Indlela ukulungisa usebenzise SSH port? Inyathelo ngu step guide

Qinisekisa Shell, okanye zishunqulelwe njengoko Ssh, yenye iiteknoloji yokhuseleko data kakhulu obubalaseleyo ugqithiso. Ukusetyenziswa kolawulo enjalo phezu umzila efanayo ivumela kuphela ekhusini iinkcukacha ngesini, kodwa ukukhawulezisa utshintshiselwano iipakethi. Noko ke, asingabo bonke Uyazi ukuba ukuvula izibuko Ssh, yaye kutheni konke oku kuyimfuneko. Kule meko kuyimfuneko ukuba ukunika ingcaciso eyakhayo.

Port SSH: yintoni yaye kutheni kufuneka nathi?

Ekubeni sithetha ngokhuseleko, kulo mzekelo, phantsi nezibuko ssh ziqondwe channel abazinikeleyo ngohlobo kwitonela, esibonelela encryption data.

Iskim kakhulu abangekaphuhli yale Itonela ukuba an open ssh-izibuko isetyenziswa kokungagqibekanga ikhowudi data kwi umthombo kunye khowudi yasiwa kumbhalo phezu sokugcina. Oku kuchazwa ngale ndlela ilandelayo: uthanda ukuba okanye hayi, idluliselwe izithuthi, ngokungafaniyo IPSec, zombhalo phantsi nangokunyanzelwa kunye imveliso yesiphelo sendlela uthungelwano, kwaye kwicala ukwamkelwa komnyango. Ukungafihli inkcazelo ethunyelwe kulo mzila, i-terminal abafumana isebenzisa isitshixo okhethekileyo. Ngamanye amazwi, ukuba angenelele kukhutshelo okanye esichengeni ukuthembakala data ezosulela ngalo mzuzu umntu akakwazi ngaphandle iqhosha.

lokuvula Ssh-izibuko nje nawuphi na umzila okanye usebenzisa izicwangciso ezifanelekileyo ze umxhasi ezongezelelweyo isebenzisana ngqo ne ssh-server, ikuvumela ukuba usebenzise ngokupheleleyo zonke iimpawu lweenkqubo zokhuseleko womnatha mihla. Silapha ukuba usebenzise indlela ethekwini wabelwa kokungagqibekanga okanye isiko useto. Ezi parameters kwi sicelo ingajongeka nzima, kodwa ngaphandle ukuqonda lombutho uqhagamshelwano olunjalo akwanelanga.

Standard SSH port

Ukuba, eneneni, ezisekelwe phezu Ipharamitha kakubani na umzila kufuneka kuqala ukumisela umyalelo, hlobo luni software iya kusetyenziselwa isebenze eli khonkco. Enyanisweni, i ssh izibuko engagqibekanga kunokuba izicwangciso ezahlukeneyo. Yonke into ixhomekeke koko indlela elisetyenziswe ngalo mzuzu (uqhagamshelwano ngqo kumncedisi, ukufaka ezongezelelweyo ukudlulisa client zibuko njalo njalo. D.).

Umzekelo, ukuba client kusetyenziswa Jabber, kuba uxhulumaniso ezichanekileyo, encryption, kwaye ugqithiselo lweengcombolo port 443 ukuba kusetyenziswa, nangona lwalo bunikwa kwi zibuko standard 22.

Ukuseta ngokutsha umzila ukuba isetyenziswe ekuthengeni izinto zenkqubo ethile okanye ukusebenza iimeko eziyimfuneko kufuneka enze kwizibuko phambili SSH. Yintoni na? Yeyona ngenjongo yokungena ngokukodwa inkqubo eyodwa esebenzisa loxhulumaniso lwe Internet, kungakhathaliseki ukuba ngubani Ukumiswa yangoku protocol kutshintshiselwano lweenkcukacha (IPv4 okanye IPv6).

isizathu technical

Standard port Ssh 22 akusoloko kusetyenziswa njengoko kwakusele ngokucacileyo. Noko ke, nantsi kuyimfuneko kulwabiwo ezinye iimpawu kunye nezicwangciso kusetyenziswa ngexesha nokusetha.

