Practical SSH tips, examples and tunnels

Practical ssh examples that will take your skills as a remote system administrator to the next level. The commands and tips will help you not only use SSH, but also move around the network more effectively.

Knowing a few ssh tricks is useful to any system administrator, network engineer or security professional.

Practical SSH examples

  1. SSH socks proxy
  2. SSH tunnel (port forwarding)
  3. SSH tunnel to a third host
  4. Reverse SSH tunnel
  5. SSH reverse proxy
  6. Setting up a VPN over SSH
  7. Copying an SSH key (ssh-copy-id)
  8. Remote command execution (non-interactive)
  9. Remote packet capture and viewing in Wireshark
  10. Copying a local folder to a remote server over SSH
  11. Remote GUI applications with SSH X11 forwarding
  12. Remote file copying with rsync and SSH
  13. SSH over the Tor network
  14. SSH to an EC2 instance example
  15. Editing text files with VIM over ssh/scp
  16. Mounting a remote SSH location as a local folder with SSHFS
  17. SSH multiplexing with ControlPath
  18. Streaming video over SSH with VLC and SFTP
  19. Two-factor authentication
  20. Jump hosts with SSH and -J
  21. Blocking SSH brute force attempts with iptables
  22. SSH escape to change port forwarding

First the basics

Parsing the SSH command line

The following example uses common parameters encountered when connecting to a remote SSH server.

localhost:~$ ssh -v -p 22 -C neo@remoteserver

  • -v: Debug output is extremely useful when analysing authentication problems. It can be given several times to show more information.
  • -p 22: The port to connect to on the remote SSH server. 22 does not need to be specified, since it is the default, but if the service is running on another port we specify it with the -p parameter. The listening port is specified in the sshd_config file in the format Port 2222.
  • -C: Compress the connection. If you have a slow link or are viewing a lot of text, this can speed up the connection.
  • neo@: The string before the @ symbol is the username used to authenticate to the remote server. If you do not specify it, it defaults to the username of the account you are currently logged in as (~$ whoami). The user can also be specified with the -l parameter.
  • remoteserver: the name of the host to connect to with ssh; this can be a fully qualified domain name, an IP address, or any host in the local hosts file. To connect to a host that supports both IPv4 and IPv6, you can add the -4 or -6 parameter on the command line to force the appropriate resolution.

All of the above parameters are optional except remoteserver.

Using the configuration file

While many are familiar with the sshd_config file, there is also a client configuration file for the ssh command. The default is ~/.ssh/config, but a different file can be given with the -F option.

Host *
     Port 2222

Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key

There are two host entries in the ssh configuration file example above. The first means all hosts, all of which use the configuration parameter Port 2222. The second says that for the host remoteserver a different username, port, FQDN and IdentityFile should be used.

The configuration file can save a lot of typing by allowing advanced configuration to be applied automatically when connecting to particular hosts.
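One detail of the configuration file is worth checking in code rather than by eye: ssh_config(5) documents that, for each keyword, the first value obtained wins, so a wildcard Host * stanza that appears before a more specific stanza shadows it. The Python below is an added example (it is not code from the article) that implements that rule for plain Host stanzas and applies it both to the configuration above and to a reordered copy with the specific stanza first. The configuration text and the host names are constructed for the example; Match blocks, Include and the Keyword=value spelling are not handled.

```python
import re

# Constructed ssh_config text in the same shape as the example above.
PAGE_ORDER_CONFIG = """
Host *
     Port 2222

Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key
"""

# The same stanzas with the specific host first and the wildcard defaults last.
SPECIFIC_FIRST_CONFIG = """
Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key

Host *
     Port 2222
"""


def glob_match(pattern, host):
    """ssh_config patterns: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None


def host_line_matches(patterns, host):
    """A Host line may list several patterns; a matching '!'-negated pattern
    rejects the whole line, otherwise any positive match accepts it."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if glob_match(pattern[1:], host):
                return False
        elif glob_match(pattern, host):
            matched = True
    return matched


def resolve(config_text, host):
    """Return the options ssh would apply to `host`.  ssh keeps the FIRST value
    it obtains for each keyword, so earlier stanzas shadow later ones.
    Simplifications (assumptions of this helper): no Match, no Include,
    no Keyword=value spelling."""
    options = {}
    active = True  # lines before the first Host stanza apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        keyword = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword == "host":
            active = host_line_matches(value.split(), host)
        elif active and keyword not in options:
            options[keyword] = value
    return options


if __name__ == "__main__":
    for label, cfg in (("article order", PAGE_ORDER_CONFIG), ("specific first", SPECIFIC_FIRST_CONFIG)):
        print(label, "remoteserver ->", resolve(cfg, "remoteserver"))
        print(label, "otherhost    ->", resolve(cfg, "otherhost"))
```

With the stanza order shown in the article, remoteserver resolves to Port 2222 rather than 2112, because the Host * stanza supplies Port first; putting Host remoteserver first and the Host * defaults last gives the intended result. On a real system, ssh -G remoteserver prints the configuration ssh would actually use for that host without connecting, which is the quickest way to confirm the effective port, user and key.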

Copying files over SSH using SCP

The SSH client comes with two other very useful tools for copying files over the encrypted ssh connection. See below for an example of typical use of the scp and sftp commands. Note that many of the ssh options also apply to these commands.

localhost:~$ scp mypic.png neo@remoteserver:/media/data/mypic_2.png

In this example the file mypic.png is copied to the remote server into the folder /media/data and renamed mypic_2.png.

Don't forget about the difference in the port parameter. This is where many people get caught when first running scp from the command line. Here the port parameter is -P, not -p as in the ssh client! You will forget, but don't worry, everyone forgets.

For those familiar with console ftp, many of the commands are similar in sftp. You can put, get and ls to your heart's content.

sftp neo@remoteserver

Practical examples

In many of these examples the result can be achieved in different ways. As with all our tutorials and examples, preference is given to practical examples that simply get the job done.

1. SSH socks proxy

The SSH proxy feature is number 1 for a good reason. It is more powerful than many realise and gives you access to any system the remote server can reach, using almost any application. The ssh client can tunnel traffic through a SOCKS proxy with one simple command. It is important to understand that traffic to the remote systems will originate from the remote server; that is what will appear in the web server logs.

localhost:~$ ssh -D 8888 user@remoteserver

localhost:~$ netstat -pan | grep 8888
tcp        0      0 127.0.0.1:8888       0.0.0.0:*               LISTEN      23880/ssh

Here we start a socks proxy on TCP port 8888; the second command checks that the port is active in listening mode. The 127.0.0.1 shows that the service is running on localhost only. We can use a slightly different command to listen on all interfaces, including ethernet and wifi; this allows other applications (browsers, etc.) on our network to connect to the proxy service through the ssh socks proxy.

localhost:~$ ssh -D 0.0.0.0:8888 user@remoteserver

Now we can configure the browser to connect to the socks proxy. In Firefox, choose Settings | General | Network Settings. Specify the IP address and port to connect to.

Note the option at the bottom of the form to send your browser's DNS requests through the SOCKS proxy. If you are using the proxy to encrypt your web traffic on the local network, you will want to select this option so that DNS requests are resolved over the SSH connection.

Enabling the socks proxy in Chrome

Launching Chrome with command-line parameters enables the socks proxy and also tunnels the browser's DNS requests. Trust, but verify. Use tcpdump to check that DNS queries are no longer visible.

localhost:~$ google-chrome --proxy-server="socks5://192.168.1.10:8888"
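Whether DNS leaks past the proxy is decided by one byte in the SOCKS request, and that is easier to see in code than in a settings dialog. The Python below is an added example (not code from the article) that builds and decodes the SOCKS5 CONNECT request from RFC 1928. An application that hands the proxy a hostname (address type 3) leaves the lookup to the ssh process and ultimately to remoteserver; an application that resolves the name itself sends only an IP literal (address type 1 or 4), and that local lookup is the DNS traffic tcpdump would show. The target names and addresses are constructed for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting():
    """First client message: version 5, one offered method, 0x00 = no authentication
    (the only method ssh -D offers, which is why its listener must not face untrusted networks)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(target, port):
    """Encode a CONNECT request.  A hostname goes out as ATYP 3, leaving name
    resolution to the proxy; an IP literal means the client already resolved the
    name locally, i.e. a DNS query left the machine outside the tunnel."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Decode a CONNECT request into (address_kind, target, port)."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        kind, target, rest = "ipv4", str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        kind, target, rest = "ipv6", str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        kind, target, rest = "domain", data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return kind, target, struct.unpack("!H", rest)[0]


def dns_resolved_by_proxy(data):
    """True when the request carries a hostname: the application left resolution
    to the proxy and no DNS query for that name left the local machine."""
    return parse_connect(data)[0] == "domain"


if __name__ == "__main__":
    # Constructed targets: a hostname and a TEST-NET-1 documentation address.
    for target in ("example.com", "192.0.2.10"):
        req = build_connect(target, 443)
        print(req.hex(), parse_connect(req), "proxy resolves:", dns_resolved_by_proxy(req))
```

The same distinction exists in curl: a socks5h:// proxy URL passes the hostname to the proxy, while socks5:// resolves it locally first. When auditing a proxied setup, capture on the client and confirm that only the SOCKS connection to the ssh listener appears, not UDP/53 queries for the sites being visited.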

Using other applications with the proxy

Remember that many other applications can use socks proxies too. The web browser is simply the most popular of them all. Some applications have configuration options to enable the proxy. Others need a little help from a helper program. For example, proxychains lets you use the socks proxy for Microsoft RDP, etc.

localhost:~$ proxychains rdesktop $RemoteWindowsServer

The socks proxy configuration parameters are set in the proxychains configuration file.

Tip: using remote desktop from Linux to Windows? Try the FreeRDP client. It is a more modern implementation than rdesktop, with a much smoother experience.

A use case for the SSH socks proxy

You are sitting in a café or hotel and have to use the untrusted WiFi. We launch an ssh proxy locally from the laptop and set up an ssh tunnel to the home network, to a Raspberry Pi there. Using the browser or other applications configured for the socks proxy, we can access any network services on our home network or reach the internet through our home connection. Everything between your laptop and your home server (over the Wi-Fi and the internet to your home) is encrypted in the SSH tunnel.

2. SSH tunnel (port forwarding)

In its simplest form, an SSH tunnel simply opens a port on your local system that connects to another port on the other end of the tunnel.

localhost:~$ ssh  -L 9999:127.0.0.1:80 user@remoteserver

Let's look at the -L parameter. It can be thought of as the local listening side. So in the example above, port 9999 is listening on the localhost side and is forwarded to port 80 on remoteserver. Note that 127.0.0.1 refers to localhost on the remote server!

Let's go up a step. The following example makes the listening port available to other hosts on the local network.

localhost:~$ ssh  -L 0.0.0.0:9999:127.0.0.1:80 user@remoteserver

In these examples we connect to a port on a web server, but it could be a proxy server or any other TCP service.

3. SSH tunnel to a third-party host

We can use the same parameters to connect the tunnel from the remote server to another service running on a third system.

localhost:~$ ssh  -L 0.0.0.0:9999:10.10.10.10:80 user@remoteserver

In this example we redirect the tunnel from remoteserver to the web server running on 10.10.10.10. Traffic from remoteserver to 10.10.10.10 is no longer inside the SSH tunnel. The web server at 10.10.10.10 will see remoteserver as the source of the web requests.

4. Reverse SSH tunnel

Here we set up a listening port on the remote server that connects back to a local port on our local host (or another system).

localhost:~$ ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserver

This SSH session establishes a connection from port 1999 on remoteserver to port 902 on our local client.

5. SSH reverse proxy

In this case we set up a socks proxy on our ssh connection, but the proxy listens at the server end. Connections to this remote proxy now emerge from the tunnel as traffic originating from our local host.

localhost:~$ ssh -v -R 0.0.0.0:1999 user@remoteserver

Troubleshooting remote SSH tunnels

If you have problems getting the remote SSH options to work, check with netstat which interfaces the listening port is attached to. Although we showed 0.0.0.0 in the examples, if the GatewayPorts value in sshd_config is set to no, the listener will be bound only to localhost (127.0.0.1).

Security warning

Please note that by opening tunnels and socks proxies, internal network resources may become accessible to untrusted networks (such as the internet!). This can be a serious security risk, so make sure you understand what the listener is and what it can reach.

6. Setting up a VPN over SSH

A common term among offensive security professionals (pentesters, etc.) is "pivoting in the network". Once a connection has been established to one system, that system becomes a gateway for further access to the network. A pivot lets you move laterally.

To get such a pivot we can use an SSH proxy and proxychains, but there are some limitations. For example, it is not possible to work directly with raw sockets, so we cannot scan ports inside the network with an Nmap SYN scan.

With this more advanced VPN option, the connection is brought down to layer 3. We can then simply route traffic through the tunnel using standard network routing.

The method uses ssh, iptables, tun interfaces and routing.

First you need to set these parameters in sshd_config. Since we are making changes to the interfaces of both the remote and the client system, we need root privileges on both sides.

PermitRootLogin yes
PermitTunnel yes

Then we establish the ssh connection with the parameter that requests initialisation of the tun devices.

localhost:~# ssh -v -w any root@remoteserver

We should now have a tun device when listing the interfaces (# ip a). The next step is to add IP addresses to the tunnel interfaces.

SSH client side:

localhost:~# ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0
localhost:~# ip link set tun0 up

SSH server side:

remoteserver:~# ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0
remoteserver:~# ip link set tun0 up

Now we have a direct route to the other host (route -n and ping 10.10.10.10).

You can route any subnet through the host on the other side.

localhost:~# route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

On the remote side you need to enable ip_forward and iptables.

remoteserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward
remoteserver:~# iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Boom! A VPN over an SSH tunnel at network layer 3. Now that is a win.

If there are any problems, use tcpdump and ping to find the cause. Since we are playing at layer 3, our icmp packets will go through this tunnel.

7. Copying an SSH key (ssh-copy-id)

There are several ways to do this, but this command saves time by not copying files by hand. It simply copies ~/.ssh/id_rsa.pub (or the specified key) from your system to ~/.ssh/authorized_keys on the remote server.

localhost:~$ ssh-copy-id user@remoteserver

8. Remote command execution (non-interactive)

The ssh command can be chained with other commands to give a familiar, easy-to-use interface. Just add the command you want to run on the remote host as the last parameter, in quotes.

localhost:~$ ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

In this example grep is run on the local system after the log has been downloaded over the ssh channel. If the file is large, it is much easier to run grep on the remote side by simply enclosing both commands in the double quotes.

Another example does the same job as the ssh-copy-id example in 7.

localhost:~$ cat ~/.ssh/id_rsa.pub | ssh remoteserver 'cat >> .ssh/authorized_keys'

9. Remote packet capture and viewing in Wireshark

I took one of our tcpdump examples. Use it to capture packets remotely and show the results directly in a local Wireshark GUI.

:~$ ssh root@remoteserver 'tcpdump -c 1000 -nn -w - not port 22' | wireshark -k -i -

10. Copying a local folder to a remote server over SSH

A nice trick that compresses the folder with bzip2 (that is the -j option of the tar command), then extracts the bzip2 stream on the other side, creating a duplicate folder on the remote server.

localhost:~$ tar -cjf - /datafolder | ssh remoteserver "tar -xjf - -C /datafolder"

11. Remote GUI applications with SSH X11 forwarding

If X is installed on both the client and the remote server, you can run a GUI command remotely with the window on your local desktop. This feature has been around for a long time, but is still very useful. Launch a remote web browser or even the VMWare Workstation console, as I do in this example.

localhost:~$ ssh -X remoteserver vmware

The required line is X11Forwarding yes in the sshd_config file.

12. Remote file copying with rsync and SSH

rsync is much more convenient than scp when you need periodic backups of a directory, a large number of files, or very large files. It can recover from failed transfers and copy only changed files, saving traffic and time.

This example uses gzip compression (-z) and archive mode (-a), which allows recursive copying.

:~$ rsync -az /home/testuser/data remoteserver:backup/

13. SSH over the Tor network

The anonymous Tor network can tunnel SSH traffic using the torsocks command. The following command passes the ssh connection through Tor.

localhost:~$ torsocks ssh myuntracableuser@remoteserver

Torsocks will use port 9050 on localhost as the proxy. As always when using Tor, you need to think carefully about what traffic is being tunnelled and about other operational security (opsec) issues. Where do your DNS queries go?

14. SSH to an EC2 instance example

To connect to an EC2 instance you need a private key. Download it (.pem extension) from the Amazon EC2 control panel and change its permissions (chmod 400 my-ec2-ssh-key.pem). Keep the key in a safe place or put it in your ~/.ssh/ folder.

localhost:~$ ssh -i ~/.ssh/my-ec2-key.pem ubuntu@my-ec2-public

The -i parameter simply tells the ssh client to use this key. The ~/.ssh/config file is ideal for automatically configuring the key to use when connecting to the ec2 host.

Host my-ec2-public
   Hostname ec2???.compute-1.amazonaws.com
   User ubuntu
   IdentityFile ~/.ssh/my-ec2-key.pem

15. Editing text files with VIM over ssh/scp

For all vim lovers this tip will save time. With vim, files are edited over scp with a single command. This method simply creates the file locally in /tmp and then copies it back once we have saved it in vim.

localhost:~$ vim scp://user@remoteserver//etc/hosts

Note: the format is slightly different from the usual scp. After the host we have a double //. This is a reference to the absolute path. A single slash would indicate a path relative to the user's home folder.

**warning** (netrw) cannot determine method (format: protocol://[user@]hostname[:port]/[path])

If you see this error, double-check the format of the command. It usually means a syntax error.

16. Mounting a remote SSH location as a local folder with SSHFS

With the help of sshfs, an ssh file system client, we can mount a remote location onto a local directory, with all file interaction taking place in an encrypted ssh session.

localhost:~$ apt install sshfs

Install the sshfs package on Ubuntu and Debian, then simply mount the remote location onto our system.

localhost:~$ sshfs user@remoteserver:/media/data ~/data/

17. SSH multiplexing with ControlPath

By default, when there is already an ssh connection to a remote server, a second connection with ssh or scp establishes a new session with additional authentication. The ControlPath option allows the existing session to be used for all subsequent connections. This speeds things up significantly: the effect is noticeable even on a local network, and even more so when connecting to remote resources.

Host remoteserver
        HostName remoteserver.example.org
        ControlMaster auto
        ControlPath ~/.ssh/control/%r@%h:%p
        ControlPersist 10m

ControlPath specifies the socket that new connections check to see whether an active ssh session already exists. The last option means that even after you exit the console, the existing session stays open for 10 minutes, so during that time you can reconnect over the existing socket. For more information see the ssh_config man page.

18. Streaming video over SSH with VLC and SFTP

Even long-time users of ssh and vlc (Video Lan Client) are not always aware of this convenient option when you really need to watch a video over the network. In the vlc menu File | Open Network Stream you can enter a location as sftp://. If a password is required, a prompt will appear.

sftp://remoteserver//media/uploads/myvideo.mkv

19. Two-factor authentication

The same two-factor authentication as for your bank account or Google account works for the SSH service.

Of course, ssh has had two-factor authentication from the beginning, namely a password plus an SSH key. The advantage of a hardware token or the Google Authenticator app is that it is usually a separate physical device.

See our 8-minute guide to using Google Authenticator with SSH.

20. Jump hosts with ssh and -J

If network segmentation means you have to hop through several ssh hosts to reach the final destination network, the -J shortcut will save you time.

localhost:~$ ssh -J host1,host2,host3 user@host4

The main thing to understand here is that this is not the same as ssh host1, then user@host1:~$ ssh host2, and so on. The -J option cleverly uses forwarding so that the local host establishes the session with the next host in the chain. So in the example above our localhost is authenticated to host4. That is, our localhost keys are used, and the session from localhost to host4 is fully encrypted.

To make this possible in ssh_config, specify the ProxyJump configuration option. If you regularly have to pass through several hosts, then automating it in the configuration will save a lot of time.

21. Blocking SSH brute force attempts with iptables

Anyone who runs an SSH service and looks at the logs knows about the number of brute force attempts that happen every hour of every day. A quick way to reduce the noise in the log is to move SSH to a non-standard port. Make the change in the sshd_config file with the Port ## configuration parameter.

With iptables you can also easily block connection attempts to the port once a certain threshold is reached. An easy way to do this is to use OSSEC, because it not only blocks SSH but also does a whole range of other host-based intrusion detection (HIDS) tasks.
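The detection half of this section is straightforward to show in code. The Python below is an added example (not from the article) that runs over constructed sshd log lines in the syslog format of /var/log/auth.log: it counts failed password attempts per source address in a sliding window, flags addresses that cross a threshold, and emits the corresponding per-source iptables DROP rules. It also produces the pair of xt_recent rules that do the same rate limiting in the kernel without any log parser. The log lines, addresses, thresholds and the SSH list name are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  4 10:15:01 remoteserver sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2
Mar  4 10:15:03 remoteserver sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 50212 ssh2
Mar  4 10:15:04 remoteserver sshd[2106]: Failed password for root from 198.51.100.23 port 50213 ssh2
Mar  4 10:15:06 remoteserver sshd[2107]: Failed password for root from 198.51.100.23 port 50214 ssh2
Mar  4 10:15:09 remoteserver sshd[2109]: Failed password for invalid user oracle from 198.51.100.23 port 50215 ssh2
Mar  4 10:15:10 remoteserver sshd[2110]: Accepted publickey for neo from 192.0.2.7 port 41022 ssh2
Mar  4 10:16:40 remoteserver sshd[2115]: Failed password for neo from 192.0.2.7 port 41030 ssh2
Mar  4 10:40:00 remoteserver sshd[2140]: Failed password for root from 203.0.113.9 port 60001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed password attempt.
    Classic syslog lines carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_brute_force(log_text, threshold=4, window=timedelta(minutes=1)):
    """Flag any source IP with `threshold` or more failures inside a sliding window.
    Returns {ip: failures_in_window_at_the_moment_it_was_flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


def block_rules(ips, port=22):
    """Reactive per-source DROP rules for the flagged addresses."""
    return ["iptables -A INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port) for ip in sorted(ips)]


def rate_limit_rules(port=22, seconds=60, hitcount=4):
    """Kernel-side equivalent with the xt_recent match: the first rule records every
    new connection to the port in a list named SSH, the second drops a source once
    it has opened `hitcount` connections within `seconds`."""
    base = ("iptables -A INPUT -p tcp --dport %d -m conntrack --ctstate NEW "
            "-m recent --name SSH" % port)
    return [base + " --set",
            base + " --update --seconds %d --hitcount %d -j DROP" % (seconds, hitcount)]


if __name__ == "__main__":
    offenders = find_brute_force(SAMPLE_LOG)
    print("flagged:", offenders)
    print("\n".join(block_rules(offenders)))
    print("\n".join(rate_limit_rules()))
```

In the sample, only 198.51.100.23 crosses the threshold (five failures in eight seconds); the single failure from the legitimate user and the lone attempt from 203.0.113.9 are left alone, which is the property to tune for before automating blocks. Whichever approach you use, keep your own management addresses out of the blocking rules or you will lock yourself out with one mistyped password.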

22. SSH escape to change port forwarding

And our last ssh example is for changing port forwarding on the fly within an existing ssh session. Imagine this scenario. You are deep inside a network; perhaps you have jumped through half a dozen hosts and need a local port on your workstation forwarded to Microsoft SMB on an old Windows 2003 system (anyone remember ms08-67?).

After pressing enter, try typing ~C in the console. This is a session control sequence that allows changes to be made to the existing connection.

localhost:~$ ~C
ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward
ssh> -L 1445:remote-win2k3:445
Forwarding port.

Here you can see that we forwarded our local port 1445 to the Windows 2003 host we found on the internal network. Now just run msfconsole and you can carry on (assuming you plan to use this host).

Conclusion

These ssh examples, tips and commands should give you a starting point; more information on each command and feature is available in the man pages (man ssh, man ssh_config, man sshd_config).

I have always loved the ability to reach systems and run commands anywhere in the world. By developing your skills with tools like ssh you will be more effective in whatever game you play.

Source: www.habr.com