
Use and configuration of ssh (sftp, key pair authentication, TCP Wrappers policy)

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

I. Basic configuration of ssh

Start two CentOS systems, 7-1 (server) and 7-2 (client).

Connect with Xshell to confirm that sshd is listening on port 22.

Location of the server configuration file.

Open the server configuration file and make a series of changes, such as uncommenting the Port 22 line.

To tell the two systems apart, set their user names to test01 and test02 respectively, then log in remotely.

Enter the access command to connect and perform a series of operations.

As a remote operation, each side can create a text file abc under the other side's opt directory.

Back on server 7-1, open the ssh configuration file, change the setting so that the other side may not log in as root, then save and exit. Root login from the client is now refused even with the correct password.

The problem that follows: log in to the server as the ordinary user lisi first, then switch to root on the server; this amounts to a springboard login.

Solution: enable pam authentication for su, so that users who are not members of the wheel group cannot use the su command to switch users.

Log in as lisi from the client and try su to root: it is rejected. Switching to zhangsan, a user with the same level of privilege, is also refused. (pam verification is an important way to increase system security.)

Conclusion: a user outside the wheel group cannot switch even to a peer-level user. If zhangsan is in the wheel group, zhangsan can switch to lisi or to root.

Enable the maximum-authentication-attempts setting; the default is found to be 3 attempts.

To allow 6 attempts, the value has to be changed to 8; the effective maximum then goes from the default of 3 to 6.

Back on server 7-1, add a whitelist to the configuration file so that both zhangsan and wangwu can log in to the server.

At this point a third system, centos7-3 with IP 129.168.195.130, is also started and logs in to the server as wangwu (no allowed IP is set for wangwu in the configuration file, so wangwu can log in from any terminal).

Conclusion: a whitelist only permits: entries on the list are allowed and everything not listed is refused. A blacklist only refuses: entries on the list are blocked and everything else is allowed. (A whitelist is recommended in an enterprise environment.)
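The settings changed in this section (root login, maximum attempts, the user whitelist, and the pam wheel check for su) are easy to get wrong when editing by hand, so a quick audit script is useful. The following is an added example, not code from the original tutorial: it reads a copy of sshd_config and of /etc/pam.d/su and reports whether each control is in effect. The file names and sample contents it builds under a temporary directory are constructed for the demonstration; run the two audit functions against the real /etc/ssh/sshd_config and /etc/pam.d/su on a server to check it.

```shell
#!/bin/sh
# Added example: audit the sshd_config and /etc/pam.d/su controls from Section I.
# All sample files below are constructed for the demo and written to a temp dir.

# sshd_get FILE KEYWORD -> effective value of KEYWORD, or empty if it is unset.
# sshd uses the first uncommented match, and settings inside a Match block
# apply only conditionally, so parsing stops at the first Match line.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                    # comment line
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }  # conditional section starts
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            print; exit
        }
    ' "$1"
}

# audit_sshd FILE -> one line per control; returns 0 only if all pass
audit_sshd() {
    f="$1"; rc=0
    v=$(sshd_get "$f" PermitRootLogin)
    if [ "$v" = "no" ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin=${v:-unset (root login may be allowed)}"; rc=1; fi
    v=$(sshd_get "$f" MaxAuthTries)
    if [ -n "$v" ] && [ "$v" -le 6 ] 2>/dev/null; then echo "ok   MaxAuthTries $v"
    else echo "FAIL MaxAuthTries=${v:-unset}"; rc=1; fi
    v=$(sshd_get "$f" AllowUsers)
    if [ -n "$v" ]; then echo "ok   AllowUsers $v"
    else echo "FAIL no AllowUsers whitelist"; rc=1; fi
    return $rc
}

# pam_wheel_enforced FILE -> 0 if /etc/pam.d/su has an active pam_wheel.so use_uid line
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*use_uid' "$1"
}

# make_sample_configs -> writes constructed sample files, prints the directory
make_sample_configs() {
    t=$(mktemp -d)
    cat > "$t/sshd_config.hardened" <<'EOF'
# constructed sample resembling the tutorial's hardened server
Port 22
PermitRootLogin no
MaxAuthTries 6
AllowUsers zhangsan wangwu
EOF
    cat > "$t/sshd_config.default" <<'EOF'
# constructed sample: everything still commented out, so nothing is enforced
#PermitRootLogin yes
#MaxAuthTries 6
EOF
    printf '%s\n' 'auth            required        pam_wheel.so use_uid' > "$t/su.enforced"
    printf '%s\n' '#auth           required        pam_wheel.so use_uid' > "$t/su.default"
    echo "$t"
}

# Demo run on the constructed samples
dir=$(make_sample_configs)
echo "== hardened sshd_config =="; audit_sshd "$dir/sshd_config.hardened" || true
echo "== default sshd_config ==";  audit_sshd "$dir/sshd_config.default"  || true
pam_wheel_enforced "$dir/su.enforced" && echo "pam_wheel is enforced in su.enforced"
pam_wheel_enforced "$dir/su.default"  || echo "pam_wheel is NOT enforced in su.default"
```

The MaxAuthTries threshold of 6 in audit_sshd is an assumption chosen to match the value the tutorial ends up with; adjust it to the site policy. Note that the whitelist check only confirms that an AllowUsers line exists, not that it lists the right accounts.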

II. Key pair authentication

Enable key pair authentication in the configuration file.

The key pair is generated on client 7-2, and the user caiwu is used for testing.

The public and private keys now sit in the home directory. Push the public key to the server, specifying the server user zhangsan and entering that user's login password; this also creates a known_hosts file in the home directory (recording the server IP, the ecdsa host key, and so on).

Back on the server, the imported public key file is already present in the home directory.

View the current user.

Only when the caiwu user accesses the server's zhangsan user over ssh is the key pair used for authentication (and the key pair authentication has to be completed on every login).

To avoid authenticating the key on every login, set things up so that it is authenticated once and later logins go straight in.

III. ssh client

If the server's port is changed to 123, the following command is used for remote access from the client. First re-enable root login so that it is available from the client (it is needed for the copy operations), and delete the whitelist set up earlier.

scp copies a file to the server.

scp copies a directory to the server.

First delete all the files under opt, then securely download the files over ssh (sftp). After the remote connection is made, the session starts in the home directory on the other server.

Rename the file to server, then securely upload the server file over ssh.

The remote user can change directory freely and modify files anywhere. To restrict access to the user's own home directory on the server, the following method is used.

Find this commented line in the configuration file and enable the feature.

Then enter a series of commands.

The permissions must be 755, and the owner and group must be root.
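Both key pair login (Section II) and the sftp chroot just described fail silently when file modes are wrong: sshd's StrictModes check ignores an authorized_keys file that sits in a group- or world-writable ~/.ssh, and ChrootDirectory refuses a directory that is not root-owned with mode 755. The script below is an added example, not code from the tutorial; it checks those modes on a directory tree. The home directories, user names and the sshd_config fragment in the comment are constructed or assumed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the file modes that key pair login and the sftp chroot
# depend on. Sample directories and users are constructed in a temp dir.
#
# The sftp-only chroot this pairs with would look like this in sshd_config
# (assumed form, not copied from the tutorial):
#   Subsystem sftp internal-sftp
#   Match User zhangsan
#       ChrootDirectory /home/zhangsan     <- must be root:root and mode 755
#       ForceCommand internal-sftp

# mode_ok PATH OCTAL -> 0 when PATH exists and has exactly that mode
mode_ok() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# check_user_ssh HOMEDIR -> 0 when HOMEDIR/.ssh is 700 and authorized_keys is 600
check_user_ssh() {
    h="$1"; rc=0
    mode_ok "$h/.ssh" 700 || { echo "FAIL $h/.ssh must be mode 700"; rc=1; }
    mode_ok "$h/.ssh/authorized_keys" 600 ||
        { echo "FAIL $h/.ssh/authorized_keys must be mode 600"; rc=1; }
    [ $rc -eq 0 ] && echo "ok   $h key files have safe modes"
    return $rc
}

# check_chroot DIR -> 0 when DIR is mode 755. Root ownership is reported but
# not enforced, because this demo may be run by an unprivileged user.
check_chroot() {
    d="$1"; rc=0
    mode_ok "$d" 755 || { echo "FAIL $d must be mode 755"; rc=1; }
    if [ -z "$(find "$d" -prune -user root -print 2>/dev/null)" ]; then
        echo "note $d is not owned by root; sshd would refuse it as ChrootDirectory"
    fi
    [ $rc -eq 0 ] && echo "ok   $d has a chroot-safe mode"
    return $rc
}

# make_demo -> builds a constructed tree: caiwu correct, lisi deliberately
# loose, and a 755 chroot for zhangsan; prints the temp dir
make_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/caiwu/.ssh" "$t/home/lisi/.ssh" "$t/chroot/zhangsan"
    : > "$t/home/caiwu/.ssh/authorized_keys"
    chmod 700 "$t/home/caiwu/.ssh"
    chmod 600 "$t/home/caiwu/.ssh/authorized_keys"
    : > "$t/home/lisi/.ssh/authorized_keys"
    chmod 775 "$t/home/lisi/.ssh"                   # wrong: group writable
    chmod 644 "$t/home/lisi/.ssh/authorized_keys"   # wrong: world readable
    chmod 755 "$t/chroot/zhangsan"
    echo "$t"
}

# Demo run
base=$(make_demo)
check_user_ssh "$base/home/caiwu" || true
check_user_ssh "$base/home/lisi"  || true
check_chroot   "$base/chroot/zhangsan" || true
```

On a real server, run check_user_ssh against each user's home directory and check_chroot against the directory named in ChrootDirectory; the root-ownership note becomes an error there, since sshd enforces it.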

IV. TCP Wrappers

Before configuring, delete the blacklist and whitelist from the ssh configuration file, otherwise the two policies will overlap. Configure /etc/hosts.allow:

Configure /etc/hosts.deny:

Test whether the 129 client can access the server: it can.

Test whether the 130 client can access the server: it is rejected immediately (unlike the sshd blacklist and whitelist, which still let you enter a password).

Now put the same entry, 129, in both files: access is allowed.

Conclusion: hosts.allow is checked first, and access is allowed if a match is found. Otherwise hosts.deny is checked, and access is denied if a match is found there. If there is no matching entry in either file, access is allowed by default.
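The allow-then-deny-then-default order is the whole point of TCP Wrappers, and the three tests above can be reproduced without touching a live server. The script below is an added example and not part of the tutorial: it emulates that decision order over the "daemon: client" rule form, with ALL and dotted-prefix patterns such as 192.168.195. (the sample rules and addresses are constructed, and differ from the tutorial's hosts). It is deliberately not libwrap: EXCEPT clauses, netmasks, host names and the options field are ignored.

```shell
#!/bin/sh
# Added example: emulate the hosts.allow / hosts.deny decision order so a
# policy can be checked before it is deployed. Rules and IPs are constructed.

# tcpd_match RULEFILE DAEMON IP -> 0 if some uncommented rule in RULEFILE
# matches both the daemon and the client address
tcpd_match() {
    awk -v daemon="$2" -v ip="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        {
            n = split($0, parts, ":")
            if (n < 2) next
            gsub(/[[:space:]]/, "", parts[1]); gsub(/[[:space:]]/, "", parts[2])
            dm = 0
            ds = split(parts[1], dl, ",")                 # daemon list
            for (i = 1; i <= ds; i++) if (dl[i] == "ALL" || dl[i] == daemon) dm = 1
            if (!dm) next
            cs = split(parts[2], cl, ",")                 # client list
            for (i = 1; i <= cs; i++) {
                c = cl[i]
                if (c == "ALL" || c == ip) { found = 1; exit }
                # "192.168.195." style prefix: trailing dot matches a network
                if (substr(c, length(c)) == "." && index(ip, c) == 1) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# tcpd_decide ALLOWFILE DENYFILE DAEMON IP -> prints ALLOW or DENY, using
# the order: hosts.allow match -> allow; hosts.deny match -> deny; else allow
tcpd_decide() {
    if tcpd_match "$1" "$3" "$4"; then echo ALLOW
    elif tcpd_match "$2" "$3" "$4"; then echo DENY
    else echo ALLOW
    fi
}

# make_policy -> writes constructed policy files, prints the directory
make_policy() {
    t=$(mktemp -d)
    cat > "$t/hosts.allow" <<'EOF'
# constructed: one client host and one whole network may reach sshd
sshd: 192.168.195.129, 10.0.0.
EOF
    printf 'sshd: ALL\n' > "$t/hosts.deny"
    # the "same entry in both files" case from the tutorial's third test
    printf 'sshd: 192.168.195.129\n' > "$t/hosts.deny.same"
    : > "$t/empty"
    echo "$t"
}

# Demo run mirroring the three tests in the text
p=$(make_policy)
for ip in 192.168.195.129 192.168.195.130 10.0.0.7; do
    echo "sshd from $ip: $(tcpd_decide "$p/hosts.allow" "$p/hosts.deny" sshd "$ip")"
done
echo "same entry in both files: $(tcpd_decide "$p/hosts.allow" "$p/hosts.deny.same" sshd 192.168.195.129)"
echo "both files empty: $(tcpd_decide "$p/empty" "$p/empty" sshd 192.168.195.130)"
```

The last case is the one worth remembering when auditing a server: a hosts.deny with no entry for the daemon (or an empty file) means every client not listed in hosts.allow is still admitted, which is why the sshd: ALL line in hosts.deny carries the whole policy.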
