�@���s�W Internet �W�����z���ӤH�D���A�̭��n���O����O�H�j���N�O�p�����z�ۤv�i�H�s�u�i�J�ۤv���D���A�åB�i��ҿת��y���ݾޱ��z�F�a�I�]�N�O���A�z�i�H�b����㦳�s�W Internet ���q�����A�H���ݳs�u�n��s�W Internet �A���ǥѱz�D���W�������ݳs�u���A���n�鴣�Ѫ��\��A�����n�J�z���D���Ӷi��ޱ����u�@�I���ɡA�z�N�o�{ Linux ����S�n�����a���o�I�b Unix Like �����������A�X�G������ Telnet �o�ӻ��ݳs�u���A���n��A���L�A Telnet �����O�H�y���X�z�Ӷǰe�z�ާ@����ơA�w���W���O�ȱo�ӫ�ҭn���n�}��o�I�o�ӮɭԴN���ݭn�A�Ѥ@�U�ǰe�L�{���H�[�K�ʧ@�Ӷǰe��ƫʥ]�� SSH �o�ӻ��ݳs�u���A���n��աI�o�ӳ��`�����A�ڭ̷|���� Telnet �P SSH �o��Ӧ��A���A�ȱo�Ѧҳ�I |
[root@test
root]# rpm -qa | grep telnet
telnet-server-krb5-1.2.5-1mdk telnet-client-krb5-1.2.5-1mdk # �W���O Mandrake 9.0 ���d�ҡF�Ω��U�O Red Hat 7.2 ���d�� telnet-0.17-20 telnet-server-0.17-20 |
[root@test
root]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = yes   <== this is the line to change: set "yes" to "no" to enable telnet
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
(Note: as the description line says, telnet sends the username and password unencrypted. The "# default: on" header is stale — the shipped value is "disable = yes", i.e. off. Leave it off unless you really need telnet; if you do enable it, restrict it with bind/only_from as shown further down and with the host firewall, and prefer SSH for anything that crosses an untrusted network.) |
��k�@�G�Ȥ䴩
Red Hat �� Mandrake �t�ΡG
[root@test root]# service xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ] ��k�G�G���Ϊ��Ұʤ覡�G
|
[root@test
root]# netstat -tl
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:ssh *:* LISTEN tcp 0 0 *:telnet *:* LISTEN |
step 1: �ק�@�U
/etc/xinetd.d/telnet �ɮסG
[root@test root]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = no    <== this is the line to change: set "no" back to "yes" to turn telnet off
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
step 2: restart xinetd so the change takes effect (e.g. "service xinetd restart", as shown above):
|
[root@test
root]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.18 on an i586
login: test                                          <== type the account name
Password:                                            <== type the password; note that nothing is echoed
Last login: Thu Oct  3 11:59:29 from test_inside     <== where the previous login came from
You have new mail.                                   <== new mail has arrived since the last login
[test@test test]$                                    <== you are now logged in over telnet
[test@test test]$ exit                               <== leave the telnet session
(Note: the two banner lines naming the distribution and kernel version are shown to anyone who connects, before any authentication; they typically come from /etc/issue.net. If the telnet service is reachable from outside the LAN, trim that file so it reveals less about the host.) |
[root@test
root]# vi /etc/xinetd.d/telnet
# This file had been modified by VBird 2002/11/04
# First is about inside the network
service telnet
{
        disable         = no
        bind            = 192.168.1.2          # listen only on the internal interface address
        only_from       = 192.168.1.0/24       # and only accept clients from the internal LAN
        # The two lines above confine telnet to the internal network. They are
        # enforced by xinetd itself: they limit who can reach the cleartext
        # service, they do not encrypt it, so keep the iptables rules shown
        # later as a second layer.
        instance        = UNLIMITED            # check the spelling against xinetd.conf(5); the attribute is normally "instances"
        nice            = 0
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/telnetd
        server_args     = -a none              # confirm what "-a none" means in telnetd(8) for your build before copying it
        log_on_failure  += USERID
}
# Second is about the outside domain's settings
# (the second "service telnet" block for the external side is not reproduced on this page)
|
[root@test root]# mv /etc/securetty /etc/securetty.bak
(Warning: /etc/securetty is what limits direct root logins to the local consoles listed in it. Removing it — together with commenting out pam_securetty below — lets root log in directly over telnet, with the root password crossing the network in cleartext. The SSH section of this page sets "PermitRootLogin no" for exactly this reason; the safer choice is to leave securetty in place and log in as an ordinary user.) |
[root @test
/root]# vi /etc/pam.d/login
#%PAM-1.0
#auth       required     /lib/security/pam_securetty.so
# The line above is commented out on purpose: this is what removes the
# "root only on the consoles listed in /etc/securetty" check, so root can
# then log in over telnet. See the warning next to the /etc/securetty step
# before doing this on a machine reachable from an untrusted network.
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so |
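# Host-firewall rules for the telnet service (tcp/23): accept the internal
# LAN and one external administrator address, drop everyone else.
#
# Parameters (override through the environment):
#   IFACE     interface the rules apply to            (default: eth0)
#   LAN_NET   internal network allowed to telnet in   (default: 192.168.0.0/24)
#   ADMIN_IP  single external address allowed in — MUST be set; the original
#             listing's "61.xxx.xxx.xxx" is a placeholder, not a valid address,
#             and iptables would reject it.
#
# Notes:
#   - Rules are appended (-A) to INPUT, so order matters: the two ACCEPTs must
#     come before the DROP, and any rule already in the chain that matches
#     tcp/23 is evaluated first and wins over these.
#   - This only limits who can reach telnet; the session is still cleartext.
IFACE=${IFACE:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
: "${ADMIN_IP:?set ADMIN_IP to the real external address that may telnet in}"

/sbin/iptables -A INPUT -p tcp -i "$IFACE" -s "$LAN_NET"  --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i "$IFACE" -s "$ADMIN_IP" --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i "$IFACE"                --dport 23 -j DROP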
[root@test
root]# vi /etc/hosts.allow
in.telnetd: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5: allow
# An allow list only has an effect if there is a matching deny rule, so a
# corresponding /etc/hosts.deny entry (in the same form as the "sshd : ALL"
# rule shown later on this page) must be added too; the deny file's content
# for telnet is not shown here. TCP-wrapper rules apply only when the service
# is actually started through libwrap/xinetd, and they complement, not
# replace, the iptables rules above.
[root@test root]# vi /etc/hosts.deny
|
[root@test
root]# /etc/rc.d/init.d/sshd start
[root@test root]# service sshd start [root@test root]# netstat -tl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:ssh *:* LISTEN |
[root@test
root]# ssh user@hostname
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:1a:60:d0:ee:d0:7c:91:df:94:de:09:35:7b:08:ba.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:8
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.
(Do not simply delete line 8 of known_hosts to make this go away — that is exactly what an attacker in the middle hopes you will do. First confirm through a channel other than this connection, e.g. by running "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" on the server's console, that the server's fingerprint really is the one shown and that the key changed for a known reason such as a reinstall. Only then remove the stale entry and reconnect.) |
sftp �@��s�u���ϥΤ覡�G
[root@test root]# sftp test@test.linux.org test@test.linux.org's password: <==�п�J test �o�ӨϥΪ̪��K�X�I sftp> <==���ݱz��J���O�I |
�w�ﻷ��D��(Server)���欰 | |
�ܴ��ؿ��� /etc/test �Ψ�L�ؿ� | cd /etc/test
cd PATH |
�C�X�ثe�Ҧb�ؿ��U���ɮשΥؿ� | ls
dir |
�إߥؿ� | mkdir directory |
�R���ؿ� | rmdir directory |
��ܥثe�Ҧb���ؿ� | pwd |
����ɮשΥؿ��s�� | chgrp groupname PATH |
����ɮשΥؿ��֦��� | chown username PATH |
����ɮשΥؿ����v�� | chmod 644 PATH
�䤤�A644 �P�v�������I�^�h�ݰ�¦�g�I |
�إ߳s���� | ln oldname newname |
�R���ɮשΥؿ� | rm PATH |
����ɮשΥؿ��W�� | rename oldname newname |
���}���ݥD�� | exit
bye |
�w�糧��(Client)���欰(���[�W l, L ���p�g ) | |
�ܴ��ؿ��쥻���� PATH ���� | lcd PATH |
�C�X�ثe�����Ҧb�ؿ��U���ɦW | lls |
�b�����إߥؿ� | lmkdir |
��ܥثe�Ҧb�������ؿ� | lpwd |
�ɮǿ� | |
�N�ɮץѥ����W�Ǩ컷�ݥD�� | put [�����ؿ����ɮ�] [����]
put [�����ؿ����ɮ�] �p�G�O�o�خ榡�A�h�ɮ|��m��ثe���ݥD�����ؿ��U�I |
�N�ɮץѻ��ݥD���U���^�� | get [���ݥD���ؿ����ɮ�] [����]
get [���ݥD���ؿ����ɮ�] �Y�O�o�خ榡�A�h�ɮ|��m�b�ثe�����Ҧb���ؿ������I�i�H�ϥθU�Φr���A�Ҧp�G get * get *.rpm ��O�i�H���榡�I |
psftp: no hostname
specified; use "open host.name" to connect
psftp> |
psftp: no hostname
specified; use "open host.name" to connect
psftp> open test.linux.org login as: test Using username "test". test@test.linux.org's password: Remote working directory is /home/test psftp> |
# 1. Basic SSH server settings: the port(s) used and the protocol version
#    (the Chinese commentary of the original was lost to a Big5 encoding error
#    and is paraphrased here in English)
Port 22                     # sshd listens on port 22 by default; to listen on
                            # several ports, repeat the Port line once per port.
Protocol 2,1                # Which SSH protocol versions to offer: 1, 2, or both
                            # ("2,1"). Protocol 1 is cryptographically weak and
                            # is only needed by very old clients; unless one of
                            # those leaves you no choice, set "Protocol 2" here.
#ListenAddress 0.0.0.0      # Which local address to listen on. For example, if
                            # the host has both 192.168.0.100 and 192.168.2.20
                            # and SSH should only be offered on 192.168.0.100,
                            # write it as follows:
ListenAddress 192.168.0.100 # accept SSH connections only on 192.168.0.100;
                            # when unset, sshd listens on every address.
PidFile /var/run/sshd.pid   # where sshd writes its PID; the default is fine.
LoginGraceTime 600          # seconds the client has, after connecting, to
                            # finish authenticating before sshd disconnects it.
Compression yes             # whether compression may be negotiated.

# 2. Host private keys; the default files below are normally left alone.
HostKey /etc/ssh/ssh_host_key       # host key for SSH protocol 1 (unused with "Protocol 2")
HostKey /etc/ssh/ssh_host_rsa_key   # RSA host key for SSH protocol 2
HostKey /etc/ssh/ssh_host_dsa_key   # DSA host key for SSH protocol 2
# 2.1 Settings that only apply to protocol version 1
# 3. ����n���ɪ��T����Ʃ�m�P
daemon ���W�١I
# 4. �w���]�w���ءI�����n�I
# 4.5 �n�J�᪺���ءG
# 4.6 ����ϥΪ̩�ת��]�w���ءG
# 5. ���� SFTP
�A�Ȫ��]�w���ءI
|
[test2@test2
test2]$ ssh-keygen -t rsa <==�o�ӨB�J�b����
Keys
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test2/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):          <== the tutorial just presses Enter here (no passphrase)
Enter same passphrase again:                         <== Enter again
Your identification has been saved in /home/test2/.ssh/id_rsa.        <== this is the private key
Your public key has been saved in /home/test2/.ssh/id_rsa.pub.        <== this is the public key
The key fingerprint is:
c4:ae:d9:02:d1:ba:06:5d:07:e6:92:e6:6a:c8:14:ba test2@test2.linux.org
Note: -t selects the key algorithm; since RSA is used here, "-t rsa" is all that is needed to create the pair. Both keys are written to the .ssh directory under the home directory. Be aware that an empty passphrase means anyone who can read id_rsa can log in as you wherever the public key is installed — acceptable for unattended jobs on a well-protected host, otherwise set a passphrase (it can be added later with "ssh-keygen -p"). Let's look at the two keys:
[test2 @test2
test2]$ ll ~/.ssh
|
1. ���b Client
�ݥH sftp �N���_��� test �W���h�I
[test2@test2 test2]$ cd ~/.ssh                       <== go to the key directory
[test2@test2 .ssh]$ sftp test@test.linux.org         <== connect to the server
Connecting to test.linux.org...
test@test.linux.org's password:                      <== enter test's password
sftp> put id_rsa.pub                                 <== upload the PUBLIC key (never id_rsa) to the server
Uploading id_rsa.pub to /home/test/id_rsa.pub
sftp> exit
2. On the server, append the uploaded public key to the authorized_keys file (e.g. "cat ~/id_rsa.pub >> ~/.ssh/authorized_keys", then delete the uploaded copy). With the default "StrictModes yes", sshd ignores the key file if ~/.ssh or authorized_keys is writable by anyone but the owner, so keep them at mode 700 and 600 respectively ("chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys").
|
[test2@test2 test2]$ ssh test@test.linux.org |
�o�T�譱�ӵۤ�i��I���U�ڭ̴N���@���a�I
- /etc/ssh/sshd_config
�@��Ө��A�o���ɮת��w�]���شN�w�g�ܧ��ƤF�I�ҥH�A�ƹ�W�O���ӻݭn��ʥL���I���O�A�p�G�z���ǨϥΪ̤譱���U�{�A����i�H�o�˭ץ��@�ǰ��D�O�I
- �T�� root ���n�J�G����ɭԡA���\ root �H���ݳs�u���覡�n�J�A���|�O�@�Ӧn�D�N�I�ҥH�o���Z��ij�j�a�����N root ���n�J�v�������a�I�ҥH�A�i�H�ק� /etc/ssh/sshd_config �o���ɮת����e���G
�p���@�ӡA�H�� root �N����H ssh �n�J�o�I�o���٬O����n���աI ^_^
[root@test root]# vi /etc/ssh/sshd_config
PermitRootLogin no <==�N�L�令 no �աI
[root@test root]# /etc/rc.d/init.d/sshd restart
�@- ���\�Y�Ӹs�յn�J�G���ǯS�����p���A�ڭ̷Q�n���ϥΪ̥u��ϥ� sendmail, pop3, ftp ���A���O���Ʊ�L�i�H���ݳs�u�i�ӡA����z�i�H�o�˰��G
1. �N�o�ǨϥΪ̳��k�Ǧb�Y�@�ӯS���s�դ��U�A�Ҧp nossh �o�Ӹs�զn�F�F
2. �b /etc/ssh/sshd_config �����[�J�o�@��G�yDenyGroups nossh�z
3. ���s�Ұ� sshd �G /etc/rc.d/init.d/sshd restart
�o�˴NOK�աI
�@- ���\�Y�ӨϥΪ̵n�J�G�� DenyGroups �����A�ϥ� DenyUsers �Y�i�I�Ѧ� sshd_config ���]�w��I
- /etc/hosts.allow �� /etc/hosts.deny �G
�o�F��]�O��²�檺�աI�����ѦҡG ²��������[�] �@���o�I���M�A²�檺��k�N�O�G�@
[root@test /root]# vi /etc/hosts.allow
sshd: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5: allow
[root@test /root]# vi /etc/hosts.deny
sshd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \
    /bin/echo; /usr/sbin/safe_finger @%h ) | \
    /bin/mail -s "%d -%h security" root@localhost & \
    : twist ( /bin/echo -e "\n\nWARNING connection not allowed. Your attempt has been logged. \n\n\nĵ�i�z�|�����\�n�J�A�z���s�u�N�|�Q�����A�åB�@���H�᪺�Ѧ�\n\n ". )
# Notes: these rules only take effect if sshd was built with tcp_wrappers
# (libwrap) support — check with "ldd $(which sshd) | grep wrap". The spawn
# clause fingers the rejected client back and mails root on every rejected
# attempt, so a scanner hammering port 22 will flood root's mailbox; the
# iptables approach below is cheaper under that kind of load. Keep the
# hosts.allow list above in sync with every address you administer from,
# or you will lock yourself out.
- iptables
�h�X�h�O�@�]�ܦn���I�ҥH�]�i�H�ϥ� iptables ��I�ѦҡG²��������[�] �@���o�I
�W�A SSH ���Z�w�����A�u�n���� root ���n�J�v���A������D���ӴN�|����p�@�I�աI�ҥH�A���M�i�H���γ]�w iptables �A���O��ij�w��X�Ӻ���]�w�@�U /etc/hosts.allow �P /etc/hosts.deny �I�[�o�o�I