Kutheni Encryption data yimfihlo protocol kubandakanya ukusetyenziswa SSH njengoko onombono bangaphandle (yeendwendwe) port umsebenzisi? Kodwa ngenxa yokuba Tunneling umntu balusebenzisa ivumela ukusetyenziswa kwiqokobhe kuthiwa-kude (SSH), ukuba bafumane ulawulo yesiphelo ngokusebenzisa ngemvume kude (slogin), kwaye kusebenza umgaqo-nkqubo ikopi ekude (uMcwangcisi wezeKharityhulam oyiNtloko).

Ukongeza, ssh-izibuko isebenze kwimeko apho umsebenzisi kuyimfuneko ukwenza iincwadi zeempendulo ezisemagqagaleni X Windows, kwimeko elula ukudlulisela ulwazi kwimatshini ukuya kwenye, njengokuba kuthiwe, kunye ngesinyanzelo ufihlo data. Kwiimeko ezinjalo, ezibaluleke aya kusebenzisa esekelwe AES algorithm. Le ufihlo algorithm twatsa, olwanikwa ekuqaleni kubuchwepheshe SSH. Kwaye usebenzise kunokwenzeka oko nje kuphela kodwa kuyimfuneko.

History of the ukuqonda

liyavela iteknoloji ixesha elide. Makhe ushiye bucala umbuzo ukuba ukwenza njani icing ssh port, kwaye zijoliswe kule ngemisebenzi ngayo bonke.

Ngokuqhelekileyo kufikwa phantsi, ukusebenzisa proxy ngenxa zeekawusi okanye sebenzisa VPN Lwe. Kwimeko ethile isicelo software bangasebenza VPN, kungcono ukuba ukhetha olu khetho. Inyaniso yokuba iinkqubo phantse zonke ezaziwayo namhlanje basebenzisa izithuthi Internet, i VPN angasebenza, kodwa uqwalaselo umzila ngokulula ayikho. Oku, njengoko kunjalo abancedisi beproxy, ivumela ukuba ushiye idilesi yangaphandle ye-terminal apho ngoku yenziwa kuthungelwano kwimveliso lwabhalwa. Oko kunjalo idilesi proxy isoloko itshintsha, yaye VPN version ihlala ingatshintshanga kunye ngundaba lommandla othile, ngaphandle kwalowo apho kukho ukuvalwa ukufikelela.

Ubuchwepheshe obufanayo kakhulu unika SSH port, yaphuhliswa ngo-1995 i-University of Technology e Finland (ssh-1). Ngowe-1996, uphuculo ziye zafakwa uhlobo lwe ssh-2 protocol, leyo kakhulu ngokubanzi kwisithuba post-eSoviet, nangona oku, kwakunye kwamanye amazwe eNtshona Yurophu, ngamanye amaxesha kuyimfuneko ukufumana imvume yokusebenzisa le etoneleni, kwaye ukusuka arhente zikarhulumente.

Inzuzo ephambili aphalaze ssh-izibuko, ngokuchaseneyo Telnet okanye rlogin, kukusetyenziswa umsayino wedijithali RSA okanye DSA (ukusetyenziswa ngeembadada evulekileyo kwaye isitshixo bamngcwaba). Ngaphezu koko, kule meko ungasebenzisa ekuthiwa iqhosha Iseshoni esekelwe Diffie-Hellman algorithm, nto leyo ibandakanya ukusetyenziswa imveliso twatsa ufihlo, nangona akukuthinteli ukusetyenziswa ubuchule yezi ufihlo ngexesha ukudluliswa kwedatha yolwamkelo ngomnye matshini.

Aphambili kunye shell

Kwi Windows okanye Linux SSH-izibuko evulekileyo ayikho nzima kangaka. Umbuzo kuphela, yintoni uhlobo izixhobo ukulungiselela le njongo iza kusetyenziswa.

