Remote Access and Control for CentOS 7

In a real production environment, it is impossible to manage the server locally all the time. Most enterprise servers are managed by remote login.Remote maintenance is more advantageous when hundreds of server hosts need to be managed from one workstation.

Introduction to SSH

SSH (Secure Shell) is a secure channel protocol, which mainly implements the functions of remote login, remote copy of character interface.The SSH protocol encrypts data transfers between the two communicating parties, including the user password entered when the user logs in.The SSH protocol provides better security than traditional methods such as Telnet (remote login), RSH (remote command execution) and so on.

1. Configure OpenSSH server

OpenSSH is an open source software project that implements the SSH protocol.In CentOS 7.3 system.OpenSSH servers are provided by packages such as openssh, openssh-server, which are installed by default, and sshd has been added as a standard system service.

1. Service listening options

The default port number used by the sshd service is 22. It is recommended that you modify this port number if necessary and specify the specific IP address of the listening service to improve concealment in the network.In addition, the SSH protocol version using v2 is more secure than v1. Disabling DNS reverse resolution can improve the response speed of the server.

[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services
                              ............                          //Omit some content
Port 22                                                          //Listening port is 22
ListenAddress 0.0.0.0                                  //The listening address is 0.0.0.0, meaning all listening
Protocol 2                                                    //Use SSH v2 version
UseDNS no                                                 //Disable DNS reverse resolution to improve response speed
                              ............                        //Omit some content
[root@localhost ~]# systemctl restart sshd //restart sshd service 

2. User login control

The sshd service allows root users to log on by default, but it is a major security risk in the network. The common practice is for ordinary users to switch to root users.

[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services
                              ............                  //Omit some content
LoginGraceTime 2m                                        //Logon verification takes 2 minutes
PermitRootLogin no                                        //Prevent root user from logging on
MaxAuthTries 6                                               //Maximum number of retries is 6
PermitEmptyPasswords no                           //Disable empty password login
                              ............                          //Omit some content
[root@localhost ~]# systemctl restart sshd //restart sshd service 

AllowUsers or DenyUsers configurations can be used when you want to allow or disable only one user to log on, but be careful not to use them together.For example, xiaoli and xiaozhang users are allowed to log in, and only xiaozhang users can log in remotely from an IP address of 192.168.1.2.

[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services
                              ............                                       //Omit some content
AllowUsers xiaoli xiaozhang@192.168.1.2                         //Separate multiple users with spaces
[root@localhost ~]# systemctl restart sshd //restart sshd service 

3. Logon Authentication Method

The sshd service supports two authentication methods:
**Password Authentication: ** Verify the login name and password of the local system user on the server.This is the easiest way to use it, but passwords for users of the system may be exhausted (cracked by force);
**Key pair validation: ** Require matching key information to pass validation.Typically, a pair of keys is created in the client, and then the public key file is stored in a specified location on the server.When logging on remotely, the system will use public and private keys for encryption/decryption verification. This method is not easy to be counterfeited, and can avoid interactive login. It is widely used in Shell.

When both password validation and key pair validation are enabled, the server will use key pair validation first!No special requirements, we recommend both ways to enable!

[root@localhost ~]# Vim/etc/ssh/sshd_config //Modify the main configuration file for sshd services
                              ............                             //Omit some content
PasswordAuthentication yes                                                //Enable password validation         
PubkeyAuthentication yes                                                    //Enable key pair validation
AuthorizedKeysFile      .ssh/authorized_keys                      //Specify Public Key Library File
                              ............                            //Omit some content
[root@localhost ~]# systemctl restart sshd //restart sshd service 

2. Use SSH client program

In CentOS 7.3, OpenSSH clients are provided by the openssh-clients package (installed by default), which includes ssh Remote Login commands, scp, sftp remote replication and file transfer commands.

1. Command application (ssh, scp, sftp)

1) ssh Remote Login

The ssh command allows you to login to the sshd service remotely, providing a secure Shell environment for users to manage and maintain the server!

[root@kehuduan ~]# ssh xiaozhang@192.168.1.1


If the sshd server uses a non-default port number, such as 2222, you need to specify the port number with the'-p'option.

[root@kehuduan ~]# ssh -p 2222 xiaozhang@192.168.1.1
xiaozhang@192.168.1.1's password:                                       //Input password
[xiaozhang@fuwuduan ~]$                                                       //Login Successful

2) scp remote replication

[root@kehuduan ~]# scp root@192.168.1.1:/etc/passwd /mnt
//Download Files from Server
root@192.168.1.1's password: 
passwd                                               100% 2360     2.3KB/s   00:00    
[root@kehuduan ~]# scp 123.txt root@192.168.1.1:/mnt
//Upload files from client
root@192.168.1.1's password: 
123.txt                                              100%    0     0.0KB/s   00:00

Use the'-P'option if you need to specify a port!

3) sftp Secure FTP

With the sftp command, files can be uploaded and downloaded with the remote host by using SSH security connection. The login process and interactive environment similar to FTP are used to facilitate directory resource management.

[root@kehuduan ~]# sftp root@192.168.1.1
root@192.168.1.1's password: 
Connected to 192.168.1.1.
sftp> put 456.txt                                      //Upload Files
Uploading 456.txt to /root/456.txt
456.txt                                              100%    0     0.0KB/s   00:00    
sftp> get /root/789.txt                             //Download Files
Fetching /root/789.txt to 789.txt
sftp> bye

2. Graphical tools

The Windows host can use some graphic tools such as Xshell, SecureCRT, Putty to support Telnet, SSH, SFTP and other protocols for remote management of Linux host.These graphical tools all provide a Chinese interface, functions and operations are relatively simple, no further in-depth introduction will be made here.

