Secure Shell protocol to enhance the safety of remote control



Secure Shell Protocol (SSH) is a protocol that provides secure remote login and other secure network services over an insecure network. Secure Shell, also written SSH, was originally a program on UNIX systems and later spread rapidly to other operating platforms. SSH is a good application; when used properly, it can make up for network vulnerabilities.

SSH has three main components:

The transport layer protocol [SSH-TRANS] provides server authentication, confidentiality and integrity; it sometimes also provides compression. SSH-TRANS usually runs over a TCP/IP connection but can also be used over any other reliable data stream. SSH-TRANS provides strong encryption, host authentication and integrity protection. Authentication at this level is host-based; the protocol does not perform user authentication. A higher-level user authentication protocol can be designed on top of it.

The user authentication protocol [SSH-USERAUTH] provides authentication of the client's user to the server. It runs on top of the transport protocol SSH-TRANS. When SSH-USERAUTH starts, it receives the session identifier from the lower protocol (the exchange hash H from the first key exchange). The session identifier uniquely identifies this session and is suitable for signing to prove ownership of a private key. SSH-USERAUTH also needs to know whether the lower-level protocol provides confidentiality protection.

The connection protocol [SSH-CONNECT] divides the encrypted tunnel into several logical channels. It runs on top of the user authentication protocol. It provides interactive login sessions, remote command execution, forwarded TCP/IP connections and forwarded X11 connections.
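As an added illustration (not part of the original article), the following Python sketch shows why the session identifier is "suitable for signing": the data a client signs for public-key user authentication (RFC 4252, section 7) begins with the session identifier, so a signature produced in one session does not verify in another. The HMAC used here is a stand-in for the client's real RSA or Ed25519 signature, and every key, public-key blob and session value is constructed for the example.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': a big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def userauth_signed_data(session_id: bytes, user: str, service: str,
                         key_algo: str, pubkey_blob: bytes) -> bytes:
    """Bytes a client signs for 'publickey' authentication (RFC 4252, sec. 7).

    The session identifier (exchange hash H of the first key exchange) comes
    first, so the resulting signature is bound to exactly one session.
    """
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"publickey")
            + b"\x01"                       # boolean TRUE: a signature follows
            + ssh_string(key_algo.encode())
            + ssh_string(pubkey_blob))


def stand_in_sign(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the real public-key signature
    # (RSA/Ed25519) so that the example runs with the standard library only.
    return hmac.new(key, data, hashlib.sha256).digest()


def server_verify(key: bytes, server_session_id: bytes, user: str,
                  service: str, key_algo: str, pubkey_blob: bytes,
                  signature: bytes) -> bool:
    """The server rebuilds the signed data with ITS OWN session identifier and
    checks the signature; a signature made for another session cannot pass."""
    expected = stand_in_sign(key, userauth_signed_data(
        server_session_id, user, service, key_algo, pubkey_blob))
    return hmac.compare_digest(expected, signature)


def demo():
    """Sign once in session A, then verify in session A and in session B."""
    key = b"constructed-client-key"           # constructed, not a real key
    pubkey = b"constructed-public-key-blob"   # constructed
    session_a = hashlib.sha256(b"exchange hash H, session A").digest()
    session_b = hashlib.sha256(b"exchange hash H, session B").digest()
    args = ("test", "ssh-connection", "ssh-ed25519", pubkey)
    sig = stand_in_sign(key, userauth_signed_data(session_a, *args))
    return (server_verify(key, session_a, *args, sig),
            server_verify(key, session_b, *args, sig))


if __name__ == "__main__":
    print(demo())  # (True, False): accepted on session A, rejected on session B
```

The second result is the point: even with the same user, key and service, the server on session B recomputes the signed data with its own exchange hash H, so a captured authentication message from session A is useless there.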

Because SSH encrypts all transmitted data, a "man-in-the-middle" attack cannot succeed, and IP and DNS spoofing are also prevented. A further benefit of SSH is that the transmitted data is compressed, which can speed up transmission. SSH has many functions: it can replace Telnet, and it can also provide a secure "channel" for FTP, POP and even PPP.

Many servers provide a Telnet service out of necessity. Indeed, to manage a UNIX system remotely you need a remote terminal, and to use a remote terminal the natural step is to start the Telnet service on the server. But the Telnet service has a fatal weakness: it transmits the user name and password in clear text, so they are easy for people with ulterior motives to steal. At present the SSH service is an effective and useful replacement for Telnet. Between the SSH client and the server, the user name and password are encrypted, which effectively prevents password eavesdropping. The emergence of SSH has made remote control more secure.

Although SSH has the advantages above, it can still be attacked by hackers. The following discusses how to prevent attacks on SSH:

1. Basic configuration:

There are three authentication methods: no authentication, password authentication, and user name and password authentication; user name and password authentication is recommended. If unified authentication across all network equipment is desired, the same RADIUS server can be used for authentication. As follows:

Create a telnet user with level 0 (visit-level) privileges:

local-user test

password cipher 3M] * QF / H] KL `K & @ YU8 <4)!!!

service-type telnet level 0

Enable user name and password authentication on VTY interfaces 0 to 4:

user-interface vty 0 4

authentication-mode scheme

2. For security, the privilege level of the authenticated user can be set to level 0 (visit level); the super command is then used to raise privilege. With a user name, a password and a super password, it can be said that three lines of defense have been set up against the hacker. As follows:

super password level 3 cipher / C] JIDTXNUC8BT :.'_^ U $ A!!

3. An ACL can be configured on the VTY interface so that only certain IP addresses are allowed to telnet in remotely, giving a fourth line of defense, as follows:

A source-IP-based ACL:

acl number 2000

rule 0 permit source 192.168.1.0 0.0.0.255

Apply the ACL to vty 0 4 in the inbound direction:

user-interface vty 0 4

acl 2000 inbound

4. From past experience, SSH attacks on network equipment are common. They may not lead to the equipment being compromised, but they consume resources such as CPU and memory. SSH packets can therefore be refused on the VTY interface, which is the fifth line of defense. Specifically:

Allow only telnet user access on the vty 0 4 interface:

user-interface vty 0 4

protocol inbound telnet
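The five defenses above are device configuration rather than something to execute, so as an added example (not from the original article) here is a Python audit that parses a VRP-style configuration text and checks each of them: scheme authentication on the VTY lines, login users at level 0, a super password, a source ACL applied inbound, and an explicit inbound protocol restriction. Both configuration samples are constructed and the cipher text is a placeholder; the assumptions that a user without a stated level is level 0 and that a missing "protocol inbound" line means all protocols are accepted are mine, not the article's.

```python
import re

# Constructed VRP-style configuration that mirrors the page's five defenses.
# Sub-commands are indented as a device would display them; the parser
# also accepts the un-indented form used in the article.
HARDENED_CONFIG = """\
local-user test
 password cipher <cipher-placeholder>
 service-type telnet level 0
super password level 3 cipher <cipher-placeholder>
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 protocol inbound telnet
"""

# Constructed weak configuration: no scheme authentication, a level-3 login
# user, no super password, no ACL and no protocol restriction on the VTYs.
WEAK_CONFIG = """\
local-user admin
 password cipher <cipher-placeholder>
 service-type telnet level 3
user-interface vty 0 4
 authentication-mode none
"""

BLOCK_START = ("local-user ", "user-interface ", "acl number ")


def parse_blocks(config):
    """Group config lines into (header, [sub-lines]) blocks keyed on the
    block-opening commands; lines before any block go to a '' header."""
    blocks = [("", [])]
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BLOCK_START):
            blocks.append((line, []))
        else:
            blocks[-1][1].append(line)
    return blocks


def user_level(sub_lines):
    """Privilege level from 'service-type ... level N'; None if not stated."""
    for line in sub_lines:
        m = re.search(r"service-type .*level (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def audit(config):
    blocks = parse_blocks(config)
    all_lines = [l for _, subs in blocks for l in subs]
    vty_lines = [l for hdr, subs in blocks
                 if hdr.startswith("user-interface vty") for l in subs]
    acls = {}
    for hdr, subs in blocks:
        m = re.match(r"acl number (\d+)", hdr)
        if m:
            acls[m.group(1)] = subs

    # Defense 1: VTY logins must require user name and password (scheme).
    auth_scheme = "authentication-mode scheme" in vty_lines
    # Defense 2: login users start at level 0 (assumption: unstated = 0).
    high_users = [hdr.split()[1] for hdr, subs in blocks
                  if hdr.startswith("local-user ") and (user_level(subs) or 0) > 0]
    # Defense 3: a super password guards privilege escalation.
    super_set = any(l.startswith("super password") for l in all_lines)
    # Defense 4: a source ACL is applied inbound on the VTYs and has rules.
    acl_ref = next((re.match(r"acl (\d+) inbound", l) for l in vty_lines
                    if re.match(r"acl (\d+) inbound", l)), None)
    acl_ok = bool(acl_ref) and bool(acls.get(acl_ref.group(1)))
    # Defense 5: inbound protocol explicitly restricted (assumption: absent
    # line means 'all', which is treated as unrestricted).
    proto = next((l.split()[-1] for l in vty_lines
                  if l.startswith("protocol inbound")), "all")

    return {
        "vty_auth_scheme": auth_scheme,
        "high_privilege_users": high_users,
        "super_password_set": super_set,
        "vty_acl_inbound": acl_ok,
        "vty_protocol_restricted": proto != "all",
    }


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg))
```

Run it against a saved "display current-configuration" dump to see which of the five lines of defense a device is missing; the weak sample fails all five, which is the state a freshly provisioned device is often left in.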

Making good use of the SSH service can really improve the safety of remote control and prevent password theft.