Linux remote login management and security hardening

Others 2020-09-14 02:07:16 views: null

SSH remote management

An SSH service configuration file

The configuration file of the Archer service is located in the /etc/ssh/sshd_config directory by default. Correctly adjusting the configuration items can improve the security of SSH remote login.

1. Service monitoring options

vi /etc/ssh/sshd_config
Port 22			//监听端口为22
ListenAddress 20.0.0.11	//监听地址为20.0.0.11(提高在网络中的隐蔽性)
Protocol 2		//使用SSH V2协议(安全性更高)
UseDNS no		//禁用DNS反向解析(可以提高服务器的响应速度)
systemctl restart sshd

2. User login control

vi /etc/ssh/sshd_config
LoginGraceTime 2m			//登录验证时间为2分钟
PermitRootLogin no		//禁止root用户远程登陆
MaxAuthTries 3			//密码重试次数不超过3次
PermitEmptyPasswords no		//禁止空密码用户登录
……
AllowUsers cen jay [email protected]	//只允许cen、jay、young用户登录,其中young用户仅能从IP地址为20.0.0.1的主机远程登录

systemctl restart sshd

3. Login verification method

The sshd service supports two authentication methods-password authentication and key pair authentication. You can set to use only one of them, or enable both methods.

vi /etc/ssh/sshd_config
PasswordAuthentication yes		//启用密码验证
PubkeyAuthentication yes		//启用密钥对验证

ssh [email protected]			//远程登录指定主机

4. Copy files remotely

pc2:cd /opt
touch 1.txt
scp 1.txt [email protected]:/opt		//从pc2拷贝到pc1的/opt目录下(注意需要输入密码)

pc1:
vi /opt/2.txt
pc2:
scp [email protected]:/opt/2.txt /opt	//从pc1拷贝到pc2

5.sftp secure FTP

Through the sftp command, you can use the SSH secure connection to upload and download files with the remote host, which involves the sftp login, browsing, and file upload process.

在pc2(20.0.0.12)中
sftp [email protected]
输入密码
sftp>ls				//浏览
sftp>put /opt/1.txt			//上传文件到pc1
sftp>get /opt/2.txt /opt/		//下载文件到pc2中的/opt目录下
sftp>bye				//退出登录

6. Build a key pair to access the host

step1: create a key pair, private key file: id_rsa public key file: id_rsa.pub
step2: upload public key file id_rsa.pub
step3: import public key information
step4: use key pair verification method

1.在客户端创建密钥对
ssh-keygen -t rsa		//-t表示type,类型
						//指定私钥位置
						//设置私钥短语
						//确认所设置的短语
2.在pc1(20.0.0.11)上传公钥
ssh-copy-id [email protected]
	yes

pc2查看
cd /root
ll -a

3.在pc1上远程登录
ssh 20.0.0.12

Two TCP Wrappers overview

Policy application sequence
1. Check hosts.allow, if a match is
found, access is allowed 2.hosts.deny,
if found, access is denied 3. If there is no matching policy in the two files, access is allowed by default

vi /etc/hosts.allow
sshd:20.0.0.0/255.255.255.0
:wq

vi /etc/hosts.deny
sshd:ALL
:wq

Means: deny all IP addresses except the 20.0.0.0 network segment to access the sshd service

Guess you like

Origin blog.csdn.net/cenjeal/article/details/107901227
Recommended
Ranking
Filecoin-the core mission of storing the most important information of mankind
Release of rush monitoring software version
Why does parseInt warn of using valueOf
Arduino与Proteus仿真实例-MAX6955驱动8位16段LED仿真
How can I define index on inherited fields in MongoDB with Spring Data?
Gradio: a new frontier for interactive Python data applications
JavaScript implements checkbox selection
JAVA study notes—IO flow
Test set: 23 groups of basic test function introduction and images (provide python code)
Ubuntu22.04 of golang builds beego development environment
Daily
More
2024-07-28(0)
2024-07-27(0)
2024-07-26(0)
2024-07-25(0)
2024-07-24(0)
2024-07-23(0)
2024-07-22(0)
2024-07-21(0)
2024-07-20(0)
2024-07-19(0)

Code World

© 2018 codetd.com