1, Introduction
SSH (Secure Shell) is a protocol that provides a secure channel for remote login sessions and other network services. Older protocols such as Telnet and FTP transmit everything, credentials included, in plaintext, so the traffic can be sniffed and is vulnerable to man-in-the-middle attacks. SSH runs at the application layer on top of TCP and defines its own transport layer, so every packet exchanged during the session is encrypted and integrity-protected.
Workflow:
(1) Version negotiation: each side sends an identification string (for example SSH-2.0-OpenSSH_9.6) and the two agree on the protocol version. Two versions exist, SSH-1 and SSH-2; SSH-1 has known cryptographic weaknesses and current OpenSSH no longer supports it, so in practice SSH-2 is always used.
(2) Key and algorithm negotiation: SSH supports several key-exchange, host-key, cipher and MAC algorithms. Each side sends its supported lists and the client's first preference that the server also supports is chosen; the key exchange then derives the session keys and the client verifies the server's host key.
(3) Authentication: the client sends an authentication request and the server authenticates the client (by password, public key, or another configured method).
(4) Session request: once authenticated, the client asks the server for a session (a shell, a single command, a subsystem such as sftp, or port forwarding).
(5) Interactive session: after the request is accepted, server and client exchange data over the encrypted channel.
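The version-negotiation stage in step (1), as an added example that is not part of the original post: the identification line each side sends has the form "SSH-protoversion-softwareversion [comments]" (RFC 4253, section 4.2). A server that only speaks SSH-1 sends "SSH-1.x-...", while one that supports both versions advertises "1.99"; a client should only continue when the peer can negotiate SSH-2. The function names and the sample banners below are this example's own constructions.

```sh
#!/bin/sh
# Added example (not from the original post): parse and judge an SSH identification
# string as a client does during version negotiation. Sample banners are constructed.

# parse_ssh_ident LINE
# Prints "protoversion softwareversion" for a valid "SSH-x.y-software [comments]"
# line, or returns 1 for anything that is not an SSH identification string.
parse_ssh_ident() {
    line=$(printf '%s' "$1" | tr -d '\r')     # the line ends in CR LF on the wire
    case "$line" in
        SSH-*-*) ;;
        *) return 1 ;;
    esac
    rest=${line#SSH-}        # "2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
    proto=${rest%%-*}        # "2.0"
    soft=${rest#*-}          # "OpenSSH_9.6p1 Ubuntu-3ubuntu13"
    soft=${soft%% *}         # drop the optional comments field
    printf '%s %s\n' "$proto" "$soft"
}

# ssh2_ok LINE
# Returns 0 when the peer can negotiate SSH-2: protoversion 2.0, or 1.99, which
# RFC 4253 reserves for servers that support both SSH-1 and SSH-2.
ssh2_ok() {
    ident=$(parse_ssh_ident "$1") || return 1
    case "${ident%% *}" in
        2.0|1.99) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage with a constructed banner:
#   ssh2_ok 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' && echo "SSH-2 available"
```

To see the real strings for a live host, run `ssh -vv host 2>&1 | grep -i 'remote protocol version'`; the line shows the protocol version and software version the server sent, which is also what a port scanner reports when it fingerprints port 22.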
Authentication methods:
(1) Password-based authentication: log in to the target host with an account name and password.
(2) Key-based authentication: generate a key pair locally and copy the public key to the server, into the target user's ~/.ssh/authorized_keys. At login the server challenges the client to prove it holds the matching private key, which never leaves the client.
Install: apt-get install ssh (the ssh metapackage pulls in openssh-client and openssh-server)
Default port: 22
Server main configuration file: /etc/ssh/sshd_config
Client main configuration file: /etc/ssh/ssh_config
Check whether it is installed and running: service --status-all | grep ssh (or systemctl status ssh on Debian/Ubuntu, systemctl status sshd on RHEL/CentOS)
The configuration files are explained in detail in section 4 at the end.
2, Connect with Xshell 7 using password authentication
vim /etc/ssh/sshd_config
Change Port to 2021
Set PermitRootLogin yes to allow root to log in (only for this demonstration; on a real server leave root login disabled and log in as an ordinary user)
Set PasswordAuthentication yes to enable password authentication (turn it off once key authentication is working)
Remember to restart the ssh service after every change!!!
systemctl enable sshd    // enable the ssh service at boot (systemctl enable --now sshd also starts it immediately)
systemctl start sshd     // start the ssh service
systemctl stop sshd      // stop the ssh service
systemctl restart sshd   // restart the ssh service
systemctl status sshd    // view the ssh service status
The unit is called sshd on RHEL/CentOS and ssh on Debian/Ubuntu (where sshd is an alias for it); the unit name is never sshd.conf.
Connect with Xshell to port 2021; after entering the password you are logged in.
3, Key-based authentication
1. Install SSH and make it listen on port 19210
Check the listening sockets (for example with ss -tlnp or netstat -tlnp). There is an extra listener on port 6010 in my process list because the session was opened from Xshell: 6010 is the local port of X11 display :10, which sshd opens when the client requests X11 forwarding.
Just comment out X11Forwarding yes in sshd_config (or disable X11 forwarding in Xshell). Remember to restart the service after modifying the configuration file!!!
After disconnecting Xshell, the 6010 listener is gone.
2. Allow SSH access only from 192.168.31.219 and reject every other host
Access to sshd, ftp, telnet and other services that are linked against libwrap can be restricted per IP address through /etc/hosts.allow and /etc/hosts.deny (TCP wrappers): hosts.allow lists the clients that are permitted and hosts.deny lists the clients that are refused. The evaluation order matters: hosts.allow is checked first and a matching entry grants access immediately; only then is hosts.deny consulted, and a match there refuses the connection; if neither file matches, access is granted. So hosts.allow takes precedence over hosts.deny, and the usual pattern is a specific entry in hosts.allow plus a catch-all in hosts.deny. This only works if sshd was built with libwrap support (check with ldd "$(which sshd)" | grep libwrap); Debian/Ubuntu builds keep it, but upstream OpenSSH dropped it and RHEL 8 and later ship without tcp_wrappers, in which case use a firewall rule or a Match Address block in sshd_config instead.
Add sshd:192.168.31.219 at the bottom of /etc/hosts.allow and sshd:ALL at the bottom of /etc/hosts.deny.
Now try from another machine on the same network segment, 192.168.31.251: its connection is refused.
3. Only user01 may log in, with a key and no password; every other user is refused (including root)
useradd -m user01 // create user01 and its home directory
vim /etc/ssh/sshd_config
Set PasswordAuthentication no and PermitRootLogin no. Simply commenting these lines out is not enough: the compiled-in default for PasswordAuthentication is yes, so password logins would stay enabled. (On Ubuntu also check /etc/ssh/sshd_config.d/, whose files are included at the top of sshd_config and win because sshd keeps the first value it reads for each directive.)
Uncomment PubkeyAuthentication yes and AuthorizedKeysFile .ssh/authorized_keys.
Add AllowUsers user01, which restricts logins to that account.
Restart sshd after saving.
Usage:
On the client, generate a key pair with ssh-keygen -t rsa (just press Enter at the prompts, or set a passphrase to protect the private key on disk; the post runs ssh-keygen on both machines, but only the client's key pair is needed for this login). Copy the client's public key into /home/user01/.ssh/authorized_keys on the server, for example with ssh-copy-id -p 19210 user01@192.168.31.211 while password authentication is still enabled; the .ssh directory must be mode 700 and the file mode 600, both owned by user01, or sshd ignores them.
Then connect with ssh user01@192.168.31.211 -p 19210. Only the client holding the private key gets in; root and every other user are refused.
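The sshd_config edits from sections 2 and 3, as an added example that is not part of the original post: a small shell helper that sets directives idempotently in a file passed as an argument (so it can be tried on a copy first), applies the section 3 settings, and asks sshd to validate the result before it is installed and the service restarted. The function names set_directive, get_directive, harden_sshd and check_config are this example's own; the port, user name and paths are the ones used in the post, and GNU sed is assumed for sed -i.

```sh
#!/bin/sh
# Added example, not code from the original post. Applies the sshd_config changes
# from sections 2 and 3 to the file given as argument, so it can be tried on a copy
# (cp /etc/ssh/sshd_config /tmp/sshd_config.new) before touching the live file.
# Assumed: GNU sed (for -i); function and file names are this example's own.

# set_directive FILE KEY VALUE
# Rewrites every "KEY ..." line, including a commented-out "#KEY ..." one, to
# "KEY VALUE"; appends the line if the file has none. Leaving
# "#PasswordAuthentication yes" commented out keeps sshd's compiled-in default
# (yes), so the value must be written explicitly.
# Limitation: Match blocks are not understood; use it on the main file only.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        [ -n "$(tail -c1 "$file")" ] && echo >> "$file"   # file lacked a final newline
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY
# Prints the value of the first active (uncommented) KEY line, the one sshd uses.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE
# Section 2 opened password and root login for Xshell; section 3 closes them
# again, moves the port, enables key authentication and limits logins to user01.
harden_sshd() {
    set_directive "$1" Port 19210
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers user01
}

# check_config FILE
# Has sshd parse the file without starting; a typo in a directive would otherwise
# surface only when "systemctl restart sshd" fails and locks you out. Succeeds
# trivially on a machine where sshd is not installed.
check_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    fi
}

# Usage on the server, as root:
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd /tmp/sshd_config.new && check_config /tmp/sshd_config.new \
#     && cp /tmp/sshd_config.new /etc/ssh/sshd_config && systemctl restart sshd
```

Keep the existing Xshell session open while you restart and test the new configuration from a second session; if the key login fails, the old session still lets you revert the file. On Ubuntu, also check /etc/ssh/sshd_config.d/ for a drop-in that sets PasswordAuthentication yes, since it is included before the directives in the main file.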
4, Configuration file reference
/etc/ssh/sshd_config
# Commonly used
Port 22                       # port number
AddressFamily any             # address family: any (default), inet (IPv4 only) or inet6 (IPv6 only)
ListenAddress 0.0.0.0         # listening address (0.0.0.0 means all IPv4 addresses)
ListenAddress ::              # listening address for IPv6
Protocol 2                    # SSH protocol version; SSH-1 support has been removed from OpenSSH, so only 2 is valid today
LogLevel INFO                 # log level: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 or DEBUG3
UseDNS no                     # disable reverse DNS lookups of the client address
# User related
PermitRootLogin no            # forbid root login (the default, prohibit-password, still lets root in with a key)
PermitEmptyPasswords no       # refuse accounts with an empty password
LoginGraceTime 2m             # the client has 2 minutes to authenticate before the connection is dropped
MaxAuthTries 6                # maximum authentication attempts per connection
AllowUsers steven             # only user steven may log in (DenyUsers is evaluated before AllowUsers)
DenyUsers steven              # user steven may not log in
# Authentication
PasswordAuthentication yes    # enable password authentication (set it to no once key login works)
PubkeyAuthentication yes      # enable public-key authentication
RSAAuthentication yes         # SSH-1 only; obsolete and ignored by current OpenSSH (RSA keys under SSH-2 are covered by PubkeyAuthentication)
AuthorizedKeysFile .ssh/authorized_keys   # file holding the public keys trusted for each user, relative to the user's home directory
/etc/ssh/ssh_config
Host *                        # hosts these settings apply to (several patterns separated by spaces; * means all)
ForwardAgent no               # forward the ssh-agent connection to the remote host (leave off: root on that host could use your keys)
ForwardX11 no                 # redirect X11 connections over the secure channel to the local display
RhostsRSAAuthentication no    # rhosts-based authentication combined with RSA host keys (SSH-1 only, obsolete)
RSAAuthentication yes         # RSA authentication for SSH-1 (obsolete; SSH-2 uses PubkeyAuthentication)
PasswordAuthentication yes    # allow password authentication
HostbasedAuthentication no    # the SSH-2 equivalent of RhostsRSAAuthentication
GSSAPIAuthentication no       # allow GSSAPI (Kerberos) user authentication (SSH-2 only)
BatchMode no                  # yes disables password and passphrase prompts, for scripts and cron jobs
CheckHostIP yes               # also record and check the server's IP address in known_hosts to detect DNS spoofing (upstream default became no in OpenSSH 8.5)
AddressFamily any             # any, inet (IPv4 only) or inet6 (IPv6 only)
ConnectTimeout 0              # connection timeout in seconds, used instead of the system TCP timeout
StrictHostKeyChecking ask     # ask (default) prompts before adding a new host key; yes never adds keys automatically and refuses a host whose key changed; no adds keys silently and should not be used; accept-new (OpenSSH 7.6+) adds unknown keys but still refuses changed ones
IdentityFile ~/.ssh/identity  # SSH-1 identity file (obsolete)
IdentityFile ~/.ssh/id_rsa    # private keys tried for public-key authentication
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_ecdsa
IdentityFile ~/.ssh/id_ed25519
Port 22                       # port number
Protocol 2                    # SSH protocol version; only 2 is supported by current OpenSSH
Cipher 3des                   # SSH-1 cipher (obsolete)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc   # SSH-2 ciphers in order of preference; arcfour*, 3des-cbc and the CBC modes are weak and current OpenSSH no longer enables them, so prefer chacha20-poly1305@openssh.com and the aes*-gcm@openssh.com / aes*-ctr ciphers
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160   # SSH-2 message authentication codes; hmac-md5 and hmac-ripemd160 are obsolete, so prefer hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com
/etc/hosts.allow
sshd:10.1.82.18          // allow the single address 10.1.82.18 to reach the ssh service
#sshd:10.1.82.           // allow the whole 10.1.82.0/24 segment (a trailing dot matches a network prefix; "10.1.82.*" is not a documented hosts_access(5) pattern, and 10.1.82.0/255.255.255.0 is the equivalent netmask form)
#in.telnetd:10.1.82.18   // allow 10.1.82.18 to use the telnet service
#in.telnetd:10.1.82.     // allow the 10.1.82.0/24 segment to use the telnet service
#ALL:10.1.82.18          // allow 10.1.82.18 to reach every wrapped service on this server
#ALL:10.1.82.            // the same for the whole segment
/etc/hosts.deny
sshd:ALL                 // refuse ssh logins from every address not already matched in hosts.allow
#in.telnetd:ALL          // refuse telnet logins from every address
#ALL:ALL                 // refuse every wrapped service from every address
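The hosts.allow/hosts.deny evaluation order used in section 3.2 and in the two files above, as an added example that is not part of the original post: a shell re-implementation of the decision libwrap makes, run against sample files so the precedence can be checked before the real files are edited. The function names (match_client, file_matches, hosts_access) and the sample entries are this example's own; it handles the plain "daemon : client" line form only, not the optional ":allow", ":deny" or ":spawn" fields.

```sh
#!/bin/sh
# Added example, not code from the original post. Re-implements the decision
# procedure libwrap applies to /etc/hosts.allow and /etc/hosts.deny so the order
# can be verified on scratch files. Function names and sample data are assumptions
# of this example; only the "daemon_list : client_list" line form is supported.

# match_client PATTERN IP
# Client patterns supported: ALL, an exact address, or a trailing-dot network
# prefix such as "10.1.82." (hosts_access(5) has no "10.1.82.*" form).
match_client() {
    pat=$1; ip=$2
    case "$pat" in
        ALL|all) return 0 ;;
        *.)      case "$ip" in "$pat"*) return 0 ;; esac ;;
        *)       [ "$ip" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON IP
# Succeeds if any "daemon_list : client_list" line in FILE matches DAEMON and IP.
# A missing or unreadable file matches nothing, exactly as libwrap treats it.
file_matches() {
    file=$1; daemon=$2; ip=$3
    [ -r "$file" ] || return 1
    # strip comments and blank lines, then split each line on the first colon
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | (
        while IFS=: read -r daemons clients; do
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = all ] || [ "$d" = "$daemon" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    match_client "$c" "$ip" && exit 0
                done
            done
        done
        exit 1
    )
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON IP  -> prints allow or deny
# libwrap order: hosts.allow first, a match grants access; otherwise hosts.deny,
# a match refuses; otherwise access is granted. hosts.allow therefore wins over
# hosts.deny, and "sshd:ALL" in hosts.deny only catches clients not listed there.
hosts_access() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# Usage with the section 3.2 rules written to scratch files (constructed data):
#   printf 'sshd:192.168.31.219\n' > /tmp/hosts.allow
#   printf 'sshd:ALL\n' > /tmp/hosts.deny
#   hosts_access /tmp/hosts.allow /tmp/hosts.deny sshd 192.168.31.251   # prints deny
```

Note the third branch: a daemon that appears in neither file is reachable from anywhere, so a hosts.deny with only sshd:ALL does nothing for ftp or telnet. The real check also depends on sshd being linked against libwrap; run `ldd "$(which sshd)" | grep libwrap` and, if nothing is printed, these files are ignored and a firewall rule or a Match Address block in sshd_config has to do the job.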
In fact, there is still a lot more to write, but I really can't keep grinding and I really want to sleep. That's it.