Technology Sharing

Cloud computing [Phase 1 (29)] Remote access and control

2024-07-12


1. SSH remote management

1.1. SSH (Secure Shell) protocol

  • A secure channel protocol
  • Communication data is encrypted, which makes the protocol suitable for remote management
  • The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user enters when logging in.
  • A security protocol built on the application layer and transport layer.
  • SSH client <------------------------------> SSH server
    Data transmission is encrypted to prevent information leakage
    Data transmission is compressed, which can increase the transmission speed

1.2. OpenSSH

Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config

SSH client: Putty, Xshell, CRT, MobaXterm, FinalShell
SSH server: OpenSSH

SSH server: by default it listens on TCP port 22 and uses protocol version SSHv2. Besides SSHv2 there is the older SSHv1, which has known vulnerabilities and should not be used.

The SSH server provides two main service functions: SSH remote connection and the SFTP service.

Function: The SSHD service uses the SSH protocol to perform remote control or transfer files between computers.
Compared with the older Telnet, it is much safer, because Telnet transmits everything in plain text while SSH transmits it encrypted.

OpenSSH is an open source software project that implements the SSH protocol and is applicable to various UNIX and Linux operating systems. By default, the CentOS 7 system has installed openssh-related software packages and added the sshd service as a startup service.

[However, version 7 has a vulnerability and needs to be upgraded. The latest version is 9.8]

View the version: ssh -V


Execute the "systemctl start sshd" command to start the sshd service

ssh_config and sshd_config are both SSH configuration files; the difference is that the former configures the client, while the latter configures the server.

Remote management of Linux systems basically requires the use of SSH. The reason is simple: telnet, FTP and other transmission methods transmit user authentication information in plain text, which is inherently unsafe and poses a risk of network eavesdropping. SSH (Secure Shell) is currently more reliable.
It is a protocol designed to provide security for remote login sessions and other network services. The use of the SSH protocol can effectively prevent information leakage during remote management. Through SSH, all transmitted data can be encrypted and DNS spoofing and IP spoofing can be prevented.
 

1.3. SSH remote login methods

1.3.1. Login method 1
ssh [remote host username] @[remote server host name or IP address] -p port

If you want to log in as user lisi to the server at IP address 192.168.1.100, whose SSH service runs on port 22, use the following command:

ssh lisi@192.168.1.100 -p 22

When connecting from one Linux host to another Linux host, if the user currently logged in is root and you also log in to the other host as root, you can simply use ssh IP; the port defaults to 22. If the port is not the default, use -p to specify it.


Host Mapping

1.3.2 Login method 2
ssh -l [remote host username] [remote server host name or IP address] -p port
-l: specifies the login name.
-p: specifies the login port (needed when the server port is not the default).

(Not often used)

Querying the public key (figures: the query on the client side, and the server querying its own public key)

Note: When you log in to the server for the first time, the system does not save the remote host information. In order to confirm the host identity, the user will be prompted whether to continue connecting. Enter yes and log in. At this time, the system will write the remote server information to the $HOME/.ssh/known_hosts file in the user's home directory. The next time you log in, you will not be prompted again because the host information is saved.

The next time you access the same computer, OpenSSH verifies the public key. If the public key differs, OpenSSH issues a warning to protect you from attacks such as DNS hijacking.
Solution
1. When connecting to the remote host with ssh, add the "-o StrictHostKeyChecking=no" option, as follows:

  ssh -o StrictHostKeyChecking=no 192.168.xxx.xxx

2. To remove this prompt entirely, edit /etc/ssh/ssh_config (or $HOME/.ssh/config) and add the following two lines:
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

But it is best not to add these lines: they switch off host key verification entirely, so the warning that protects you against a changed or spoofed server key is never shown.
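As an added example (not code from the original post), the following Python model shows what the known_hosts check described above decides on connect: it parses constructed sample entries, computes the SHA256 fingerprint in the form ssh-keygen -lf prints, classifies a presented host key as new, matching or mismatched, and lists entries stored with ssh-dss keys, which OpenSSH 9.8 no longer accepts by default (see section 4). The host names, addresses and key blobs are made up.

```python
import base64
import hashlib

# Constructed sample key blobs (not real key material): the prefixes are the
# real ssh-ed25519 / ssh-dss type headers, the rest is filler of valid length.
ED25519_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"
DSS_KEY = "AAAAB3NzaC1kc3MAAAAAconstructedDSAblob00"

# Constructed known_hosts content in the plain (non-hashed) line format.
KNOWN_HOSTS = f"""\
# sample entries only
192.168.1.100,server1 ssh-ed25519 {ED25519_KEY}
jump.example ssh-dss {DSS_KEY}
"""

def parse_known_hosts(text):
    """Yield ([hosts], keytype, base64_key) per entry; the first field may hold
    several comma-separated names or addresses. Hashed (|1|...) entries and
    @marker lines are out of scope for this model."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.lstrip().startswith("#"):
            yield fields[0].split(","), fields[1], fields[2]

def fingerprint(b64_key):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 of the
    SHA-256 digest of the decoded key blob, with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(text, host, keytype, b64_key):
    """OpenSSH's decision on connect: 'new' (user is prompted, entry is then
    appended), 'ok' (known and unchanged) or 'mismatch' (the key for this host
    and key type changed: the warning described above)."""
    for hosts, ktype, key in parse_known_hosts(text):
        if host in hosts and ktype == keytype:
            return "ok" if key == b64_key else "mismatch"
    return "new"

def dsa_hosts(text):
    """Hosts stored with an ssh-dss (DSA) key; OpenSSH 9.8 disables DSA by
    default, so these entries stop matching after the upgrade."""
    return [h for hosts, ktype, _ in parse_known_hosts(text)
            for h in hosts if ktype == "ssh-dss"]
```

Comparing fingerprint() of a new entry with the value the server administrator published out of band is the check that the -o StrictHostKeyChecking=no shortcut skips.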

2. Service Configuration and Management

General server configuration

vim /etc/ssh/sshd_config

Change the default port (22) so that the service is less exposed to automated brute-force login attempts.

ListenAddress sets the IP address the sshd server binds to; 0.0.0.0 means listening on all addresses.
Security advice: if the host does not need to be reached over SSH from the public network, change the listening address to the intranet address. The value can be a local IP address or 0.0.0.0, which stands for all IP addresses.

When someone logs in to the system over SSH, sshd records it through the syslog AUTHPRIV facility. The sshd service log is stored in /var/log/secure.

Generally, to determine whether a client source is normal and legitimate, sshd performs a reverse DNS lookup of the client's host name (the UseDNS directive). On an intranet this is usually set to no, so that connections are established faster.
Note: disabling reverse DNS resolution improves server response time.

Security-related settings and tuning

PermitRootLogin: whether to allow root to log in. The default is to allow it, but it is recommended to set it to no. Real production servers do not allow the root account to log in directly; only ordinary users may log in, and you then switch to the root user after logging in.

PasswordAuthentication yes
Password authentication is normally required, so this can stay yes, or it can be set to no. On real production servers, depending on the required security level, some are set up so that no password is accepted at all and login is only possible with an authentication key.

PermitEmptyPasswords no  
Whether to allow users with empty passwords to log in. The default value is no, which means users with empty passwords are not allowed to log in.

PrintLastLog yes
Display the last login information. The default is yes.

MaxAuthTries 6
Specifies the maximum number of authentication attempts allowed per connection. The default value is 6.
Once the number of failed authentications reaches half of this value, additional failures are logged, and when the limit is reached the connection is forcibly closed.
With the default of 6, that means logging starts after 3 failures.

Enable the PAM module

Notes

Allow list and deny list (whitelist and blacklist)

AllowUsers
When you want to allow or deny certain users to log in, use the AllowUsers or DenyUsers directive; their usage is similar (be careful not to use both at the same time).
Configuring AllowUsers
For example, to allow only the users zhangsan and wangwu to log in and refuse all other users (such as lisi):

Add:
AllowUsers [email protected] wangwu
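The directives discussed in this section, worked through as an added example (not code from the original post): a small Python audit/rewrite tool that reads a constructed excerpt of a CentOS 7 style sshd_config, reports which recommended settings are not in effect (a directive that is only commented out still counts as the default), and rewrites the file so each recommended directive appears exactly once. The port number and user names in HARDENED are placeholders, not values from the page.

```python
import re
# Constructed excerpt in the style of a CentOS 7 /etc/ssh/sshd_config (not a
# real server's file): commented-out defaults plus one explicit weak setting.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
#UseDNS yes
UsePAM yes
"""
# Values recommended in the section above; port and user names are placeholders.
HARDENED = {
    "Port": "2222",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "UseDNS": "no",
    "AllowUsers": "zhangsan wangwu",
}
# One directive line, possibly commented out: "#Key value" or "Key=value".
LINE = re.compile(r"^\s*(#?)\s*(\S+)\s*=?\s*(.*?)\s*$")

def effective_settings(config_text):
    """{directive: value} as sshd sees it: comments skipped, names lowercased, first occurrence wins."""
    settings = {}
    for m in map(LINE.match, config_text.splitlines()):
        if m and m.group(1) == "":
            settings.setdefault(m.group(2).lower(), m.group(3))
    return settings

def audit(config_text, wanted=HARDENED):
    """Directives whose effective value is not the hardened one (absent or commented-out ones too)."""
    current = effective_settings(config_text)
    return sorted(k for k, v in wanted.items() if current.get(k.lower()) != v)

def harden(config_text, wanted=HARDENED):
    """Rewrite: the first active or commented line of each wanted directive gets
    the hardened value, later duplicates are dropped, missing ones are appended."""
    seen, out = set(), []
    for line in config_text.splitlines():
        m = LINE.match(line)
        name = next((k for k in wanted if m and k.lower() == m.group(2).lower()), None)
        if name is None:
            out.append(line)
        elif name not in seen:
            out.append(f"{name} {wanted[name]}")
            seen.add(name)
    out += [f"{k} {v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n"
```

Run audit() on the real file before and after editing; the rewrite does not handle Match blocks, so check those by hand and validate the result with sshd -t before restarting the service.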

3. Login using key

It is divided into 3 steps:

The client creates a key pair (public key and private key) in the Xshell client;

Place the public key in the ~/.ssh/authorized_keys file on the Linux server;

Configure the SSH client (the Xshell client) to log in using the key.

3.1. Key login in Xshell

1. First generate a key pair in the Xshell tool

Set the length to 2048, then click Next. You can set the name and a password.

After generation completes, the public key is shown; save it.

The public key file ends in .pub.

Then open our Linux machine.

Switch to the ~/.ssh directory (you need to have logged in over SSH with a password at least once, otherwise the .ssh directory may not exist yet).

Upload the public key.

Of course, you also need to rename it to the standard name authorized_keys.

Generate a private key backup.

Password-free login

Login successful

3.1.1. The process of logging in using a key

3.2. Generating a key pair and logging in on Linux

Prepare a jump server (springboard host)

The "-t" option of the ssh-keygen command is used to specify the algorithm type to generate public and private keys.

ssh-copy-id [email protected]

Use the ssh-copy-id tool: it handles the copying of the public key automatically, appending the contents of your id_rsa.pub to the ~/.ssh/authorized_keys file on the remote server.

Enter the password: since this is the first time you connect to the remote server this way, you may be asked for the remote root user's password.

Login via jump server 7919

ssh [email protected]

Modify permissions

vim /etc/ssh/sshd_config

In lines 17, 43, 65

Restart sshd service

Try again

Specify the port; login succeeds.
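What ssh-copy-id does on the server side in the steps above, and the permission fix mentioned under "Modify permissions", as an added Python example (not code from the original post or from ssh-copy-id itself): the key line is validated, ~/.ssh and authorized_keys get the modes sshd expects, and a key that is already present is not appended twice. The sample keys are constructed placeholders, not real key material.

```python
import base64
import os
import tempfile
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def parse_pubkey(line):
    """(type, blob) for a well-formed 'type base64blob [comment]' line, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None
    try:
        base64.b64decode(fields[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    return fields[0], fields[1]

def install_pubkey(home, pubkey_line):
    """Server-side effect of ssh-copy-id: create ~/.ssh (0700) if needed, append
    the key to authorized_keys (0600) unless already present. Returns a status."""
    parsed = parse_pubkey(pubkey_line)
    if parsed is None:
        return "rejected"
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)    # sshd (StrictModes) ignores keys in a writable ~/.ssh
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as f:
            if parsed in [parse_pubkey(l) for l in f]:   # same type+blob, any comment
                return "exists"
    with open(path, "a") as f:
        f.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return "added"

# Constructed sample keys: the blob is made-up bytes, not real key material.
BLOB = base64.b64encode(b"constructed sample ed25519 public key").decode()
KEY_A = f"ssh-ed25519 {BLOB} lisi@client"
KEY_B = f"ssh-ed25519 {BLOB} lisi@laptop"   # same key, different comment
BAD = "ssh-dss AAAAB3NzaC1kc3MAAAAA"       # DSA, disabled by default in OpenSSH 9.8

def demo():
    """Run the three installs in a throwaway home directory and report
    (results, mode of ~/.ssh, mode of authorized_keys)."""
    with tempfile.TemporaryDirectory() as home:
        results = [install_pubkey(home, k) for k in (KEY_A, KEY_B, BAD)]
        ak = os.path.join(home, ".ssh", "authorized_keys")
        return (results, os.stat(os.path.join(home, ".ssh")).st_mode & 0o777,
                os.stat(ak).st_mode & 0o777)
```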

4. Upgrading a Linux server to the latest OpenSSH 9.8

Migrate content to file resources

The DSA signature algorithm is disabled by default

Preparing Files

OpenSSH official website: OpenSSH Release Notes

Since OpenSSH 9.8p1 requires OpenSSL version 1.1.1 or later, you need to upgrade and install OpenSSL first.

Official website: Release OpenSSL 1.1.1v · openssl/openssl · GitHub