Ngale ndlela ke kuyimfuneko ukuba banikele ingqalelo umba yokosulela ulwazi ungqinisiso. Okokuqala, lo protocol ngokwayo ngokwaneleyo ikhuselwe ekuthiwa isezele, nto leyo i "wiretapping" eyona njengesiqhelo kwezithuthi. Ssh-1 kwaba sengozini kuhlaselo. Ungenelelo kwinkqubo yokunikezela data ngohlobo yenkqubo 'komntu embindini "saba neziphumo zayo. Nkcazelo komisa ngokulula kwaye ukuwuqonda kakhulu sabaqalayo. Kodwa version yesibini (ssh-2) iye banawo lo hlobo luni na longenelelo ngoncedo, olwaziwa ngokuba session imoto, ngenxa yintoni na kakhulu ethandwa.

uvala ukhuseleko

Yona ke ukhuseleko ngokunxulumene data zisasazwe kwaye zifunyanwe, umbutho lonxibelelwano esekwe kunye nokusetyenziswa kobugcisa enjalo kuvumela siphephe iingxaki zilandelayo:

• iqhosha lokwazisa kwi nginginya kwi inyathelo transmission, xa "okhawulezayo» fingerprint;
• Inkxaso for Windows kunye neenkqubo UNIX-ezifana;
• endaweni ye IP kunye needilesi DNS (spoofing);
• intercepting lokugqitha evulekileyo kunye ufikelelo ngokwasemzimbeni isiteshi data.

Eneneni, umbutho lonke nkqubo yakhelwe umgaqo "uhanjiselo-server", oko kukuthi, kuqala kwiinto zonke ikhompyutha lomsebenzisi ngokusebenzisa inkqubo ekhethekileyo okanye iminxeba add-in kumncedisi, nto leyo yenza ukuqondisa ahambelanayo.

Lwe

Ayisafuni nakucaciswa yona into yokuba ukuphunyezwa uqhagamshelwano ngale ndlela e umqhubi ekhethekileyo kufuneka sifakwe kwisixokelelwano.

Ngokuqhelekileyo, kwiinkqubo-based Windows yakhiwe singene umqhubi inkqubo iqokobhe Microsoft Teredo, nto leyo uhlobo virtual we AT ulinganiso esebenzisa IPv6 e networks axhasayo IPv4 kuphela. iadaptha itonela Ngokungagqibekanga iyasebenza. Xa kuthe ukusilela ezinxulumene nayo, ungenza nje inkqubo qala okanye enze ngokucima ze uqale kwakhona imiyalelo evela umyalelo console. Ukuyekisa imigca ezinjalo asetyenziswa:

• netsh;
• interface teredo iseti karhulumente ukhubaze;
• interface isatap ebekwe zikarhulumente zikhubaziwe.

Emva kokungena umyalelo kufuneka uqale. Ukuze kwakhona ukuba zombini kwaye ukhangele ubume bakhubazeke endaweni imvume iirejista yenziwe, emva koko, kwakhona, kufuneka uqale inkqubo iphela.

SSH-server

Ngoku makhe sibone indlela uthotho ssh lisetyenziswa undoqo, ukuqala kwiskim "uhanjiselo-server '. Ukungagqibeki sidla isicelo 22 imizuzu port, kodwa, njengoko kukhankanyiwe ngasentla, ingasetyenziswa kunye 443rd. Umbuzo kuphela akukhethayo umncedisi ngokwayo.

I-Ssh-abancedisi kakhulu eqhelekileyo kuthathwa ukuba iya kuba yile ilandelayo:

• for Windows: Tectia SSH Server, OpenSSH kunye Cygwin, MobaSSH, KpyM Telnet / Umncedisi Ssh, WinSSHD, copssh, freeSSHd;
• ngokuba FreeBSD: OpenSSH;
• Linux: Tectia SSH Umncedisi, ssh, openssh-server, lsh-server, dropbear.