3. Construct SH system for key pair verification

Key pair authentication provides better security for remote login, flowchart:

1) First method:

1. Create key pairs on the client side
In the LInux client, a key pair file is created for the current user through the ssh-keygen tool, and the available encryption algorithms are ECDSA or DSA (the'-t'option of the ssh-keygen command is used to specify the algorithm type)

root@kehuduan ~]# su - xiaowang //Switch to user xioawang
[xiaowang@kehuduan ~]$ ssh-keygen -t ecdsa              //Create SSH key pair based on ECDSA algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/xiaowang/.ssh/id_ecdsa):                  //Specify the location where the private key is stored
Created directory '/home/xiaowang/.ssh'.
Enter passphrase (empty for no passphrase):                                 //Set private key phrase
Enter same passphrase again:                                                        //Confirm the phrase you set
Your identification has been saved in /home/xiaowang/.ssh/id_ecdsa.
Your public key has been saved in /home/xiaowang/.ssh/id_ecdsa.pub.
The key fingerprint is:
13:c2:03:63:bc:2e:d8:7e:be:f1:1b:1d:95:6b:4c:49 xiaowang@kehuduan
The key's randomart image is:
+--[ECDSA  256]---+
|   .+     E      |
|   ..+   . o     |
|     .+ . =      |
|    .  o = .     |
| o .    S +      |
|. o .  . +       |
| . .. . .        |
|  . .o .         |
|   oo.o.         |
+-----------------+
[xiaowang@kehuduan ~]$ ls -lh ~/.ssh/id_ecdsa*
-rw-------. 1 xiaowang xiaowang 227 8 August 16:45 /home/xiaowang/.ssh/id_ecdsa
-rw-r--r--. 1 xiaowang xiaowang 179 8 August 16:45 /home/xiaowang/.ssh/id_ecdsa.pub

In the newly generated key pair file, id_ecdsa is a private key file with 600 permissions and needs to be properly stored; id_ecdsa.pub is a public key file that is used to provide SSH servers.

2. Upload the public key file to the server
Upload the public key file you just generated to the public key database of the server-side user.

[xiaowang@kehuduan ~]$ scp ~/.ssh/id_ecdsa.pub root@192.168.1.1:/mnt
root@192.168.1.1's password:                         //Input password
id_ecdsa.pub                                         100%  179     0.2KB/s   00:00 
//Upload Successful

3. Import public key text into the server
On the server, the public key database of the target user (the account logged on remotely with Ali) is located in the ~/.ssh directory with the default file name "authorized_keys", which needs to be created manually by himself!

[root@fuwuduan ~]# mkdir /home/xiaozhang/.ssh
[root@fuwuduan ~]# cat /mnt/id_ecdsa.pub >> /home/xiaozhang/.ssh/authorized_keys
[root@fuwuduan ~]# cat /home/xiaozhang/.ssh/authorized_keys 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJmtmVbjnjH6NbWBRQcFjbYHoDBILQYclqrIHbVe0oyA15IXd+WBGsOcX3FYX8FYnIPHfL36Auj7aWb2MuVqmac= xiaowang@kehuduan

4. Validate using key pairs on clients
[xiaowang@kehuduan ~]$ ssh xiaozhang@192.168.1.1
Last login: Thu Aug 8 16:03:33 2019 from 192.168.1.2
//Connect without entering a password, experiment complete!

2) Second implementation:

[root@kehuduan ~]# ssh-keygen -t ecdsa
//Using root as an example, generate a root user's key pair file
[root@kehuduan ~]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub root@192.168.1.1
//'-i'is used to specify the public key file, which combines the second and third steps
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.1's password:                        //Enter the server root user password

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.

[root@kehuduan ~]# ssh root@192.168.1.1
Last login: Thu Aug  8 17:03:20 2019
//Verify experimental results

When you log in using key pair authentication, you do not need to know the mask of the target user, but rather verify the client user's private key phrase and check whether the private key and public key are paired, which is more secure.

4. TCP Wrappers Access Control

1) Overview of TCP Wrappers

TCP Wrappers "wrap" the TCP service program, instead of toughening the TCP service program's ports, adding a security monitoring process through which outbound connection requests must first be monitored to obtain a license to access the real service program.Figure:

For most Linux distributions, TCP Wrappers are provided by default.The package used by CentOS 7.3 is tcp_wrappers-7.6-77.el7.x86_64.rpm.

There are two implementations corresponding to TCP Wrappers protection mechanism:
1. Using TCPD program directly to protect other service programs requires running tcpd;
2. The libwrap.so. * link library is called by other network service programs without running the tcpd program.
In general, the Link Library approach is more widely used and efficient.

2) Access Policy for TCP Wrappers

The TCP Wrappers mechanism protects various network service programs by controlling access to the client addresses of access services. The corresponding two policy files are/etc/hosts.allow and/etc/hosts.deny, which use Ali to set the allowed and rejected policies respectively.

1. Policy Configuration Format

Service List: Client Address List

A list of server programs, with client addresses separated by colons and commas between items in the list.
1) List of service programs

2) Client Address List

2. Order of Policy Application

Check hosts.allow first and allow access if a match is found
 Otherwise check hosts.deny again, find it and deny access
 Access is allowed by default if neither file has a matching policy

3. Configuration Instances

Requirements: Hosts in the 192.168.1.0 segment are expected to be allowed access to sshd services only

[root@fuwuduan ~]# vim /etc/hosts.allow 
sshd:192.168.1.
[root@fuwuduan ~]# vim /etc/hosts.deny 
sshd:ALL

Tags: Linux ssh sftp openssh vim

Posted on Wed, 07 Aug 2019 22:21:33 -0400 by Orpheus13