Sshd Services and Service Management

2025-04-10 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

1. What is the sshd service?

The sshd service lets a client host start a shell on a server host over the network.

The client connects to the server through the network and controls it; in other words, the client opens a shell on the server.

2. Building the experimental environment

1 > Open the desktop and server virtual machines on the real (host) machine (to start from a clean environment, reset both virtual machines first).

2 > Configure an IP address on both hosts.

3 > Delete /root/.ssh/ in the shell of both hosts (delete the directory with rm -rf /root/.ssh, or delete only its contents with rm -rf /root/.ssh/*).

Note: the first time the client host connects to the server host, the known_hosts file is generated under this directory. To verify the effect of this experiment, clear this directory or delete the hidden directory directly.

Type ls -a in the home directory (lists all files, hidden and non-hidden) or l. (lists only hidden files).

4 > Change the two host names

On the client host (the desktop host) enter hostnamectl set-hostname client.hhh.com

On the server host enter hostnamectl set-hostname server.uuu.com

3. Using sshd (client connects to the server host)

1 > Connect in text mode

The client can use the text-mode shell of the server.

One host can connect to another host and operate that host's text mode.

Mode 1:

If the client connects to the server, the client can operate the server's text mode.

If the server connects to the client, the server can operate the client's text mode.

Format: ssh username@ip (you must enter the password of the host you are connecting to)

Note:

When you connect to an unknown host for the first time, an authentication record (the ~/.ssh/known_hosts file) has to be created, so you are asked whether to continue; enter yes.

When you connect to the same host again, you do not need to enter yes, because the ~/.ssh/known_hosts file has already been generated.

Mode 2:

(Text mode is on by default; use this mode if you want to open graphical programs)

Format: ssh -X username@ip

4. Remote copying

Note: all file paths are absolute.

1. Copy a file from one host to another

Format: scp file root@ip:dir

2. Download a remote file

Format: scp username@ip:file dir

Using rsync for transfer:

The difference between scp and rsync

scp is the equivalent of copy and paste: it overwrites whatever is already there, which is time-consuming and not smart. rsync also copies, but a file that already exists unchanged on the other side is skipped, and its algorithm is optimized. scp copies every file every time, whether or not the files were modified; rsync synchronizes all files the first time and afterwards synchronizes only the files that changed.

5. Passwordless (key-based) operation of the sshd service

1. Reason: if the client knows the IP address and password of the server host, it can control the server remotely. If any client knows the server's IP address and password and the storage path of the important files on it, it can copy those files, which is very insecure in a real enterprise.

2. Using keys and locks

Step 1: run ssh-keygen on the server to generate the key and the password. id_rsa is the key and id_rsa.pub is the lock.

After entering ssh-keygen on the server, press Enter three times; each prompt has a meaning:

1 > the first prompt is the storage path for the key (press Enter to accept the default path)

2 > the second prompt is the passphrase (press Enter to set none)

3 > the third prompt confirms the passphrase (press Enter to set none)

You can also pass parameters so that no prompts are shown:

Step 2: run ssh-copy-id -i /root/.ssh/id_rsa.pub username@ip on the server to install the lock on itself first, that is, lock the server side.

Step 3: run scp /root/.ssh/id_rsa username@ip:/root/.ssh/ on the server to pass the key to the client.

The directory /root/.ssh/ must already exist on the client; this is equivalent to an upload.

Note: if the client does not have /root/.ssh/, have the client connect to the server with a password once and the directory is regenerated.

Step 4: verify that the client can connect to the server without entering a password.
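As an added example (not from the original article), the script below performs the "install the lock" step of the procedure above locally, the way ssh-copy-id does it: the public key line is appended to authorized_keys exactly once, and the directory and file get the permissions sshd insists on (700 and 600; with StrictModes, sshd silently ignores keys in world-writable locations, which is the usual cause of "passwordless login still asks for a password"). Only the public key is ever written to the other side; the key-pair generation function is shown for completeness and uses ed25519 instead of the article's default RSA. The sample public key line and the temporary home directory are constructed for the demo and are not real credentials.

```sh
#!/bin/sh
# Added example (not from the original article): install a public key into a
# user's authorized_keys idempotently and with the permissions sshd requires.
# Requires GNU coreutils stat (-c %a) for the permission check.
set -eu

# install_pubkey PUBKEY_LINE HOMEDIR
# Appends PUBKEY_LINE to HOMEDIR/.ssh/authorized_keys unless it is already
# there, and fixes the permissions sshd's StrictModes check expects.
install_pubkey() {
  pubkey="$1"; home="$2"
  sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$auth"
  chmod 600 "$auth"
  # -x: whole-line match, -F: fixed string -> no duplicate entries, no regex surprises
  if ! grep -qxF "$pubkey" "$auth"; then
    printf '%s\n' "$pubkey" >> "$auth"
  fi
}

# count_keys HOMEDIR -> number of key lines in authorized_keys
count_keys() {
  grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# check_perms HOMEDIR -> exit 0 if .ssh is 700 and authorized_keys is 600
check_perms() {
  d="$1/.ssh"
  [ "$(stat -c %a "$d")" = 700 ] && [ "$(stat -c %a "$d/authorized_keys")" = 600 ]
}

# generate_key DIR -> creates DIR/id_ed25519 and DIR/id_ed25519.pub without
# prompting. -N '' sets an empty passphrase, matching the article's
# "press Enter" flow; interactive users should set a real one.
generate_key() {
  ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519"
}

# Constructed sample public key line (not a real key) for a stand-alone run.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx root@client.hhh.com'

# Stand-alone demo against a temporary home directory.
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"   # second call is a no-op
echo "keys installed: $(count_keys "$demo_home")"
check_perms "$demo_home" && echo "permissions OK"
rm -rf "$demo_home"
```

On a real server the same install_pubkey call is what ssh-copy-id performs over the ssh connection; if key login still prompts for a password afterwards, check_perms on the target user's home is the first thing to run.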

6. Security settings for sshd

1. Reason: the root account on the server has too much power, so letting clients use the server's root account is extremely insecure. To keep the ssh server secure, the server must not expose too many permissions and generally does not allow client hosts to use its superuser root.

2. Common security settings

1 > Line 78 of /etc/ssh/sshd_config

Whether any existing user on the server is allowed to authenticate to sshd with their system login password

2 > Line 48 of /etc/ssh/sshd_config

Whether the server's root user is allowed to use the sshd service

3 > Add AllowUsers student westos

Sets the whitelist of users who may use the sshd service (if the directive is not already in the file, add it; separate multiple users with spaces)

4 > Add DenyUsers westos

Sets the blacklist of users; users on this list are denied the sshd service

Note: systemctl restart sshd.service is required after the modification.

5 > Verify line 78: PasswordAuthentication yes | no

Whether any existing user on the server is allowed to authenticate to sshd with their system login password (the original way of entering a password on remote connection), that is, whether someone without a key may try logging in with a password. yes means passwords can be tried, no means they cannot, and a commented-out line is equivalent to no.

6 > Verify line 48: PermitRootLogin yes | no

Whether the server's root user is allowed to use the sshd service (whether clients can remotely connect to the server as the server's root user)

Forbid superuser login: restrict the superuser from logging in to ssh as root. The default is yes.

Note: we previously set up passwordless login for the superuser.

Therefore, cancel root's passwordless login before doing this experiment.

Delete the keys on both the client and the server, that is, rm -rf /root/.ssh/*

If root login is not allowed, the password prompt keeps reappearing and the login is refused.

Change the port: Port num sets the listening port.
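The directives above are easy to set and easy to get wrong, because sshd takes the first uncommented occurrence of a directive (case-insensitively) and ignores later duplicates, so a hardening line appended at the bottom of the file does nothing if an earlier line already sets the keyword. The following added example (not from the original article) is a small audit script: effective_value reproduces that first-match rule, and audit_sshd_config reports the PasswordAuthentication, PermitRootLogin and AllowUsers settings the article recommends. The two sample configuration files are constructed here; a directive that is only present as a comment is reported as unset because sshd then falls back to its built-in default.

```sh
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file for
# the settings discussed above, using sshd's own first-match, case-insensitive
# rule for directives.
set -eu

# effective_value FILE DIRECTIVE -> prints the first active value, or "unset"
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments and blanks
    tolower($1) == key { print $2; found = 1; exit }   # first match wins
    END { if (!found) print "unset" }
  ' "$1"
}

# audit_sshd_config FILE -> one finding per line (nothing printed when clean)
audit_sshd_config() {
  f="$1"
  v=$(effective_value "$f" PasswordAuthentication)
  [ "$v" = no ] || echo "PasswordAuthentication=$v: password logins (and password guessing) still possible; set it to no"
  v=$(effective_value "$f" PermitRootLogin)
  [ "$v" = no ] || echo "PermitRootLogin=$v: direct root login still possible; set it to no"
  v=$(effective_value "$f" AllowUsers)
  [ "$v" != unset ] || echo "AllowUsers unset: no user whitelist; add AllowUsers <user> ..."
}

# count_findings FILE -> number of findings as a plain integer
count_findings() {
  audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample files (not copied from any real host).
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: defaults left commented out, as on a fresh install
#PermitRootLogin yes
Port 22
PasswordAuthentication yes
# a later duplicate does NOT override the first occurrence
PasswordAuthentication no
EOF
cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: the directives recommended above, made explicit
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers student westos
DenyUsers westos
EOF

echo "weak config: $(count_findings "$WEAK_CONF") finding(s)"
audit_sshd_config "$WEAK_CONF"
echo "hardened config: $(count_findings "$HARDENED_CONF") finding(s)"
```

Run audit_sshd_config /etc/ssh/sshd_config after editing and before systemctl restart sshd.service; sshd -t is the server's own syntax check and complements this value check.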

7. Add sshd login information

1 > Reason: so that the client can see relevant information about the server directly when connecting, add information that is displayed to the client on login to the server.

Method: 1. Put information about the server itself in the server's /etc/motd file

2. vim /etc/motd: the contents of this file are shown after login.

8. User login audit

Note: /var/log/wtmp and /var/log/btmp store the records that last reports; these files cannot be viewed with cat, use the file command to inspect them.

1. w -f: view users who are currently using the system

-i: show the source address of each session

(w reads /var/run/utmp)

2. last (reads /var/log/wtmp): view users who have logged in and logged out

3. lastb (reads /var/log/btmp): users who tried to log in but failed
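lastb lists every failed attempt on its own line, which on an internet-facing server quickly becomes thousands of lines; what an auditor actually wants is the count per source address and per attempted user name. The following added example (not from the original article) pipes lastb-style output through awk to produce exactly that. The sample lines are constructed with RFC 5737 documentation addresses and do not come from any real host; on a live system the input would be the output of lastb, which needs root to read /var/log/btmp.

```sh
#!/bin/sh
# Added example (not from the original article): summarise failed logins from
# lastb-style output. All functions read the lastb text on stdin.
set -eu

# Constructed sample of lastb output (not from a real host): a run of failed
# ssh password attempts, followed by the trailer line lastb always prints.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Thu Jun  2 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.5      Thu Jun  2 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Thu Jun  2 10:02 - 10:02  (00:00)
student  ssh:notty    198.51.100.7     Thu Jun  2 10:05 - 10:05  (00:00)

btmp begins Thu Jun  2 09:00:00 2025'

# failures_by_source -> "count source" lines, most frequent first.
# Only lines whose terminal field is ssh:* are counted, which drops the
# "btmp begins" trailer and local console failures.
failures_by_source() {
  awk '$2 ~ /^ssh:/ { n[$3]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# failures_by_user -> "count user" lines, most frequent first
failures_by_user() {
  awk '$2 ~ /^ssh:/ { n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# sources_over THRESHOLD -> source addresses with more than THRESHOLD failures
sources_over() {
  failures_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone demo on the constructed sample.
echo "failed logins per source:"
printf '%s\n' "$SAMPLE_LASTB" | failures_by_source
echo "failed logins per user:"
printf '%s\n' "$SAMPLE_LASTB" | failures_by_user
echo "sources with more than 2 failures:"
printf '%s\n' "$SAMPLE_LASTB" | sources_over 2
```

On a real server the usage is lastb | sources_over 20 (threshold chosen to taste); a source that shows up there while PasswordAuthentication is still yes is the concrete reason to switch to key-only login as described in section 6.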
