SSH Remote Management and the Authentication Methods Supported by the sshd Service

Preface

Most enterprise servers are managed through remote login.
When hundreds of server hosts must be managed from a single workstation, remote maintenance is clearly the more practical approach.
Next, we will learn how to use a secure remote management method for Linux environments, and how to provide access control for applications through the TCP Wrappers mechanism.

1, SSH Remote Management

1. SSH definition

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copying over a character-based (command-line) interface.
The SSH protocol encrypts the data exchanged between the two communicating parties, including the password the user enters at login, so it offers good security.

2. SSH benefits

① Data transmission is encrypted to prevent information leakage
② Data transmission is compressed, which can improve the transmission speed

3. SSH configuration files

① The default configuration file of the sshd service is /etc/ssh/sshd_config
② ssh_config and sshd_config are both OpenSSH configuration files.
The difference is that ssh_config is the configuration file for the client, while sshd_config is the configuration file for the server.

4. SSH client and server

① SSH client: Putty, Xshell, CRT
② SSH server: OpenSSH

OpenSSH is an open-source software project that implements the SSH protocol and is available for various UNIX and Linux operating systems.
CentOS 7 installs the openssh packages by default and enables the sshd service to start at boot.

2, Configure OpenSSH server

During the simulation experiment we use two virtual machines: one as the server (IP address: 192.168.28.20) and the other as the client. The configuration file is modified on the server; don't mix the two up.

1. Common option settings in the sshd_config configuration file

vim /etc/ssh/sshd_config

Port 22                          # listen on port 22
ListenAddress 0.0.0.0            # listen on any address; a specific IP address of the OpenSSH server may also be given

LoginGraceTime 2m                # login authentication must complete within 2 minutes
PermitRootLogin no               # disable direct root login
MaxAuthTries 6                   # the maximum number of authentication attempts is 6

PermitEmptyPasswords no          # prohibit users with empty passwords from logging in
UseDNS no                        # disable reverse DNS resolution to improve the server's response speed

# Only zhangsan, lisi and wangwu may log in, and wangwu may only log in remotely from the host with IP address 192.168.28.20
AllowUsers zhangsan lisi wangwu@192.168.28.20    # multiple users are separated by spaces

# Prohibit certain users from logging in. Usage is similar to AllowUsers (do not use both at the same time)
DenyUsers zhangsan

Of these:

AllowUsers ...    # only the listed users may log in
DenyUsers ...     # the listed users may not log in; usage is similar to AllowUsers (do not use both at the same time)
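As an added example (not code from the original post), this Python script audits an sshd_config text against the options listed above. It applies two parser rules that matter when reviewing a real file: sshd keeps the first value it sees for a keyword, and anything after a Match line is conditional and must not be read as a global setting. The sample configuration is constructed for the example.

```python
import re

# Constructed sample sshd_config for this example (not a real server's file).
# Note the duplicated PermitRootLogin (sshd keeps the FIRST value) and the
# AllowUsers/DenyUsers pair, which the text advises against combining.
SAMPLE_SSHD_CONFIG = """\
Port 22                     # listening port
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 10
PermitEmptyPasswords no
AllowUsers zhangsan lisi wangwu@192.168.28.20
DenyUsers zhangsan
Match User backup
    PermitRootLogin no      # conditional: only applies inside the Match block
"""

def parse_global_section(text):
    """Return {keyword_lower: first_value} for the lines before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":           # everything after Match is conditional
            break
        settings.setdefault(key.lower(), value.strip())  # first occurrence wins
    return settings

def audit_sshd_config(text):
    """Return [(keyword, problem), ...]; an empty list means all checks passed."""
    s = parse_global_section(text)
    findings = []
    def expect(key, wanted):
        actual = s.get(key)
        if actual is None:
            findings.append((key, "not set explicitly (compiled-in default applies)"))
        elif actual.lower() != wanted:
            findings.append((key, f"is '{actual}', expected '{wanted}'"))
    expect("permitrootlogin", "no")
    expect("permitemptypasswords", "no")
    expect("usedns", "no")
    tries = s.get("maxauthtries")
    if tries is not None and (not tries.isdigit() or int(tries) > 6):
        findings.append(("maxauthtries", f"is '{tries}', expected 6 or fewer"))
    if "allowusers" in s and "denyusers" in s:
        findings.append(("allowusers/denyusers", "both set; use only one of them"))
    return findings
```

Run against the sample, the audit flags PermitRootLogin as "yes" because the first of the two global lines wins, and ignores the "no" inside the Match block.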


2. The two authentication methods of the sshd service

1. Password verification

Verifies the login name and password of a local system user on the server. Simple, but it can be brute-force cracked.
This is the method we have been using so far.

2. Key pair verification

Matching key information is required to pass verification. Usually a pair of key files (a public key and a private key) is created on the client, and the public key file is then placed in the specified location on the server. When logging in remotely, the system uses the public and private keys to perform an encryption/decryption check of their correspondence. This enhances security and avoids interactive password login.

vim /etc/ssh/sshd_config
PasswordAuthentication yes              # enable password authentication
PubkeyAuthentication yes                # enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys # specify the public key library file

3. Configure key pair authentication

Steps:

1. Create a key pair on the client

Use the ssh-keygen tool to create a key pair for the current user. Available algorithms include RSA, ECDSA and DSA; the "-t" option of ssh-keygen specifies the algorithm type.
useradd chenwei
echo "123123" | passwd --stdin chenwei
su - chenwei

ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): #Specify the location of the private key. Press enter to use the default location
Created directory '/home/admin/.ssh'. #By default the generated private and public key files are stored in the hidden .ssh/ directory of the home directory
Enter passphrase (empty for no passphrase): #Set the password for the private key
Enter same passphrase again: #Confirm input
2. Once this is done, a private key file and a public key file can be found under .ssh/

id_ecdsa is the private key file, with permission 600 by default; id_ecdsa.pub is the public key file, which is provided to the SSH server.

3. Pass the public key file to the server, so that the server can verify the client when it connects

scp ~/.ssh/id_ecdsa.pub root@192.168.126.20:/opt
mkdir /home/zhangsan/.ssh/
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys

cat /home/zhangsan/.ssh/authorized_keys

Or: #this method imports the public key text directly into the /home/zhangsan/.ssh/ directory
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.126.20

4. Go to the server (virtual machine 2) and check the .ssh directory in the home directory

5. Use key pair authentication on the client

6. Set up the ssh agent on the client so that logins no longer require interactive passphrase entry

ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa: #Enter the password for the private key

ssh zhangsan@192.168.126.20

4. scp remote copying

1. Download copy (the client downloads data from the server)

scp root@192.168.28.20:/etc/passwd /root/passwd2.txt     #copy the /etc/passwd file from the remote host to the local machine

2. Upload copy (the client uploads files to the server)

scp -r /etc/ssh/ root@192.168.28.20:/opt                 #copy the local /etc/ssh directory to /opt on the remote host

5. sftp secure FTP

Because encryption/decryption is used, the transfer efficiency is lower than that of ordinary FTP, but the security is higher. The sftp command syntax is almost the same as FTP.

sftp zhangsan@192.168.28.20

Connecting to 192.168.28.20

tsengyia@172.16.16.22's password: #Input password

sftp> ls
sftp> get filename #download a file to the local directory
sftp> put filename #upload a file to the remote directory
sftp> quit #exit

6. TCP Wrappers access control

TCP Wrappers "wraps" a TCP service program: it listens on the service's port in place of the service itself and adds a security check. External connection requests must pass this check before they reach the real service program.
In most Linux distributions TCP Wrappers is included by default; check with: rpm -q tcp_wrappers

The two implementations of the TCP Wrappers protection mechanism:
1. Use the tcpd program directly to protect other service programs; the tcpd program must be running.
2. Other network service programs link against the libwrap.so.* library, so tcpd does not need to run. This method is more widely used and more efficient.

Use the ldd command to check whether a program links against the libwrap.so.* library:
ldd $(which ssh vsftpd)

Access policy of TCP Wrappers
The protection objects of the TCP Wrappers mechanism are the various network service programs; access control is applied to the client addresses that access those services.
The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, used to set the allow and deny policies respectively.

Format:
<service program list>: <client address list>

(1) Service program list
ALL: represents all services.
A single service program, such as "vsftpd".
A list of several service programs, such as "vsftpd,sshd".
(2) Client address list
ALL: represents any client address.
LOCAL: local addresses.
Multiple addresses are separated by commas.
The wildcards "*" and "?" are allowed: "*" matches a string of any length, and "?" matches exactly one character.
Network segment addresses, such as "192.168.126." or "192.168.126.0/255.255.255.0".
Domain addresses, such as ".benet.com", which matches all hosts in the benet.com domain.

Basic principles of the TCP Wrappers mechanism:
First check the /etc/hosts.allow file. If a matching policy is found, access is allowed;
otherwise, continue with the /etc/hosts.deny file. If a matching policy is found, access is denied;
if no matching policy is found in either file, access is allowed.

"Allow all, reject a few"
Just add the corresponding deny policies to the /etc/hosts.deny file.

"Allow a few, reject all"
In addition to adding allow policies to /etc/hosts.allow, you also need to set the deny policy "ALL:ALL" in the /etc/hosts.deny file.

Example:
To allow access to the sshd service only from the host with IP address 12.0.0.1 or from hosts in the 192.168.126.0/24 segment, and reject all other addresses:
vi /etc/hosts.allow
sshd:12.0.0.1,192.168.126.*

vim /etc/hosts.deny
sshd:ALL
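As an added example (not code from the original post), the following Python functions reproduce the decision order described above for the client address forms listed in the policy format section: hosts.allow is checked first, then hosts.deny, and the connection is allowed when neither file matches. The two policy bodies are constructed for the example: the sshd rules copy the example just given, and a vsftpd rule is added to exercise the domain-suffix and net/mask forms. Options from hosts_access(5) such as EXCEPT or spawn are not modelled.

```python
import fnmatch
import ipaddress

# Constructed hosts.allow / hosts.deny bodies (not taken from a real system).
HOSTS_ALLOW = "sshd:12.0.0.1,192.168.126.*\n"
HOSTS_DENY = "sshd:ALL\nvsftpd: .benet.com, 10.0.0.0/255.0.0.0\n"

def parse_rules(text):
    """Yield (services, clients) for each '<services>:<clients>' rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            services, clients = line.split(":", 1)
            yield ([s.strip().lower() for s in services.split(",") if s.strip()],
                   [c.strip() for c in clients.split(",") if c.strip()])

def client_matches(pattern, client):
    """Match one client-list token against a client IP string or hostname."""
    pattern, client = pattern.lower(), client.lower()
    if pattern == "all":
        return True
    if pattern == "local":        # hostname without a dot, per hosts_access(5)
        return "." not in client
    if pattern.startswith("."):   # domain suffix, e.g. .benet.com
        return client.endswith(pattern)
    if pattern.endswith("."):     # network prefix, e.g. 192.168.126.
        return client.startswith(pattern)
    if "/" in pattern:            # net/mask, e.g. 192.168.126.0/255.255.255.0
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:        # client is a hostname, or the pattern is malformed
            return False
    return fnmatch.fnmatchcase(client, pattern)   # exact host, or '*' / '?' wildcards

def rules_match(text, service, client):
    """True if any rule in the file names the service and matches the client."""
    return any(("all" in services or service.lower() in services)
               and any(client_matches(p, client) for p in clients)
               for services, clients in parse_rules(text))

def access_decision(service, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow match -> 'allow'; else hosts.deny match -> 'deny'; else 'allow'."""
    if rules_match(allow_text, service, client):
        return "allow"
    if rules_match(deny_text, service, client):
        return "deny"
    return "allow"   # no rule in either file: TCP Wrappers lets the client through
```

Passing empty strings for both files shows the default-allow behaviour, which is why the "allow a few, reject all" policy needs the explicit ALL rule in hosts.deny.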


Tags: Linux

Posted by omidh on Sat, 16 Apr 2022 14:22:37 +0930