My notes are written directly from the second chapter of Mr. Yuan:-D, some friends may not understand the way to link the terminal. Currently, my local is Vmware virtual machine + Xshell SSH link. Regarding SSH, it is not only used as a link, but also more. The previous chapter on CS with Metasploit also used the knowledge of SSH tunnel. Remote connection is not only SSH a remote connection method.
Most of the servers in the production environment are deployed in dedicated computer rooms, whether rented or self-built. In this environment, noise, electromagnetics, oxygen, humidity, and temperature are not suitable for long-term human activities. The server is placed in the computer room in order to prevent unrelated personnel from contacting the business server due to accidents and other reasons and causing the server to go down.
Ideally, the maintenance staff can remotely connect to the server in the office for management and configuration. The mainstream operating systems all support remote management technology (Windows, Linux, Mac OS:-D). Since the Ubuntu Server we are using has no graphical interface, it cannot be managed remotely from the graphical interface like Windows, but can only be managed remotely from the command line.
Telnet
The first one is Telnet, which is an ancient command line remote management tool. I checked the Wikipedia and was developed in 1969. Some features of Telnet:
Because of Telnt's plaintext transmission feature, the recommended tool is SSH. Although it is very old, we still use it in some scenarios. For example, I often use Telnet when I touch routers and switches. Use Telnet to perform simple port detection, for example: telnet smtp.163.com25
, if the link is successful, it means that the related service is opened.
sudo apt install telnetd #Install telnet service, run automatically after installation
systemctl status inetd.service #View service has been"active (running)"status
sudo netstat -pantu |grep 23 #Check the port and find that the port is also open to listen
vim /etc/issue.net #Can modify the banner information of the Telnet service
The client uses telnet IP (server IP)
, enter the account name and password, and then connect to the server remotely.
I said earlier that SSH is recommended. The SSH we are talking about here refers to OpenSSH. OpenSSH is a free and open source implementation of the SSH (SecureShell) protocol. OoenSSH is a tool suite that not only has SSH, but also sftp, scp, etc. (similar to ftp, rcp, but more secure). It is currently a sub-project of OpenBSD. Ubuntu installs Openssh-server and Openssh-client by default. If it is not available, use the apt install
command to install, port 22 is used by default (modifiable).
sudo apt install openssh-server #installation
systemctl status sshd.service #Check service status
vim /etc/ssh/sshd_config #Server-side configuration file
vim /etc/ssh/ssh_config #Client profile default profile
vim ~/.ssh/config #User profile
ssh IP #Open another machine terminal, use SSH connection to find that there is no need to enter the user name, SSH uses the local user name by default
ssh -l user IP
There are two major versions of the SSH protocol: SSH1 and SSH2. In all modern Linu distributions, the OpenSSH server has SSH1 disabled by default.
vim /etc/ssh/sshd_config #Open the server-side configuration file and explain some key parameters below
# Banner none #Default comment, can be modified"/etc/issue.net", Same as Telnet, restart to take effect
# Port 22 #The default is 22, modified to a non-known port to improve security
# PubkeyAuthentication yes #The default comment does not enable key login, and the specific configuration refers to the reference link at the end of the article. The general principle is to generate a pair of public and private keys, the server uses the public key to encrypt data, and the client uses the private key to decrypt the data and return the data to verify identity.
# ListenAddress 0.0.0.0 #The addresses of all network cards are monitored by default, and can be modified to the address of the specified network card as needed
# PermitRootLogin prohibit-password #For security reasons, Root account login is disabled by default
# PasswordAuthentication yes #Can prohibit the use of password authentication, mandatory use of key authentication
SCP is a secure remote file transfer command based on SSH login under the Linx system.
scp local_file remote_username@remote_ip:remote_folder #Copy from local to remote
scp a.txt IP: #The local account is used by default, and the default directory is the main directory
scp -rv local_folder remote_ip:remote_folder #Recursively copy the entire directory and display the output in a detailed manner
scp remote_username@remote_ip:remote_folder local_file #The parameter exchange becomes the download from remote to local
scp [email protected]:/tmp/file.txt . #Copy files to local
That's it for scp. Next, we introduce another file transfer tool—sftp. SFTP is a combination of SSH and FTP. SFTP encrypts data on the basis of FTP.
