1. SSH remote management

SSH is a secure channel protocol, mainly used to implement remote login, remote copy and other character-interface functions. The SSH protocol encrypts the data transmitted between the two communicating parties, including the password the user enters when logging in. Compared with earlier applications such as Telnet, RSH and RCP, SSH provides much better security.

1. Configure OpenSSH server

In a CentOS 7.4 system, the OpenSSH server is provided by the openssh and openssh-server packages (installed by default), and sshd has been added as a standard system service. Execute the "systemctl start sshd" command to start the sshd service. Most users, including root, can then log in to the system remotely. The configuration file of the sshd service is /etc/ssh/sshd_config by default. Correctly adjusting the relevant configuration items can further improve the security of sshd remote login.

1) Service listening options

The default port number used by the sshd service is 22. If necessary, it is recommended to change this port number and to specify the exact IP address the service listens on, which makes it less conspicuous on the network. Protocol version 2 is more secure than version 1. Disabling DNS reverse resolution can improve the server's response speed.

```
[root@centos01 ~]# vim /etc/ssh/sshd_config        <!--Edit the sshd main configuration file-->
Port 22                                             <!--The listening port is 22-->
ListenAddress 192.168.100.10                        <!--The listening address is 192.168.100.10-->
Protocol 2                                          <!--Use SSH V2 protocol-->
UseDNS no                                           <!--Disable DNS reverse resolution-->
......                                              <!--Some content is omitted here-->
[root@centos01 ~]# systemctl restart sshd           <!--Restart sshd service-->
```

2) User login control

The sshd service allows root users to log in by default, but this is very unsafe when used over the Internet. Regarding user login control of the sshd service, the root user and users with empty passwords should generally be prohibited from logging in. In addition, you can limit the login verification time (the default is 2 minutes) and the maximum number of authentication retries; if login still fails after the limit is exceeded, the connection is closed.

```
[root@centos01 ~]# vim /etc/ssh/sshd_config        <!--Edit the sshd main configuration file-->
LoginGraceTime 2m                                   <!--Login verification time is 2 minutes-->
PermitRootLogin yes                                 <!--Root login is allowed (the default); set this to no to prohibit root user login-->
MaxAuthTries 6                                      <!--The maximum number of retries is 6-->
PermitEmptyPasswords no                             <!--Prohibit users with empty passwords from logging in-->
......                                              <!--Some content is omitted here-->
[root@centos01 ~]# systemctl restart sshd           <!--Restart sshd service-->
```

2. Login verification method

For remote management of servers, in addition to security control of user accounts, the login verification method is also very important. The sshd service supports two authentication methods: password authentication and key pair authentication. You can enable only one of them, or enable both.

Password authentication: verifies the login name and password of a local system user on the server. This method is the easiest to use, but from the client's perspective the server being connected to may be impersonated, and from the server's perspective its defence against a third party brute-forcing the password is relatively weak.

Key pair authentication: matching key information is required to pass verification. Usually a pair of key files (public key and private key) is created on the client first, and the public key file is then placed in the specified location on the server. When logging in remotely, the system uses the public and private keys for encryption/decryption to verify that they match, greatly enhancing the security of remote management. This method is not easily impersonated and allows logging in without interactive input, so it is widely used in shell scripts. When both password authentication and key pair authentication are enabled, the server gives priority to key pair authentication. For servers with higher security requirements, it is recommended to disable password authentication and enable only key pair authentication; if there are no special requirements, both methods can be enabled.

```
[root@centos01 ~]# vim /etc/ssh/sshd_config        <!--Edit the sshd main configuration file-->
PubkeyAuthentication yes                            <!--Enable key pair authentication-->
AuthorizedKeysFile .ssh/authorized_keys             <!--Specify the public key library file-->
PasswordAuthentication yes                          <!--Enable password authentication-->
......                                              <!--Some content is omitted here-->
[root@centos01 ~]# systemctl restart sshd           <!--Restart sshd service-->
```

The public key library file (authorized_keys) stores the public key text uploaded by one or more clients, so that each entry can be matched against the private key file held locally on that client.

2. Using the SSH client program

In a CentOS 7.4 system, the OpenSSH client is provided by the openssh-clients package (installed by default), which includes the ssh remote login command as well as the scp and sftp remote copy and file transfer commands.

1. ssh command: remote login

The ssh command is used to log in remotely to the sshd service, providing the user with a secure shell environment in which to manage and maintain the server. When using it, specify the login user and the target host address as parameters. Here is an example:

```
[root@centos02 ~]# ssh root@192.168.100.10
root@192.168.100.10's password:
Last login: Mon Nov 11 19:02:50 2019 from 192.168.100.254
[root@centos01 ~]#
[root@centos01 ~]#
[root@centos01 ~]# ssh root@192.168.100.10
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes     <!--Accept the key-->
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:                                <!--Enter password-->
Last login: Mon Nov 11 19:03:08 2019 from 192.168.100.20
[root@centos01 ~]# who                                         <!--Confirm the current user-->
root     pts/1        2019-11-11 19:03 (192.168.100.20)
root     pts/2        2019-11-11 19:04 (192.168.100.10)
```

If the sshd server uses a non-default port (such as 2222), you must specify the port number with the "-p" option when logging in. Here is an example:

```
[root@centos01 ~]# vim /etc/ssh/sshd_config        <!--Modify the sshd main configuration file-->
Port 2222                                           <!--Change the listening port number to 2222-->
[root@centos01 ~]# systemctl restart sshd           <!--Restart sshd service-->
[root@centos02 ~]# ssh -p 2222 root@192.168.100.10  <!--Client login via ssh-->
root@192.168.100.10's password:                     <!--Enter password-->
Last login: Mon Nov 11 19:20:28 2019 from 192.168.100.10
[root@centos01 ~]#                                  <!--Successful login-->
```

2. scp remote copy

The scp command copies files between hosts over an SSH secure connection. When using scp, in addition to the copy source and destination, you must specify the target host address and the login user. After executing the command, enter the authentication password when prompted. Here is an example:

```
[root@centos02 ~]# scp root@192.168.100.10:/etc/ssh/sshd_config ./   <!--Download a file from the remote host into the current local directory-->
root@192.168.100.10's password:                                      <!--Enter password-->
sshd_config                                   100% 3910     3.6MB/s   00:00
[root@centos02 ~]# scp -r ./sshd_config root@192.168.100.10:/opt     <!--Upload a local file to the /opt directory on the remote host-->
root@192.168.100.10's password:                                      <!--Enter password-->
sshd_config                                   100% 3910     1.2MB/s   00:00
```

3. sftp: secure FTP

The sftp command uploads and downloads files to and from a remote host over an SSH secure connection. It uses a login process and interactive environment similar to FTP, which makes managing directory resources convenient. Here is an example:

```
[root@centos01 ~]# cd /opt/                         <!--Enter the /opt directory-->
[root@centos01 opt]# sftp root@192.168.100.20       <!--Log in to sftp-->
root@192.168.100.20's password:                     <!--Enter password-->
Connected to 192.168.100.20.
sftp> pwd                                           <!--View the directory the client landed in; the default is the user's home directory-->
Remote working directory: /root
sftp> put sshd_config                               <!--Upload a file to the remote host-->
Uploading sshd_config to /root/sshd_config
sshd_config                                   100% 3910     6.4MB/s   00:00
sftp> get sshd_config                               <!--Download a file to the local host-->
Fetching /root/sshd_config to sshd_config
/root/sshd_config                             100% 3910     3.6MB/s   00:00
sftp> exit                                          <!--Log out-->
```

3. Building a key pair-authenticated SSH system

Key pair authentication provides better security for remote login. This section describes the basic process of setting up key pair authentication for SSH between a Linux server and client. As shown in the figure below, the whole process includes four steps. First, create a key pair as user zhangsan on the SSH client and upload the created public key file to the SSH server. Then import the public key information into the public key database of the target user lisi on the server. Finally, log in and verify as user lisi on the server.

1. Create a key pair on the client

On the client, use the ssh-keygen tool to create a key pair file for the current user. Algorithms such as ECDSA or DSA can be used (the "-t" option of ssh-keygen specifies the algorithm type). Here is an example:

```
[root@centos02 ~]# ssh-keygen -t dsa                <!--Create a key pair-->
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):      <!--Specify the private key location-->
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):         <!--Set the private key passphrase-->
Enter same passphrase again:                        <!--Confirm the passphrase-->
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:zv0EdqIuOfwSovN2Dkij08y9wZ0f1+IyhY7LFNKKzkk root@centos02
The key's randomart image is:
+---[DSA 1024]----+
|                 |
|                 |
|                 |
|        .        |
|   o . o S.+ .   |
|    * *.+.=.+.=  |
|o E.*o+==.+ o    |
| =o..*Oo++ +     |
| ++oo+*+o. .     |
+----[SHA256]-----+
[root@centos02 ~]# ls -lh ~/.ssh/id_dsa*            <!--Confirm the generated key files-->
-rw------- 1 root root 668 11月12 16:11 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 603 Nov 12 16:11 /root/.ssh/id_dsa.pub
```

In the newly generated key pair, id_dsa is the private key file, with default permissions of 600. The private key file must be kept safe and must not be disclosed to anyone; id_dsa.pub is the public key file, which is provided to the SSH server.

2. Upload the public key file to the server

Upload the public key file generated in the previous step to the server and deploy it into the public key database of the server-side user. The public key file can be transferred by any method, such as SCP, FTP, HTTP or even email.

```
[root@centos02 ~]# ssh-copy-id -i ./.ssh/id_dsa.pub root@192.168.100.10     <!--Upload the public key file to the server and import the public key text-->
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./.ssh/id_dsa.pub"
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes                   <!--Enter yes-->
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:                                              <!--Enter password-->

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.
```

3. Use key pair authentication on the client

Once the private key file (on the client) and the public key file (on the server) are in place, you can test from the client. First confirm that the current user on the client is root, then use the ssh command to log in remotely as the server user root. If key pair authentication is configured successfully, the client is asked for the private key passphrase so that the private key file can be used for matching (if no passphrase was set, the target server is logged in to directly).

```
[root@centos02 ~]# ssh root@192.168.100.10          <!--Log in to the ssh server-->
Last login: Tue Nov 12 16:03:56 2019 from 192.168.100.254
[root@centos01 ~]# who                              <!--Logged in to the server successfully; check which users are logged in-->
root     pts/0        2019-11-12 17:35 (192.168.100.20)
root     pts/2        2019-11-12 16:03 (192.168.100.254)
```
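The login-control and authentication directives covered above, checked the way a defender would audit a server before exposing it. This is an added shell example, not part of the article; the expected values are the ones the text recommends (root and empty-password login prohibited, key pair authentication on, password authentication off, UseDNS no), and the sample configuration it inspects is constructed.

```shell
# Added example (not from the article): audit an sshd_config against the login-control and
# authentication settings above. sshd honours the FIRST value it reads for a keyword, keywords
# are case-insensitive, "Key=value" is accepted, and lines after "Match" are conditional.
# Print the effective global value of keyword $1 in config file $2 ("" if unset).
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
        { k = tolower($1); sub(/=.*/, "", k) }    # "Key=value" -> "key"
        k == "match" { exit }                     # conditional section begins
        k == key {
            v = $0
            sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", v)  # drop the keyword and separator
            sub(/[ \t]+$/, "", v)
            print v; exit                         # first occurrence wins
        }' "$2"
}

# Print one finding per directive that is unset or weaker than the article's
# recommendation (root and empty-password login off, keys on, passwords off, no DNS).
sshd_audit() {
    for pair in PermitRootLogin:no PermitEmptyPasswords:no \
                PubkeyAuthentication:yes PasswordAuthentication:no UseDNS:no; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(sshd_effective "$key" "$1")
        if [ -z "$have" ]; then
            echo "WEAK  $key is unset (compiled-in default applies); set '$key $want'"
        elif [ "$(printf %s "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "WEAK  $key $have; set '$key $want'"
        fi
    done
    tries=$(sshd_effective MaxAuthTries "$1")
    if [ -n "$tries" ] && [ "$tries" -gt 6 ] 2>/dev/null; then
        echo "WEAK  MaxAuthTries $tries; the article uses 6"
    fi
    port=$(sshd_effective Port "$1")
    [ "${port:-22}" != 22 ] || echo "INFO  Port 22 (default); consider another Port and a ListenAddress"
}

# Constructed sample in the article's "before" state; the stricter value inside the
# Match block must NOT hide the weak global one. Prints 2 WEAK lines and 1 INFO line.
sshd_demo() {
    f=$(mktemp)
    printf '%s\n' 'Port 22' 'ListenAddress 192.168.100.10' '#PermitRootLogin no' \
        'PermitRootLogin yes' 'MaxAuthTries 6' 'PermitEmptyPasswords no' 'UseDNS no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication=yes' \
        'Match User backup' '    PasswordAuthentication no' > "$f"
    sshd_audit "$f"; rm -f "$f"
}
sshd_demo
```

Run it against /etc/ssh/sshd_config on the server to see which of the article's changes are still missing; a directive that only appears inside a Match block is reported as unset for the global scope, which is the scope that applies to everyone else.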
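Two checks for the key pair deployment described in section 3, written as an added shell example that is not part of the article and does not need ssh-keygen. It assumes GNU coreutils for "stat -c %a"; the key material and the directory it inspects are constructed placeholders, not real keys.

```shell
# Added example (not from the article): check a key pair deployment like the one above
# without ssh-keygen. pubkey_installed mirrors the check ssh-copy-id performs when it
# "filters out keys already installed": an authorized_keys entry matches on key type and
# base64 blob only, so a different comment or a leading options field is the same key.
# ssh_perm_check applies the permission rules sshd (StrictModes) and the ssh client
# enforce before they will use the files (GNU "stat -c %a" is assumed).

# Return 0 if the key in public key file $1 already appears in authorized_keys file $2.
pubkey_installed() {
    t=$(awk '{ print $1; exit }' "$1"); b=$(awk '{ print $2; exit }' "$1")
    awk -v t="$t" -v b="$b" '
        $1 ~ /^#/ { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit !found }' "$2"
}

# Print one FIX line per file in directory $1 with bits set that sshd/ssh reject:
# ~/.ssh and authorized_keys must not be group/world writable, the private key must not
# be readable by anyone else. Returns 0 when everything is acceptable.
ssh_perm_check() {
    d=$1; bad=0
    for spec in ".:022:700" "authorized_keys:022:600" "id_dsa:077:600"; do
        f=${spec%%:*}; rest=${spec#*:}; mask=${rest%%:*}; want=${rest#*:}
        [ -e "$d/$f" ] || continue
        mode=$(stat -c '%a' "$d/$f")
        if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
            echo "FIX   $d/$f is mode $mode; chmod $want $d/$f"; bad=1
        fi
    done
    return $bad
}

# Constructed demo (the key blob is placeholder text, not a real key): the public key was
# deployed with an options prefix and another comment, and the private key was left 644.
ssh_deploy_demo() {
    d=$(mktemp -d); chmod 700 "$d"
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEBLOB= root@centos02' > "$d/id_dsa.pub"
    echo 'private key placeholder' > "$d/id_dsa"; chmod 644 "$d/id_dsa"
    echo 'from="192.168.100.20" ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEBLOB= copied' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    pubkey_installed "$d/id_dsa.pub" "$d/authorized_keys" && echo "public key already installed"
    ssh_perm_check "$d" || echo "key login would be refused until the FIX lines are applied"
    rm -rf "$d"
}
ssh_deploy_demo
```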