Remote access and control that operation and maintenance personnel must understand

Posted by [e]r!k on Tue, 14 Dec 2021 19:56:52 +0100

Remote access and control of [Linux dictionary]

preface

SSH is what is generally used for remote management of Linux systems. The reason is simple:
Telnet, FTP and similar protocols transmit user authentication information in plaintext, which is inherently unsafe and exposes it to eavesdropping on the network. SSH (Secure Shell) is currently more reliable; it is a protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol effectively prevents information disclosure during remote management. All transmitted data can be encrypted through SSH, and DNS spoofing and IP spoofing can also be prevented.

1, SSH service

What is SSH?
SSH (Secure Shell) is a secure channel protocol, mainly used for remote login at the character interface and for remote copying. The SSH protocol encrypts the data transmitted between the communicating parties, including the password the user enters when logging in. SSH is a security protocol based on the application layer and the transport layer.

network
SSH client < ------------------------------ > ssh server
Data transmission is encrypted to prevent information leakage
Data transmission is compressed to improve transmission speed
  • The SSH server mainly provides two service functions: SSH remote connection and the SFTP service
    Function: the sshd service uses the SSH protocol for remote control or for transferring files between computers. Compared with the older Telnet method it is much safer, because Telnet transmits in plaintext and SSH transmits encrypted.

  • SSH client: Putty, Xshell, CRT, MobaXterm

  • SSH server: OpenSSH. OpenSSH is an open source software project that implements the SSH protocol and is applicable to various UNIX and Linux operating systems. The OpenSSH packages are installed by default in CentOS 7, and the sshd service is enabled at boot. The sshd service can be started by executing the "systemctl start sshd" command.

    There are two common OpenSSH configuration files, /etc/ssh/ssh_config and /etc/ssh/sshd_config
    ssh_config: the client configuration file; client-side settings are made in this file
    sshd_config: the server-side configuration file; server-side settings are made in this file
    Summary: ssh_config and sshd_config are both OpenSSH configuration files. The difference is that the former configures the client and the latter configures the server

  • By default, the sshd service uses TCP port 22. The security protocol version is SSHv2. In addition to v2, there is v1 (vulnerable)
    The default configuration file for the sshd service is /etc/ssh/sshd_config; the main program is /usr/sbin/sshd

2, SSH Remote Login mode

2.1 login method

Method 1:

ssh [remote host user name]@[remote server hostname or IP address] -p port

When connecting from one Linux host to another: if the currently logged-in user is root and you also log in to the other host as root, you can use "ssh IP" directly and the default port is used. If the port is not the default, use -p to specify it.

RSA algorithm is based on a very simple number theory fact: it is very easy to multiply two large prime numbers, but it is extremely difficult to factorize their product. Therefore, the product can be disclosed as an encryption key.

Method 2:

ssh -l [Remote host user name] [Remote server hostname or IP address] -p port

#-l:-l option to specify the login name.
#-p:-p option, specify the login port (when the port of the server is not the default, you need to use -p to specify the port for login)

Note: when logging in to a server for the first time, the system has not yet saved the remote host's information. To confirm the identity of the host, the user is asked whether to continue connecting. Enter yes and log in. The system then writes the remote server's information to the $HOME/.ssh/known_hosts file; the next time you log in you are not prompted, because the host information is saved.

#In day-to-day work you sometimes need to log in to other Linux hosts over SSH, but the login is refused and prompts similar to the following appear:
The authenticity of host '192.168.10.9 (192.168.10.9)' can't be established.
ECDSA key fingerprint is SHA256:AaGpHeEiRuxMy96oezzv6Toei 5nJJmz1e/diqR7gcvk 
ECDSA key fingerprint is MD5:78:a1:b1:1c:36:76:c7:34:54:87:cc:ea:51:3f:0c:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.9' (ECDSA) to the list of known hosts.
Authentication failed.
  • Reason: the host has multiple Linux systems installed and switches between them frequently. These systems use the same IP, so after one login the SSH information is recorded in the local ~/.ssh/known_hosts file; after switching systems and accessing the host with SSH again, a conflict warning appears. You need to delete or modify the corresponding entry in known_hosts manually.

SSH records the public key of every computer you have accessed in ~/.ssh/known_hosts. When you visit the same computer again, OpenSSH checks the public key. If the public keys differ, OpenSSH issues a warning to protect you from attacks such as DNS hijacking.
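
The known_hosts check described above, as an added example (not part of the original post): it computes the SHA256 fingerprint in the form ssh prints and classifies a presented host key as match, changed or unknown. The key blobs are constructed placeholders, not real keys, and hashed host names and @-marked lines are skipped for brevity.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(key_b64):
    """Fingerprint as ssh prints it: SHA256:<unpadded base64 of SHA-256(key blob)>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (hostnames, keytype, key_b64) for plain entries."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, @cert-authority/@revoked markers, hashed host names
        yield fields[0].split(","), fields[1], fields[2]

def check_host(known_hosts_text, host, keytype, presented_b64):
    """Classify the key a server presents: 'match', 'changed' or 'unknown'."""
    verdict = "unknown"
    for hosts, ktype, key_b64 in parse_known_hosts(known_hosts_text):
        if host in hosts and ktype == keytype:
            if key_b64 == presented_b64:
                return "match"
            verdict = "changed"  # same host and key type, different key
    return verdict

def constructed_key(seed):
    """Build a well-formed ssh-ed25519 key blob from one byte (placeholder, not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Constructed sample data: the key recorded at first login and the key of the
# other system that later answers on the same IP.
OLD_KEY = constructed_key(0x11)
NEW_KEY = constructed_key(0x22)
KNOWN_HOSTS = f"# constructed sample file\n192.168.10.9 ssh-ed25519 {OLD_KEY}\n"

if __name__ == "__main__":
    for label, key in (("recorded system", OLD_KEY), ("other system, same IP", NEW_KEY)):
        verdict = check_host(KNOWN_HOSTS, "192.168.10.9", "ssh-ed25519", key)
        print(f"{label}: {verdict} {sha256_fingerprint(key)}")
```

When the verdict is changed and the change is expected (the multi-system case above), `ssh-keygen -R 192.168.10.9` removes the stale entry; otherwise compare the fingerprint with one read from the server's console before accepting it.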

2.2 OpenSSH service package

The OpenSSH packages provide the server-side daemon and the client-side tools that encrypt data during remote control and file transfer, replacing similar older services such as Telnet or FTP.

The OpenSSH service requires 4 software packages:
openssh-5.3p1-114.el6_7.x86_64          #Contains the core files required by the OpenSSH server and client
openssh-clients-5.3p1-114.el6_7.x86_64  #OpenSSH client package
openssh-server-5.3p1-114.el6_7.x86_64   #OpenSSH server package
openssh-askpass-5.3p1-114.el6_7.x86_64  #Supports displaying a dialog window; it is based on the X system

3, Service configuration and management

3.1 service configuration

Experiment: modifying the listening port; set the sshd listening port number.

SSH uses port 22 by default. More than one port can be used, that is, the Port setting can be repeated.
For example, to open sshd on ports 22 and 222, add one more line: Port 222
Then restart sshd. It is recommended to change the port number to another port to prevent others from brute-forcing it.

#ListenAddress listening address
ListenAddress 0.0.0.0
 Sets the IP address the sshd server binds to; 0.0.0.0 means listening on all addresses

Security suggestion: if the host does not need SSH access from the public network, change the listening address to the intranet address
This value can be written as a local IP address or as all addresses, i.e. 0.0.0.0 means all IP addresses

# Protocol 2
 Sets the protocol version to SSH1 or SSH2. SSH1 has known vulnerabilities and defects; choose SSH2

#UseDNS yes
 Generally speaking, to judge whether the client's source is normal and legitimate, DNS is used to check the client's host name. For hosts interconnected on an intranet this is usually set to no, so connections are established faster

Note: disabling DNS reverse resolution improves the response speed of the server

#SyslogFacility AUTHPRIV

When someone logs in to the system using SSH, SSH records the information. The type of information recorded is AUTHPRIV. The sshd service log is stored in /var/log/secure.

3.2. Security tuning

####LoginGraceTime 2m
·The grace time is how long the system allows for logging in (default 2 minutes; 0 means unlimited)
·After the user connects to the SSH server, the password prompt appears;
·if login has not succeeded within this time, the SSH server forcibly disconnects. If no unit is given, the value is in seconds. Adjust it to the actual situation

###PermitRootLogin yes (experiment)
 Whether root login is allowed. The default is to allow it, but setting it to no is recommended. Real production servers do not allow the root account to log in directly; only ordinary users may log in, and a user who needs root then switches to the root user.
Case list
 Create the users zhangsan and lisi
 Query the group
grep "wheel" /etc/group
gpasswd -a zhangsan wheel   #Add user zhangsan to the wheel group
 Enable the PAM module

####PasswordAuthentication yes
 Password verification is normally required, so yes is written here. It can also be set to no: on real production servers, depending on the security level required, some are configured not to accept password login and to log in with an authenticated key instead.

####PermitEmptyPasswords no
 Whether users with empty passwords may log in. The default is no: login with an empty password is not allowed

####PrintLastLog yes
 Displays the last login information! Default to yes

###MaxAuthTries 6
 Specifies the maximum number of authentication attempts allowed per connection. The default value is 6.
If the number of authentication failures exceeds half of this value, the connection is forcibly disconnected and additional failure log messages are generated
Default 3 times

Verification: ssh -o NumberOfPasswordPrompts=8 lisi@192.168.10.9


######AllowUsers
 To allow or deny login for only certain users, use AllowUsers or DenyUsers. The two are used in a similar way (be careful not to use them at the same time)
Configure AllowUsers
 For example, to allow only the users zhangsan and wangwu to log in and not other users (lisi):
AllowUsers zhangsan@192.168.10.10 wangwu
 Black and white conclusion
  • Perform security checks on RPM packages that are not security certified
  • Linux user hardening
  • Set password policy
  • Setting of user password strength
  • Limit the number of user logins
  • Prohibit ROOT users from logging in remotely
  • Set the number of historical commands saved and the account timeout
  • Set that only the specified user group can use the su command to switch to the root user
  • Manage Linux accounts
  • Important files are locked and cannot be deleted even by ROOT users
  • Establish log server
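
A small audit of the sshd_config directives covered in sections 3.1 and 3.2, added here as an example and not part of the original post. It assumes the defaults stated on this page, reads only the global section (Match blocks are not evaluated), and the sample file is constructed.

```python
# Defaults as stated on this page; used when a keyword is absent or commented out.
PAGE_DEFAULTS = {
    "permitrootlogin": ["yes"], "passwordauthentication": ["yes"],
    "permitemptypasswords": ["no"], "listenaddress": ["0.0.0.0"],
    "protocol": ["2"],
}

def parse_sshd_config(text):
    """Return {lowercased keyword: [values in file order]} for the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # "#PermitRootLogin yes" is a comment, not a setting
        parts = line.split(None, 1)
        keyword = parts[0].lower()    # keywords are case-insensitive
        if keyword == "match":
            break                     # simplification: Match blocks are not evaluated
        seen.setdefault(keyword, []).append(parts[1].strip() if len(parts) > 1 else "")
    return {**PAGE_DEFAULTS, **seen}

def audit(text):
    """Return [(keyword, advice)] where the file departs from this page's advice."""
    cfg = parse_sshd_config(text)
    # For single-valued keywords sshd uses the first value it reads.
    first = {k: v[0].lower() for k, v in cfg.items()}
    findings = []
    if first["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", "set to no; log in as a normal user, then switch"))
    if first["permitemptypasswords"] != "no":
        findings.append(("PermitEmptyPasswords", "set to no"))
    if first["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", "key pairs only on high-security hosts"))
    if "1" in first["protocol"].split(","):
        findings.append(("Protocol", "SSH1 is vulnerable; use 2 only"))
    if "0.0.0.0" in cfg["listenaddress"]:
        findings.append(("ListenAddress", "bind to the intranet address if possible"))
    if "allowusers" in cfg and "denyusers" in cfg:
        findings.append(("AllowUsers", "AllowUsers and DenyUsers are both set; use one"))
    return findings

# Constructed sample file, not taken from a real host.
SAMPLE = """\
Port 22
Port 222
ListenAddress 0.0.0.0
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
AllowUsers zhangsan@192.168.10.10 wangwu
DenyUsers lisi
"""

if __name__ == "__main__":
    for keyword, advice in audit(SAMPLE):
        print(f"{keyword}: {advice}")
```

On a live host, `sshd -T` prints the values sshd actually uses, including defaults, and is the authoritative input for a check like this.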

https://suijimimashengcheng.bmcx.com/ Random Password Generator

3.3 SSHD service supports two authentication methods

Mode 1:

  • Password verification: the login name and password of a local system user on the server are verified. This method is the easiest to use, but from the client's point of view the server being connected to may be counterfeit; from the server's point of view, the defense is weak when facing password exhaustion (brute-force) attacks.

Password complexity (at least 16 characters); port security

Mode 2:

  • Key pair verification: matching key information is required to pass verification. Usually a pair of key files (public key and private key) is created on the client, and the public key file is then placed in a fixed location on the server. During remote login, the system uses the public key and private key for encryption/decryption verification, which greatly enhances the security of remote management.

This method is not easy to counterfeit and allows login without interaction. It is widely used in shell scripts.

When both password authentication and key pair authentication are enabled, the server gives priority to key pair authentication. For servers with high security requirements, it is recommended to disable password authentication and enable only key pair authentication; if there are no special requirements, both methods can be enabled.

Password free login
ssh-agent bash  #Start a shell under ssh-agent, then add the private key to the agent (operate on the client)
ssh-add

4, Build SSH for key pair authentication

4.1 relationship between public key and private key

  • In asymmetric encryption technology, there are two kinds of keys: private key and public key
  • The private key is held by the key pair owner and cannot be published. The public key is published by the key pair owner to others
  • The public key is used to encrypt data. The data encrypted with the public key can only be decrypted with the private key

4.2 SSH principle of building key pair verification

  • Firstly, ssh generates a key pair (public key and private key) at the client through an encryption algorithm. The public key is sent to the server and the private key is retained
  • When connecting to the SSH server with the key pair, the SSH client software sends the server a request for security authentication using the user's key.
  • After receiving the request, the ssh server will first look for the public key of the corresponding user placed in advance under the home directory of the user connected to the ssh server, and then compare it with the public key sent by the connected SSH client.
  • If the two keys are consistent, the ssh server encrypts the "challenge" with the public key and sends it to the SSH client.

When both password authentication and key pair authentication are enabled, the server will give priority to key pair authentication. The verification method can be set according to the actual situation.

vim /etc/ssh/sshd_config
PasswordAuthentication yes
#Enable password authentication
PubkeyAuthentication yes
#Enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys
#Specify the public key store file

4.3 security replication scp replication

scp is short for secure copy, which is used to remotely copy files under Linux, and scp transmission is encrypted.

1.###Copy local files to server
scp sheng root@192.168.100.141:/opt2
2.###Copy server files to local
scp root@192.168.100.141:/opt/test/ ./
3.####Copy local directory to server
scp -r 1234/ root@192.168.100.141:/opt

4.4 configure key pair verification

1.Create a key pair on the client
 Use the ssh-keygen tool to create a key pair file for the current user. The available encryption algorithms are RSA, ECDSA, DSA, etc. (the "-t" option of the ssh-keygen command specifies the algorithm type).
useradd admin
echo "123123" | passwd --stdin admin
su - admin
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa):
#Specify the location of the private key. Press enter to use the default location
Created directory '/home/admin/.ssh'.
#The generated private key and public key files are stored by default in the hidden directory .ssh/ under the user's home directory
Enter passphrase (empty for no passphrase):  #Set the password for the private key
Enter same passphrase again:   #Confirm input
ls -l ~/.ssh/id_ecdsa*
#id_ecdsa is the private key file, and the permission is 600 by default; id_ecdsa.pub is the public key file, which is provided to the SSH server

2.Upload the public key file to the server
scp ~/.ssh/id_ecdsa.pub root@192.168.80.10:/opt
 or
#This method imports the public key text directly into the /home/zhangsan/.ssh/ directory on the server
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.80.10

3.Import public key text in the server
mkdir /home/zhangsan/.ssh
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys

cat /home/zhangsan/.ssh/authorized_keys

4.Use key pair authentication on the client
ssh zhangsan@192.168.80.10
Enter passphrase for key '/home/admin/.ssh/id_ecdsa':    #Enter the password for the private key

5.Set up the ssh-agent function on the client to log in without interaction
ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa:
#Enter the password for the private key
ssh zhangsan@192.168.80.10

6, Secure transport sftp

sftp is the abbreviation of Secure File Transfer Protocol, a Secure File Transfer Protocol. It can provide a secure network encryption method for transmitting files.

  • SFTP and ftp have almost the same syntax and function. SFTP is a part of SSH. In fact, the SSH package already contains a secure file information transfer subsystem called SFTP (Secure File Transfer Protocol). SFTP itself does not have a separate daemon. It must use sshd daemon (port number is 22 by default) to complete the corresponding connection and reply operations.

  • Therefore, using SFTP is very safe. However, because this transmission mode uses encryption / decryption technology, the transmission efficiency is much lower than ordinary FTP. If the requirements for network security are higher, SFTP can be used instead of FTP.

sftp root@192.168.10.10   #Log in to the server

Download
get anaconda-ks.cfg /home/

Upload
put abc.txt  #Uploaded to /root by default
put abc.txt /home/

View available commands
help  #View the commands and uses that sftp can use

Print server current location
pwd     #Print current server location
lpwd    #Print current local location

Switch directories and view files
cd     #Switch directories on the server
ls     #View the list of files in the current directory

Download files, exit sftp
get         #Download File
get -r      #Download directory
quit        #Exit sftp
put         #Upload file
 Exit commands: quit, exit and bye all work

7, TCP Wrappers access control

TCP wrappers

TCP Wrappers "wraps" a TCP service program and listens on the service's port in its place, adding a security check. External connection requests must pass this check before they can reach the real service program.

For most Linux distributions, TCP Wrappers is a default feature. rpm -q tcp_wrappers

  • In Linux, many network services provide their own access control mechanisms for clients, such as Samba, BIND, HTTPD, OpenSSH and so on. TCP Wrappers "wraps" the TCP service program and listens on its port in its place, adding a security check that external connection requests must pass before they can reach the real service program
[root@localhost opt]# rpm -q tcp_wrappers  #Check whether the program is installed (generally, it is installed by default)
tcp_wrappers-7.6-77.el7.x86_64 #The package provides the execution program tcpd and the shared link library file libwrap.so.*

TCP Wrappers protection mechanism: usually other network service programs, such as sshd, call the libwrap.so.* link library

[root@localhost opt]# ldd /usr/sbin/sshd | grep "libwrap" #Use the ldd command to view the shared libraries of the program
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc35d8f8000)

Two implementations of TCP Wrappers protection mechanism

  • 1. Use the tcpd program directly to protect other service programs. The tcpd program must be run.
  • 2. Other network service programs call the libwrap.so.* link library; the tcpd program does not need to be run. This method is more widely used and more efficient.
    Use the ldd command to check for the libwrap.so.* link library
    ldd $(which sshd)

Syntax format: <service program list>: <client address list>

  • (1) Service program list. It can be one of the following:
    ALL: represents all services.
    Single service program: such as "vsftpd".
    A list of multiple service programs, such as "vsftpd,sshd".

  • (2) Client address list
    ALL: represents any client address.
    LOCAL: represents the local address.
    Multiple addresses are separated by commas

  • Wildcards "*" and "?" are allowed; the former matches characters of any length and the latter matches exactly one character
    Network segment address, such as "192.168.80." or 192.168.80.0/255.255.255.0
    Domain address, such as ".benet.com", which matches all hosts in the benet.com domain.

Basic principles of access control

  • First check the /etc/hosts.allow file. If a matching policy is found, access is allowed;
    otherwise, continue by checking the /etc/hosts.deny file. If a matching policy is found, access is denied;
    if no matching policy is found in either file, access is allowed

  • "Allow all, reject individual"
    Just add the corresponding rejection policy to the /etc/hosts.deny file

  • "Allow individual, reject all"
    In addition to adding an allow policy in /etc/hosts.allow, you also need to set the deny policy "ALL:ALL" in the /etc/hosts.deny file.

example:
If you only want hosts with the IP address 12.0.0.1 or in the 192.168.80.0/24 network segment to access the sshd service, and other addresses to be denied:

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.80.*
vi /etc/hosts.deny
sshd: ALL

sshd, htpd: ALL 
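
The hosts.allow / hosts.deny decision order described above, as an added example (not code from the original post or from TCP Wrappers itself). It covers IPv4 addresses and the pattern forms listed on this page; the function names are hypothetical and the rule text is the page's own example.

```python
import fnmatch
import ipaddress
import re

def split_list(field):
    """Split a service or client list on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if t]

def parse_rules(text):
    """Parse '<service list>: <client list>' lines into (services, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services, _, rest = line.partition(":")
        clients = rest.split(":")[0]          # an optional third field is ignored here
        rules.append((split_list(services), split_list(clients)))
    return rules

def client_matches(pattern, ip, hostname=""):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # host name that contains no dot
        return bool(hostname) and "." not in hostname
    if pattern.endswith("."):                 # network prefix such as 192.168.80.
        return ip.startswith(pattern)
    if pattern.startswith("."):               # domain suffix such as .benet.com
        return hostname.endswith(pattern)
    if "/" in pattern:                        # net/mask such as 192.168.80.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    return fnmatch.fnmatchcase(ip, pattern) or fnmatch.fnmatchcase(hostname, pattern)

def file_matches(rules, service, ip, hostname=""):
    return any(
        ("ALL" in services or service in services)
        and any(client_matches(p, ip, hostname) for p in clients)
        for services, clients in rules
    )

def decide(allow_text, deny_text, service, ip, hostname=""):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    if file_matches(parse_rules(allow_text), service, ip, hostname):
        return "allow"
    if file_matches(parse_rules(deny_text), service, ip, hostname):
        return "deny"
    return "allow"

HOSTS_ALLOW = "sshd:12.0.0.1,192.168.80.*\n"   # the page's example policy
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for service, ip in (("sshd", "192.168.80.25"), ("sshd", "10.1.1.1"), ("vsftpd", "10.1.1.1")):
        print(service, ip, decide(HOSTS_ALLOW, HOSTS_DENY, service, ip))
```

The last case in the demo is the one to watch: a service named in neither file is allowed, which is why the "allow individual, reject all" policy needs ALL:ALL in hosts.deny. The two files only affect sshd when the ldd check above shows libwrap.so linked into it.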


Topics: Linux Operation & Maintenance ssh