5. SSH Remote Service
2022-07-22 16:55:00 【Do baa ~】
SSH remote service
The ssh service
1. SSH is a remote connection service that runs in the background on a Linux server and listens on port 22 by default. Linux usually starts the service by default.
SSH client tools:
ssh command (connects to the SSH server over the SSH protocol)
ssh [email protected]
Format: ssh <user to log in as>@<IP address>
scp command (remote copy; it copies files in full and is based on the SSH protocol, which makes it more secure)
PUSH : scp /tmp/test.txt [email protected]:/tmp
PULL : scp [email protected]:/tmp/test.txt /mnt/
Options (-rp):
-r Recursive copy; simply put, it copies directories.
-p Preserve file attributes.
-l Limit the transfer speed.
Speed limit example: scp -rl 20000 /tmp/data [email protected]:/tmp
This limits the transfer to 20000 bytes per second, which is roughly 2M of data per second.
Connecting to Linux servers with keys
Key-based login
Use 10.0.0.10 as the server that logs in to each node.
Use 10.0.0.20 and 10.0.0.30 as the nodes being logged in to.
Goal: 10.0.0.10 logs in to 20 or 30 without a password.
1. On 10.0.0.10, generate a key pair (public and private key) with ssh-keygen. The public key is then sent to 20 or 30 (the first time, you need to enter the password of 20 or 30).
The public and private keys are generated under the ~/.ssh/ directory.
2. Send 10's public key to each server
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
3. 10 can now log in to 20 or 30 without a password
ssh [email protected]
ssh [email protected]
Generating a public key on macOS
Same as on Linux; sending the public key to the server also works the same way as on Linux.
Generating a public key on Windows
1. Run the following command in PowerShell
ssh-keygen -t rsa
# This command generates a key pair that uses the RSA algorithm
# The -C parameter can also be used to specify a comment
2. During generation, press Enter to accept the defaults
3. The generated public and private keys are saved under the path (C:\Users\xxx/.ssh/)
id_rsa.pub is the public key and id_rsa is the private key
4. Copy the public key to the server you want to log in to without a password
scp C:\Users\xxx\.ssh/id_rsa.pub [email protected]:~/.ssh
On the server side
5. Edit the SSH configuration file "/etc/ssh/sshd_config" and uncomment the following lines
RSAAuthentication yes # Enable RSA authentication (applies to SSH protocol 1 only; current OpenSSH releases treat it as a deprecated option)
PubkeyAuthentication yes # Enable public/private key authentication
AuthorizedKeysFile .ssh/authorized_keys # Path of the public key file
6. Append the contents of the public key file you just copied to the authorized_keys file
cat id_rsa.pub >> ~/.ssh/authorized_keys
7. Restart the SSH service on the server
service sshd restart
8. The next connection no longer asks for a password
6. An SSH-based jump host only supports the jump connection itself.
1. It does not record which back-end hosts have passwordless login configured.
2. There is no behavior auditing.
3. There is no video playback of sessions.
Jump host options: self-developed, open source, jumpserver, teleport, Alibaba Cloud jump host
Prerequisite: passwordless login must be set up first.
SSH security
Not every machine needs this configuration, only individual hosts (those with a public IP). All other hosts are on the intranet and need no corresponding changes.
1. Change the SSH server port from the default 22 to 6666 *****
vim /etc/ssh/sshd_config
Port 6666
2. Prohibit direct root login (afterwards, log in as an ordinary user and then use su - to switch to root)
PermitRootLogin no
Remember to restart the SSH service after modifying the configuration
systemctl restart sshd
3. Use a firewall to restrict source IPs ******
You can use Firewalld, IPtables, or Alibaba Cloud security groups
Physical machines: firewalld, iptables, hardware firewall
Virtual machines: the cloud provider's security products
4. Do not expose important services on a public IP
5. Change password authentication to key authentication
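The script below is an added example, not part of the original article: it checks an sshd_config-style file against items 1, 2 and 5 of the list above, honouring sshd's rule that the first occurrence of a keyword wins. The function names and sample files are constructed for illustration; the fallback values assume upstream OpenSSH defaults, and Include files and Match blocks are not evaluated.

```sh
# Added example: audit an sshd_config-style file against the hardening list above.

# effective_value FILE KEYWORD DEFAULT -> value sshd would use in the global section.
# Keywords are case-insensitive and the first occurrence of a keyword wins.
effective_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/   { next }        # blank lines and comments
        tolower($1) == "match" { exit }        # conditional blocks are out of scope
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }          # keyword absent: assumed upstream default
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding, returns the finding count.
audit_sshd_config() {
    findings=0
    port=$(effective_value "$1" Port 22)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    pubkey=$(effective_value "$1" PubkeyAuthentication yes)
    [ "$port" != 22 ]   || { echo "FAIL Port: still the default 22"; findings=$((findings + 1)); }
    [ "$root" = no ]    || { echo "FAIL PermitRootLogin: '$root', want 'no'"; findings=$((findings + 1)); }
    [ "$pubkey" = yes ] || { echo "FAIL PubkeyAuthentication: '$pubkey', want 'yes'"; findings=$((findings + 1)); }
    [ "$pass" = no ]    || { echo "FAIL PasswordAuthentication: '$pass', want 'no'"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
weak="$tmp/weak.conf"; hardened="$tmp/hardened.conf"
cat > "$weak" <<'EOF'
#Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$hardened" <<'EOF'
Port 6666
permitrootlogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/24
    PasswordAuthentication yes
EOF

for f in "$weak" "$hardened"; do
    audit_sshd_config "$f" && echo "$f: OK" || echo "$f: $? finding(s)"
done
```

On a live server, `sshd -T` prints the effective configuration, which also covers Include files that this sketch does not follow.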