sftp remote_username@remote_ip #Based on SSH, so the link parameters are the same as SSH.
sftp> #Enter the password for successful verification and you will get a sftp shell
sftp>get file #Get the file to download the file to the local
Encryption and decryption
The following tool is about encryption and decryption. The core of encryption and decryption is the algorithm. Algorithms are divided into two categories, symmetric and asymmetric. The symmetric encryption algorithm is well understood, and both ends of encryption and decryption use the same key. Different from symmetric, an asymmetric encryption algorithm requires two keys: a public key (publickey) and a private key (privatekey).
**The public key and the private key are a pair. If the public key is used to encrypt the data, only the corresponding private key can be used to decrypt; if the private key is used to encrypt the data, only the corresponding public key can be used Decrypt. Because encryption and decryption use two different keys, this algorithm is called an asymmetric encryption algorithm. ****The basic process of asymmetric encryption algorithm to achieve confidential information exchange is: Party A generates a pair of keys and makes one of them public as a public key to other parties; Party B who obtains the public key uses the key The confidential information is encrypted and then sent to Party A; Party A then uses another private key stored by itself to decrypt the encrypted information. Party A can only use its private key to decrypt any information encrypted by its public key. **
I also think Zhihu’s answer to the main explanation is very in place
Give you an opened lock, use it to lock important things and send them back to me. I keep the keys and don't give them to anyone.
Lock = public key; key = private key-Irvine
ssh-keygen -t rsa -b 4069 #ssh-keygen is a key generation tool in OpenSSH. Here, the RSA algorithm is used to generate a 4069-length key pair. The private key password can be set during the generation process to generate two file ids._rsa (private key), id_rsa.pub (public key).
ssh-keygen -p -f ~/.ssh/id_rsa #Enter the old password, you can modify the password of the private key, pay attention to permissions
Copy the public key to the server
ssh-copy-id remote_username@remote_ip #Copy the public key file to the SSH server
ssh-copy-id -i ~/.ssh/id_rsa.pub remote_username@remote_ip #Specify file copy,Same as above, the server is in.A new public key file will be created under ssh"authorized_keys"
chmod 400~/.ssh/id_rsa #It is recommended to set the public key permission of the SSH client to read only by the owner
chmod 600~/.ssh/authorized_keys #It is recommended to set the SSH server to read and write only for the owner
ssh remote_username@remote_ip #It is the same as a normal SSH link, but the password for the private key is required below. If the private key password is not set, the link will succeed.
Enter passphrase for key '/home/xiaowu/.ssh/id_rsa': #Enter the password to verify successfully to link
There are some rare but very useful commands
Ping wuhash.com through SSH ssh [email protected]
, this command will input the bash command through SSH to the server sehll for execution, and the output result will be returned to the local terminal. The following commands can be adjusted flexibly.
There is often such a scenario in an enterprise. The bandwidth of the enterprise is very expensive and requires a lot of upload bandwidth. At this time, we limit the upload speed so as not to affect the operation of other businesses.
tar -cj local_folder | remote_username@remote_ip 'tar -xj' #Use the pipeline to compress and transfer the catalog at the same time, and decompress it after transfer
sudo apt install cstream pv #Install two tools to achieve speed limitation and real-time updates
tar -cj local_folder | pv | cstream -t 200k | remote_username@remote_ip 'tar -xj' #Same as above
du -hs dirname #Not introduced before, the command to view the directory
Two virtual machines are needed here. I use Kali Linux and Ubuntu Server.
# Execute on kali
ssh -C -f -N -g -L listen_port:DST_Host:DST_port user@Tunnel_Host #Command format,Detailed instructions refer to the link at the end of the article
ssh -fN -L 2000:localhost:23 [email protected] #10.10.10.130 is Ubuntu Server,Telnet service has been started
netstat -pantu |grep 2000 #Check if the port is open
telnet 127.0.0.12000 #Enter the user name and password, and find that I have logged in to Ubntu Server
kill -9 PID #end process
The SSH tunnel is used to map the remote port 23 to the local 2000 port. The local 200 port is equivalent to the remote 23 port
ssh-fN-L listen_port:B_Host:B_Host user@C_Host
, we use the SSH tunnel to access the local port and get the reply from the B port of the B host, and from the B host's perspective, it is the C host accessing it. There are more applications of SSH tunnels in security, so I won't talk about them here.
