Source: Huawei router configuration guide
Study notes compiled while working through the Huawei documentation, from COCOgsta's CSDN blog (video learning notes, lab notes and translations).
Objective
In this example the SSH server is moved from TCP port 22 to a non-standard listening port, so that clients which do not know the new port cannot even open a TCP connection to the service. Be clear about what this does and does not buy: it cuts the noise from opportunistic scanners and brute-force bots that only try port 22, but it is obscurity, not authentication. Anyone who port-scans the device finds the new port (an SSH server announces itself with its version string on whatever port it listens on), so the controls that actually decide who gets in remain the AAA user configuration and the client public-key binding configured below, together with a source-address ACL and the login lockout (ip-block) whose state is shown by display ssh server status.
Networking requirements
The standard SSH listening port is TCP 22. If an attacker keeps hammering the standard port (connection floods, password guessing), the bandwidth and CPU consumed by half-open connections and failed authentications degrade the server until legitimate users can no longer get in.
The listening port of the SSH server is therefore changed to a non-standard port. An attacker who is unaware of the change still sends TCP connection requests to port 22. Nothing listens there any more, so the TCP handshake is refused and no SSH session is ever started. This protection lasts only as long as the attacker does not know the new port; a scan of the port range will reveal it.
Legitimate users who know the non-standard port open the TCP connection to it and then run through the normal SSH exchange: protocol version negotiation, algorithm negotiation, key exchange and session-key generation, authentication, session request, and the interactive session itself.
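As an added illustration (not part of the Huawei document), the following Python script plays the attacker's side of the scenario. A throwaway loopback listener stands in for the relocated SSH server on an OS-chosen port (its banner is constructed, not a real VRP string), and a banner-grabbing scan of a port window plus port 22 locates it anyway, because RFC 4253 obliges the server to send its version string before any authentication. This is why the port change is layered on top of the AAA, key-binding and ACL controls rather than replacing them.

```python
import socket
import threading

# Constructed stand-in banner; a real VRP server sends its own "SSH-2.0-..." string.
FAKE_BANNER = b"SSH-2.0-fake_relocated_server\r\n"


def start_fake_ssh_server():
    """Listen on an OS-chosen loopback port (the 'non-standard port'), send an
    SSH version string to every client, then hang up.
    Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice stop()
    stop_event = threading.Event()

    def loop():
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:      # listener closed by stop()
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=loop, daemon=True).start()

    def stop():
        stop_event.set()
        srv.close()

    return srv.getsockname()[1], stop


def grab_banner(host, port, timeout=0.5):
    """First line the service volunteers, or None if the port is closed or
    silent. An SSH server must send its version string before anything else,
    so no credentials are needed to identify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except OSError:              # ECONNREFUSED, timeout, unreachable ...
        return None
    if not data:
        return None
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def find_ssh_ports(host, ports):
    """Return [(port, banner)] for every port that identifies itself as SSH."""
    hits = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner and banner.startswith("SSH-"):
            hits.append((port, banner))
    return hits


def demo():
    """Relocate the server, then scan a window of ports plus 22 for it."""
    port, stop = start_fake_ssh_server()
    try:
        window = [22] + list(range(port - 3, port + 4))
        return port, find_ssh_ports("127.0.0.1", window)
    finally:
        stop()


if __name__ == "__main__":
    real_port, found = demo()
    print("server listens on", real_port, "-> scan found", found)
```

The scan window is kept small so the script runs in well under a second; a real scanner walks the whole 1025-65535 range, which is exactly the range a relocated VRP SSH port lives in.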
Configuration roadmap
- Create the users client001 and client002 on the SSH server, each logging in with a different authentication method (password and RSA public key).
- Generate a local RSA key pair on the STelnet/SFTP client client002 and on the SSH server, and bind the client's RSA public key to the user client002 so that the server can verify the client when it logs in.
- Enable the STelnet and SFTP services on the SSH server.
- Configure the service type and the SFTP authorization directory of the SSH users.
- Configure a non-standard listening port on the SSH server so that clients reach the server on that port instead of 22.
- Log in to the SSH server as client001 over STelnet and as client002 over SFTP.
Procedure
The prompts in the captured output below ([~SSH Server], [~client002]) show the two-stage commit mode of this platform: each configuration block takes effect only after commit, which is omitted from the listings.
- Generate a local key pair on the server

SSH Server:
    sysname SSH Server
    rsa local-key-pair create

- Configure the client's RSA public key on the server
Generate the local key pair on the client.

client002:
    sysname client002
    rsa local-key-pair create

View the RSA public key generated on the client.
[~client002] dis rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
3082010A 02820101 00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A
7C14B247 52C618C8 8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC
FE723F99 3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1
F596DEBB 09B10F8D 1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B
37C2BF7A A5F68CE4 DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048
18E4FD46 8C1A128F 14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383
A186F8A8 AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA
F4C963D7 2F622981 83 0203 010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwU
skdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpk
AruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQw
uPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2
tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG
+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwUskdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpkAruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQwuPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD rsa-key
Host public key for SSH1 format code:
2048 65537 29306627283638245027301637315280770431415530389244244975230531145561759626104057970787610929852299674051395034571703345660143794244307882155154183686531050878005010504329393633643469936953292070720937043694787072356480898127877140144815696800882401273992857152377313067297762846394698713180419093593469245126220992027251595773791728199966720913069181242916745109496146151516479321425637311898828414799574285972911331742416528185408208809863571790947427202191938582337262508462023617308198414038686321260976602728478298553565503910030065605290194687201091479154797244037233152226680632686743021553740244651535856402819
======================Server Key========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3081B9 0281B1 009BA1EB 31436F37 BC8D0209 5B316C22 468A2C5F B7354FF4
2EF2BD23 7F60D6C1 9F731BA9 004F77E7 6713AD7D A9367413 E308FA7A 86B3379F
6CEF8D99 5CA7873F 023E806B 0FA6234D 80DC8C07 4069C284 C37E66BE 16B58A3F
6A0A74C8 BA3C0995 7FDF76C7 9D09A126 F1CD89B6 EBFD6EE3 521DC175 5FEC0163
E13D7D5A 84A41C6E 3DEC9FFB D338CEC1 0A8FEE6E 7FAF56BA 66EF7F3A 2580DC1E
2B752B44 0BD94C15 BED635E3 501074E2 070F970A 4D1D5332 75 0203 010001
[~client002]
Copy the client's RSA public key (the Host Key "Key Code" above) to the server and store it under the name rsakey001. Compare what you paste with the client's display output before binding it: a mistyped key locks client002 out, and a substituted key lets whoever holds the matching private key in.

SSH Server:
    rsa peer-public-key rsakey001
    public-key-code begin
    3082010A 02820101 00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A
    7C14B247 52C618C8 8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC
    FE723F99 3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1
    F596DEBB 09B10F8D 1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
    9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B
    37C2BF7A A5F68CE4 DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048
    18E4FD46 8C1A128F 14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383
    A186F8A8 AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA
    F4C963D7 2F622981 83 0203 010001
    public-key-code end
    peer-public-key end
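Before binding the pasted key, a practitioner wants to be sure that the three forms the client printed (the DER hex Key Code, the OpenSSH authorized_keys line and the SSH1-style decimal line) really are one key, and wants a fingerprint to compare out of band with the client's owner. The following Python script is an added example and not part of the Huawei document: it parses the Key Code as a PKCS#1 RSAPublicKey DER structure, rebuilds the ssh-rsa wire blob from (n, e), checks it against the other two representations copied from the output above, and computes the OpenSSH-style SHA256 fingerprint. Only the standard library is used.

```python
import base64
import hashlib
import struct

# --- Data copied from the "display rsa local-key-pair public" output above ---
# Host Key "Key Code": PKCS#1 RSAPublicKey in DER, printed as hex groups.
VRP_KEY_CODE = """
3082010A 02820101 00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A
7C14B247 52C618C8 8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC
FE723F99 3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1
F596DEBB 09B10F8D 1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B
37C2BF7A A5F68CE4 DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048
18E4FD46 8C1A128F 14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383
A186F8A8 AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA
F4C963D7 2F622981 83 0203 010001
"""
# The authorized_keys line for the same key (base64 split as in the PEM block,
# which carries the identical payload).
VRP_OPENSSH_LINE = "ssh-rsa " + "".join([
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwU",
    "skdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpk",
    "AruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQw",
    "uPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2",
    "tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG",
    "+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD",
]) + " rsa-key"
# The "SSH1 format" line: "<bits> <e> <n>" in decimal.
VRP_SSH1_LINE = "2048 65537 " + "".join([
    "2930662728363824502730163731528077043141553038924424497523053114556175962610405797078761092985229967",
    "4051395034571703345660143794244307882155154183686531050878005010504329393633643469936953292070720937",
    "0436947870723564808981278771401448156968008824012739928571523773130672977628463946987131804190935934",
    "6924512622099202725159577379172819996672091306918124291674510949614615151647932142563731189882841479",
    "9574285972911331742416528185408208809863571790947427202191938582337262508462023617308198414038686321",
    "2609766027284782985535655039100300656052901946872010914791547972440372331522266806326867430215537402",
    "44651535856402819",
])


def _der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def parse_vrp_key_code(key_code):
    """Parse the hex Key Code (RSAPublicKey ::= SEQUENCE {n, e}) into (n, e)."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, body, end = _der_read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _der_read_tlv(body, 0)
    tag_e, e_bytes, pos = _der_read_tlv(body, pos)
    if (tag_n, tag_e) != (0x02, 0x02) or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _mpint(x):
    """RFC 4251 mpint: big-endian two's complement with a length prefix."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(n, e):
    """The wire encoding behind every 'ssh-rsa AAAA...' line (RFC 4253)."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


def openssh_line(n, e, comment="rsa-key"):
    return "ssh-rsa %s %s" % (base64.b64encode(ssh_rsa_blob(n, e)).decode(), comment)


def fingerprint_sha256(n, e):
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_ssh1_line(line):
    bits, e, n = (int(field) for field in line.split())
    return n, e, bits


def cross_check():
    """Do the three representations printed by the device agree?"""
    n, e = parse_vrp_key_code(VRP_KEY_CODE)
    n1, e1, bits = parse_ssh1_line(VRP_SSH1_LINE)
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "openssh_line_matches": openssh_line(n, e) == VRP_OPENSSH_LINE,
        "ssh1_line_matches": (n1, e1, bits) == (n, e, n.bit_length()),
        "fingerprint": fingerprint_sha256(n, e),
    }


if __name__ == "__main__":
    for key, value in cross_check().items():
        print(key, value)
```

The fingerprint is the value to read to the client owner over a channel you trust (or to compare with ssh-keygen -lf on a copy of the authorized_keys line); the hex Key Code itself is far too long to compare by eye, which is how a swapped key slips through.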
- Create the SSH users on the server
Configure the VTY user interfaces to authenticate through AAA and to accept SSH only (Telnet is not permitted on these VTYs).

SSH Server:
    user-interface vty 0 4
    authentication-mode aaa
    protocol inbound ssh

Create SSH user client001.
Create the SSH user client001 with password authentication.

SSH Server:
    ssh user client001
    ssh user client001 authentication-type password

Configure the password for SSH user client001 (given on this page as "hello Huawei 123") and grant the user the SSH service type. The device stores only the irreversible hash shown below, never the plaintext.

SSH Server:
    aaa
    local-user client001 password irreversible-cipher $1c$TYH4FuMpqC$E_FcCVX`<<l=l/_.X1BNE"8ESc(w5.Px2<7AC"N$
    local-user client001 service-type ssh

Configure the service type of client001 as STelnet.

SSH Server:
    ssh user client001 service-type stelnet

Create SSH user client002.
Create the SSH user client002 with RSA authentication and bind the client's RSA public key (rsakey001) to it.

SSH Server:
    ssh user client002
    ssh user client002 authentication-type rsa
    ssh user client002 assign rsa-key rsakey001

Configure the service type of client002 as SFTP and set its authorization directory, which confines the SFTP session to that directory tree.

SSH Server:
    ssh user client002 service-type sftp
    ssh user client002 sftp-directory cfcard:
- Enable the STelnet and SFTP services on the server
Neither service is reachable until it is enabled explicitly.

SSH Server:
    stelnet server enable
    sftp server enable

- Configure the new listening port of the SSH server
The port is set separately for IPv4 and IPv6; this platform accepts 22 or a value from 1025 to 55535. Both address families are moved here, since leaving IPv6 on port 22 would defeat the purpose on a dual-stack management network.

SSH Server:
    ssh ipv4 server port 1025
    ssh ipv6 server port 1025
- Connect from the SSH clients to the SSH server
For the first login, enable first-time authentication on the SSH client so that it accepts a server host key it has never seen and saves it for later sessions. This is trust-on-first-use: on that first connection the client cannot tell the real server from an impostor, so use it only on a network you control, or bind the server's public key on the client in advance instead and leave first-time authentication disabled.
Enable first-time authentication on client001.

client001:
    sysname client001
    ssh client first-time enable

Enable first-time authentication on client002.

client002:
    ssh client first-time enable

The STelnet client connects to the SSH server on the new port.
[~client001] stelnet 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
Please input the username: client001
Enter password:
Warning: The initial password poses security risks. The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2019-10-23 15:15:23.
First login successfully.
<SSH Server>

The SFTP client connects to the SSH server on the new port.

[~client002] sftp 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: client002
sftp-client>
- Check the configuration results
A client that still uses the default port 22 cannot reach the SSH server. Nothing listens on 22 any more, so the TCP connection is refused. This is the result an attacker gets, and also the result a legitimate client gets if it omits the port.

[~client002] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
[~client002]

After the configuration is complete, run display ssh server status and display ssh server session on the SSH server to confirm the current listening port and that the STelnet and SFTP clients have connected through it (the Connection Port Number field of each session).
View SSH status information.
[~SSH Server] dis ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server keepalive                       : Enable
SFTP IPv4 server                           : Enable
SFTP IPv6 server                           : Enable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Disable
SNETCONF IPv6 server                       : Disable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Disable
SCP IPv6 server                            : Disable
SSH server DES                             : Disable
SSH IPv4 server port                       : 1025
SSH IPv6 server port                       : 1025
SSH server source address                  : 0.0.0.0
SSH ipv6 server source address             : 0::0
SSH ipv6 server source vpnName             :
ACL name                                   :
ACL number                                 :
ACL6 name                                  :
ACL6 number                                :
SSH server ip-block                        : Enable
View the connection information of SSH server.
[~SSH Server] dis ssh server session
--------------------------------------------------------------------------------
Session                                : 1
Conn                                   : VTY 0
Version                                : 2.0
State                                  : Started
Username                               : client001
Retry                                  : 1
CTOS Cipher                            : aes256-ctr
STOC Cipher                            : aes256-ctr
CTOS Hmac                              : hmac-sha2-256
STOC Hmac                              : hmac-sha2-256
CTOS Compress                          : none
STOC Compress                          : none
Kex                                    : diffie-hellman-group14-sha1
Public Key                             : ECC
Service Type                           : stelnet
Authentication Type                    : password
Connection Port Number                 : 1025
Idle Time                              : 00:01:49
Total Packet Number                    : 30
Packet Number after Rekey              : 30
Total Data(MB)                         : 0
Data after Rekey(MB)                   : 0
Time after Session Established(Minute) : 2
Time after Rekey(Minute)               : 2

Session                                : 2
Conn                                   : SFTP 0
Version                                : 2.0
State                                  : Started
Username                               : client002
Retry                                  : 1
CTOS Cipher                            : aes256-ctr
STOC Cipher                            : aes256-ctr
CTOS Hmac                              : hmac-sha2-256
STOC Hmac                              : hmac-sha2-256
CTOS Compress                          : none
STOC Compress                          : none
Kex                                    : diffie-hellman-group14-sha1
Public Key                             : ECC
Service Type                           : sftp
Authentication Type                    : rsa
Connection Port Number                 : 1025
Idle Time                              : 00:00:38
Total Packet Number                    : 16
Packet Number after Rekey              : 16
Total Data(MB)                         : 0
Data after Rekey(MB)                   : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute)               : 0
--------------------------------------------------------------------------------
[~SSH Server]