Practical tips, examples and SSH tunnels

Practical SSH examples that will take your skills as a remote system administrator to a new level. The commands and tips will help you not only use SSH, but also move around the network more competently.

Knowing a few ssh tricks is useful for any system administrator, network engineer or security specialist.

Practical SSH examples

  1. SSH SOCKS proxy
  2. SSH tunnel (port forwarding)
  3. SSH tunnel to a third host
  4. Reverse SSH tunnel
  5. SSH reverse proxy
  6. Setting up a VPN over SSH
  7. Copying an SSH key (ssh-copy-id)
  8. Remote command execution (non-interactive)
  9. Remote packet capture and viewing in Wireshark
  10. Copying a local folder to a remote server over SSH
  11. Remote GUI applications with SSH X11 forwarding
  12. Remote file copy using rsync and SSH
  13. SSH over the Tor network
  14. SSH to an EC2 instance
  15. Editing text files using VIM over ssh/scp
  16. Mounting a remote SSH location as a local folder with SSHFS
  17. Multiplexing SSH with ControlPath
  18. Streaming video over SSH using VLC and SFTP
  19. Two-factor authentication
  20. Jump hosts with SSH and -J
  21. Blocking SSH brute-force attempts using iptables
  22. SSH escape to change port forwarding

First, the basics

Breaking down the SSH command line

The following example uses common parameters that are often encountered when connecting to a remote SSH server.

localhost:~$ ssh -v -p 22 -C neo@remoteserver

  • -v: Debug output is especially useful when analysing authentication problems. It can be used multiple times to show more information.
  • -p 22: the port to connect to on the remote SSH server. 22 does not have to be specified, because it is the default value, but if the protocol is on another port, we specify it with the -p parameter. The listening port is set in the sshd_config file in the form Port 2222.
  • -C: Compression for the connection. If you have a slow connection or are viewing a lot of text, this can speed up the connection.
  • neo@: The string before the @ symbol is the username for authentication on the remote server. If you do not specify it, it defaults to the username of the account you are currently logged in to (~$ whoami). The user can also be specified with the -l parameter.
  • remoteserver: the name of the host to connect to with ssh; this can be a fully qualified domain name, an IP address, or any host in the local hosts file. To connect to a host that supports both IPv4 and IPv6, you can add the -4 or -6 parameter to the command line for the appropriate resolution.

All of the above parameters are optional except remoteserver.

Using a configuration file

Although many are familiar with the sshd_config file, there is also a client configuration file for the ssh command. The default is ~/.ssh/config, but another file can be specified with the -F option.

Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key

Host *
     Port 2222

There are two host entries in the example ssh configuration file above. The remoteserver entry says that for this host a different username, port, FQDN and IdentityFile should be used. The Host * entry applies to all hosts, all of which use the Port 2222 configuration parameter. ssh uses the first value it obtains for each parameter, so the host-specific entry has to come before the Host * defaults; with Host * first, Port 2222 would also be used for remoteserver.

A configuration file can save a lot of typing by allowing advanced settings to be applied automatically when connecting to specific hosts.

Copying files over SSH using SCP

The SSH client comes with two other handy tools for copying files over an encrypted ssh connection. See below for an example of standard usage of the scp and sftp commands. Note that many of the ssh options apply to these commands as well.

localhost:~$ scp mypic.png neo@remoteserver:/media/data/mypic_2.png

In this example the file mypic.png is copied to the remote server into the folder /media/data and renamed to mypic_2.png.

Do not forget about the difference in the port parameter. This is where many people get caught when they run scp from the command line. Here the port parameter is -P, not -p as in the ssh client! You will forget, but do not worry, everyone forgets.

For those familiar with console ftp, many of the commands are similar in sftp. You can get, put and ls to your heart's content.

sftp neo@remoteserver

Practical examples

In many of these examples, the result can be achieved in different ways. As in all our tutorials and examples, preference is given to practical examples that simply do their job.

1. SSH SOCKS proxy

The SSH proxy feature is number 1 for good reason. It is more powerful than many realise and gives you access to any system the remote server can reach, using almost any application. The ssh client can tunnel traffic through a SOCKS proxy with one simple command. It is important to understand that traffic to the remote systems will originate from the remote server, and this is what will appear in the web server logs.

localhost:~$ ssh -D 8888 user@remoteserver

localhost:~$ netstat -pan | grep 8888
tcp        0      0 127.0.0.1:8888       0.0.0.0:*               LISTEN      23880/ssh

Here we start a SOCKS proxy on TCP port 8888; the second command checks that the port is in the listening state. 127.0.0.1 indicates that the service is running on localhost only. We can use a slightly different command to listen on all interfaces, including ethernet or wifi; this allows other applications (browsers and so on) on our network to connect to the proxy service through the ssh SOCKS proxy.

localhost:~$ ssh -D 0.0.0.0:8888 user@remoteserver

Now we can configure the browser to connect to the SOCKS proxy. In Firefox, select Settings | General | Network Settings. Specify the IP address and port to connect to.


Note the option at the bottom of the form to have your browser's DNS requests also go through the SOCKS proxy. If you are using the proxy to encrypt web traffic on the local network, you will probably want to select this option so that DNS requests are tunnelled through the SSH connection.

Enabling the SOCKS proxy in Chrome

Launching Chrome with certain command-line parameters enables the SOCKS proxy, as well as tunnelling DNS requests from the browser. Trust but verify. Use tcpdump to check that DNS queries are no longer visible.

localhost:~$ google-chrome --proxy-server="socks5://192.168.1.10:8888"

Using other applications with the proxy

Keep in mind that many other applications can use SOCKS proxies too. The web browser is simply the most popular of them all. Some applications have configuration options to enable a proxy server. Others need a little help from a helper program. For example, proxychains lets you run Microsoft RDP and others through the SOCKS proxy.

localhost:~$ proxychains rdesktop $RemoteWindowsServer

The SOCKS proxy settings are set in the proxychains configuration file.

Tip: if you use remote desktop from Linux to Windows, try the FreeRDP client. It is a more modern implementation than rdesktop, with a smoother experience.

A use case for SSH via a SOCKS proxy

You are sitting in a cafe or hotel and are forced to use rather unreliable WiFi. We start an ssh proxy locally on the laptop and establish an ssh tunnel into the home network on a local Raspberry Pi. Using a browser or other applications configured for the SOCKS proxy, we can access any network services on our home network or reach the Internet through our home connection. Everything between your laptop and your home server (across the Wi-Fi and the Internet to your home) is encrypted in the SSH tunnel.

2. SSH tunnel (port forwarding)

In its simplest form, an SSH tunnel just opens a port on your local system that connects to another port at the other end of the tunnel.

localhost:~$ ssh  -L 9999:127.0.0.1:80 user@remoteserver

Let's look at the -L parameter. It can be thought of as the local listening side. So in the example above, port 9999 is listening on the localhost side and is forwarded to port 80 on the remote server. Note that 127.0.0.1 refers to localhost on the remote server!

Let's take it up a notch. The following example exposes the listening port to other hosts on the local network.

localhost:~$ ssh  -L 0.0.0.0:9999:127.0.0.1:80 user@remoteserver

In these examples we are connecting to a port on a web server, but this could be a proxy server or any other TCP service.

3. SSH tunnel to a third-party host

We can use the same parameters to connect a tunnel from the remote server to another service running on a third system.

localhost:~$ ssh  -L 0.0.0.0:9999:10.10.10.10:80 user@remoteserver

In this example, we are forwarding the tunnel from the remote server to a web server running on 10.10.10.10. Traffic from remoteserver to 10.10.10.10 is no longer inside the SSH tunnel. The web server on 10.10.10.10 will see remoteserver as the source of the web requests.

4. Reverse SSH tunnel

Here we set up a listening port on the remote server that will connect back to a local port on our localhost (or another system).

localhost:~$ ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserver

This SSH session establishes a connection from port 1999 on the remote server to port 902 on our local client.

5. SSH reverse proxy

In this case, we set up a SOCKS proxy over our ssh connection, but the proxy listens on the server end. Connections to this remote proxy now emerge from the tunnel as traffic from our localhost.

localhost:~$ ssh -v -R 0.0.0.0:1999 user@remoteserver

Troubleshooting remote SSH tunnels

If you have problems getting the remote SSH options to work, check with netstat which interfaces the listening port is bound to. Although we specified 0.0.0.0 in the examples, if GatewayPorts in sshd_config is set to no, the listener will be bound only to localhost (127.0.0.1).

Security warning

Note that by opening tunnels and SOCKS proxies, internal network resources may become reachable from untrusted networks (such as the Internet!). This can be a serious security risk, so make sure you understand what the listener is and what it has access to.
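One way to act on this warning and on the netstat check above, as an added example that is not part of the original article: a filter over `netstat -ltnp` output that lists ssh and sshd listeners bound to anything other than loopback. The function name, the sample listing and its PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list ssh/sshd-owned TCP
# listeners that other hosts can reach, from `netstat -ltnp` style output.

# Constructed sample: listeners like those left by the -D, -L and -R examples.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      23880/ssh
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      24011/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:1999            0.0.0.0:*               LISTEN      25102/sshd: user
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/nginx: master
tcp6       0      0 :::8889                 :::*                    LISTEN      24500/ssh
tcp6       0      0 ::1:8888                :::*                    LISTEN      23880/ssh
EOF
}

# $1 = port the sshd daemon itself listens on (default 22), which is expected
# to be exposed and is skipped. Prints "port bind_address program" per finding.
exposed_ssh_listeners() {
    awk -v daemon_port="${1:-22}" '
    $6 == "LISTEN" && $7 ~ /^[0-9]+\/sshd?:?$/ {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        bind = $4; sub(/:[^:]*$/, "", bind)     # text before the last colon
        prog = $7; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
        if (bind ~ /^127\./ || bind == "::1") next          # loopback only
        if (prog == "sshd" && port == daemon_port) next     # the daemon itself
        print port, bind, prog
    }'
}

# Demo on the constructed sample; on a live host (as root, so that the
# PID/program column is filled in) use: netstat -ltnp | exposed_ssh_listeners 22
sample_netstat | exposed_ssh_listeners 22
```

Lines owned by ssh are client-side -L and -D listeners; lines owned by sshd on a port other than the daemon's are remote (-R) forwards that GatewayPorts allowed to bind beyond 127.0.0.1.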

6. Setting up a VPN over SSH

A common term among specialists in attack methods (pentesters and so on) is a "foothold in the network". Once a connection is established on one system, that system becomes the gateway for further access to the network. A foothold that allows you to move laterally.

For such a foothold we can use an SSH proxy and proxychains, but there are some limitations. For example, it is not possible to work with sockets directly, so we cannot scan ports inside the network with an Nmap SYN scan.

With this more advanced VPN option, the connection drops down to layer 3. We can then simply route traffic through the tunnel using standard network routing.

The method uses ssh, iptables, tun interfaces and routing.

First you need to set these parameters in sshd_config. Since we are making changes to the interfaces of both the remote system and the client, we need root privileges on both sides.

PermitRootLogin yes
PermitTunnel yes

Then we establish the ssh connection using the parameter that requests initialisation of the tun devices.

localhost:~# ssh -v -w any root@remoteserver

We should now have a tun device when listing interfaces (# ip a). The next step is to add IP addresses to the tunnel interfaces.

SSH client side:

localhost:~# ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0
localhost:~# ip link set tun0 up

SSH server side:

remoteserver:~# ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0
remoteserver:~# ip link set tun0 up

Now we have a direct route to the other host (route -n and ping 10.10.10.10).

You can route any subnet through the host on the other side.

localhost:~# route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

On the remote side you must enable ip_forward and iptables.

remoteserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward
remoteserver:~# iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Boom! A VPN over an SSH tunnel at layer 3. Now that is a win.

If any problems occur, use tcpdump and ping to find the cause. Since we are playing at layer 3, our icmp packets will go through this tunnel.
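The sshd_config changes made for this VPN (PermitRootLogin yes, PermitTunnel yes), together with GatewayPorts and X11Forwarding mentioned elsewhere in the article, widen what the server allows, so it is worth checking which of them are still on afterwards. The following is an added example, not part of the original article; the function name and sample file are constructed, and it assumes whitespace-separated keywords and audits only the global section before the first Match block.

```shell
#!/bin/sh
# Added example (not from the original article): report sshd_config settings
# from the tunnel/VPN steps that are still enabled.

# Constructed sample: a server config left as it was after the VPN exercise.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 2222
PermitRootLogin yes
PermitTunnel yes
GatewayPorts no
gatewayports yes
X11Forwarding no
Match User backup
    PermitTunnel no
    PermitRootLogin no
EOF
}

# Reads sshd_config text on stdin and prints "keyword value" (lower-cased)
# for each setting that widens access, in file order.
audit_sshd_forwarding() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        key = tolower($1); val = tolower($2) # keywords are case-insensitive
        if (key == "match") exit             # assumption: global section only
        if (key in seen) next                # sshd keeps the first value it obtains
        seen[key] = 1
        # Defaults are "no"; anything else lets forwards bind beyond loopback
        # or lets clients create tun devices.
        if ((key == "gatewayports" || key == "permittunnel") && val != "no")
            print key, val
        # Direct root password/key login and X11 forwarding explicitly on.
        if ((key == "permitrootlogin" || key == "x11forwarding") && val == "yes")
            print key, val
    }'
}

# Demo on the constructed sample. The second gatewayports line is ignored
# because the first value wins, so only two findings are printed.
sample_sshd_config | audit_sshd_forwarding
```

On a server, feed it the real file (`audit_sshd_forwarding < /etc/ssh/sshd_config`) or the effective configuration printed by `sshd -T`.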

7. Copying an SSH key (ssh-copy-id)

There are several ways to do this, but this command saves time by not copying files manually. It simply copies ~/.ssh/id_rsa.pub (or the default key) from your system to ~/.ssh/authorized_keys on the remote server.

localhost:~$ ssh-copy-id user@remoteserver

8. Remote command execution (non-interactive)

The ssh command can be chained with other commands for a familiar, convenient interface. Simply add the command you want to run on the remote host as the last parameter, in quotes.

localhost:~$ ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

In this example grep runs on the local system after the log has been pulled down over the ssh channel. If the file is large, it is more convenient to run grep on the remote side by enclosing both commands in double quotes.

Another example performs the same function as ssh-copy-id from example 7.

localhost:~$ cat ~/.ssh/id_rsa.pub | ssh remoteserver 'cat >> .ssh/authorized_keys'

9. Remote packet capture and viewing in Wireshark

I took this from one of our tcpdump examples. Use it to capture packets remotely and display the result directly in the local Wireshark GUI.

:~$ ssh root@remoteserver 'tcpdump -c 1000 -nn -w - not port 22' | wireshark -k -i -

10. Copying a local folder to a remote server over SSH

A nice trick that compresses a folder using bzip2 (that is the -j option in the tar command), then extracts the bzip2 stream on the other side, creating a copy of the folder on the remote server.

localhost:~$ tar -cvj /datafolder | ssh remoteserver "tar -xj -C /datafolder"

11. Remote GUI applications with SSH X11 forwarding

If X is installed on the client and the remote server, you can run a GUI command remotely with the window on your local desktop. This feature has been around for a long time, but is still very useful. Launch a remote web browser or even the VMware Workstation console, as I do in this example.

localhost:~$ ssh -X remoteserver vmware

The line X11Forwarding yes is required in the sshd_config file.

12. Remote file copy using rsync and SSH

rsync is in many ways more convenient than scp if you need periodic backups of a directory, a large number of files, or very large files. It can recover from a failed transfer and copy only changed files, which saves traffic and time.

This example uses gzip compression (-z) and archive mode (-a), which enables recursive copying.

:~$ rsync -az /home/testuser/data remoteserver:backup/

13. SSH over the Tor network

The anonymous Tor network can tunnel SSH traffic using the torsocks command. The following command proxies ssh through Tor.

localhost:~$ torsocks ssh myuntracableuser@remoteserver

Torsocks will use port 9050 on localhost for the proxy. As always, when using Tor you need to seriously check what traffic is being tunnelled and other operational security (opsec) issues. Where are your DNS queries going?

14. SSH to an EC2 instance

To connect to an EC2 instance, you need a private key. Download it (.pem extension) from the Amazon EC2 control panel and change the permissions (chmod 400 my-ec2-ssh-key.pem). Keep the key in a safe place or put it in your own ~/.ssh/ folder.

localhost:~$ ssh -i ~/.ssh/my-ec2-key.pem ubuntu@my-ec2-public

The -i parameter simply tells the ssh client to use this key. The ~/.ssh/config file is ideal for automatically configuring key usage when connecting to an ec2 host.

Host my-ec2-public
   Hostname ec2???.compute-1.amazonaws.com
   User ubuntu
   IdentityFile ~/.ssh/my-ec2-key.pem

15. Editing text files using VIM over ssh/scp

For all vim lovers, this tip will save some time. Using vim, files are edited over scp with one command. This method simply creates the file locally in /tmp and then copies it back once we save it from vim.

localhost:~$ vim scp://user@remoteserver//etc/hosts

Note: the format is slightly different from regular scp. After the host we have a double //. This is an absolute path reference. A single slash would indicate a path relative to your user's home folder.

**warning** (netrw) cannot determine method (format: protocol://[user@]hostname[:port]/[path])

If you see this error, double-check the command format. It usually means a syntax error.

16. Mounting a remote SSH location as a local folder with SSHFS

With sshfs, the ssh file system client, we can connect a local directory to a remote location with all file interactions inside the encrypted ssh session.

localhost:~$ apt install sshfs

On Ubuntu and Debian install the sshfs package, and then simply mount the remote location onto our system.

localhost:~$ sshfs user@remoteserver:/media/data ~/data/

17. SSH multiplexing with ControlPath

By default, if there is an existing connection to a remote server using ssh, a second connection using ssh or scp establishes a new session with additional authentication. The ControlPath option allows the existing session to be used for all subsequent connections. This speeds things up considerably: the effect is noticeable even on a local network, and even more so when connecting to remote resources.

Host remoteserver
        HostName remoteserver.example.org
        ControlMaster auto
        ControlPath ~/.ssh/control/%r@%h:%p
        ControlPersist 10m

ControlPath specifies the socket that new connections check to see whether there is an active ssh session. The last option means that even after you exit the console, the existing session stays open for 10 minutes, so during that time you can reconnect over the existing socket. For more information, see man ssh_config.

18. Streaming video over SSH using VLC and SFTP

Even long-time users of ssh and vlc (Video Lan Client) are not always aware of this convenient option for when you really need to watch a video over the network. In vlc under File | Open Network Stream you can enter the location as sftp://. If a password is required, a prompt will appear.

sftp://remoteserver//media/uploads/myvideo.mkv

19. Two-factor authentication

The same two-factor authentication as for your bank account or Google account applies to the SSH service.

Of course, ssh has had a two-factor capability from the start, meaning a password and an SSH key. The advantage of a hardware token or the Google Authenticator app is that it is usually a different physical device.

See our 8-minute guide to using Google Authenticator and SSH.

20. Jump hosts with ssh and -J

If network segmentation means you have to hop through multiple ssh hosts to reach the final destination network, the -J shortcut will save you time.

localhost:~$ ssh -J host1,host2,host3 [email protected]

The main thing to understand here is that this is not the same as running ssh host1, then user@host1:~$ ssh host2 and so on. The -J option cleverly uses forwarding to make localhost establish a session with the next host in the chain. So in the example above, our localhost is authenticated to host4. That is, our localhost keys are used, and the session from localhost to host4 is fully encrypted.

For the same capability in ssh_config, specify the ProxyJump configuration option. If you regularly have to go through several hosts, automating it through the configuration will save a lot of time.

21. Blocking SSH brute-force attempts using iptables

Anyone who has run an SSH service and looked at the logs knows the number of brute-force attempts that occur every hour of every day. A quick way to reduce the noise in the logs is to move SSH to a non-standard port. Make the change in the sshd_config file via the configuration parameter Port ##.

With iptables you can also easily block connection attempts to the port once a certain threshold is reached. An easy way to do this is to use OSSEC, because it not only blocks SSH but also performs a number of other host-based intrusion detection (HIDS) measures.
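The article names the threshold approach without showing it; the following is one log-driven way to do it, as an added example that is not part of the original article. It counts sshd "Failed password" lines per source address and prints an iptables DROP rule for each address at or above the threshold, without running anything. The function names, sample log lines and addresses are constructed, and it handles IPv4 sources only.

```shell
#!/bin/sh
# Added example (not from the original article): turn repeated sshd login
# failures into iptables block rules for review.

# Constructed sample in the usual syslog format for sshd.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:01:03 host sshd[1001]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:01:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar  3 10:01:09 host sshd[1003]: Failed password for invalid user from 198.51.100.9 from 203.0.113.7 port 40004 ssh2
Mar  3 10:02:00 host sshd[1004]: Failed password for neo from 192.0.2.20 port 50000 ssh2
Mar  3 10:02:10 host sshd[1005]: Accepted publickey for neo from 192.0.2.20 port 50001 ssh2
EOF
}

# $1 = minimum number of failures (default 5). Prints "count ip", busiest first.
failed_ssh_sources() {
    awk -v limit="${1:-5}" '
    / sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        # The user name is chosen by the client and may contain "from <addr>"
        # (4th sample line), so take the last "from" on the line, not the first.
        for (i = NF - 1; i > 0; i--) if ($i == "from") { ip = $(i + 1); break }
        # Count only well-formed IPv4 text; it ends up inside a firewall rule.
        if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# $1 = minimum failures, $2 = port sshd listens on (default 22).
# Prints one rule per offending source; nothing is executed.
bruteforce_block_rules() {
    failed_ssh_sources "${1:-5}" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "${2:-22}"
    done
}

# Demo on the constructed sample: 203.0.113.7 has 4 failures, 192.0.2.20 has 1.
sample_auth_log | bruteforce_block_rules 3 22
```

The single failure from 192.0.2.20 stays below the threshold, so a legitimate user who mistypes a password once is not blocked.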

22. SSH escape to change port forwarding

And our final ssh example is for changing port forwarding on the fly within an existing ssh session. Imagine this scenario. You are deep in a network; perhaps you have hopped across half a dozen hosts and need a local port on your workstation forwarded to the Microsoft SMB of an old Windows 2003 system (anyone remember ms08-67?).

After pressing enter, try typing ~C in the console. This is a session control sequence that allows changes to be made to the existing connection.

localhost:~$ ~C
ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward
ssh> -L 1445:remote-win2k3:445
Forwarding port.

Here you can see that we have forwarded our local port 1445 to the Windows 2003 host we found on the internal network. Now just run msfconsole, and you can carry on (assuming you plan to use this host).

Conclusion

These ssh examples, tips and commands should give you a starting point; more detail on each of the commands and capabilities is available in the man pages (man ssh, man ssh_config, man sshd_config).

I have always been fascinated by the ability to access systems and execute commands anywhere in the world. By developing your skills with tools like ssh, you will become more effective at any game you play.

source: www.habr.com
