2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Definition:
SSH is a secure network protocol at the application layer, developed by the IETF.
Function:
1. It is designed for remote login sessions (you can even use Windows to log in remotely to a Linux server and transfer files).
2. It provides security for other network services and can effectively make up for weaknesses in the network.
3. Through SSH, all transmitted data can be encrypted, and DNS spoofing and IP spoofing can be prevented.
4. The transmitted data is compressed, so transmission can be faster.
For these reasons SSH has become a standard component of Linux systems.
Security Mechanism of SSH
1. The reason SSH is secure is that it uses asymmetric encryption (RSA) to encrypt all transmitted data.
2. Traditional network service programs, such as FTP, transmit data, user accounts and user passwords in clear text on the network, where they can easily be captured by others.
3. This does not mean that SSH is absolutely secure, however, because it provides two levels of authentication:
The first level (password-based authentication): as long as you know the account name and password, you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the server you intended to connect to; another server may be impersonating the real one.
The second level (key-based authentication): you must create a key pair for yourself and place the public key on the server you need to access. When you connect to the SSH server, the client software sends the server a request for authentication with your key. The server looks for your public key in your home directory on the server and compares it with the public key the client sent. If the two keys match, the server encrypts a challenge with the public key and sends it to the client software. The client decrypts the challenge locally with your private key and sends the result back to the server to complete the login. Compared with the first level, the second level not only encrypts all transmitted data but also never transmits a password over the network, so it is more secure and effectively prevents tampering by others.
Illustrated walkthrough:
Environment: two CentOS 7 virtual machines
Virtual machine 1: test01, IP 192.168.220.137
Virtual machine 2: test02, IP 192.168.220.129
1. Log in to test01 remotely from the virtual machine test02 by entering the command
[root@test02 ~]# ssh root@192.168.220.137
2. On test01, modify the sshd configuration file to prevent remote login to the root account
[root@test01 ~]# vim /etc/ssh/sshd_config
Restart the service
[root@test01 ~]# systemctl restart sshd
Now try again from test02 to log in remotely to test01's root account to verify the change
3. Add a whitelist
[root@test01 ~]# vim /etc/ssh/sshd_config
Restart the service and verify from test02
4. Add a blacklist (note that there can be only a whitelist or a blacklist, not both)
[root@test01 ~]# vim /etc/ssh/sshd_config
Restart the service and verify
5. Key-based authentication: generate a key pair
[root@test02 ~]# ssh-keygen -t ecdsa
Import the public key into the account that will be logged in to remotely
[root@test02 ~]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub cheng@192.168.220.137
Verify the login
6. Non-interactive remote login (no passphrase prompt) using an agent
[root@test02 ~]# ssh-agent bash
[root@test02 ~]# ssh-add
7. Use sftp to upload and download files remotely
Upload
Download
8. TCP Wrappers access control policy
Configuration files: /etc/hosts.allow
/etc/hosts.deny
The policy is applied in the following order:
1. The hosts.allow file is checked first. If a match is found, access is allowed.
2. Otherwise the hosts.deny file is checked, and access is denied if a match is found.
3. If neither file contains a matching policy, access is allowed by default.
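As an added example (not from the original article), here is a small bash audit that reads an sshd_config the way sshd does (the first value of a keyword wins, and the global section ends at the first Match block) and reports whether the hardening applied in the steps above (root login blocked, an AllowUsers/DenyUsers list, key-only authentication) is actually in effect. The option names are real sshd_config keywords; the two sample configs at the bottom are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit an sshd_config for the
# settings the walkthrough applies (root login disabled, AllowUsers/DenyUsers,
# key-only authentication). Keyword names are real sshd_config options; the
# sample configs at the bottom are constructed for the demo.

# sshd honours the FIRST occurrence of each keyword, so a hardening line
# appended at the end of the file is ignored if the keyword already appears
# above it. Global scope ends at the first "Match" block; Include files are
# not followed here.
sshd_effective() {            # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        NF && tolower($1) == "match" { exit }   # conditional section follows
        NF && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Prints one finding per line; returns the number of WARN findings (0 = clean).
audit_sshd_config() {
    local f="$1" warn=0 v
    v=$(sshd_effective "$f" PermitRootLogin)
    if [ "$v" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin is '${v:-unset}' (root may log in remotely)"; warn=$((warn + 1)); fi

    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "$v" = "no" ]; then echo "OK   PasswordAuthentication no (keys only)"
    else echo "WARN PasswordAuthentication is '${v:-unset}' (sshd default is yes)"; warn=$((warn + 1)); fi

    if [ -n "$(sshd_effective "$f" AllowUsers)$(sshd_effective "$f" DenyUsers)" ]; then
        echo "OK   AllowUsers/DenyUsers restriction present"
    else echo "WARN no AllowUsers or DenyUsers line"; warn=$((warn + 1)); fi
    return "$warn"
}

# Stand-alone demo on two constructed configs (user "cheng" as in the article).
hardened=$(mktemp); weak=$(mktemp)
printf 'PermitRootLogin no\n#PermitRootLogin yes\nPasswordAuthentication no\nAllowUsers cheng\n' > "$hardened"
printf 'PermitRootLogin yes\nPermitRootLogin no\nMatch User cheng\n  PasswordAuthentication no\n' > "$weak"
for cfg in "$hardened" "$weak"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "warnings: 0" || echo "warnings: $?"
done
rm -f "$hardened" "$weak"
```

The second sample shows the two traps the audit catches: a later `PermitRootLogin no` does not override an earlier `yes`, and a setting placed under `Match` does not apply globally.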
© 2024 shulou.com SLNews company. All rights reserved.