Simple Telnet and SSH Server Setup
------------------------------------------------------------------------

1. What this chapter covers
2. What a remote login server does
3. Telnet server
   · Telnet server: starting and stopping the service
   · Telnet client: handy client software
   · Telnet security: iptables, tcp_wrappers, and plain advice
4. SSH server
   · Introduction to connection encryption
   · Starting the SSH service
   · SSH clients: ssh, sftp, PuTTY
   · The sshd server in detail: /etc/ssh/sshd_config
   · SSH users: ssh-keygen
   · Security settings: sshd_config, iptables, tcp_wrappers

------------------------------------------------------------------------
What this chapter covers:

Welcome to the "server-building" part of the book! This chapter introduces two basic remote login servers: Telnet and SSH. Why two? Because Telnet is old and a rather insecure login server, so we also need to introduce SSH, a newer and secure one. During the setup we will edit configuration files and run commands, and you need to know what a super daemon is. So the minimum background you need is:

· know vi
· know the bash shell
· understand services (daemons)
· know the common network commands
· understand network security
· know simple firewall setup

It is a good idea to go through the Linux basics and network basics first.
------------------------------------------------------------------------
What a remote login server does:

The first thing to learn in this chapter is: what is a "remote login server", and what is it for? You have probably heard that in a well-run network, a server open to the Internet basically does not need a graphics card, screen, keyboard or mouse. A motherboard, CPU, RAM, a hard disk and a good network card, connected to the Internet, is enough. Then, to operate the host, you simply go over the network and make whatever changes you need! So the host naturally needs no console hardware.

Take VBird as an example. VBird currently manages about seven or eight Unix-like hosts, and they are not in the same place; they are spread over southern Taiwan. When a package has a new vulnerability, or when some extra setting is needed, does VBird have to go on site in person? Of course not: as long as VBird can reach the host over the network, everything can be done from in front of the screen! ^_^ That is what a remote login server is for.

That is not its only use. For example, if your work needs the powerful compilation facilities of Linux, you need a Linux machine, and preferably a fast one. In that case you can take the fastest host in your lab, set up a remote login server on it, and let your students or colleagues in the lab do their work on that machine. The host then lets many people share the Linux environment at once!
In the early days of networking there were only UNIX machines and personal computers were not yet common. If you wanted to run numerical programs on a large host (in our engineering field these were mostly written in languages like Fortran; C was used less), you had to apply to the school for a workstation account and connect to the host with a remote login program to use its UNIX resources for our numerical models. So setting up a remote login server is a basic and important task for a system administrator! This is especially true for large workstation-class Unix-like hosts: many people need their CPU power or their compilers, so remote login matters even more.

• Server-type hosts:
On a server that offers public Internet services, the open services may hold rather important information, and a remote login program connected to the host can do almost anything (it is nearly the same as working at the console). So the remote login service of an Internet server is usually opened only to the few people who maintain the system. Unless it is really necessary, opening a login service on a server-type host is not recommended at all.

• Workstation-type hosts:
A workstation is a different matter. It is normally used by only a few users and usually does not need to be reachable from the Internet; a workstation is, by definition, for getting work done! For example, VBird's Linux machine is dedicated to running large numerical model simulations. In that case the remote login server may have to be opened to many people, because the strong computing power of the workstation can be shared by all of them, and nobody has to install a compiler on their own PC. Some engineering compilers are very expensive!

Main kinds of remote login server:
The most common remote login servers are the Telnet server, which transmits everything in cleartext, and the SSH server, which transmits encrypted packets. Telnet is supported by a great deal of software, but because it sends information in cleartext it is easy for someone with bad intentions to capture. So we keep urging everyone to use SSH and drop the less secure Telnet! Below we cover both servers in turn.
------------------------------------------------------------------------
Telnet server:

What is Telnet? Isn't that the tool for connecting to BBS systems? Yes, that's right! It is indeed the server that BBS software hangs off. But we are not playing BBS here, because VBird has no plans to do that at the moment. Ha ha! Telnet can be called a remote login server with a long history, and there is plenty of software that supports it. The well-known NetTerm, for example, supports it directly; the screen after login looks good, and Chinese display and input on the client side are no problem at all. Quite nice! Its biggest drawback, however, is that it is rather insecure. Let's first look at how to start and use the Telnet server.

· Telnet server: starting and stopping the service

Still remember the chapter on "understanding services"? Remember the super daemon? Yes, our Telnet is a service that hangs under it, the well-known xinetd! (Note: some older versions use inetd instead. The way to start it differs a little, but not much; once you understand the basics there is no problem. So go and read the Linux Basics articles!) Starting Telnet means (1) enabling the Telnet entry inside xinetd, and then (2) restarting xinetd. So how do you enable the Telnet entry? Very simple; there are two ways:

1. Use ntsysv: remember this handy ntsysv? Red Hat ships this nice setup tool. In the window that ntsysv shows, tick telnet and press OK to leave.

2. Use vi to edit /etc/xinetd.d/telnet: what if it is not Red Hat Linux? Basically ntsysv only edits the files under /etc/xinetd.d, so we can of course edit that file by hand! See it? Just change "disable" (meaning cancelled) to "no", that is, not cancelled, which means enabled! Once that is set, Telnet can be started.
As just mentioned, Telnet hangs under xinetd, so as long as xinetd re-reads its settings, the Telnet entry we just enabled will come up. There are two ways to restart it. The "service" command exists only on Red Hat, so I usually prefer running the script under /etc/rc.d/init.d. So how do you tell whether it is running? Actually very simple: remember the chapter on Linux ports? You can use netstat! See it? That's right,
Telnet is now listening! (A small quiz: which file tells you which port corresponds to which service? It exists on every Linux system. Forgot it? Look back at that chapter and open the file with vi! ^_^) So how do you turn it off? Ha ha! Just as simple: repeat the steps above and flip the setting back. That's all it takes to turn it off. Very simple!

· Telnet client: handy client software

Everything above was on the server side. What handy software can a client use to connect to the server? The most common one is surely NetTerm, the famous client. I think anyone who knows this kind of software at all knows this one, so I will not go into it here. In addition, almost every operating system provides a telnet command that connects directly to a Telnet server. For example, to connect to your own Telnet server from Linux, just run telnet against your own host, and you are in! Very simple! What about Windows? The same: you can use Windows' telnet program to connect to the Linux Telnet server. No problem! Do this:

1. Press "Start" in Windows
2. Choose "Run"
3. In the window that appears, type "telnet your.ip.hostname"

and you are in the Linux environment! Very convenient!

· Telnet security: iptables, tcp_wrappers, and plain advice

Telnet is convenient, but it has always been an uncomfortable login solution, because after all it is a "cleartext" protocol. What does "cleartext" mean? Put simply: when you use telnet, don't you always type your information on the screen? The simplest example is the login screen of Telnet itself: you always have to type an account and a password, and only after the host receives them can it confirm you. At that point your information goes to the host through the Telnet protocol, and this transfer is not encrypted at all; it is plain ASCII!
So as long as someone with bad intentions is listening to your packets at some router along the way and decodes what the packets contain, ha, your account and password are stolen! From then on someone else can use your account and password. Isn't that dangerous? Very dangerous! On top of that, plenty of hacker programs have been written to crack Telnet, so it really is quite dangerous. For that reason, enabling Telnet is not recommended at all. Still, some friends like to work with Telnet, so here are some basic precautions!

o Root cannot log in directly over Telnet:
Basically, since Telnet is not very safe,
by default root is not allowed to log in to the Linux host over Telnet. In fact Telnet just uses the PAM module to control root logins, so if you are sure your environment is secure enough (for example, the host is not connected to the Internet) and you want to let root log in over Telnet, edit the second line of /etc/pam.d/login. Then root can enter the Linux host directly. It is still not recommended, though!

o Add an iptables firewall:
Adding iptables rules for Telnet is a good idea. If you have used the firewall scripts from VBird's earlier article, you need not worry about Telnet: those scripts open Telnet only to the internal network, and the outside cannot reach your telnet at all. But if you wrote your own firewall rules and want to open Telnet to 192.168.0.0/24 and to one outside host 61.xxx.xxx.xxx, you can add a few lines to your iptables rules (note: the order of firewall rules is very important! Look back at the simple firewall setup chapter). Of those rules, the first two accept TCP packets from the two allowed sources to port 23, the Telnet port, and the last one drops Telnet connection packets from every other source. How about that! Very simple!

o Add the /etc/hosts.allow (deny) firewall mechanism:
The more firewall mechanisms the better; there is never too much! You can also use tcp_wrappers. We just opened 192.168.0.0/24, but what if you only want 192.168.0.1 to 192.168.0.5 to get in, and want every other IP that connects to be logged so root can check it? You can do that with hosts.allow and hosts.deny. For more detail on tcp_wrappers, see the simple firewall setup chapter!

o Recommendations:
Honestly, Telnet really is not safe; it should be called a "dangerous" level service, so try not to enable it:
1. Do not enable Telnet unless it is really necessary; if you really must, turn it off again as soon as you are done!
2. If you are determined to enable Telnet, limit the range of hosts that may connect, using iptables to define the allowed area;
3. Add tcp_wrappers on top, to reinforce the firewall;
4. Watch the login log files, and never let root log in to the Linux host over telnet!
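The iptables, tcp_wrappers and xinetd precautions above, as an added example (not code from the original page): the trusted LAN is 192.168.0.0/24, the single outside host is the placeholder 203.0.113.10 standing in for the page's 61.xxx.xxx.xxx, and only 192.168.0.1 to 192.168.0.5 pass tcp_wrappers. Nothing is applied to the live system; the rules are printed or written to a directory for review.

```shell
#!/bin/sh
# Added example, not part of the original page: lock Telnet (TCP port 23) down
# with iptables and tcp_wrappers, and confirm xinetd has it disabled.
# Constructed assumptions: the trusted LAN is 192.168.0.0/24, the single trusted
# outside host is the placeholder 203.0.113.10 (the page's 61.xxx.xxx.xxx is not
# known), and only 192.168.0.1 to 192.168.0.5 may pass tcp_wrappers.
# Nothing is applied to the live system: rules and config lines are printed or
# written to a directory of your choice so they can be reviewed first.

LAN_NET="192.168.0.0/24"
TRUSTED_HOST="203.0.113.10"   # placeholder for the page's 61.xxx.xxx.xxx

# iptables: two ACCEPT rules for the trusted sources, then a DROP for everyone
# else. Order matters: iptables stops at the first matching rule, so the DROP
# line must come last.
telnet_iptables_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport 23 -j ACCEPT\n' "$LAN_NET"
    printf 'iptables -A INPUT -p tcp -s %s --dport 23 -j ACCEPT\n' "$TRUSTED_HOST"
    printf 'iptables -A INPUT -p tcp --dport 23 -j DROP\n'
}

# tcp_wrappers: /etc/hosts.allow lists the five LAN hosts allowed to reach
# in.telnetd; /etc/hosts.deny refuses everyone else and logs the client
# address (%a) so root can review the attempts later.
telnet_hosts_allow() {
    printf 'in.telnetd : 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5\n'
}
telnet_hosts_deny() {
    printf 'in.telnetd : ALL : spawn (/bin/echo "$(date) telnet refused from %%a" >> /var/log/telnet.deny.log) &\n'
}

# Write the three pieces into DIR for review (copy them into place by hand).
write_telnet_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    { echo '#!/bin/sh'; telnet_iptables_rules; } > "$dir/telnet-iptables.sh"
    telnet_hosts_allow > "$dir/hosts.allow"
    telnet_hosts_deny  > "$dir/hosts.deny"
}

# Returns 0 when the xinetd stanza in FILE (normally /etc/xinetd.d/telnet) has
# "disable = yes", i.e. the Telnet service is switched off.
xinetd_telnet_disabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Usage: sh telnet-policy.sh            (print the iptables rules)
#        sh telnet-policy.sh --write DIR (write all three files into DIR)
if [ "${1:-}" = "--write" ]; then
    write_telnet_policy "${2:-./telnet-policy}"
else
    telnet_iptables_rules
fi
```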
------------------------------------------------------------------------
SSH server:

Since Telnet is not very safe but I still need to operate my Linux host remotely, what should I do? The best way is of course to solve the problem with a more secure connection mechanism, and that is not hard: use SSH. So what is SSH, and what is special about it? Simply put, SSH is short for Secure Shell Protocol. It encrypts the data it transmits, so of course the information is safer. SSH can replace insecure commands such as finger, the r-shell commands (rcp, rlogin, rsh and so on), talk and telnet. Below we first introduce how SSH connects, which shows why SSH is secure!

Special note: in its default state the SSH protocol provides two server functions:
1. one is a remote shell server similar to Telnet, commonly just called ssh;
2. the other is an FTP-like service, sftp-server, which provides a safer FTP service.

· Connection encryption technology:

Basically, encryption here works by encrypting and decrypting with a so-called "public key" and "private key". As the figure below shows, once the SSH service is started a public key is generated. When a personal computer connects to the server, it can use the public key the server provides, or it can connect directly with the private key the server provides. Which one depends on the protocol version chosen when connecting; more on that shortly.
From the figure above we can see that when data is sent from the server to the client, it is encrypted with the "public key". So the data itself is encrypted while in transit, and even if it is intercepted along the way, cracking the encrypted information would take a very long time. After the public-key-encrypted data reaches the client, it can be decrypted with the so-called "private key".
Note that the public and private keys differ on every computer, so it is very hard to crack all of a server's connections at once. So how are the public and private keys generated? Let's look at the two versions of SSH in use today!

o SSH protocol version 1:
Each host can use the RSA encryption method to generate a 1024-bit RSA key, and this RSA method is mainly used to produce the public key and the private key. The connection encryption steps of version 1 can be summarized as:

1. When the SSH daemon (sshd) starts, a 768-bit public key (also called the server key) is generated on the server.
2. When the client requests a connection, the server sends this public key to the client, and the client checks it against its own RSA data to confirm it.
3. After the client has accepted this 768-bit server key, the client randomly generates a 256-bit key (called the host key), combines the server key and the host key into a complete key in an encrypted way, and sends this to the server as well.
4. From then on the server and the client transfer information over this connection encrypted with this 1024-bit key. Because the client's 256-bit key is random, the key will differ from one connection to the next.

o SSH protocol version 2:
Unlike version 1, version 2 no longer generates a server key. Instead, when the client connects to the server, both sides produce a shared key through a Diffie-Hellman key exchange, and then encrypt and decrypt the session with a symmetric algorithm such as Blowfish. Every sshd offers both versions; which one is used is decided by the mode the client selects when it connects. In the current defaults, version 2 is used automatically!
Because our session data is encrypted and decrypted with this public and private key pair, it is of course much safer while in transit!
------------------------------------------------------------------------
Starting the SSH service:

In fact the Linux systems we use already include everything SSH needs by default: the OpenSSL package, which provides the ciphers and related protocols, and the OpenSSH package. So starting SSH is really too simple: just start it! Moreover, current Linux distributions start SSH by default, so there is nothing to worry about; it is already running! Wow, how refreshing! Anyway, here is how to start it by hand. You start it through the SSH daemon, sshd for short. Either of the two methods (the service command on Red Hat, or the script under /etc/rc.d/init.d) starts the sshd service by hand. Then use netstat -tl to check that the ssh service is listening. If ssh appears among the listening ports, your SSH is up! Too simple! Yes, it really is that simple.

So how do you start sshd at boot? On a Red Hat system you can use the ntsysv program; on Mandrake you can use chkconfig; on OpenLinux look under /etc/sysconfig/daemons. This only applies to distributions that already ship OpenSSH. If yours does not, for example Red Hat 6.x, don't worry: the pages VBird wrote earlier have detailed notes on installing from a tarball: "Installing SSH from a tarball" and "Problems to watch for when upgrading SSH".

Note that SSH does not only give us the shell login that is the main purpose of the SSH protocol; it also provides a safer FTP server, the SSH FTP server, for our file transfers. So this sshd provides shell and FTP at the same time, and both are on port 22! Next, how does a client connect to the server, and how does it use FTP over the same connection?
------------------------------------------------------------------------
· SSH clients: ssh, sftp, PuTTY

Because the client software differs between Linux and Windows, this is split into two parts:

o Linux client:
On a Linux client we mainly connect with ssh, and use sftp for FTP-style transfers. They are introduced separately below. There is nothing special to say about ssh itself. If you connect with just the hostname, the account used is the one you are currently logged in as. In the example above I am running as root, so if I run "ssh host.domain.name", the host host.domain.name will try to log me in as root and ask for root's password! To avoid that I usually log in to the remote host in the simple form "ssh user@hostname", meaning log in to hostname as user.
You can also write it with -l username! After logging in to the other host, everything you do is no different from working on a local Linux host. So it really is simple! ^_^ This achieves the goal of controlling a host remotely. Also note that, by default, SSH "allows you to log in as root"! Ha ha, even cooler! And pay attention: the first time you connect to a host, the server will tell you that no key has been stored for it yet and ask whether you want to accept the server's key and build the connection. Please type "yes" in full rather than "y" or "Y", or the program will not accept it!

So how do you use FTP over SSH? Also very easy: use the sftp program! You log in the same way as with ssh, either "sftp -l username hostname" or directly "sftp user@hostname". Once you are in, the screen looks like an ordinary FTP session, and the commands work just like those of ordinary ftp. Try the commands in that interface yourself! On the whole, if you do not need a graphical interface, sftp under Linux can already replace FTP, because it covers all the features. So if a graphical FTP client is not a concern, you can turn the FTP service off entirely and provide FTP with sftp-server instead! ^_^

o Windows client:
Linux has ssh, but what about Windows? Ha ha! PuTTY is a connection program you can use directly, and it is free software. You can get it from the site below: http://www.chiark.greenend.org.uk/~sgtatham/putty/. Which programs do you need? In fact PUTTY.EXE and PSFTP.EXE are enough, for the shell login and for FTP respectively.
o PuTTY:
In Windows, the icon of the program looks roughly like the one shown. Note that since we prefer to keep a record of each fixed host, we need some basic settings first. In the figure above we fill in (1) the "Host Name (or IP address)" field, (2) a good name under "Saved Sessions", and (3) select the SSH option. Taking my own network as an example, I fill in my own host. Don't forget: after filling in, you must press the "Save" button on the right so that your setting is recorded! Then, since we want the session recorded each time we log in, press "Logging" on the left and choose "Always append to the end of it",
so that PuTTY records each login without asking you every time. Next we can adjust the size of the whole PuTTY window. In the following figure I set my login screen to 40 rows and 100 columns, which is much larger than the traditional 24 x 80 and far more comfortable to look at; the 1000 means my scrollback keeps 1000 lines, handy for looking back. After adjusting the window size comes the most important item: "Preferred SSH protocol version". As I said earlier, we default to version 2, so set it to 2. Then every login uses version 2! Once everything is set, it has to be saved again: go back to "Session" and press "Save". The name you typed now appears in the big box in the middle, and when you want to log in to the SSH host you just double-click Test.Linux.org (the name you just gave the session) to enter the host you chose! That is roughly all of PuTTY's setup. With it you can log in to a remote Linux host from Windows over the SSH protocol. Convenient as can be! ^_^ If you have other hosts to set up, simply change the two items "Saved Sessions" and "Host Name" and press "Save" again; you then have another saved session with the same settings as before. Easy to set up!

o psftp:
This program is for sftp. To connect, just double-click the file to start it and the screen shown appears. Then open the host name you want to connect to, for example Test.Linux.org on my network, and ha, you are logged in! Very simple! Everything else works like the sftp described above. Go use it!
------------------------------------------------------------------------
The sshd server in detail:

Basically all SSH-related settings live in /etc/ssh/sshd_config. The file differs somewhat between Linux distributions, so we need to understand what each setting means. Basically, on your system, "do not change the values in /etc/ssh/sshd_config!" The defaults are usually the strictest SSH protection, so you are fine leaving them alone. The explanation above is only so that everyone knows the basic meaning of each item. Pay attention to the last item: if you do not want to offer sftp, you can comment it out! Also, if you do modify the file (/etc/ssh/sshd_config), you must restart sshd, that is: /etc/rc.d/init.d/sshd restart
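An audit of sshd_config for the points raised above, as an added example (not code from the original page): it checks that only protocol version 2 is offered, that root login is refused (the page notes the default allows root; refusing it is a common hardening step beyond what the text prescribes), and reports whether the sftp Subsystem line is active. The sample configurations it writes are constructed, not any distribution's real file.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config before
# restarting sshd. It checks the items discussed here: "Protocol 2" only (do not
# offer version 1), "PermitRootLogin no" (the page notes the default lets root
# log in; refusing it is the usual hardening step), and whether the
# "Subsystem sftp" line is active (comment it out if you do not want sftp-server).
# Assumptions: the file to audit is passed as $1; sample_sshd_config writes a
# constructed sample so the check can be tried without touching /etc/ssh.

# Print the first active (non-comment) value of KEYWORD in FILE. sshd uses the
# first occurrence of a keyword, so later duplicates are ignored here too.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 if FILE passes all checks, 1 otherwise; findings go to stdout.
sshd_audit() {
    file="$1"; rc=0
    proto=$(sshd_value "$file" Protocol)
    if [ "$proto" != "2" ]; then
        echo "WARN: Protocol is '${proto:-unset}', want 2 (version 1 should not be offered)"
        rc=1
    fi
    permit=$(sshd_value "$file" PermitRootLogin)
    if [ "$permit" != "no" ]; then
        echo "WARN: PermitRootLogin is '${permit:-unset, default yes}', want no"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp' "$file"; then
        echo "INFO: sftp-server subsystem is enabled; comment the Subsystem line out if unwanted"
    fi
    return $rc
}

# Constructed samples (not a real distribution's file) for trying the audit:
# sample_sshd_config FILE weak|hardened
sample_sshd_config() {
    if [ "$2" = "weak" ]; then
        printf 'Port 22\nProtocol 2,1\n#PermitRootLogin yes\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$1"
    else
        printf 'Port 22\nProtocol 2\nPermitRootLogin no\n#Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$1"
    fi
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config && /etc/rc.d/init.d/sshd restart
if [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```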
------------------------------------------------------------------------
· Setting up SSH users who can log in immediately without a password:

Hm! Since SSH can use keys to compare information and encrypts the user's data, couldn't it let a user into the host without entering a password? Ha ha, good idea! We can copy the key generated on the client to the server, so that when the client logs in to the server, both sides have already compared keys over SSH and the client drops straight into the session without typing a password again! The actual steps are:

1. First, on the client, create a public key and a private key with the ssh-keygen command;
2. Then put the private key in the client's home directory, that is, $HOME/.ssh/, and change its permissions so that only the user can read it;
3. Finally, put the public key into the authorization file in .ssh/ of the home directory of the user you want to log in as on the server, and the whole procedure is complete.

It sounds hard, but the steps are really simple. Let's go through them in order!

Assumptions:
a. The server is Test.Linux.org, the host 192.168.0.2, and the account to log in as is test;
b. The client is Test2.linux.org, the PC 192.168.0.100, where the account test2 wants to log in as test on 192.168.0.2.

In other words, I am test2 on the machine 192.168.0.100, but I want to log in to 192.168.0.2 as test, and I hope to do it without a password! Got the premise? OK, step by step!

1. Create the public and private keys:
Creating them on the client is really simple! On 192.168.0.100, as test2, run the ssh-keygen command to produce the keys!
Note, however, that version 1 uses a different key algorithm from version 2; in addition, version 2 offers two algorithms, and here we only describe the RSA algorithm of version 2. Note above that my identity is test2, so when I run ssh-keygen it creates the two keys you need in the .ssh/ directory under my home directory: the private key (id_rsa) and the public key (id_rsa.pub).
Another thing to pay special attention to is the permission of the id_rsa file: it must be -rw------- ! Otherwise, if someone else can read its content, won't your key leak? So watch its permissions carefully! And id_rsa.pub is the "public key", the file that must be placed on the server.

2. Put the private key on the client:
By default our private key must be under .ssh in the home directory, and for the RSA algorithm of version 2 it must be $HOME/.ssh/id_rsa. Ha, ssh-keygen already created it in that directory, so nothing needs adjusting! On my test2.linux.org, the file /home/test2/.ssh/id_rsa is the private key.

3. Put the public key on the server you want to log in to:
Since we want test2 to log in to Test.Linux.org as test, that host needs to keep test2's public key. Right! So we need to copy the id_rsa.pub created on the client into the home directory of the user test on Test.Linux.org. If you remember the sshd_config settings above, you will remember the "AuthorizedKeysFile" setting! Yes, on the host being logged in to, the file in an account's home directory that holds the public keys is named by this item, and its default name is authorized_keys. So what to do? Look at the steps on the host above! Because authorized_keys can hold a great many public keys, use >> to append the client's public key to the file! Ha ha! Once this step is done, you can log in from Test2.Linux.org directly from now on. But note that test cannot log in to Test2.Linux.org as test2 with this alone! A very simple step! With it you have password-free login. What you must remember is: the server needs the public key, and the client needs the private key!
In future, whenever you want to log in to another host, just copy your public key (the id_rsa.pub file) to that host and append it to the .ssh/authorized_keys file of the account you want to use. Ha ha! Success!
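The three steps above as shell functions, an added example that is not code from the original page: key generation with ssh-keygen, the -rw------- check on id_rsa, and appending id_rsa.pub to the server user's authorized_keys with >> exactly once, keeping .ssh and the file readable by that user only. Home directories are passed as arguments so the functions can be tried in a scratch directory; the key line used in the check is a constructed stand-in, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original page: the three key-login steps as
# shell functions. make_client_key runs ssh-keygen for a protocol-2 RSA key;
# check_private_key verifies the -rw------- (600) permission the text insists
# on for id_rsa; install_public_key appends id_rsa.pub to the server user's
# ~/.ssh/authorized_keys (with >>, as in the text) exactly once, and makes
# sure .ssh and authorized_keys are readable by that user only.
# Assumptions: home directories are passed as arguments so the functions can be
# exercised against a scratch directory; any key material used to try them
# out is a constructed stand-in, not a real key.

# Step 1 (client, e.g. test2 on 192.168.0.100): create HOME_DIR/.ssh/id_rsa
# and id_rsa.pub. Not exercised by the check below (needs ssh-keygen).
make_client_key() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
    ssh-keygen -t rsa -f "$1/.ssh/id_rsa"
}

# Step 2 (client): the private key must exist and be mode 600 exactly.
check_private_key() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, else BSD
    [ "$mode" = "600" ]
}

# Step 3 (server, e.g. account test on 192.168.0.2):
#   install_public_key PUBKEY_FILE SERVER_USER_HOME
# Appends the key if it is not already there and prints how many keys
# authorized_keys now holds. Returns 1 if the public key file is missing/empty.
install_public_key() {
    pub="$1"; dir="$2/.ssh"; auth="$dir/authorized_keys"
    [ -s "$pub" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # authorized_keys may hold many keys, one per line; -x -F matches the whole
    # line literally so the same key is never appended twice
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
    grep -c . "$auth"
}

# Page scenario, run by hand:
#   on test2.linux.org as test2:  make_client_key "$HOME"
#                                 check_private_key "$HOME/.ssh/id_rsa"
#   copy ~/.ssh/id_rsa.pub to test.linux.org, then as test there:
#                                 install_public_key ./id_rsa.pub "$HOME"
```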