Just mention here, you can use curl wget telnet ssh
to roughly detect port opening.
The local file mounting was introduced earlier, but SSH can also do it, and it is remote mounting.
sshfs user@hostname:path mout_point
: where user is the username of the remote host, hostname is the IP address of the remote host, path is the directory on the remote host that you want to mount to the local, mount_point is the directory to mount to the local.
umount mout_point #Root user cancels the mount, generally need to add'sudo'
vim /etc/fstab #Write to fstab file, which can be automatically mounted
The above techniques are sufficient for basic SSH sessions. A few SSH sessions can barely be memorized, but what if 10 or 20 SSH sessions? SSH provides an elegant and flexible way to solve this problem, using the SSH user configuration file config (~/.ssh/config, if it does not exist, create a new one) to manage ssh sessions. The format is as follows (you can view the syntax through man ssh_config
)
Host alias
HostName host name
Port port
User username
Path to the IdentityFile key file
IdentitiesOnly only accept SSH key login
PreferredAuthentications Mandatory use of Public Key authentication
Use ssh alias
to link
SSH explosion protection
I don’t know if you have ever seen such a notebook. A notebook with a digital dial can only be opened by turning the gear to the correct number. Have you tried a limited number of numbers to try to crack the password? The same is true for password cracking. As long as you keep trying all the password spaces, the password will eventually be cracked. Suppose I got the username of SSH, depending on the complexity of the password, I can crack it and get the permission. For this, we need some configuration to ensure security. Fail2ban is the recommended way. Fail2ban is not only applicable to SSH, it is also applicable to other services. The principle of fail2ban is very simple. It reads the log of the SSH link, performs statistics, and calls the system's iptables to reject the TCP/IP link.
sudo vim /etc/fail2ban/jail.conf #Configuration file, fail2ban update will overwrite this file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local #jail in fail2ban.local priority is greater than jail.conf
sudo vim /etc/fail2ban/jail.local #Configuration file modification
ignoreip =127.0.0.1/8::1 #Define the trusted IP, which will not be affected by the fail2ban strategy
bantime = 10m #The time to prohibit attempts after exceeding the number of attempts can be set"-1"Permanent ban
findtime =1 #Check log interval
marretry =5 #Number of attempts allowed
# The above parameters can be written in JAILS to define a single service
ACTIONS #The following parameters define some behaviors after the rule is triggered
destemail = root@localhost #Email notification after triggering the maximum number of attempts
banaction = iptables-multiport #Call iptables to disable
JAILS #Define the configuration behavior of a single service, JAILS configuration takes precedence over the global
SSH Servers #There are many configurations, so I won’t post them here. The following are specific SSH protection measures
enabled =true #Open state
filter = sshd #Define keywords in the log
sudo systemctl restart fail2ban.service #Finally, the modification configuration is complete, restart the service to take effect
sudo fail2ban-client status #Check the number and status of jail
sudo fail2ban-client status sshd #You can view more detailed information
sudo iptables -S #View firewall rules
sudo iptables -L -n #View firewall rules
sudo
tail -f /var/log/auth.log #View login authentication log
sudo fail2ban-client set sshd unbanip {IP} #Manually unban IP, the principle behind it is to delete the rules in iptables
sudo iptables -D f2b-sshd -s 10.10.10.1-j REJECT #The command function is to delete the rules in iptables
# In some cases, after the IP ban is lifted, the service restarts and reads when restarting'var/log/auth.log', During the ban time (bantime)IP will be banned again
In the early days of Linux, the learning cost brought by the character interface persuaded many people, and the call for graphics became higher and higher. The ease of use and humanization brought by the graphical interface is very convenient. In addition to the remote management tool with the character interface, Linux also has the remote management tool with the graphical interface. For example, the widest range of applications (Cisco ASA has been contacted, known Raspberry Pi, Win10 can also be configured with VNC Server) VNC (Virtual Network Computing). The premise of graphical remote management is that the server has a graphical environment, and Ubuntu Server does not have a graphical environment installed by default.
