1. ssh and openssh summary:
SSH:
ssh, the secure shell, provides secure remote access over the network. It is a client/server (C/S) tool. Before ssh, the usual tool for connecting to a remote computer was telnet.
telnet communicates in cleartext, so its security is poor; do not use it except in an emergency.
ssh is much safer than telnet. openssh is the open source implementation of ssh:
OPENSSH
It can be used as a direct replacement for rlogin, rsh, rcp and telnet. Furthermore, any other TCP/IP connection can be tunneled securely through SSH (port forwarding). OpenSSH encrypts all traffic, which effectively eliminates eavesdropping, connection hijacking and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
With rlogin or telnet a session is established without any check on who the server really is. SSH instead uses a key fingerprint system to verify the authenticity of the server. Only on the first connection is the user asked to confirm the fingerprint by typing yes; on every later connection the key presented by the server is compared against the saved fingerprint, and if it does not match a warning is given. Fingerprints are stored in ~/.ssh/known_hosts (older versions used ~/.ssh/known_hosts2 for SSH v2).
By default, newer versions of OpenSSH accept only SSH v2 connections. The client uses version 2 automatically when the server supports it and otherwise falls back to version 1; you can also force version 1 or 2 with the command line options -1 and -2 respectively. The client keeps the ability to speak version 1 only for compatibility with older servers.
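The known_hosts lookup described above is easy to do by hand. The following script is an added example (it is not part of the original post and not OpenSSH code): it finds the host-key lines a known_hosts file holds for a given host and port using only awk, so you can see which key your client will compare the server against. It assumes plain, unhashed entries; lines written with HashKnownHosts start with "|1|" and cannot be matched by name, so the script only counts them. The sample file it builds is constructed for the demonstration and its key data is fake.

```shell
#!/bin/sh
# Added example, not part of the original post: look up the host-key entries a
# known_hosts file holds for a given host and port, without calling ssh-keygen.
# Assumes plain (unhashed) entries; entries written with HashKnownHosts start
# with "|1|" and cannot be matched by name, so they are only counted.

# known_hosts_lookup FILE HOST [PORT]
# Prints "[marker] KEYTYPE KEYDATA" for every matching line; returns 0 if at
# least one entry matched, 1 otherwise.
known_hosts_lookup() {
    file=$1 host=$2 port=${3:-22}
    # ssh stores non-default ports as [host]:port, the default port as a bare name
    if [ "$port" = 22 ]; then want=$host; else want="[$host]:$port"; fi
    awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        substr($1, 1, 3) == "|1|" { hashed++; next }     # hashed entry, name not visible
        {
            # field 1 is a comma-separated list of names/addresses, optionally
            # preceded by an @cert-authority or @revoked marker
            i = 1
            if ($1 ~ /^@/) i = 2
            n = split($i, names, ",")
            for (j = 1; j <= n; j++) {
                if (names[j] == want) {
                    out = $(i + 1) " " $(i + 2)
                    if (i == 2) out = $1 " " out
                    print out
                    found++
                    break
                }
            }
        }
        END {
            if (hashed) print "note: " hashed " hashed entries skipped" > "/dev/stderr"
            exit (found ? 0 : 1)
        }' "$file"
}

# Constructed sample file; the key data is fake and only stands in for real keys.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# a comment line
www.881027.com,192.168.229.202 ssh-ed25519 AAAAC3FAKEKEYDATA1
[www.881027.com]:2222 ssh-rsa AAAAB3FAKEKEYDATA2
@revoked oldhost.example ssh-rsa AAAAB3FAKEKEYDATA3
|1|abcdefghijklmnopqrstuvwxyz0=|0123456789abcdefghijklmnopq= ssh-ed25519 AAAAC3FAKEKEYDATA4
EOF
}

# Usage demonstration on the constructed file
tmp=$(mktemp)
make_sample_known_hosts "$tmp"
known_hosts_lookup "$tmp" www.881027.com 2222 || echo "no entry for that host and port"
rm -f "$tmp"
```

Note that a host reached on port 2222 has its own entry, so the first connection to a non-default port triggers the fingerprint prompt again even if the same host is already known on port 22.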
SSH has two versions:
1. sshv1
sshv1 uses a CRC-32 check as its integrity check ("MAC"). CRC-32 is not a cryptographic MAC, only a checksum, so it cannot detect deliberate tampering. Using sshv1 is strongly discouraged; it is very unsafe.
2. sshv2
sshv2 negotiates with the host and selects the safest MAC both sides support.
The encryption and MAC mechanisms are negotiated and chosen by both parties:
key exchange is based on the DH algorithm, and host authentication is based on RSA or DSA.
The client decides whether to continue the communication by checking the server's host key.
In actual use, the Protocol 2,1 setting (or the -1/-2 command line options) decides whether version 1 or 2 is used.
The client keeps version 1 support only for compatibility with older versions.
You can also write only "Protocol 2" and drop the compatibility with the unsafe sshv1.
2. OPENSSH clients:
openssh has a client/server (C/S) structure, so it consists of two parts, a server and a client. Under Linux the client software is ssh; under Windows the commonly used clients are putty, xshell, SecureCRT, SSH Secure Shell Client and so on.
2.1 openssh client components:
2.1.1 ssh; its configuration file is /etc/ssh/ssh_config
Syntax:
ssh [username@]host [-p PORT] [COMMAND]
ssh -l username host [-p PORT] [COMMAND]
# If no username is given, ssh tries to log in as the current local user; if that user does not exist on the remote host you get an error.
# If COMMAND is given there is no interactive login: COMMAND is executed on the remote host and its output is returned to the local machine.
For instance:
To get the ifconfig output of host 192.168.229.202, whose sshd listens on port 2222:
# ssh -p 2222 root@192.168.229.202 ifconfig
# Note: -p must come before the host name; everything after the host name is passed to the remote command, so "ifconfig -p 2222" would be executed remotely instead.
2.1.2 scp: secure file transfer between hosts over the ssh protocol
Syntax:
scp SRC1 ... DEST
Two cases:
1. the source file is on the local machine, the target is remote:
# scp /path/to/somefile ... USERNAME@HOST:/path/to/somewhere
This logs in to the remote host HOST as USERNAME and copies the local /path/to/somefile to /path/to/somewhere on the remote host.
For instance:
Copy the local /etc/fstab to /tmp on host www.881027.com, whose ssh port is 2222:
# scp -P 2222 /etc/fstab root@www.881027.com:/tmp
# Note: -P (capital P) must come right after the scp command, before the file arguments; it specifies the ssh port of the remote host.
# Note: if the current local user is root, the root@ in root@www.881027.com can be omitted.
2. the source file is remote, the target is local:
# scp USERNAME@HOST:/path/to/somewhere /path/to/somewhere
-r: copy directories recursively
-p: preserve the metadata of the source file: owner, group, mode and timestamps (if the owner does not exist on the remote host it cannot be preserved)
-q: quiet mode
-P PORT: specify the port the remote ssh service listens on
For instance:
Download /tmp/fstab from the remote host to the local /etc:
# scp -P 2222 root@www.881027.com:/tmp/fstab /etc
2.1.3 sftp: an ftp-like file service over ssh
Once logged in with sftp you can use many familiar commands such as ls, cd, mkdir, put, get and the other ftp commands.
Usage: sftp USERNAME@HOST
For instance:
Log in with sftp to www.881027.com, ssh port 2222, and download the host's /etc/fstab to the local machine:
# sftp -oPort=2222 sbi.881027.com
# -oPort specifies the remote port; if it is not given the default 22 is used.
3. openssh server side: sshd
Configuration file: /etc/ssh/sshd_config
It controls the port sshd listens on and all the other operating parameters of the service; most of the best practices below are applied here.
Run
# man sshd_config
to see a detailed description of every parameter.
Service script: /etc/rc.d/init.d/sshd
Controls the sshd service: start, stop, restart and status.
Script configuration file: /etc/sysconfig/sshd
3.1 parameters that often need to be modified:
Port 22; change the default listening port
ListenAddress 0.0.0.0; by default sshd listens on all local addresses; can be set to listen only on a specific IP address
Protocol 2,1; prefer 2, fall back to sshv1 for compatibility
HostKey /etc/ssh/ssh_host_rsa_key; host key sent to the client when it connects
HostKey /etc/ssh/ssh_host_dsa_key; host key sent to the client when it connects; DSA can only be used for authentication, not for encryption
KeyRegenerationInterval 1h; interval at which the (sshv1) server key is regenerated; performed automatically by the server
LoginGraceTime 2m; grace period from the moment the login prompt appears until the account and password must have been entered
PermitRootLogin yes
yes: allows the root user to log in directly via ssh
no: root cannot log in directly via ssh; if necessary, log in as an ordinary user and then su - root
MaxAuthTries 6; maximum number of failed authentication attempts per connection
MaxSessions 10; maximum number of sessions per connection
RSAAuthentication yes; whether to enable RSA authentication (sshv1)
PubkeyAuthentication yes; whether to enable public key authentication (asymmetric encryption)
AuthorizedKeysFile .ssh/authorized_keys; file of authorized keys; appending a public key to authorized_keys lets that key log in without a password
ClientAliveInterval 0; interval in seconds between the keep-alive messages the server sends to the client; 0 means none are sent
ClientAliveCountMax 300; number of unanswered keep-alive messages after which the server disconnects the client
And so on.
I have only listed some common options; there are many more, which you can look up with # man sshd_config.
4. sshd authentication:
1. password-based authentication:
Nothing special to say: user name and password.
2. key-based (public key) authentication:
Logic:
a. a key pair is generated locally and the private key is kept on the local machine,
b. the public key is placed in the user's home directory on the remote host: ~/.ssh/
c. specifically, the local public key is appended to ~/.ssh/authorized_keys in the remote user's home directory
Steps:
# ssh-keygen -t rsa    generate the key pair
The default key files are id_rsa (private key) and id_rsa.pub (public key)
-f /path/to/somefile: location of the key file
-P passphrase: provide the (old) passphrase of the key; '' means none
You can also use a tool that uploads the generated public key directly to the remote host:
# ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST
# when the remote sshd listens on a non-default port (older ssh-copy-id versions need the -p option quoted together with the host):
ssh-copy-id -i id_rsa.pub "-p 7767 root@sbi.881027.com"
Then test the key-based login:
ssh -p 222 hostname
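When the key-based login from the steps above still asks for a password, the usual cause is file permissions: with StrictModes (the default) sshd refuses to use ~/.ssh/authorized_keys if the home directory, ~/.ssh or the file itself is group- or world-writable, and it does so silently. The following checker is an added example, not code from the original post or from OpenSSH; it assumes GNU stat (the -c option) and only checks the write bits, not file ownership, which sshd also verifies. The throw-away home directory it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: check the file modes that sshd
# enforces (StrictModes yes, the default) before it honours ~/.ssh/authorized_keys.
# If the home directory, ~/.ssh or authorized_keys is group- or world-writable,
# sshd silently ignores the key and falls back to asking for a password.
# Assumes GNU stat (-c); ownership is not checked here.

# mode_of PATH -> permission bits in octal, e.g. 700 or 644
mode_of() { stat -c '%a' "$1"; }

# writable_by_others MODE -> true (0) if the group or the other write bit is set
writable_by_others() {
    # the last octal digit is "other", the one before it is "group";
    # a digit of 2, 3, 6 or 7 has the write bit set
    case $1 in
        *[2367]|*[2367][0-7]) return 0 ;;
        *)                    return 1 ;;
    esac
}

# check_key_auth_perms HOME_DIR -> prints one line per problem; returns 0 when
# everything sshd checks is in order, 1 otherwise
check_key_auth_perms() {
    home=$1 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1; continue
        fi
        m=$(mode_of "$p")
        if writable_by_others "$m"; then
            echo "too permissive ($m): $p"; bad=1
        fi
    done
    return $bad
}

# Usage demonstration on a constructed throw-away home directory
demo=$(mktemp -d)
chmod 755 "$demo"
mkdir -m 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"        # empty stand-in for a real authorized_keys
chmod 660 "$demo/.ssh/authorized_keys"  # group-writable: sshd will reject this
check_key_auth_perms "$demo" || echo "fix with: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"
rm -rf "$demo"
```

Run it against the real home directory of the account you are trying to log in to on the server side; a readable-by-others authorized_keys (644) passes, since only the write bits matter to sshd.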
5. ssh service best practices:
1. Do not use the default port 22
2. Do not use protocol 1
3. Restrict which users can log in
White list:
AllowUsers user1 user2 user3 ...
AllowGroups grp1 grp2 ...
Black list:
DenyUsers user1 user2
DenyGroups grp1 grp2
# Do not use the white list and the black list together; use only one of them
4. Set an idle session timeout
ClientAliveInterval 300 # seconds
ClientAliveCountMax 0 # maximum number of unanswered keep-alives, 0
5. Use the firewall to set an ssh access policy
6. Listen only on a specific IP address, not on all IP addresses of the machine
7. Use a strong password policy; a random 20-character password can be generated with
# tr -dc A-Za-z0-9 < /dev/urandom | head -c 20 | xargs
8. Use key-based authentication
9. Prohibit empty passwords
10. Prohibit direct login of the administrator (root)
11. Limit the frequency of ssh connections; iptables can do this
12. Keep good logs and analyze them often
After a server has been tuned according to these best practices, compare the output of lastb (the list of failed logins) with what it showed while under attack and you will see a big difference. So after learning iptables, optimize further. Also, a small piece of software called Dropbear, a lightweight ssh client and server for embedded systems, is worth compiling and installing to try out. It is much smaller than openssh, but its ssh functionality is quite complete.