In a real production environment, it is impossible to manage the server locally all the time. Most enterprise servers are managed by remote login.Remote maintenance is more advantageous when hundreds of server hosts need to be managed from one workstation.
Introduction to SSH
SSH (Secure Shell) is a secure channel protocol, which mainly implements the functions of remote login, remote copy of character interface.The SSH protocol encrypts data transfers between the two communicating parties, including the user password entered when the user logs in.The SSH protocol provides better security than traditional methods such as Telnet (remote login), RSH (remote command execution) and so on.
1. Configure OpenSSH server
OpenSSH is an open source software project that implements the SSH protocol.In CentOS 7.3 system.OpenSSH servers are provided by packages such as openssh, openssh-server, which are installed by default, and sshd has been added as a standard system service.
1. Service listening options
The default port number used by the sshd service is 22. It is recommended that you modify this port number if necessary and specify the specific IP address of the listening service to improve concealment in the network.In addition, the SSH protocol version using v2 is more secure than v1. Disabling DNS reverse resolution can improve the response speed of the server.
[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services ............ //Omit some content Port 22 //Listening port is 22 ListenAddress 0.0.0.0 //The listening address is 0.0.0.0, meaning all listening Protocol 2 //Use SSH v2 version UseDNS no //Disable DNS reverse resolution to improve response speed ............ //Omit some content [root@localhost ~]# systemctl restart sshd //restart sshd service
2. User login control
The sshd service allows root users to log on by default, but it is a major security risk in the network. The common practice is for ordinary users to switch to root users.
[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services ............ //Omit some content LoginGraceTime 2m //Logon verification takes 2 minutes PermitRootLogin no //Prevent root user from logging on MaxAuthTries 6 //Maximum number of retries is 6 PermitEmptyPasswords no //Disable empty password login ............ //Omit some content [root@localhost ~]# systemctl restart sshd //restart sshd service
AllowUsers or DenyUsers configurations can be used when you want to allow or disable only one user to log on, but be careful not to use them together.For example, xiaoli and xiaozhang users are allowed to log in, and only xiaozhang users can log in remotely from an IP address of 192.168.1.2.
[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services ............ //Omit some content AllowUsers xiaoli firstname.lastname@example.org //Separate multiple users with spaces [root@localhost ~]# systemctl restart sshd //restart sshd service
3. Logon Authentication Method
The sshd service supports two authentication methods: **Password Authentication: ** Verify the login name and password of the local system user on the server.This is the easiest way to use it, but passwords for users of the system may be exhausted (cracked by force); **Key pair validation: ** Require matching key information to pass validation.Typically, a pair of keys is created in the client, and then the public key file is stored in a specified location on the server.When logging on remotely, the system will use public and private keys for encryption/decryption verification. This method is not easy to be counterfeited, and can avoid interactive login. It is widely used in Shell.
When both password validation and key pair validation are enabled, the server will use key pair validation first!No special requirements, we recommend both ways to enable!
[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services ............ //Omit some content PasswordAuthentication yes //Enable password validation PubkeyAuthentication yes //Enable key pair validation AuthorizedKeysFile .ssh/authorized_keys //Specify Public Key Library File ............ //Omit some content [root@localhost ~]# systemctl restart sshd //restart sshd service
2. Use SSH client program
In CentOS 7.3, OpenSSH clients are provided by the openssh-clients package (installed by default), which includes ssh Remote Login commands, scp, sftp remote replication and file transfer commands.
1. Command application (ssh, scp, sftp)
1) ssh Remote Login
The ssh command allows you to login to the sshd service remotely, providing a secure Shell environment for users to manage and maintain the server!
[root@kehuduan ~]# ssh email@example.com
If the sshd server uses a non-default port number, such as 2222, you need to specify the port number with the'-p'option.
[root@kehuduan ~]# ssh -p 2222 firstname.lastname@example.org email@example.com's password: //Input password [xiaozhang@fuwuduan ~]$ //Login Successful
2) scp remote replication
[root@kehuduan ~]# scp firstname.lastname@example.org:/etc/passwd /mnt //Download Files from Server email@example.com's password: passwd 100% 2360 2.3KB/s 00:00 [root@kehuduan ~]# scp 123.txt firstname.lastname@example.org:/mnt //Upload files from client email@example.com's password: 123.txt 100% 0 0.0KB/s 00:00
Use the'-P'option if you need to specify a port!
3) sftp Secure FTP
With the sftp command, files can be uploaded and downloaded with the remote host by using SSH security connection. The login process and interactive environment similar to FTP are used to facilitate directory resource management.
[root@kehuduan ~]# sftp firstname.lastname@example.org email@example.com's password: Connected to 192.168.1.1. sftp> put 456.txt //Upload Files Uploading 456.txt to /root/456.txt 456.txt 100% 0 0.0KB/s 00:00 sftp> get /root/789.txt //Download Files Fetching /root/789.txt to 789.txt sftp> bye
2. Graphical tools
The Windows host can use some graphic tools such as Xshell, SecureCRT, Putty to support Telnet, SSH, SFTP and other protocols for remote management of Linux host.These graphical tools all provide a Chinese interface, functions and operations are relatively simple, no further in-depth introduction will be made here.
3. Construct SH system for key pair verification
Key pair authentication provides better security for remote login, flowchart:
1) First method:
1. Create key pairs on the client side
In the LInux client, a key pair file is created for the current user through the ssh-keygen tool, and the available encryption algorithms are ECDSA or DSA (the'-t'option of the ssh-keygen command is used to specify the algorithm type)
root@kehuduan ~]# su - xiaowang //Switch to user xioawang [xiaowang@kehuduan ~]$ ssh-keygen -t ecdsa //Create SSH key pair based on ECDSA algorithm Generating public/private ecdsa key pair. Enter file in which to save the key (/home/xiaowang/.ssh/id_ecdsa): //Specify the location where the private key is stored Created directory '/home/xiaowang/.ssh'. Enter passphrase (empty for no passphrase): //Set private key phrase Enter same passphrase again: //Confirm the phrase you set Your identification has been saved in /home/xiaowang/.ssh/id_ecdsa. Your public key has been saved in /home/xiaowang/.ssh/id_ecdsa.pub. The key fingerprint is: 13:c2:03:63:bc:2e:d8:7e:be:f1:1b:1d:95:6b:4c:49 xiaowang@kehuduan The key's randomart image is: +--[ECDSA 256]---+ | .+ E | | ..+ . o | | .+ . = | | . o = . | | o . S + | |. o . . + | | . .. . . | | . .o . | | oo.o. | +-----------------+ [xiaowang@kehuduan ~]$ ls -lh ~/.ssh/id_ecdsa* -rw-------. 1 xiaowang xiaowang 227 8 August 16:45 /home/xiaowang/.ssh/id_ecdsa -rw-r--r--. 1 xiaowang xiaowang 179 8 August 16:45 /home/xiaowang/.ssh/id_ecdsa.pub
In the newly generated key pair file, id_ecdsa is a private key file with 600 permissions and needs to be properly stored; id_ecdsa.pub is a public key file that is used to provide SSH servers.
2. Upload the public key file to the server
Upload the public key file you just generated to the public key database of the server-side user.
[xiaowang@kehuduan ~]$ scp ~/.ssh/id_ecdsa.pub firstname.lastname@example.org:/mnt email@example.com's password: //Input password id_ecdsa.pub 100% 179 0.2KB/s 00:00 //Upload Successful
3. Import public key text into the server
On the server, the public key database of the target user (the account logged on remotely with Ali) is located in the ~/.ssh directory with the default file name "authorized_keys", which needs to be created manually by himself!
[root@fuwuduan ~]# mkdir /home/xiaozhang/.ssh [root@fuwuduan ~]# cat /mnt/id_ecdsa.pub >> /home/xiaozhang/.ssh/authorized_keys [root@fuwuduan ~]# cat /home/xiaozhang/.ssh/authorized_keys ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJmtmVbjnjH6NbWBRQcFjbYHoDBILQYclqrIHbVe0oyA15IXd+WBGsOcX3FYX8FYnIPHfL36Auj7aWb2MuVqmac= xiaowang@kehuduan
4. Validate using key pairs on clients
[xiaowang@kehuduan ~]$ ssh firstname.lastname@example.org
Last login: Thu Aug 8 16:03:33 2019 from 192.168.1.2
//Connect without entering a password, experiment complete!
2) Second implementation:
[root@kehuduan ~]# ssh-keygen -t ecdsa //Using root as an example, generate a root user's key pair file [root@kehuduan ~]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub email@example.com //'-i'is used to specify the public key file, which combines the second and third steps /bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys firstname.lastname@example.org's password: //Enter the server root user password Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'email@example.com'" and check to make sure that only the key(s) you wanted were added. [root@kehuduan ~]# ssh firstname.lastname@example.org Last login: Thu Aug 8 17:03:20 2019 //Verify experimental results
When you log in using key pair authentication, you do not need to know the mask of the target user, but rather verify the client user's private key phrase and check whether the private key and public key are paired, which is more secure.
4. TCP Wrappers Access Control
1) Overview of TCP Wrappers
TCP Wrappers "wrap" the TCP service program, instead of toughening the TCP service program's ports, adding a security monitoring process through which outbound connection requests must first be monitored to obtain a license to access the real service program.Figure:
For most Linux distributions, TCP Wrappers are provided by default.The package used by CentOS 7.3 is tcp_wrappers-7.6-77.el7.x86_64.rpm.
There are two implementations corresponding to TCP Wrappers protection mechanism: 1. Using TCPD program directly to protect other service programs requires running tcpd; 2. The libwrap.so. * link library is called by other network service programs without running the tcpd program. In general, the Link Library approach is more widely used and efficient.
2) Access Policy for TCP Wrappers
The TCP Wrappers mechanism protects various network service programs by controlling access to the client addresses of access services. The corresponding two policy files are/etc/hosts.allow and/etc/hosts.deny, which use Ali to set the allowed and rejected policies respectively.
1. Policy Configuration Format
Service List: Client Address List
A list of server programs, with client addresses separated by colons and commas between items in the list.
1) List of service programs
2) Client Address List
2. Order of Policy Application
Check hosts.allow first and allow access if a match is found Otherwise check hosts.deny again, find it and deny access Access is allowed by default if neither file has a matching policy
3. Configuration Instances
Requirements: Hosts in the 192.168.1.0 segment are expected to be allowed access to sshd services only
[root@fuwuduan ~]# vim /etc/hosts.allow sshd:192.168.1. [root@fuwuduan ~]# vim /etc/hosts.deny sshd:ALL