2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
-- Overview --
SSH is a secure channel protocol, mainly used for remote login to a character (command-line) interface, remote copy, and similar functions. The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user enters at login. Compared with earlier applications such as telnet (remote login), rsh (Remote Shell) and rcp (Remote File Copy), the SSH protocol provides better security.
SSH service: sshd, which provides remote login access (ciphertext transmission) and corresponds to port number TCP 22.
-- System environment --
Two CentOS 7 machines, one as the server (SSH server) and one as the client, with the hostnames changed to 01 and 02 respectively.
-- The experimental process --
Modify the configuration file
1. Modify the SSH main configuration file. The SSH main configuration files are "/etc/ssh/ssh_config" (client configuration file) and "/etc/ssh/sshd_config" (server configuration file). Delete the "#" in front of a setting to enable it. Don't forget to save and exit.
vim /etc/ssh/sshd_config
Port 22 - listening port (port 22 by default)
#AddressFamily any - selects the IPv4 and IPv6 protocols; "any" means both are used
#ListenAddress 0.0.0.0 - the listening address (IPv4)
#ListenAddress :: - the listening address (IPv6)
#LoginGraceTime 2m - time allowed for login (default is 2 minutes)
#PermitRootLogin yes - whether root users are allowed to log in remotely (yes means allowed)
#StrictModes yes - verifies access permissions
#MaxAuthTries 6 - number of password verification attempts (default is 6)
#MaxSessions 10 - maximum number of sessions
2. Restart the service after modifying the configuration file
systemctl restart sshd
3. Next, use the client host to access the server remotely, logging in as root, the user we are currently using.
ssh root@192.168.100.128
4. The root user is the administrator of the system and has relatively high privileges, so it is very insecure if others can log in remotely as root. You can change the PermitRootLogin setting in the configuration file so that nobody can log in remotely as root. Be sure to restart the service after the modification.
5. At this point, when we log in remotely as root, permission is denied after the password is entered. When we switch to an ordinary user, access works.
6. At this point, can an ordinary user be used as a springboard to switch to the root user? The answer is yes.
7. To deal with the situation above, you can use PAM security authentication. Add the users who are allowed to use "su" to the "wheel" group.
vim /etc/pam.d/su
8. Using the "id" command, you can see that the "akg" user has been added to the "wheel" group, while the "boss" user has not. When the "boss" user then tries to switch to root, permission is denied, but users added to the "wheel" group can still switch.
9. Earlier, the maximum number of password attempts in the configuration file was 6. Open the configuration file and enable that setting. Now we can test it. We can also test with "-o NumberOfPasswordPrompts=8" (to allow 8 entries).
You can see that by default the client exits after three password attempts, and that even if you ask for more than 6 attempts, the upper limit is 6.
10. You can also restrict user logins by adding a blacklist and a whitelist in the configuration file. Now the user boss can only log in from 192.168.100.55, while lisi can log in from any host. Restart the service after configuration.
11. When we log in from the host 192.168.100.55, because the whitelist is set, the user "akg" cannot log in; only "lisi" and "boss" can log in.
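The whitelist behaviour from steps 10 and 11, together with the PermitRootLogin and MaxAuthTries settings from the earlier steps, as an added example that is not part of the original article: a shell script that reads a constructed sshd_config sample and reports which value takes effect and which user and host combinations the whitelist admits. The function names, the sample file and the line "AllowUsers boss@192.168.100.55 lisi" are assumptions reconstructed from the description above.

```sh
#!/bin/sh
# Added example: checks a constructed sshd_config for the settings changed above.
# Constructed sample; the user names and address are the ones from steps 10-11.
SAMPLE_CONFIG='#PermitRootLogin yes
PermitRootLogin no
#MaxAuthTries 6
MaxAuthTries 6
AllowUsers boss@192.168.100.55 lisi
permitrootlogin yes'

# effective_value CONFIG KEYWORD: print the value that takes effect.
# Lines starting with "#" are inactive, keywords are case-insensitive,
# and the first active occurrence wins (the trailing "permitrootlogin yes"
# in the sample is therefore ignored).
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# login_allowed CONFIG USER HOST: succeed if the AllowUsers whitelist admits
# USER connecting from HOST. Simplification: one AllowUsers line, entries of
# the form USER or USER@HOST compared as shell patterns.
login_allowed() (
  set -f  # keep whitelist entries from expanding against local file names
  list=$(effective_value "$1" AllowUsers)
  [ -n "$list" ] || exit 0  # no whitelist configured: nobody is filtered here
  for pat in $list; do
    case "$pat" in
      *@*) subject="$2@$3" ;;
      *)   subject="$2" ;;
    esac
    case "$subject" in $pat) exit 0 ;; esac
  done
  exit 1
)

# audit CONFIG: one line per setting the walkthrough touches.
audit() {
  echo "PermitRootLogin: $(effective_value "$1" PermitRootLogin)"
  echo "MaxAuthTries: $(effective_value "$1" MaxAuthTries)"
  for who in boss@192.168.100.55 boss@192.168.100.128 lisi@192.168.100.128 akg@192.168.100.55; do
    if login_allowed "$1" "${who%@*}" "${who#*@}"; then r=allowed; else r=denied; fi
    echo "$who: $r"
  done
}

audit "$SAMPLE_CONFIG"
```

On a live server, `sshd -T` prints the effective configuration directly, which avoids parsing the file by hand.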