sudo apt install gnome-core xfce4 xfce4-goodies #Install the graphical environment, the graphical environment will appear after restart
sudo apt install tightvncserver #Install VNC server
vncserver #You are asked to enter a password, this password is your connection password, you can also choose to set a password that can only be viewed, and generate an xstartup file
netstat -pantu | grep 590 #After the input is completed, the port with 5901 as the starting point is found
vncserver kill :1 #The number after the port is the same as the instance number
mv ~/.vnc/xstartup ~/.vnc/xstartup.bak
vim ~/.vnc/xstartup
#! /bin/bash
xrdp $HOME/.Sresources
startxfce4 &
chmod +x ~/.vnc/xstartup
vncserver #Execution can see the return example
netstat -pantu | grep 590 #Check port
# I use VNC Viewer to test successfully, use VNC client, enter the IP address+Port, enter the password for authentication, then the connection is successful.
# If you want multiple users, it is recommended to create multiple users, use"su user"Switch to the newly created user home directory to edit the configuration file and start the instance
# Although VNC itself has an encryption mechanism, it is not recommended to open it for a long time. You can improve security through the previous SSH tunnel
Puppet is an IP infrastructure automation management tool that can help system administrators manage the entire life cycle of the infrastructure: provisioning, configuration, orchestration, and reporting. Based on puppet, it can automate repetitive tasks, quickly deploy critical applications, actively manage changes locally or in the cloud, and quickly expand the scale of the architecture. Follow the GPL agreement (2.7.0-), based on the
ruby
language development. ——Keer acridine
To set up you have 100 servers that need to deploy the same service. So far, there is no script introduced. Even if you have a script, it is impossible to run it manually. PUPPET does not go deep here, just understand it. Prepare two Ubuntu server virtual machines (linked clones of VMs are very useful).
sudo hostnamectl set-hostname puppet #Restart to take effect
sudo hostnamectl set-hostname client
sudo apt install puppetmaster
sudo apt install puppet
sudo vim /etc/hosts #Manually point to the IP on the client and server, the next chapter introduces DNS records
10.10.10.131 puppet.lab.com puppet
10.10.10.130 client.lab.com client
sudo mkdir -p /modules/apache2/manifests/ #Server
sudo vim /etc/apache2/manifests/init.pp
classapache2{package{'apache2':
ensure => installed,}
service {'apache2':
ensure =>true,
enable =>true,
require => Package['apache2'],}}
sudo vim /etc/puppet/manifests/site.pp #Server
node 'clent.lab.com'{
include apache2
}
sudo vim /etc/default/puppet #Client
START=yes
systemctl start puppet.service
The client and server of PUPPT use certificates to encrypt communication.
sudo puppet agent--fingerprint #Client certificate signing request test
sudo puppet agent--test
sudo puppet cert list #The server requests to view the signature
sudo puppet cert sign clent.lab.com
sudo systemctrl statys puppet.service #Check service status
cat /var/log/syslog #View log status information
There is more about PUTTEN. Due to the time and energy of Mr. Yuan, I will not introduce too much. PUTTEN has many advanced usages, which is enough to learn as a course. It is conceivable that automated operation and maintenance tools must be the trend of future development.
Mr. Yu can't get in the car
Reference link
Linux scp command
Xshell configuration ssh password-free login-public key (Public key)
Linux asks every question: how to check the version of SSH on Linux
Detailed sshd_config configuration
Graphical SSH principle
Introduction and difference between symmetric encryption and asymmetric encryption
How to explain asymmetric encryption in easy-to-understand terms?
SSH tunnel and port forwarding and intranet penetration
The magical effect of ssh tunnel
Use ssh user configuration file config to manage ssh sessions
Automated operation and maintenance tools-puppet detailed (1)
Recommended Posts