Linux remote control: OpenSSH explained in detail

2025-04-01 Update. From: SLTechnology News&Howtos (shulou) > Servers


Shulou(Shulou.com)06/03 Report--

Foreword:

SSH remote management

1. Configure the OpenSSH server

2. Use the SSH client program

3. SSH system with key pair verification

Overview of TCP Wrappers (an access-control mechanism for programs)

1. Overview of TCP Wrappers

2. TCP Wrappers access policy

1. OpenSSH server remote access

1.1 The SSH protocol provides a secure shell environment in which clients manage a host remotely. Default port: TCP 22

1.2 OpenSSH: service name sshd; server main program /usr/sbin/sshd; server configuration file /etc/ssh/sshd_config

The second kind of remote access is telnet. It is also remote access, but it is transmitted in plaintext without encryption: traffic on TCP port 23 can be read directly with a packet capture tool, whereas SSH is a typical encrypted (ciphertext) access.

Therefore telnet is mainly used within a local area network; SSH can be used.

The third type of remote access is Remote Desktop, on port 3389, with graphical access.

Example: on Windows, the Remote Desktop connection form is opened with the mstsc command.

A password must be set for the users who are to access the host remotely.

VNC software can connect between Microsoft Windows and Linux systems.

TeamViewer software lets a phone connect to a computer.

The remote party can manually close and reject the remote session.

ssh_config is the client-side configuration file.

sshd_config is the server-side configuration file.

1.2 Service listening options: port number, protocol version, listening IP address, disabling reverse DNS resolution

[root@localhost ~]# vim /etc/ssh/sshd_config
#Port 22                    'port number (can be modified)'
#ListenAddress 0.0.0.0      'listening address'
Protocol 2                  'version'
#UseDNS no                  'DNS reverse resolution: no'

Login control: prohibit the root user and users with an empty password; user-level control of the login grace time and the number of retries; user attribute control with AllowUsers and DenyUsers (whitelist control).

AllowUsers whitelist: only the listed users may log in.

DenyUsers blacklist: only the listed users are denied login.

[root@localhost ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m                   'login grace time 2 min; after 2 min the unfinished login is dropped'
#PermitRootLogin yes                 'allow root login; the line starts with #, so it is a comment and not in effect'
#StrictModes yes                     'strictly follow standard mode: yes'
#MaxAuthTries 6                      'maximum number of attempts: 6'
#MaxSessions 10                      'maximum number of sessions: 10'
PermitEmptyPasswords no              'allow login with an empty password: no'
AllowUsers jerry admin@61.23.24.25   'whitelist: only these users may log in, admin only from the specified host; users are separated by spaces'

AllowUsers has higher priority than DenyUsers. Do not use AllowUsers and DenyUsers at the same time.

1.3 Login verification

1.3.1 Login verification uses local user accounts.

1.3.2 Login authentication methods:
- Password verification: checks whether the user name and password match.
- Key pair verification: checks whether the client's private key and the public key stored on the server match.

Key pairs need to be created by yourself.

A key pair consists of a public key and a private key; together they are called a key pair.

The public key is given to the other party and the private key is kept by yourself. This method is called an asymmetric key (RSA); it works like a tiger tally, a token split into two halves that must fit together.

DES, AES or 3DES are symmetric keys, equivalent to a single door key.

[root@localhost ~]# vim /etc/ssh/sshd_config
#PubkeyAuthentication yes                  'key pair authentication enabled: yes'
#PasswordAuthentication yes                'password authentication: yes'
AuthorizedKeysFile .ssh/authorized_keys    'file path where the public keys of key pairs are stored'

Enable password authentication and key pair authentication, and specify the public key store location.
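As an added example (not part of the original article), here is a small POSIX shell audit that reads an sshd_config and reports whether the directives discussed above (PermitRootLogin, PermitEmptyPasswords, PubkeyAuthentication, UseDNS, MaxAuthTries, AllowUsers) are explicitly set to the values the text recommends. It follows two sshd parsing rules the annotations above rely on: a line beginning with # is inactive, so the compiled-in default applies and the commented value is not what sshd uses; and sshd takes the first active occurrence of a directive. Directives inside Match blocks are conditional and are ignored here. The sample configuration written by write_sample_config and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config
# against the hardening directives discussed in the text.
# Parsing rules mirrored from sshd: a line whose first non-blank character is #
# is inactive (the compiled-in default applies); the first active occurrence of
# a directive wins; everything after a Match line is conditional and is ignored.

# effective_value FILE DIRECTIVE
# Print the value of the first active occurrence of DIRECTIVE (case-insensitive,
# as sshd matches keywords) in the global section; print nothing if not set.
effective_value() {
    awk -v key="$2" '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == "match"      { exit }         # end of the global section
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)       # drop the keyword
            sub(/[ \t]+$/, "", v)                    # drop trailing blanks
            print v
            exit
        }
    ' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED -> 0 if explicitly set to EXPECTED
check_directive() {
    [ "$(effective_value "$1" "$2")" = "$3" ]
}

# audit_sshd_config FILE
# Print one line per directive: OK, WEAK (set to an unwanted value) or MISSING
# (commented out or absent, so the compiled-in default is in force).
audit_sshd_config() {
    file="$1"
    for pair in PermitRootLogin=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes UseDNS=no; do
        directive="${pair%%=*}"; expected="${pair#*=}"
        actual="$(effective_value "$file" "$directive")"
        if [ -z "$actual" ]; then
            echo "MISSING  $directive (want $expected; default applies)"
        elif [ "$actual" != "$expected" ]; then
            echo "WEAK     $directive $actual (want $expected)"
        else
            echo "OK       $directive $actual"
        fi
    done
    # MaxAuthTries is numeric: the article uses 6, so anything above 6 is weak
    tries="$(effective_value "$file" MaxAuthTries)"
    if [ -z "$tries" ]; then
        echo "MISSING  MaxAuthTries (want 6 or lower; default applies)"
    elif [ "$tries" -gt 6 ]; then
        echo "WEAK     MaxAuthTries $tries (want 6 or lower)"
    else
        echo "OK       MaxAuthTries $tries"
    fi
    # Without a whitelist every local account may attempt to log in
    users="$(effective_value "$file" AllowUsers)"
    if [ -z "$users" ]; then
        echo "MISSING  AllowUsers (no whitelist)"
    else
        echo "OK       AllowUsers $users"
    fi
}

# write_sample_config PATH: a constructed sshd_config, not the article's host.
# "#PermitRootLogin yes" is commented out, so sshd does not see it at all.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
PermitEmptyPasswords no
MaxAuthTries 10
PubkeyAuthentication yes
#UseDNS yes
AllowUsers gsy lisi@192.168.88.88
Match User gsy
    PasswordAuthentication no
EOF
}

# Run against the constructed sample; on a real host point it at /etc/ssh/sshd_config
sample="$(mktemp)"
write_sample_config "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

On the constructed sample the audit reports PermitRootLogin and UseDNS as MISSING (their lines are comments), MaxAuthTries 10 as WEAK, and the other three as OK; the PasswordAuthentication line is not reported at all because it sits under a Match block.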

2. Use the SSH client program

2.1 ssh command: remote secure login

ssh user@host

ssh connects to the host as the local user name given before the @ and the host name after it.

Option -p specifies the port number.

2.2 scp command: remote secure copy

scp user@host:file1 file2

Copies file1 on the target host to the local file2.

scp file1 user@host:file2

Copies the local file1 to file2 on the target host.

2.3 sftp command: secure FTP download

sftp user@host

Enters sftp mode on the target host.

2.4.1 ssh command: remote secure login

The IP address of test01 is 192.168.139.128 (referred to below as host 28).

The IP address of test02 is 192.168.139.129 (referred to below as host 29).

[root@test01 ~]# cd /etc/ssh                  'switch to the /etc/ssh directory'
[root@test01 ssh]# ls
moduli  ssh_config  sshd_config  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
[root@test01 ssh]# vim sshd_config           'edit the server configuration file'
16 #semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
17 Port 22                                    'port number 22; remove the # to enable it'
18 #AddressFamily any
19 #ListenAddress 0.0.0.0
20 #ListenAddress ::
21
22 HostKey /etc/ssh/ssh_host_rsa_key
23 #HostKey /etc/ssh/ssh_host_dsa_key
24 HostKey /etc/ssh/ssh_host_ecdsa_key
25 HostKey /etc/ssh/ssh_host_ed25519_key
26
[root@test01 ssh]# systemctl restart sshd     'restart the sshd service'
[root@test02 ~]# ssh root@192.168.139.128     'connect as root to the host with the remote service enabled'
The authenticity of host '192.168.139.128 (192.168.139.128)' can't be established.
ECDSA key fingerprint is SHA256:dXWxtS2ShXQgfb7R672V7+l3i7rGqHBbIB5MTcFnAws.    'ECDSA refers to the host key pair'
ECDSA key fingerprint is MD5:59:fb:20:f0:28:96:5e:14:90:82:63:c9:ae:67:d6:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.139.128' (ECDSA) to the list of known hosts.
root@192.168.139.128's password:
Last login: Wed Nov 20 17:13:57 2019
[root@test01 ~]#                              'note the hostname: you are now logged in to test01 remotely'
[root@test01 ~]# ifconfig                     'check the network card (already on test01 remotely)'
ens33: flags=4163  mtu 1500
        inet 192.168.139.128  netmask 255.255.255.0  broadcast 192.168.139.255
[root@test01 ~]# exit                         'exit'
logout
Connection to 192.168.139.128 closed.
[root@test02 ~]# ifconfig                     'check your own host: the hostname is test02'
ens33: flags=4163  mtu 1500
        inet 192.168.139.129  netmask 255.255.255.0  broadcast 192.168.139.255
[root@test02 ~]# ssh gsy@192.168.139.128      'log in as gsy instead'
gsy@192.168.139.128's password:
Last login: Wed Nov 20 18:07:37 2019
[gsy@test01 ~]$ exit                          'exit'
logout
Connection to 192.168.139.128 closed.

When connecting to the target host remotely, either root or ordinary users can be used.

[root@test01 ssh]# vim /etc/ssh/sshd_config   'configure the sshd server configuration file on host 28'
38 PermitRootLogin no                         'line 38: uncomment it and deny root login'
[root@test01 ssh]# systemctl restart sshd     'restart the ssh service so the configuration takes effect'
[root@test02 ~]# ssh root@192.168.139.128     'connect to host 28 as root'
The authenticity of host '192.168.139.128 (192.168.139.128)' can't be established.
ECDSA key fingerprint is SHA256:dXWxtS2ShXQgfb7R672V7+l3i7rGqHBbIB5MTcFnAws.
ECDSA key fingerprint is MD5:59:fb:20:f0:28:96:5e:14:90:82:63:c9:ae:67:d6:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.139.128' (ECDSA) to the list of known hosts.
root@192.168.139.128's password:
Permission denied, please try again.          'permission denied, please try again'
root@192.168.139.128's password:
[root@test02 ~]#
[root@test02 ~]# ssh gsy@192.168.139.128      'connect as gsy: no problem'
gsy@192.168.139.128's password:
Last login: Wed Nov 20 18:08:14 2019 from 192.168.139.129
[gsy@test01 ~]$
[gsy@test01 ~]$ su - root                     'then switch to root with su'
Password:
Last login: Wed Nov 20 18:30:29 CST 2019 on pts/5
Last failed login: Wed Nov 20 18:32:37 CST 2019 on pts/5
There was 1 failed login attempt since the last successful login.
[root@test01 ~]#                              'success'

"Permission denied" means the login was refused.

So that ordinary users cannot switch to root at will, pam.d/su can be configured on server 28. Once the pam_wheel restriction in pam.d/su is enabled, users who are not in the wheel group cannot switch to root with su.

[root@test01 ssh]# vim /etc/pam.d/su          'edit the corresponding configuration file'
6 auth required pam_wheel.so use_uid          'uncomment this line to enable the su restriction in pam.d'
[root@test01 ssh]# useradd lisi               'create a new user lisi; this user is not in the wheel group'
[root@test01 ssh]# passwd lisi
Changing password for user lisi.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@test02 ~]# ssh lisi@192.168.139.128     'from host 29, connect to host 28 as lisi'
lisi@192.168.139.128's password:
[lisi@test02 ~]$                              'lisi logged in successfully'
[lisi@test02 ~]$ su - root                    'su to root'
Password:
su: Permission denied                         'failed'
[root@test01 ssh]# vim /etc/ssh/sshd_config   'manually add a whitelist to sshd_config on host 28'
21 AllowUsers gsy                             'only gsy is allowed to log in'
[root@test01 ssh]# systemctl restart sshd     'restart the sshd service'
[root@test02 ~]# ssh gsy@192.168.139.128      'from host 29, connect to host 28 as gsy'
gsy@192.168.139.128's password:
Last failed login: Wed Nov 20 18:51:43 CST 2019 from 192.168.139.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Nov 20 18:48:54 2019 from 192.168.139.128
[gsy@test01 ~]$ logout                        'login succeeded, then exit'
Connection to 192.168.139.128 closed.
[root@test02 ~]# ssh root@192.168.139.128     'from host 29, connect to host 28 as root'
root@192.168.139.128's password:              'enter the password'
Permission denied, please try again.          'permission denied, please try again'
root@192.168.139.128's password:
Permission denied, please try again.

2.4.2 scp command: remote secure copy

[root@test01 ssh]# vim /etc/hosts             'on host 28, use the hosts file for the experiment'
test01 192.168.139.128                        'added content'
test02 192.168.139.129                        'added content'
[root@test01 ssh]# vim /etc/ssh/sshd_config   'configure sshd'
#AllowUsers gsy                               'cancel the whitelist, so everyone can log in'
#PermitRootLogin no                           'comment it out, so remote root login is allowed again'
[root@test01 ssh]# systemctl restart sshd     'restart the sshd service'
[root@test02 ~]# ssh root@192.168.139.128     'from host 29, connect to host 28 as root'
root@192.168.139.128's password:
Last failed login: Wed Nov 20 19:05:55 CST 2019 from 192.168.139.129 on ssh:notty
There were 8 failed login attempts since the last successful login.
Last login: Wed Nov 20 18:41:42 2019          'login successful'
[root@test01 ssh]# scp /etc/hosts root@192.168.139.129:/etc/hosts    'on host 28, scp copies the local /etc/hosts to 29:/etc/hosts'
The authenticity of host '192.168.139.129 (192.168.139.129)' can't be established.
ECDSA key fingerprint is SHA256:+uy+1TNy69jB97B7+AoYqhNEaBi42DuOYb0oE4pJ8s0.
ECDSA key fingerprint is MD5:00:78:0c:c1:c2:7b:01:45:7c:31:c2:3b:53:4d:5c:10.
Are you sure you want to continue connecting (yes/no)? yes    'asks whether to connect; choose yes'
Warning: Permanently added '192.168.139.129' (ECDSA) to the list of known hosts.
root@192.168.139.129's password:
hosts                                         100%  204    87.9KB/s   00:00    'shows the progress'
[root@test01 ssh]#
[root@test01 ssh]# ssh root@192.168.139.129   'from host 28, connect to host 29 as root'
root@192.168.139.129's password:
Last login: Wed Nov 20 19:18:41 2019 from 192.168.139.129
[root@test02 ~]# cat /etc/hosts               'view the /etc/hosts file on host 29'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
test01 192.168.139.128
test02 192.168.139.129
[root@test02 ~]# logout                       'log out'
Connection to 192.168.139.129 closed.
[root@test01 ssh]# cd /opt/
[root@test01 opt]# ls
rh
[root@test01 opt]# touch abc.txt              'create an empty file locally'
[root@test01 opt]# scp /opt/abc.txt root@192.168.139.129:/home/    'copy the local /opt/abc.txt as root to the /home/ directory of host 192.168.139.129'
root@192.168.139.129's password:              'password confirmation'
abc.txt                                       100%    0     0.0KB/s   00:00
[root@test01 opt]#
[root@test02 ~]# cd /home
[root@test02 home]# ls
abc.txt  gsy
[root@test02 home]# vim /etc/ssh/sshd_config  'modify the sshd_config server configuration'
Port 22                                       'enable the port'
[root@test02 home]# systemctl restart sshd    'restart'
[root@test02 home]# mkdir abc
[root@test01 opt]# scp /opt/abc.txt gsy@192.168.139.129:/home/abc/
gsy@192.168.139.129's password:
scp: /home/abc//abc.txt: Permission denied    'copy failed'
[root@test02 home]# ls -al
total 0
drwxr-xr-x.  4 root root  43 Nov 20 19:32 .
dr-xr-xr-x. 17 root root 224 Oct 24 15:42 ..
drwxr-xr-x.  2 root root   6 Nov 20 19:32 abc    'insufficient permissions'
-rw-r--r--.  1 root root   0 Nov 20 19:22 abc.txt
drwx------.  3 gsy  gsy   78 Oct 24 15:36 gsy
[root@test02 home]# chmod 777 abc
[root@test02 home]# ls -al
total 0
drwxr-xr-x.  4 root root  43 Nov 20 19:32 .
dr-xr-xr-x. 17 root root 224 Oct 24 15:42 ..
drwxrwxrwx.  2 root root   6 Nov 20 19:32 abc
-rw-r--r--.  1 root root   0 Nov 20 19:22 abc.txt
drwx------.  3 gsy  gsy   78 Oct 24 15:36 gsy
[root@test02 home]#
[root@test01 opt]# scp /opt/abc.txt gsy@192.168.139.129:/home/abc/    'retry'
gsy@192.168.139.129's password:              'all right'
abc.txt                                       100%    0     0.0KB/s   00:00

Then verify the result on host 29.

[root@test02 home]# ls -al abc
total 0
drwxrwxrwx. 2 root root 21 Nov 20 19:38 .
drwxr-xr-x. 4 root root 43 Nov 20 19:32 ..
-rw-r--r--. 1 gsy  gsy   0 Nov 20 19:38 abc.txt

If a file is transferred as a particular user, it is written with that user as its owner.

[root@test01 opt]# scp root@192.168.139.129:/home/gsy.txt /opt    'on host 28, copy /home/gsy.txt from host 29 as root into /opt'
root@192.168.139.129's password:
gsy.txt                                       100%    4     1.4KB/s   00:00    'success'
[root@test01 opt]# ls -l
total 4
-rw-r--r--. 1 root root 0 Nov 20 19:21 abc.txt
-rw-r--r--. 1 root root 4 Nov 20 19:46 gsy.txt
drwxr-xr-x. 2 root root 6 Mar 26  2015 rh
[root@test01 opt]# cat gsy.txt
gsy
[root@test01 opt]#

If you want to ssh to other hosts, the corresponding permissions have to be opened on them as well.

2.4.3 sftp command: secure FTP download

[root@test01 ~]# sftp root@192.168.139.129    'sftp download connection to host 29'
root@192.168.139.129's password:
Connected to 192.168.139.129.
sftp>
sftp> ls -a
.                     ..                    .ICEauthority         .Xauthority           .bash_history
.bash_logout          .bash_profile         .bashrc               .cache                .config
.cshrc                .dbus                 .esd_auth             .local                .mozilla
.ssh                  .tcshrc               .viminfo              anaconda-ks.cfg       initial-setup-ks.cfg
download  public  picture  document  desktop  template  video  music
sftp> cd /opt
sftp> ls
rh
sftp> mkdir aaa
sftp> ls
aaa  rh
sftp> rm -rf aaa
rm: Invalid flag -r
sftp> ls
aaa  rh
sftp>
sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help
sftp> rmdir aaa
sftp> ls
rh
sftp>

In sftp mode the commands differ somewhat from the Linux shell commands (for example, rm takes no -r flag; directories are removed with rmdir).

3. Build the SSH system with key pair verification

[root@test02 ~]# ssh-keygen rsa               'an option is needed to create a key pair'
Too many arguments.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                  [-N new_passphrase] [-C comment] [-f output_keyfile]
       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
       ssh-keygen -i [-m key_format] [-f input_keyfile]
       ssh-keygen -e [-m key_format] [-f input_keyfile]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-f known_hosts_file] [-l]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-f input_keyfile] [-g]
       ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
       ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
                  [-j start_line] [-K checkpt] [-W generator]
       ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
                  [-O option] [-V validity_interval] [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
       ssh-keygen -Q -f krl_file file ...
[root@test02 ~]# ssh-keygen -t rsa            'create a key pair; -t selects the algorithm'
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ZL4EmtVT8fXoCPScBgL7bldPv380zK93PQnA9kmORF8 root@test02
The key's randomart image is:
+---[RSA 2048]----+
|. =. .           |
| o + * o E       |
| + = + Bo.       |
| + *. B =        |
| o S o O *       |
| o. O B =.       |
| +. O.*          |
|. . OB           |
|. + *            |
+----[SHA256]-----+
[root@test02 ~]# ls -a
.   ..  .bash_logout  .dbus  .ssh  picture  .bash_profile  .esd_auth  .tcshrc  document  123123  .bashrc  .ICEauthority  .viminfo  desktop  123123.pub  .cache  initial-setup-ks.cfg  .Xauthority  template  anaconda-ks.cfg  .config  .local  download  video  .bash_history  .cshrc  .mozilla  public  music
[root@test02 ~]# cd .ssh
[root@test02 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@test02 .ssh]# ssh-copy-id -i id_rsa.pub gsy@192.168.139.128    'copy the public key of the key pair to server 28, for the user gsy'
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
gsy@192.168.139.128's password:               'enter the password'

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'gsy@192.168.139.128'"
and check to make sure that only the key(s) you wanted were added.

[root@test01 ~]# cd /home/gsy
[root@test01 gsy]# ls
download  public  picture  document  desktop  template  video  music
[root@test01 gsy]# ls -a
.  ..  .bash_logout  .cache  .ICEauthority  .ssh  picture  template  .bash_profile  .config  .local  download  documentation  video  .bash_history  .bashrc  .esd_auth  .mozilla  public  desktop  music
[root@test01 gsy]# cd .ssh
[root@test01 .ssh]# ls                        'verify that the key has been copied to server 28'
authorized_keys
[root@test02 ~]# ssh gsy@192.168.139.128      'log in to the server remotely again; enter the password'
Last failed login: Wed Nov 20 20:17:55 CST 2019 from 192.168.139.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Nov 20 18:51:51 2019 from 192.168.139.129
[gsy@test01 ~]$                               'login successful'
[gsy@test01 ~]$ exit
logout
Connection to 192.168.139.128 closed.
[root@test02 ~]# ls -a
.   ..  .bash_logout  .dbus  .ssh  picture  .bash_profile  .esd_auth  .tcshrc  document  123123  .bashrc  .ICEauthority  .viminfo  desktop  123123.pub  .cache  initial-setup-ks.cfg  .Xauthority  template  anaconda-ks.cfg  .config  .local  download  video  .bash_history  .cshrc  .mozilla  public  music
[root@test02 ~]# ls -a .ssh
.  ..  id_rsa  id_rsa.pub  known_hosts
[root@test02 ~]# ssh-agent bash               'start the agent (automatic proxy function)'
[root@test02 ~]# ssh-add                      'add the key once; afterwards no interaction is needed'
Enter passphrase for /root/.ssh/id_rsa:       'enter the passphrase to confirm'
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@test02 ~]#
[root@test02 ~]# ssh gsy@192.168.139.128      'log in to server 28 as gsy again'
Last login: Wed Nov 20 21:33:22 2019 from 192.168.139.130    'the network was switched, so the client IP address changed'

ssh-agent bash starts the agent (automatic proxy function).

ssh-add adds the key to the agent so that later logins need no interaction.

This can be used for remote scripting in the shell.
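The ssh-copy-id step above appends the public key to the target user's ~/.ssh/authorized_keys, and with StrictModes enabled sshd refuses key logins when that file, the .ssh directory or the home directory is group- or world-writable. As an added example (not from the article and not OpenSSH's own code), the shell functions below perform the server-side part of that installation for a home directory supplied by the caller, append a key line only once (the same filtering ssh-copy-id reports), and check the permissions the way sshd does. The public key string is a constructed placeholder, not a real key, and the demo at the bottom uses a temporary directory instead of a real home.

```shell
#!/bin/sh
# Added example, not from the article and not OpenSSH code: the server-side
# effect of ssh-copy-id (append one key line to ~/.ssh/authorized_keys with the
# permissions sshd's StrictModes check expects) plus a check of those permissions.

# install_pubkey HOME_DIR PUBKEY_LINE -> prints "installed" or "already installed"
install_pubkey() {
    ssh_dir="$1/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"      # sshd wants .ssh private to the user
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    if grep -qxF "$2" "$auth"; then                  # whole-line, literal comparison
        echo "already installed"
    else
        printf '%s\n' "$2" >> "$auth"
        echo "installed"
    fi
}

# key_count HOME_DIR -> number of key lines in authorized_keys (0 if absent)
key_count() {
    n=$(grep -c -e '^ssh-' -e '^ecdsa-' "$1/.ssh/authorized_keys" 2>/dev/null) || n=0
    echo "$n"
}

# group_or_world_writable PATH -> 0 if the group or others have write permission
# (read from the POSIX ls -l mode string, e.g. drwxrwxrwx)
group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# strictmodes_check HOME_DIR -> prints "ok", or "writable:" followed by the
# offending paths. With StrictModes yes, sshd refuses key authentication when
# the home directory, ~/.ssh or authorized_keys is group- or world-writable.
strictmodes_check() {
    bad=""
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        group_or_world_writable "$p" && bad="$bad $p"
    done
    if [ -z "$bad" ]; then echo ok; else echo "writable:$bad"; fi
}

# Demo on a temporary home directory with a constructed (not real) public key
home="$(mktemp -d)"
key="ssh-rsa AAAAB3NzaC1yc2E-constructed-placeholder-key root@test02"
install_pubkey "$home" "$key"              # installed
install_pubkey "$home" "$key"              # already installed
echo "keys: $(key_count "$home")"          # 1
echo "check: $(strictmodes_check "$home")" # ok
chmod g+w "$home/.ssh"                     # the kind of damage a blanket chmod 777 does
echo "check: $(strictmodes_check "$home")" # writable: .../.ssh
rm -rf "$home"
```

The same ls -l mode test explains the scp failure earlier on this page: /home/abc was owned by root with mode 755, so gsy had no write permission in it. Giving the directory to gsy with chown, or creating it under gsy's own home, fixes that without the 777 mode that would later trip the StrictModes check on a .ssh directory.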

4. Overview of TCP Wrappers

4.1 Implementation of the protection mechanism:
1: other service programs are wrapped by the tcpd main program;
2: other service programs call the libwrap.so.* link library.

4.2 Access control policy configuration files: /etc/hosts.allow and /etc/hosts.deny

Among the services that can be controlled by it is ssh.

[root@test01 .ssh]# ldd `which sshd`
    linux-vdso.so.1 =>  (0x00007ffd5eb16000)
    libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007f4e20f2b000)
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f4e20d20000)
    libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f4e20af7000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f4e208e8000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4e206c1000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f4e20698000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f4e20237000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f4e20033000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f4e1fdde000)
    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f4e1fbcf000)
    libutil.so.1 => /lib64/libutil.so.1 (0x00007f4e1f9cc000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f4e1f75000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f4e1f57e000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f4e1f364000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f4e1f116000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f4e1ee2e000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4e1ebfb000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f4e1e9f6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f4e1e633000)
    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f4e1e41a000)
    libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f4e1e213000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f4e1dfb1000)
    /lib64/ld-linux-x86-64.so.2 (0x0000562f68c55000)
    libcap.so.2 => /lib64/libcap.so.2 (0x00007f4e1ddac000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f4e1daa9000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f4e1d8a1000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f4e1d67b000)
    libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007f4e1d3f9000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f4e1d1f4000)
    libdw.so.1 => /lib64/libdw.so.1 (0x00007f4e1cfad000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f4e1cd96000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4e1cb7a000)
    libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f4e1c95d000)
    libssl3.so => /lib64/libssl3.so (0x00007f4e1c710000)
    libsmime3.so => /lib64/libsmime3.so (0x00007f4e1c4e9000)
    libnss3.so => /lib64/libnss3.so (0x00007f4e1c1bf000)
    libnssutil3.so => /lib64/libnssutil3.so (0x00007f4e1bf91000)
    libplds4.so => /lib64/libplds4.so (0x00007f4e1bd8d000)
    libplc4.so => /lib64/libplc4.so (0x00007f4e1bb88000)
    libnspr4.so => /lib64/libnspr4.so (0x00007f4e1b949000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007f4e1b746000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f4e1b537000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f4e1b333000)
    libattr.so.1 => /lib64/libattr.so.1 (0x00007f4e1b12d000)
    libelf.so.1 => /lib64/libelf.so.1 (0x00007f4e1af15000)
    libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f4e1ad04000)

This queries the library modules a program depends on: the command in backticks (`which sshd`) is replaced by its output, the path of the sshd binary, so ldd lists the libraries that sshd links against. The libwrap.so.0 line shows that sshd is linked against the TCP Wrappers library and can therefore be controlled by it.

5. TCP Wrappers policy application

5.1 Setting the access control policy. Format: service list: client address list
- Service list: multiple services are separated by commas; ALL means all services.
- Client address list: entries are separated by commas; ALL means all addresses; the wildcards ? and * may be used; a network segment address is written like 192.168.4. or 192.168.4.0/255.255.255.0; a domain address is written like .bennet.com.

5.2 The order in which the policy is applied: hosts.allow is checked first, and if a match is found access is allowed; otherwise hosts.deny is checked, and access is denied if a match is found there. If neither file contains a matching policy, access is allowed by default, so all other addresses can reach the protected service.

[root@localhost ~]# echo "sshd:61.63.65.67,192.168.2.*" > /etc/hosts.allow
[root@localhost ~]# vi /etc/hosts.allow
sshd:61.63.65.67,192.168.2.*
[root@localhost ~]# echo "sshd:ALL" > /etc/hosts.deny
[root@localhost ~]# vi /etc/hosts.deny
sshd:ALL
[root@localhost ~]#

hosts.allow is read first, and then hosts.deny.

If you only want to prohibit certain hosts from logging in, write only the blacklist (hosts.deny) and leave the whitelist empty.
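To make the evaluation order above concrete, here is an added example (not the article's code and not libwrap itself): a small POSIX shell emulator of the TCP Wrappers decision, useful for checking a hosts.allow/hosts.deny pair before it is deployed. It supports the client patterns the text mentions: ALL, an exact address, a trailing-dot prefix such as 192.168.4., a leading-dot domain suffix such as .bennet.com, the ? and * wildcards, and the network/netmask form 192.168.4.0/255.255.255.0. EXCEPT lists and IPv6 addresses are not handled. The policy files written at the bottom are constructed temporary copies of the article's example, not the real /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not the article's code and not libwrap: emulate the TCP Wrappers
# decision order (hosts.allow first, then hosts.deny, default allow) so a policy
# can be checked offline. Pattern support is limited to the forms in the text.

# ip_to_int A.B.C.D -> integer (IPv4 only)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# net_matches NET/MASK CLIENT -> 0 if CLIENT is inside the masked network
net_matches() {
    case "$2" in *[!0-9.]*) return 1 ;; esac        # hostnames never match a netmask rule
    n=$(ip_to_int "${1%/*}"); m=$(ip_to_int "${1#*/}"); c=$(ip_to_int "$2")
    [ $(( c & m )) -eq $(( n & m )) ]
}

# pattern_matches PATTERN CLIENT -> 0 on match
pattern_matches() {
    pat="$1"; client="$2"
    case "$pat" in
        ALL)  return 0 ;;
        */*)  net_matches "$pat" "$client" && return 0 ;;
        *.)   case "$client" in "$pat"*) return 0 ;; esac ;;   # address prefix, e.g. 192.168.4.
        .*)   case "$client" in *"$pat") return 0 ;; esac ;;   # domain suffix, e.g. .bennet.com
        *)    case "$client" in $pat)    return 0 ;; esac ;;   # exact, ? or * (unquoted: glob match)
    esac
    return 1
}

# rule_pairs FILE: expand "daemon_list : client_list" lines into one
# "daemon client" pair per line; comments and blank lines are skipped.
rule_pairs() {
    [ -f "$1" ] || return 0
    awk -F: '
        $0 ~ /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, d, /[ \t,]+/); m = split($2, c, /[ \t,]+/)
            for (i = 1; i <= n; i++) for (j = 1; j <= m; j++)
                if (d[i] != "" && c[j] != "") print d[i], c[j]
        }
    ' "$1"
}

# file_matches FILE SERVICE CLIENT -> 0 if any rule in FILE matches
file_matches() {
    while read -r svc cli; do
        [ -n "$svc" ] || continue
        if [ "$svc" = ALL ] || [ "$svc" = "$2" ]; then
            pattern_matches "$cli" "$3" && return 0
        fi
    done <<EOF
$(rule_pairs "$1")
EOF
    return 1
}

# tcpwrap_decision ALLOW_FILE DENY_FILE SERVICE CLIENT -> prints allow or deny,
# in the order libwrap uses: hosts.allow first, then hosts.deny, else allow.
tcpwrap_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed policy files mirroring the article's example (temporary copies,
# not /etc/hosts.allow and /etc/hosts.deny themselves).
allow="$(mktemp)"; deny="$(mktemp)"
echo "sshd: 61.63.65.67, 192.168.2.*" > "$allow"
echo "sshd: ALL" > "$deny"
for src in 61.63.65.67 192.168.2.40 10.9.8.7; do
    echo "sshd from $src -> $(tcpwrap_decision "$allow" "$deny" sshd "$src")"
done
echo "vsftpd from 10.9.8.7 -> $(tcpwrap_decision "$allow" "$deny" vsftpd 10.9.8.7)"
rm -f "$allow" "$deny"
```

With the article's two rules, sshd is allowed from 61.63.65.67 and from any 192.168.2.x address and denied from everywhere else, while vsftpd is still reachable from 10.9.8.7 because the deny file names only sshd; that last line is the "default allow" case and is the reason the deny file usually needs an entry for every wrapped service you intend to restrict.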

Summary:

ssh port: 22

Server configuration file: /etc/ssh/sshd_config

Port 22                                 'port number'
ListenAddress 192.168.155.155           'listening address'
Protocol 2                              'version number'
UseDNS no                               'DNS reverse resolution: no'
LoginGraceTime 2m                       'login grace time 2m'
PermitRootLogin no                      'allow root login: no'
MaxAuthTries 6                          'maximum number of attempts: 6'
PermitEmptyPasswords no                 'disable empty passwords'
AllowUsers gsy lisi@192.168.88.88       'only gsy may log in, and lisi only from 192.168.88.88; no one else'
PasswordAuthentication yes              'password authentication: yes'
PubkeyAuthentication yes                'key pair verification: yes'
AuthorizedKeysFile .ssh/authorized_keys 'location of the key pair file'

Remote login

ssh username@ip_address -p port_number    '-p specifies the port number'

Remote copy

scp copies the given files to a destination location.

scp username@ip_address:source_file_path destination_path

Remote upload and download

sftp username@ip_address

Building key pairs for ssh

ssh-keygen -t rsa (or the dsa algorithm) creates a key pair

ssh-copy-id -i public_key_file_path username@destination_ip_address

ssh-copy-id -i ~/.ssh/id_rsa.pub gsy@192.168.88.88

ssh-agent bash starts the agent (automatic proxy function)

ssh-add adds the key so that no further interaction is needed

TCP Wrappers: check whether the main program is protected

ldd `which sshd`

Configuration files for the access control policy

/etc/hosts.allow

/etc/hosts.deny

If you blacklist, you don't have to write the whitelist.
