Play with Huawei ENSP simulator series | examples of configuring SSH server to support access to other port numbers

Source: Huawei router configuration guide

Organize the test notes while learning and share with you. Infringement is deleted. Thank you for your support!

Attach summary sticker: COCOgsta blog_ CSDN blog - video learning notes, experimental notes, translation bloggers

target

In this example, only legitimate users can establish SSH connection by setting the listening port number of ssh server to other port numbers.

Networking requirements

The standard listening port number of SSH protocol is 22. If an attacker continuously accesses the standard port, the bandwidth and server performance will continue to decline, resulting in other normal users unable to access.

Set the listening port number of the ssh server to other port numbers. The attacker does not know the change of the SSH listening port number and still sends the socket connection with the standard port number 22. The ssh server detects that the requested connection port number is not the listening port number, so the socket connection is not established.

In this way, only legitimate users can establish socket connection by using the non-standard listening port set by ssh server, and carry out the process of SSH protocol version number negotiation, algorithm negotiation, session key generation, authentication, session request, session stage and so on.

Configuration ideas

  • Configure the users client001 and client002 on the SSH server and log in to the SSH server using different authentication methods.
  • The local key pair is generated at the client 002 of the STelnet client and the ssh server respectively, and the RSA public key of the SSH client is bound for the user client 002 to verify the client when the client logs in to the server.
  • SSH server-side STelnet and SFTP services are enabled.
  • Configure the service mode and authorization directory of SSH users.
  • Configure the SSH server listening port number to enable the client to access the server with other port numbers.
  • The users client001 and client002 log in to the SSH server in the ways of STelnet and SFTP respectively.

Operation steps

  1. Generate local key pair on the server side
SSH Server:
sysname SSH Server
rsa local-key-pair create
  1. Configure server-side RSA public key

The client generates the local key pair of the client

client002:
sysname client002
rsa local-key-pair create

View the RSA public key generated on the client.

[~client002] dis rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
3082010A
  02820101
    00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40
    EC99AF7A 7C14B247 52C618C8 8E1825D5 62B2F267
    FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99
    3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648
    D24C056E E7547BC1 F596DEBB 09B10F8D 1361B5AD
    1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
    9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5
    53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
    DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A
    228FF048 18E4FD46 8C1A128F 14761DC3 E939B4F1
    2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8
    AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C
    3CDDD288 29648FFA F4C963D7 2F622981 83
  0203
    010001
                
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwU
skdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpk
AruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQw
uPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2
tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG
+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwUskdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpkAruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQwuPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD rsa-key
Host public key for SSH1 format code:
2048 65537 29306627283638245027301637315280770431415530389244244975230531145561759626104057970787610929852299674051395034571703345660143794244307882155154183686531050878005010504329393633643469936953292070720937043694787072356480898127877140144815696800882401273992857152377313067297762846394698713180419093593469245126220992027251595773791728199966720913069181242916745109496146151516479321425637311898828414799574285972911331742416528185408208809863571790947427202191938582337262508462023617308198414038686321260976602728478298553565503910030065605290194687201091479154797244037233152226680632686743021553740244651535856402819
======================Server Key========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3081B9          
  0281B1
    009BA1EB 31436F37 BC8D0209 5B316C22 468A2C5F
    B7354FF4 2EF2BD23 7F60D6C1 9F731BA9 004F77E7
    6713AD7D A9367413 E308FA7A 86B3379F 6CEF8D99
    5CA7873F 023E806B 0FA6234D 80DC8C07 4069C284
    C37E66BE 16B58A3F 6A0A74C8 BA3C0995 7FDF76C7
    9D09A126 F1CD89B6 EBFD6EE3 521DC175 5FEC0163
    E13D7D5A 84A41C6E 3DEC9FFB D338CEC1 0A8FEE6E
    7FAF56BA 66EF7F3A 2580DC1E 2B752B44 0BD94C15
    BED635E3 501074E2 070F970A 4D1D5332 75
  0203
    010001
[~client002]  

Transfer the RSA public key generated on the client to the server.

SSH Server:
rsa peer-public-key rsakey001
 public-key-code begin
 3082010A
  02820101
    00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A 7C14B247 52C618C8
    8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99 3316A3D4
    EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1 F596DEBB 09B10F8D
    1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754 9430B8FA E28B57AA
    C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
    DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048 18E4FD46 8C1A128F
    14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8 AA04AC81
    BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA F4C963D7 2F622981
    83
  0203
    010001
 public-key-code end
 peer-public-key end
  1. Create SSH user on server side

Configure VTY user interface.

SSH Server:
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh

Create SSH user Client001.

