2025-04-08 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
OpenSSH Service Deployment and Security Optimization
1. OpenSSH service overview
2. Experimental environment settings
3. The ssh command
4. Key authentication of the OpenSSH service
5. Common configuration parameters of the OpenSSH service
1. OpenSSH service overview
1. OpenSSH function introduction
2. The ssh command
3. Key authentication of the OpenSSH service
4. Security optimization of the OpenSSH service
OpenSSH features overview
OpenSSH is free, open-source software that implements the SSH (Secure Shell) protocol.
Package name: openssh-server
Configuration file: /etc/ssh/sshd_config
Default port: 22 (the IP address is the gate; the port is a small door in it)
Client command: ssh
2. Setting up the experimental environment
Set the IP address of workstation.
Run ip addr show to check that it is set.
Set the IP address of servera in the same way.
After setting the addresses of the two hosts, ping workstation from servera.
Which host is the server side and which is the test side?
Workstation: the client, used for testing.
Server: settings are made on the server side and tested from the test side.
Setting the firewall: who sets it? The server.
cd to the home directory and delete the .ssh directory (on both hosts).
When the network is unstable, change the network card:
1. Open System Tools > Virtual Machine Manager.
2. Run ip addr show on the server to see which NIC to delete, matching it by its MAC value.
After changing the network card, repeat the previous steps.
3. The ssh command
ssh remoteUSER@remoteIP    (connect to a remote host)
  -l  Specify the login user
  -i  Specify the key
  -X  Enable graphics
  -p  Specify the port
  -f  Run in the background
  -o  Specify connection parameters
  -t  Specify a connection springboard (jump host)
ssh @172.25.254.70
ssh -l root 172.25.254.70
w: see which users are logged in
w -i: see where they logged in from
By default the connection is text-only, so graphical programs cannot be opened.
With -X you can open graphical programs on the remote host.
After opening gedit on servera, you can filter for the process with ps aux | grep gedit.
The default port is 22.
By default the command occupies the terminal.
To avoid occupying the terminal, use -f to open gedit in the background on the remote host.
Use the man command to view the help for ssh and the parameters accepted by -o.
-t
On servera, you can see that the connection comes from 1, which is being used as a springboard.
4. OpenSSH key authentication
OpenSSH authentication methods
Password authentication:
  1. At least 6 characters
  2. Contains numbers, letters, underscores, special symbols, etc.
  3. Easy to leak
  4. Can be cracked by brute force
  5. Passwords are easy to lose
Key authentication:
  1. New authentication method
  2. The public key is uploaded to the server
  3. The private key is paired with it for authentication
  4. ***
Public key: the lock. Private key: the key.
OpenSSH keys
Supports RSA and DSA encryption
Encryption procedure
1. Generate the key: ssh-keygen
2. Upload the key: ssh-copy-id -i keyfile remoteUSER@remoteIP
Experiment: first delete the .ssh directory in the home directory.
The server is locked with the public key, and a user who holds the private key can log in without a password. Password login, however, can still be brute-forced (by trying again and again), which is a security risk. So turn that function off; then a user without the private key cannot even attempt to log in.
You can modify the lock so that users who originally had the private key cannot log in.
1. Run ssh-keygen and press Enter at each prompt to generate the key pair; the public key and the private key are stored in different files.
2,
3
The lock (public key) has been generated.
Anyone who wants to connect to servera can log on to workstation only if they have the key.
A user without the private key cannot log in without a password, but can still try brute-force password guessing again and again, so authentication on host 70 is a security risk.
So turn off that function (the original authentication function) on servera.
Line 78: replace yes with no.
The user on 1, who has no private key, is no longer allowed to attempt a login to servera.
If you rename the key so that the ssh service cannot recognize it, users with keys cannot log in either: permission is denied.
Change the key name back so that users who previously held the private key can log in again.
5. Common configuration parameters of the OpenSSH service
Before doing the experiment, restore the original authentication function that was changed in the previous experiment.
Common configuration parameters of the sshd service
Configuration file: /etc/ssh/sshd_config
  Port 22                 Listening port (line 17)
  Protocol 2              Specify the protocol version
  ListenAddress           Bind to an IP address
  HostKey                 Set the host key path
  PermitRootLogin         Set whether the superuser can log in
  PubkeyAuthentication    Public key authentication switch
  PasswordAuthentication  Password authentication switch
  AllowUsers              Whitelist
  DenyUsers               Blacklist
Run setenforce 0 (SELinux permissive mode) before doing the experiments.
1. After changing the port in the configuration file, run systemctl reload sshd, then view the port number with netstat -anltupe | grep sshd.
2. Binding an IP (on a host with multiple IPs) specifies that connections are accepted on only one IP.
You can only connect to port 70.
3. Set whether the superuser can log in (line 46).
Run systemctl restart sshd (on servera).
4. After completing the previous experiment, restore the previous settings.
Set a blacklist.
The westos user cannot log in.
Similarly, set a whitelist.
Only whitelisted users can log in.
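To check the result of sections 4 and 5 on a configuration file, the following added example (not part of the original article) audits the directives discussed above. The function names, the sample configuration and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. For the keywords checked
# here sshd uses the FIRST value it reads and matches keywords
# case-insensitively, so the lookup does the same.

sshd_value() {  # usage: sshd_value FILE KEYWORD -> first global value or ""
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                       # strip leading whitespace
        /^#/ || /^$/ { next }                        # skip comments and blanks
        /^[A-Za-z]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, " ") }  # accept Key=value
        tolower($1) == "match" { exit }              # Match blocks are conditional
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

has_match_block() {  # true if the file contains a Match block
    grep -Eiq '^[[:space:]]*match[[:space:]]' "$1"
}

audit_sshd_config() {  # prints findings; returns 1 if any WARN was printed
    f=$1; rc=0
    pw=$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    pub=$(sshd_value "$f" PubkeyAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = no ] || { echo "WARN PasswordAuthentication is not 'no' (password guessing possible)"; rc=1; }
    [ "$root" = no ] || { echo "WARN PermitRootLogin is not 'no'"; rc=1; }
    [ "$pub" != no ] || { echo "WARN PubkeyAuthentication is 'no' (key login disabled)"; rc=1; }
    [ -n "$(sshd_value "$f" AllowUsers)" ] || { echo "WARN no AllowUsers whitelist"; rc=1; }
    if has_match_block "$f"; then echo "NOTE Match block present: review it separately"; fi
    return $rc
}

# Constructed sample: the second PasswordAuthentication line is ignored by
# sshd because the first value wins, so password login stays enabled.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'passwordauthentication no' > "$sample"
audit_sshd_config "$sample" || echo "Fix the findings, then check syntax with: sshd -t"
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config before reloading sshd, and keep an existing session open while testing so a mistake does not lock you out.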