Zonke iiseva akhululekile. Kodwa ke, ungakwazi ukufumana ize ihlawulwe ngeenkonzo ezibonelela amanqanaba nakakhulu wokhuseleko, apho kungenxa kubalulekile ukuba lombutho yothungelwano kunye nokhuseleko ulwazi kumashishini. Iindleko zeenkonzo akwenziwanga kuxoxwe. Kodwa ngokubanzi sinokuthi ukuba ayibizi, nkqu kuthelekiswa ukufakelwa software eyodwa okanye "iintsimbi" firewall.

SSH-client

Tshintsha SSH port zingenziwa kwi ngokwesiseko inkqubo client okanye izicwangciso ezifanelekileyo xa kwizibuko ukudlulisela kumzila wakho.

Noko ke, ukuba umchukumise iqokobhe umxhasi, iimveliso software ilandelayo ingasetyenziselwa kwiinkqubo ezahlukeneyo:

• Windows - SecureCRT, PuTTY \ Kitty, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD etc;..
• Mac OS X: iTerm2, vSSH, NiftyTelnet SSH;
• Linux BSD: lsh-client, kdessh, openssh-client, Vinagre, putty.

Ububhali isekelwe isitshixo sikawonke, kwaye utshintshe i zibuko

Ngoku amagama ambalwa malunga nendlela ukuqinisekisa ucwangcisa umncedisi. Kwimeko kwecacileyo, kufuneka usebenzise yoqwalaselo lwefayile (sshd_config). Noko ke, unako ukwenza ngaphandle, umzekelo, kwimeko iinkqubo ezifana PuTTY. Tshintsha SSH port ukusuka ixabiso elisisiseko (22) kuwo nawuphi na omnye nto iyevakala ngokupheleleyo.

Eyona nto ibalulekileyo - ukuvula inani lezibuko ayidluli ixabiso kwe65535 (amazibuko eziphezulu nje azikho kwindalo). Ukongeza, kufuneka sinikele ingqalelo kwezinye amazibuko avulekileyo eyenziwe ngokungagqibekange, nabanako osebenziswe ngabaxhasi ezifana I SQL yam okanye FTPD zolwazi. Ukuba awukhankanyi nabo ssh uqwalaselo, Kakade ke, ukuba uyeke nje ukusebenza.

Kubangel 'umdla ukwazi ukuba Jabber umxhasi efanayo kufuneka yayibaleka imvelo efanayo lokusebenaisa i ssh-server, umzekelo, kwi kumatshini onesiqhamo. Kwaye localhost kakhulu umncedisi kuya kufuneka ukuba zinyule ixabiso 4430 (endaweni 443, njengoko kuchaziwe apha ngasentla). Le uqwalaselo ingasetyenziswa xa ufikelelo kwi jabber.example.com engundoqo ifayile ivalwe firewall.

Kwelinye icala, amazibuko transfer kuba phezu umzila usebenzisa uqwalaselo zojongano yayo kunye nokudalwa ukuxolelwa imithetho. Xa imifanekiso ezininzi igalelo ngokusebenzisa iidilesi igalelo eqala nge 192,168 neyongezelelwe 0.1 okanye 1.1, kodwa imizila yokudibanisa ubunakho ADSL-imodem ezifana Mikrotik, idilesi isiphelo kubandakanya ukusetyenziswa 88,1.

Kulo mzekelo, ukwenza umthetho omtsha, ngoko wabeka parameters kuyimfuneko, umzekelo, ukufaka uqhagamshelwano lwangaphandle DST-mimoya, kwakunye bengengabo amazibuko ngesandla emiselweyo phantsi useto jikelele kwaye kwicandelo zokulwa ozikhethayo (Action). kakhulu Akukho okunzima apha. Eyona nto ibalulekileyo - ukucacisa imilinganiselo efunekayo ye izicwangciso ze ukucwangcisa izibuko echanekileyo. Ngokunga gqibekanga, ungasebenzisa kwizibuko 22, kodwa ukuba umthengi usebenzisa okhethekileyo (ezinye i ngasentla kwiinkqubo ezahlukeneyo), ixabiso zingatshintshwa nakanjani na, kodwa kuphela ukuba le parameter ayidluli ixabiso wathi, ngasentla apho amanani ezibuko nje ayifumaneki.

Xa ufaka i uxhulumaniso Kwakhona kufuneka sinikele ingqalelo parameters zenkqubo client. Kusenokuba kakuhle ukuba izigcwangciso zayo kufuneka ukhankanye ubude Ubuncinane isitshixo (512), nangona kungagqibekanga idla ukubeka 768. Kwakhona enqwenelekayo ukucwangcisa lexesha ukuba ungene kwi-kwinqanaba imizuzwana 600 kunye imvume ufikelelo olusisiseko kunye namalungelo ingcambu. Emva ekusebenziseni ezi zicwangciso, kufuneka kwakhona avumele ukusetyenziswa onke amalungelo ungqinisiso, ngaphandle kwezo zisekelwe ekusetyenzisweni .rhost (kodwa kuyimfuneko kuphela abalawuli system).

Phakathi kwezinye izinto, ukuba igama lomsebenzisi obhalisiweyo kule nkqubo, hayi enye yaqaliswa ngalo mzuzu, kufuneka lingakhankanywa ngokukwekwa usebenzisa i umsebenzisi umyalelo ssh inkosi kunye nokuqaliswa ezongeziweyo iparameters (abo ukuqonda ukuba yintoni na busengozini).

Iqela ~ / .ssh / id_dsa zingasetyenziswa lokutshintsha isitshixo kunye indlela ufihlo (okanye RSA). Ukudala umntu onesitshixo sakhe sikawonke esetyenziswa yi ukuguquka ngokusebenzisa umgca ~ / .ssh / identity.pub (kodwa akunyanzelekanga). Kodwa ke, njengokuba kusenziwa imiboniso, indlela elula yokusebenzisa imiyalelo efana ssh-keygen. Apha umongo umba lifinyele kuphela Eneneni, ukongeza isitshixo izixhobo uqinisekiso ekhoyo (~ / .ssh / authorized_keys).

Kodwa siye sagabadela kakhulu. Ukuba ubuyele kumba izicwangciso yezibuko Ssh, njengokuba kuye kwacaca utshintsho ssh izibuko akunzima. Noko ke, kwezinye iimeko, bathi, kuya kufuneka ukubila, kuba kufuneka athathe ingqalelo onke amaxabiso key iparameters. Ezinye umba loqwalaselo amathumba phantsi ekungeneni nayiphi iseva okanye iklayenti inkqubo (ukuba kubonelelwa ekuqaleni), okanye ukuba usebenzise isibuko ukudlulisela kwi umzila. Kodwa xa kukho inguqu uyezibuko 22, kungagqibekanga, ukuya 443rd efanayo, kufuneka iqondwe ngokucacileyo ukuba ulungiselelo olo alusoloko lusebenza, kodwa kuphela xa kwimeko kokufaka wokongeza i-in efanayo Jabber (nezinye analogs ungayenza naphi kunye namazibuko zabo, yohluka ukusuka standard). Ukongeza, ingqalelo ekhethekileyo kufuneka banikwe parameter sentlalo SSH-client, nto leyo eya kusebenza ngqo ne ssh-server, ukuba bekumele ngokwenene ukusebenzisa udibaniso yangoku.

Ke bona abanye, ukuba phambili zibuko unganikezelwanga ekuqaleni (nangona kuyanqweneleka ukwenza iintshukumo ezifana), izicwangciso kunye ukufikelela nge SSH iinketho, awukwazi ukutshintsha. Apho naziphi na iingxaki xa kudalwa uqhagamshelwano, kunye nokusetyenziswa kwayo ngakumbi, ngokubanzi, kungalindelekanga (ngaphandle kokuba, kakade, ayiyi kusetyenziswa ngesandla ungaqwalasela server-based loqwalaselo kunye client). Le Niyazi ukuba indalo lwemithetho kwi zendlela iqhelekileyo ikuvumela ukuba alungise naziphi na iingxaki okanye ukuziphepha.