Create a new SSH user with the user name Client001 and the authentication method is password.

SSH Server:
ssh user client001
ssh user client001 authentication-type password

Configure the password for SSH user Client001 as hello Huawei 123.

SSH Server:
aaa
 local-user client001 password irreversible-cipher $1c$TYH4FuMpqC$E_FcCVX\`<<l=l/_.X1BNE"8ESc(w5.Px2<7AC"N$
 local-user client001 service-type ssh

Configure the service mode of Client001 as STelnet.

SSH Server:
ssh user client001 service-type stelnet

Create SSH user Client002.

Create a new SSH user with the user name Client002 and the authentication method is RSA, and bind the RSA public key of the SSH client.

SSH Server:
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001

Configure the service mode of Client002 as SFTP and configure the authorization directory for it.

SSH Server:
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:
  1. SSH server-side Stelent and SFTP service enable
SSH Server:
stelnet server enable
sftp server enable
  1. Configure the new listening port number of SSH server
SSH Server:
ssh ipv4 server port 1025
ssh ipv6 server port 1025

SSH client connects to ssh server

For the first login, you need to enable the first authentication function of SSH client.

Enable the first authentication function of client Client001.

clien001:
sysname client001
ssh client first-time enable

Enable client Client002 first authentication function

client002:
ssh client first-time enable

The STelnet client connects to the SSH server with the new port number.

[~client001]stelnet 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
Please input the username: client001
Enter password: 
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online i
s 1, and total number of terminal users online is 2.
      The current login time is 2019-10-23 15:15:23.
      First login successfully.
<SSH Server>

The SFTP Client connects to the SSH server with the new port number.

[~client002]sftp 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: client002
sftp-client>
  1. Check configuration results

The attacker cannot successfully access the SSH server with the original port number 22.

[~client002]sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
[~client002]

After the configuration is completed, execute the display ssh server status command and display ssh server session command on the SSH server side to view the current listening port number of the SSH server side, and the STelnet client or SFTP Client has successfully connected to the SSH server.

View SSH status information.

[~SSH Server]dis ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server keepalive                       : Enable
SFTP IPv4 server                           : Enable
SFTP IPv6 server                           : Enable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Disable
SNETCONF IPv6 server                       : Disable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Disable
SCP IPv6 server                            : Disable
SSH server DES                             : Disable
SSH IPv4 server port                       : 1025
SSH IPv6 server port                       : 1025
SSH server source address                  : 0.0.0.0
SSH ipv6 server source address             : 0::0
SSH ipv6 server source vpnName             : 
ACL name                                   : 
ACL number                                 : 
ACL6 name                                  : 
ACL6 number                                : 
SSH server ip-block                        : Enable

View the connection information of SSH server.

[~SSH Server]  dis ssh server session
--------------------------------------------------------------------------------
Session                                 : 1
Conn                                    : VTY 0
Version                                 : 2.0
State                                   : Started
Username                                : client001
Retry                                   : 1
CTOS Cipher                             : aes256-ctr
STOC Cipher                             : aes256-ctr
CTOS Hmac                               : hmac-sha2-256
STOC Hmac                               : hmac-sha2-256
CTOS Compress                           : none
STOC Compress                           : none
Kex                                     : diffie-hellman-group14-sha1
Public Key                              : ECC
Service Type                            : stelnet
Authentication Type                     : password
Connection Port Number                  : 1025
Idle Time                               : 00:01:49
Total Packet Number                     : 30
Packet Number after Rekey               : 30
Total Data(MB)                          : 0
Data after Rekey(MB)                    : 0
Time after Session Established(Minute)  : 2
Time after Rekey(Minute)                : 2
Session                                 : 2
Conn                                    : SFTP 0
Version                                 : 2.0
State                                   : Started
Username                                : client002
Retry                                   : 1
CTOS Cipher                             : aes256-ctr
STOC Cipher                             : aes256-ctr
CTOS Hmac                               : hmac-sha2-256
STOC Hmac                               : hmac-sha2-256
CTOS Compress                           : none
STOC Compress                           : none
Kex                                     : diffie-hellman-group14-sha1
Public Key                              : ECC
Service Type                            : sftp
Authentication Type                     : rsa
Connection Port Number                  : 1025
Idle Time                               : 00:00:38
Total Packet Number                     : 16
Packet Number after Rekey               : 16
Total Data(MB)                          : 0
Data after Rekey(MB)                    : 0
Time after Session Established(Minute)  : 0
Time after Rekey(Minute)                : 0
--------------------------------------------------------------------------------
[~SSH Server] 

 

Tags: ssh server

Posted by Plakhotnik on Sat, 21 May 2022 03:47:33 +0300