsa

ssh-agent key management

Private keys are usually encrypted in a production environment, so every connection asks for the passphrase, which is tedious; and when there are several private keys, letting ssh-agent manage all of them means you do not have to specify one each time.

Start ssh-agent

ssh-agent

Add the private key to ssh-agent for management

ssh-add ~/.ssh/id_rsa

List the keys managed by ssh-agent

ssh-add -L

Note

If ssh-add fails with the prompt "Could not open a connection to your authentication agent", execute "ssh-agent bash" and try again.

There is another case: when host A needs to go through host B to reach host C, we might have to keep the private key on B; but with the agent forwarding feature of ssh-agent, host A can log in to B and then to C without saving the private key on B.

11. PAM module: Google Authenticator

For example, Google two-factor authentication is implemented through a PAM module.

How to: install google-authenticator from the EPEL source.

Apk: https://www.lanzous.com/i5yl8ad password: 6666

Several emergency scratch codes are kept in the hidden file in the home directory in case the phone is lost; you can add more codes to it yourself, and each is valid once.

Reference: http://dwz.win/j5v

12. PAM module learning

Take the pam_limits module as an example.

Look at the man page first.

NAME
    pam_limits - PAM module to limit resources

SYNOPSIS
    pam_limits.so [conf=/path/to/limits.conf] [debug] [set_all] [utmp_early] [noaudit]

DESCRIPTION
    The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of uid=0 are affected by this limits, too.

    By default limits are taken from the /etc/security/limits.conf config file. Then individual *.conf files from the /etc/security/limits.d/ directory are read. The files are parsed one after another in the order of "C" locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitly specified with a module option then the files in the above directory are not parsed.

* You can see that every user, even root, is affected by these limits, and that by default the files read are /etc/security/limits.conf and /etc/security/limits.d/*.conf.

Use ulimit -a to view all current resource limits:

[root@192-168-38-140 pam.d]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 1779
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1779
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

The default number of open files is too small and must be raised in production. Ubuntu 18.04 now ships with larger defaults; the limits.conf entries look like this:

* soft nofile 128000
* hard nofile 256000
root soft nofile 128000
root hard nofile 256000

One way to avoid fork bombs is to limit the number of processes per user, for example:

* soft nproc 1024
* hard nproc 1024

ulimit -n 2000 only takes effect temporarily, for the current shell; writing the limit to the file is recommended.

13. Self-signed certificate and CA generation

View the expiration time of the certificate:

# openssl x509 -in /etc/pki/tls/cert.pem -noout -dates | sed -nr 's/notAfter=//p'
Dec 31 09:37:37 2030 GMT
[root@192-168-38-140 ~]# openssl s_client -host www.taobao.com -port 443 -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -noout -text | sed -n 's/ *Not After : *//p'
Nov 13 07:36:08 2019 GMT
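Printing the date is only half of the check; what you usually want is whether the certificate still has enough days left. The functions below are an added example, not code from the post: they wrap the same openssl x509 and s_client calls and use openssl's -checkend option to turn "Not After" into a pass/fail against a threshold. Only the openssl binary is assumed; the host and port given to fetch_leaf_cert are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): check how long a certificate
# stays valid instead of only printing its notAfter date. Assumes only the openssl
# binary; the host/port passed to fetch_leaf_cert are placeholders for illustration.

# Print the notAfter date of PEM certificate file $1 (same value "-dates" shows).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 only if the certificate in $1 remains valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Save the leaf certificate that $1:$2 presents to file $3 (first cert in the chain,
# the same sed range as the post; openssl x509 reads only the first certificate).
fetch_leaf_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' \
        | openssl x509 -out "$3"
}

# Report certificate $1 against a warning threshold of $2 days; returns 1 when it is
# inside the threshold so the function can drive a cron job or monitoring check.
report_cert() {
    if cert_valid_for_days "$1" "$2"; then
        echo "OK: $1 expires $(cert_not_after "$1")"
    else
        echo "WARNING: $1 expires within $2 days ($(cert_not_after "$1"))"
        return 1
    fi
}

# Demo on a self-signed certificate generated on the fly (constructed, valid 30 days).
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/key.pem" -out "$demo/cert.pem" \
    -days 30 -subj '/CN=demo' >/dev/null 2>&1
report_cert "$demo/cert.pem" 14 || true
```

For a live server, fetch_leaf_cert www.example.com 443 /tmp/leaf.pem followed by report_cert /tmp/leaf.pem 30 gives the same check against the certificate the server actually presents.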
