1. Introduction to SSH
SSH (Secure Shell) is a secure-channel protocol used for remote login and remote file copy from a character (terminal) interface. Everything exchanged between client and server is encrypted, including the password typed at login. Compared with TELNET (remote login), RSH (remote command execution) and RCP (remote copy), which all send their traffic in clear text, SSH is far more secure.
sshd listens on TCP port 22 by default.
2. OpenSSH configuration
B/S and C/S architectures
B/S: browser/server
C/S: client/server. SSH is a C/S application: the sshd daemon runs on the server and the ssh client program runs on the user's machine.
1. Listen options
[root@splitdns ~]# vim /etc/ssh/sshd_config
Port 22                  # TCP port sshd listens on; 22 is the default
#ListenAddress 0.0.0.0   # commented out, so the default applies: listen on all local addresses; set an address here to bind one interface only
UseDNS no                # do not reverse-resolve the client address; avoids slow logins when DNS is unreachable (no has also been the default since OpenSSH 6.8)
2. User login control
By default sshd allows root to log in directly. That is unsafe in production: disable direct root login and have administrators log in as an ordinary user and escalate with su or sudo.
[root@splitdns ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m         # time a client has to finish authenticating before sshd drops the connection
PermitRootLogin no         # the shipped file shows the default commented out (#PermitRootLogin yes on old releases, prohibit-password since OpenSSH 7.0); uncomment it and set no to block root
MaxAuthTries 6             # maximum authentication attempts per connection; once half of them have failed, further failures are logged
#PermitEmptyPasswords no   # when password authentication is enabled, refuse accounts with an empty password (no is the default)
OpenSSH service access control
AllowUsers   only the listed users may log in; everyone else is refused
DenyUsers    the listed users may not log in
Notes
1) Do not mix AllowUsers and DenyUsers. sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and once AllowUsers is present every user not named in it is refused anyway.
2) If the server is reachable from the Internet, the address in the rule must be the company's public (egress) IP address, because that is the source address the server sees.
AllowUsers linyu@<client-IP>   # only linyu, and only from that address, may log in; replace <client-IP> with the permitted source address
A server typically has several network adapters (for example em1 to em4); ListenAddress can bind sshd to just the management interface.
3. Login authentication modes
1) SSH authentication modes
Password authentication (controlled by the PasswordAuthentication directive)
Key pair authentication (controlled by the PubkeyAuthentication directive)
AuthorizedKeysFile .ssh/authorized_keys   # where sshd looks for a user's public keys, relative to the user's home directory
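The directives above are easy to get wrong in a real sshd_config, because a commented-out line counts for nothing and, when a keyword appears twice, sshd keeps the first occurrence rather than the last. The following script is an added example written for these notes, not a tool shipped with OpenSSH: it reads a config file with the same first-match rule sshd uses, skips Match blocks (whose settings apply only to matching connections) and reports PASS or FAIL for the hardening directives discussed in this section. It assumes the compiled-in defaults of OpenSSH 7.x or newer when a directive is absent, and it does not handle the rarely used Keyword=value spelling.

```bash
#!/bin/sh
# Added example (not part of the original notes): read an sshd_config the way
# sshd does and check the hardening directives discussed above. Assumptions:
# OpenSSH 7.x+ compiled-in defaults when a directive is absent; the
# "Keyword=value" spelling is not handled; Match blocks are skipped because
# their settings apply only to matching connections.
set -eu

# sshd_effective <file> <keyword> [default]
# Prints the value sshd would use globally, lowercased. Keywords are
# case-insensitive and the FIRST occurrence wins (sshd_config(5): "the first
# obtained value will be used"), so "#PermitRootLogin yes" counts for nothing
# and a later duplicate never overrides an earlier one.
sshd_effective() {
    awk -v key="$2" -v def="${3-}" '
        { sub(/#.*/, "") }                        # drop comments
        NF < 2 { next }                           # blank or comment-only line
        tolower($1) == "match" { inmatch = 1 }    # everything after a Match header is conditional
        inmatch { next }
        tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1" | tr 'A-Z' 'a-z'
}

# audit_sshd <file>
# One PASS/FAIL line per directive covered in this section; returns the
# number of failures so it can drive a script.
audit_sshd() {
    file="$1"; fails=0
    v=$(sshd_effective "$file" PermitRootLogin prohibit-password)
    if [ "$v" = no ]; then echo "PASS PermitRootLogin $v"
    else echo "FAIL PermitRootLogin $v (want no)"; fails=$((fails + 1)); fi
    v=$(sshd_effective "$file" PermitEmptyPasswords no)
    if [ "$v" = no ]; then echo "PASS PermitEmptyPasswords $v"
    else echo "FAIL PermitEmptyPasswords $v (want no)"; fails=$((fails + 1)); fi
    v=$(sshd_effective "$file" MaxAuthTries 6)
    if [ "$v" -le 6 ]; then echo "PASS MaxAuthTries $v"
    else echo "FAIL MaxAuthTries $v (want <= 6)"; fails=$((fails + 1)); fi
    v=$(sshd_effective "$file" UseDNS no)
    if [ "$v" = no ]; then echo "PASS UseDNS $v"
    else echo "FAIL UseDNS $v (want no)"; fails=$((fails + 1)); fi
    return "$fails"
}
```

Run it as `audit_sshd /etc/ssh/sshd_config` on a copy of the file you are reviewing. On the live host, `sshd -T` prints the configuration sshd has actually loaded with every default filled in, so `sshd -T | grep -i permitrootlogin` is the authoritative check; the script is for reviewing config files offline before they are deployed.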
3. SSH client programs
1. The ssh command
ssh <user>@<host> touch /tmp/a.txt
ssh can not only open a remote login shell but also run a single command remotely: the command is executed on the server, its output comes back, and the connection closes without an interactive shell.
2. scp remote copy
scp 192.168.9.10:/etc/hosts /etc/hosts   # copy the remote file to the local path
scp -r                                   # add -r to copy a directory recursively
3. Using sftp
Format: sftp <user>@<IP address>
get    download a file
put    upload a file
lcd    change the local directory (cd changes the remote one)
4. Windows clients
FinalShell
PuTTY
4. Building key pair authentication
1. The setup consists of four steps: create the key pair on the client, upload the public key to the server, import it into the target user's authorized_keys, and log in with the private key.
2. Create a key pair on the client (it is stored in ~/.ssh in the current user's home directory).
On the Linux client, run ssh-keygen to create a key pair for the currently logged-in user. The algorithm is chosen with -t: ECDSA, RSA or DSA (ED25519 is also available on current releases). The default is RSA. DSA keys are obsolete and have been disabled by default in sshd since OpenSSH 7.0, so use ed25519 or RSA on new systems.
3. Upload the public key to the server (for example with ssh-copy-id).
4. Import the public key text on the server by appending it to ~/.ssh/authorized_keys of the target user. With the default StrictModes yes, sshd ignores the file if it or ~/.ssh is writable by other users, so keep ~/.ssh at mode 700 and authorized_keys at 600.
Non-interactive key pair generation (-P "" sets an empty passphrase, so anyone who obtains the private key file can use it; protect the file accordingly):
[root@localhost ~]# ssh-keygen -t ecdsa -P "" -f .ssh/id_ecdsa
Generating a key pair on Windows
In Xshell: Tools tab -> New User Key Generation Wizard
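Step 4 above is where key login most often fails in practice: a key pasted with a line break, or an authorized_keys that ended up group-writable, is silently ignored by sshd and the user falls back to a password prompt. The following function is an added example written for these notes, not part of OpenSSH or of ssh-copy-id: it installs a public key line the way ssh-copy-id does, but validates the line first, refuses to add the same key twice, and sets the permissions StrictModes expects. The home directory is a parameter so it can be exercised against a temporary directory; the key line used in the check is a constructed string in the right format, not a real key.

```bash
#!/bin/sh
# Added example (not part of the original notes): install a public key into a
# user's authorized_keys the way ssh-copy-id does, but idempotently and with
# the permissions sshd's default StrictModes requires (~/.ssh 700,
# authorized_keys 600). The key line used in the test below is a constructed
# string in the right format, not a real key.
set -eu

# valid_pubkey_line "<type> <base64> [comment]"
# Rejects anything that is not one authorized_keys entry for a key type sshd
# accepts; a malformed line would be ignored silently and the user would be
# left without key login.
valid_pubkey_line() {
    type=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# install_pubkey <home_dir> "<pubkey line>"
install_pubkey() {
    home="$1"; key="$2"
    dir="$home/.ssh"; file="$dir/authorized_keys"
    valid_pubkey_line "$key" || { echo "rejected malformed key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Idempotent: the same type+blob is not appended twice even if the comment differs.
    ktype=$(printf '%s\n' "$key" | awk '{print $1}')
    kblob=$(printf '%s\n' "$key" | awk '{print $2}')
    if awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
}

# Helpers used to verify the result.
key_count() { grep -c . "$1/.ssh/authorized_keys"; }
mode_of()   { stat -c %a "$1"; }
```

Typical use on the server, as the target user: `install_pubkey "$HOME" "$(cat /tmp/id_ecdsa.pub)"`. Because the function compares only the key type and the base64 blob, re-running it after a client regenerates its comment does not create duplicate entries.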
5. TCP Wrappers
In Linux, many network services add a layer of client access control through TCP Wrappers, which consults /etc/hosts.allow and /etc/hosts.deny before the service accepts a connection.
1. How TCP Wrappers protects a service
2. Two ways the protection is implemented
Method 1: the tcpd wrapper program is placed in front of the service (typically started from inetd or xinetd) and decides whether to hand over the connection.
Method 2: the service itself is linked against the libwrap.so library and performs the check in-process.
3. Conditions for protection
1) The service must use TCP.
2) The program must be linked against libwrap.so.0 (a shared library); most classic network services are. Note that upstream OpenSSH removed tcp_wrappers support in 6.7 and distributions such as RHEL 8 no longer ship tcp_wrappers at all, so on those systems use sshd's own AllowUsers and Match rules or a firewall instead.
The ldd command
ldd is not a binary but a shell script: it lists the shared libraries (.so files) a program needs, so it shows whether a daemon is linked against libwrap:
[root@www ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3a9e0f7000)
[root@www ~]# ldd /usr/sbin/vsftpd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f37a748a000)
4. TCP Wrappers rule files
/etc/hosts.allow   # permit rules
/etc/hosts.deny    # deny rules
Access control policy
/etc/hosts.allow is checked first and has the higher priority: a client that matches a rule there is accepted immediately and hosts.deny is never consulted, so an address listed in both files is accepted. If hosts.allow does not match, hosts.deny is checked and a match refuses the client. If neither file matches, the connection is allowed.
5. Configuration format
1) Format
service list: client address list
Note: the CIDR form 192.168.9.0/24 is not accepted for a network segment; write 192.168.9. (trailing dot) or 192.168.9.0/255.255.255.0 instead.
2) Configuration examples
Allow only hosts in the range 192.168.200.100 to 192.168.200.199 to reach the sshd service (and vsftpd), and refuse sshd to everyone else. The ? wildcard matches a single character, so 1?? covers exactly 100 to 199:
[root@localhost ~]# vim /etc/hosts.allow
sshd, vsftpd: 192.168.200.1??
[root@localhost ~]# vim /etc/hosts.deny
sshd: ALL
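Because the two files are consulted in a fixed order, it is easy to convince yourself a rule set does what you intend when it does not. The script below is an added example written for these notes, not part of tcp_wrappers: it emulates the decision libwrap makes from hosts.allow and hosts.deny (allow first, then deny, otherwise permit) and the client pattern forms used in this section (ALL, the 1?? wildcard, "192.168.9." prefixes and net/mask pairs), so a rule set can be checked offline against sample addresses. EXCEPT operators, hostname patterns and the optional third field (shell commands) are deliberately left out.

```bash
#!/bin/sh
# Added example (not part of the original notes): an offline emulation of the
# decision libwrap makes from /etc/hosts.allow and /etc/hosts.deny, so the
# precedence rule and the client patterns used above can be exercised without
# touching a real system. Not implemented: EXCEPT, hostname patterns, and the
# optional third field (shell commands).
set -euf   # -f: client patterns contain * and ?, which must not expand to file names

# ip_to_int 192.168.200.150 -> 3232286870
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches <pattern> <client_ip>: one client pattern from hosts_access(5)
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  # "192.168.200." matches every address that starts with it
             case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        */*) # net/mask form such as 192.168.9.0/255.255.255.0
             cm_net=$(ip_to_int "${1%/*}"); cm_mask=$(ip_to_int "${1#*/}"); cm_addr=$(ip_to_int "$2")
             [ $((cm_addr & cm_mask)) -eq $((cm_net & cm_mask)) ] ;;
        *)   # literal address, or * and ? wildcards, e.g. 192.168.200.1??
             case "$2" in $1) return 0 ;; esac; return 1 ;;
    esac
}

# in_list "sshd, vsftpd" sshd: is the daemon named in a daemon list?
in_list() {
    for il_entry in $(printf '%s\n' "$1" | tr ',' ' '); do
        [ "$il_entry" = ALL ] && return 0
        [ "$il_entry" = "$2" ] && return 0
    done
    return 1
}

# file_matches <file> <daemon> <client_ip>: does any "daemon_list : client_list" line match?
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        fm_line=${fm_line%%#*}                                   # strip comments
        case "$fm_line" in *:*) ;; *) continue ;; esac
        fm_daemons=${fm_line%%:*}
        fm_clients=${fm_line#*:}; fm_clients=${fm_clients%%:*}   # ignore an optional third field
        in_list "$fm_daemons" "$2" || continue
        for fm_c in $(printf '%s\n' "$fm_clients" | tr ',' ' '); do
            client_matches "$fm_c" "$3" && return 0
        done
    done < "$1"
    return 1
}

# hosts_access <hosts.allow> <hosts.deny> <daemon> <client_ip> -> prints allow or deny
# Same order as libwrap: hosts.allow first (a match grants access and
# hosts.deny is never read), then hosts.deny (a match refuses), otherwise allow.
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}
```

To check the rule set from this section, copy the two files somewhere writable and run, for example, `hosts_access ./hosts.allow ./hosts.deny sshd 192.168.200.99`; with the files shown above it prints deny for that address, allow for 192.168.200.150, and allow for vsftpd from any address, because vsftpd is not named in hosts.deny.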
Example for configuring public network servers: