Thursday, February 23, 2012

Linux system virtual machines may weaken security

In its sales strategy, Microsoft never seems to hesitate to attack its competitors.

This time, a report co-authored by Microsoft and another agency points out that virtual machines may become malware hosts, especially on Linux systems. Of course, once a virtual machine is infected with malware, a variety of current security software is able to detect it. We need not be so nervous, however, because this scenario is very difficult to turn into reality. According to the report, the attacker first installs a virtual machine (VM) program on the target computer, then installs malicious programs inside the virtual machine, such as keyloggers or Trojan horses, in order to steal information from the primary operating system. For this kind of attack, however, the attacker has to modify the system's original kernel, because the original kernel and the virtualization software itself were designed from the beginning to prevent data exchange between different virtual machine systems. In other words, the hacker must first compromise the operating system kernel before a keylogger installed in the virtual machine can reach the host and do further damage. But compromising the operating system kernel may not be an easy thing, at least not as easy as we imagine. Installing software on a Windows or Linux system requires system administrator permissions, which normal computer users do not have. Of course, hackers may be able to modify the system kernel through known Windows security holes, but this looks like gilding the lily: if the system is already that vulnerable, why go to the trouble of modifying the kernel to install a keylogger? On the fourth page, the report says that to install the malicious program, the hacker first needs to modify the host operating system's kernel and then modify the Windows virtual machine monitor software.
As we know, the virtual machine monitor (VMM) is used to manage the computer's hardware resources; when multiple virtual systems run on the host computer at the same time, it manages their use of disk, memory and keyboard. The report shows that for a Linux-based VMM the hacker does not need to make this change, but it does not specifically state why this step can be omitted on a Linux system. In addition, the report also seems to deliberately ignore the fact that we are entering an era of hardware virtualization: both Intel and AMD processors can identify the various virtual machine software running on the hardware. So the probability of this attack on virtual machines is small enough to be negligible. Although it has many components, the report still has some readability. It gives a number of constructive comments on virtual machine technology and its applications, which can help with software troubleshooting and intrusion detection. Also, I think that anything advising IT managers to pay attention to data security has a certain value, although some of the content seems alarmist.

Saturday, February 18, 2012

Use SSL to protect VNC application

Do you want remote desktop access that is more convenient than proprietary solutions and more secure than ssh? This article describes a good way to do it, a technique we have never introduced before.

The idea is to use SSL to secure a simple VNC viewer embedded in a Web page. This means that virtually any Java-capable Web browser can view a remote desktop and interact with it; for the typical scenario this is a very powerful solution, covering telephone collaboration, technical support and training. A computer in one location performs an action whose results people elsewhere want to see. There are very many situations that fit this description, and almost as many features that fit it. One method is to publish a regular single desktop as a Web URL protected by the HTTPS protocol; this is especially convenient when working together with people who are not software experts. They reach the remote desktop through a hyperlink, or by entering the URL in the browser's address bar, which is very convenient for "civilian" users. In just a few minutes you can build your own remote desktop. An important feature of this approach is its authentication method: it is not based on login-level accounts, as ssh, OpenVPN and most proprietary remote access products are; we will show how to set up account/password pairs for SSL. This is a "lightweight" method that leaves the desktop host free for other purposes. At the same time, this approach is widely used on the Web and is a key technology that most developers are already very familiar with. Although VNC over SSL can be achieved in only a few steps, there is one complex issue at the core of the configuration: the Java VNC client does not connect to SSL sites that use their own (self-signed) certificates. Rather, the JVM bundled with popular browsers usually requires a certificate signed by a "trusted third party" certification authority (CA). This effectively divides the readers of this article into two groups.
If managing or developing secure Web sites has already led you to use SSL, you can immediately reuse the same Web server and signed certificate for the VNC-through-SSL project. If you do not already have background knowledge of SSL, this technique is not a very good place to start; for you, the more traditional ssh tunnel, or Hamachi and other commercial solutions, may be an easier starting point for remote desktops. For more information, refer to the sidebar on certificates and SSL. The first step of the method is to set up the VNC server and the corresponding tunnel. For this step you must have a valid key file, containing both a private key and a public key, placed in /etc/ssl/certs/stunnel.pem. This example uses the TightVNC server and display :5.

Listing 1. Start the TightVNC server and the tunnel
$ tightvncserver :5
$ stunnel -d 5705 -r 5905 -p /etc/ssl/certs/stunnel.pem

Although most Linux hosts are set up to allow any user to start vncserver, you will probably need root privileges to use stunnel effectively. Depending on the host's security model, the best you can do is run: sudo stunnel .... Now the server should provide an unencrypted connection at there:5905 and an encrypted connection at there:5705. Use any convenient VNC viewer to verify the unencrypted connection by pointing it at yourhost:5. To ensure that stunnel has started and is running, search the system log with the following command:
Listing 2. Check that stunnel started successfully
# grep stunnel /var/log/syslog | tail -24
Aug 21 18:58:17 there stunnel[5453]: Using '5905' as tcpwrapper service name
Aug 21 18:58:17 there stunnel[5453]: stunnel 3.26 on i386-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004
Aug 21 18:58:17 there stunnel[5454]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed

Errors (the key file is not valid, permissions are insufficient, or the port is already in use) appear in the same log file. For example, if the key is missing, the log shows:
Aug 21 18:58:17 there stunnel[5453]: /etc/ssl/certs/stunnel.pem: No such file or directory (2)

Since the server can now handle the unencrypted and the encrypted port concurrently, let's move on to the VNC Web client. To enable this feature you need to download the SSL-enabled Java VNC viewer from the x11vnc project. In the downloaded source tarball, the Java code is in x11vnc-x.y.z/classes/ssl/VncViewer.jar and x11vnc-x.y.z/classes/ssl/SignedVncViewer.jar. Set up a directory to hold the VNC content, copy VncViewer.jar into it and create an HTML source file. The sample HTML file allows the applet to make SSL connections to there:5705 over both HTTP and HTTPS. Assuming the HTML and Jar files are served on port 80 over HTTP under the URI /vnc, then http://there/vnc will display the desktop. Remember to have Java enabled in your browser! Also note that HOST and the source address must use the same host name; the Java applet security model requires this.
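As an added example (not part of the original article), the Listing 2 check turned into a function that a start-up script can call: it reads the stunnel lines from syslog and reports one status word. The success markers are the two messages from Listing 2; the error strings are standard strerror texts and are an assumption about how stunnel reports the missing-key, permission and port-in-use failures the article names.

```shell
#!/bin/sh
# Added example, not from the original article: classify stunnel's syslog lines
# into one status word so a script can tell whether the SSL tunnel in front of
# VNC is really listening before anyone connects.
# Success markers come from Listing 2 ("Using '<port>' as tcpwrapper service
# name" and "... clients allowed"). The error texts are standard strerror strings
# and are an ASSUMPTION about how stunnel logs the three failures the article
# names (key file missing, insufficient permission, port already in use).
#
# Live usage:  grep stunnel /var/log/syslog | tail -24 | stunnel_log_status 5905

stunnel_log_status() {
    port=$1
    status=not-started
    seen_service=0
    seen_ready=0
    while IFS= read -r line; do
        case $line in
            *stunnel*"No such file or directory"*)   status=missing-key ;;
            *stunnel*"Permission denied"*)           status=no-permission ;;
            *stunnel*"Address already in use"*)      status=port-in-use ;;
            *stunnel*"Using '$port' as tcpwrapper"*) seen_service=1 ;;
            *stunnel*"clients allowed"*)             seen_ready=1 ;;
        esac
    done
    # Report "ok" only if the service registered on our port, reached the
    # "clients allowed" stage, and no error line was seen in between.
    if [ "$status" = not-started ] && [ "$seen_service" = 1 ] && [ "$seen_ready" = 1 ]; then
        status=ok
    fi
    printf '%s\n' "$status"
}

# Constructed log excerpts (modelled on Listing 2) used to exercise the function.
sample_ok_log() {
    cat <<'EOF'
Aug 21 18:58:17 there stunnel[5453]: Using '5905' as tcpwrapper service name
Aug 21 18:58:17 there stunnel[5453]: stunnel 3.26 on i386-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004
Aug 21 18:58:17 there stunnel[5454]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
EOF
}

sample_missing_key_log() {
    cat <<'EOF'
Aug 21 18:58:17 there stunnel[5453]: Using '5905' as tcpwrapper service name
Aug 21 18:58:17 there stunnel[5453]: /etc/ssl/certs/stunnel.pem: No such file or directory (2)
EOF
}

# Demo on the constructed excerpts: prints "ok", then "missing-key".
sample_ok_log | stunnel_log_status 5905
sample_missing_key_log | stunnel_log_status 5905
```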

Thursday, February 16, 2012

Snort, a lightweight IDS tool for Linux systems

1. Introduction to Snort. Snort is designed to fill the gap left by expensive, heavyweight network intrusion detection systems.

Snort is a free, cross-platform packet sniffer, packet logger and intrusion detector for monitoring small TCP/IP networks. It runs on Linux/UNIX and Win32 systems; installation takes only a few minutes and you can start using it right away. Some of Snort's features:
- real-time traffic analysis and packet logging
- packet payload inspection
- protocol analysis and content pattern matching
- detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting and other intrusion attempts
- real-time alerts to syslog, to a specified file, to a Unix socket, or as WinPopup messages via Samba

Snort has three main modes: packet sniffer, packet logger, and full intrusion detection system. Following the most important practice of open/free software, Snort supports a variety of plugins, extensions and customizations, including database or XML logging, small-fragment detection, anomaly detection and other statistics. Packet payload inspection is one of Snort's most useful features: it means a great many additional kinds of hostile behaviour can be detected.

2. Install the required packages. The required packages are:
1. libpcap http://www.mirrors.wiretapped.net/security/packet-capture/libpcap/libpcap-0.8.3.tar.gz
2. snort http://www.snort.org/dl/snort-2.2.0.tar.gz
3. snort rules http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
4. openssl http://www.openssl.org/source/openssl-0.9.7d.tar.gz
5. acid (Analysis Console for Intrusion Databases, Web-based) http://acidlab.sourceforge.net
6. gd http://www.boutell.com/gd/
7. adodb, which gives ACID a convenient database interface: http://php.weblogs.com/adodb
8. phplot, the graphics library ACID relies on: http://www.phplot.com/
9. apache http://www.apache.org
10. mysql http://www.mysql.com
11. php (v > 4.2) http://www.php.net

Begin the installation:
1. Install MySQL:
# addgroup mysql
# adduser mysql
Then log in as mysql and run the following commands:
$ gzip -d -c mysql-3.23.49.tar.gz | tar xv -
$ cd mysql-3.23.49
$ ./configure
$ make
$ make install
2. Install openssl:
# tar zxvf openssl*
# cd openssl*
# ./configure
# make
# make test
# make install

3. Install libpcap:
# tar zxvf libpcap*
# cd libpcap-0.8.3
# ./configure
If configure prints:
configure: warning: cannot determine packet capture interface (see INSTALL for more info)
the system kernel needs to be recompiled with CONFIG_PACKET enabled to support it.
# make
# make install

4. Install snort:
# tar zxvf snort*
# cd snort-2.2.0
# ./configure --enable-flexresp --with-mysql=/usr/local/mysql --with-openssl=/usr/local/ssl
This enables mysql and openssl support; more options are described in the documentation in the tarball. If you see:
ERROR! Libpcre header not found, go get it from http://www.pcre.org
install the pcre library. If you see:
ERROR! Libnet header not found
download and install it from http://www.packetfactory.net/projects/libnet/. If it is already installed, you can use the --with-libnet-* options.
# make
# make install

5. apache:
# ./configure --prefix=/usr/local/apache --enable-so
# make
# make install

6. Install gd. The GD library is installed first so that PHP can be built with both PNG and JPG image functions:
# gzip -d -c gd-2.0.28.tar.gz | tar xv -
# cd gd-2.0.28
# make
# make install

7. php:
# gzip -d -c php-4.3.2.tar.gz | tar xv -
# cd php-4.3.2
# ./configure --with-mysql=/usr/local/mysql \
    --with-apxs=/usr/local/apache/bin/apxs \
    --with-gd=/usr/local
# make
# make install

8. ACID. This part of the installation involves three packages: adodb452.tar.gz, phplot-5.0rc1.tar.gz and acid-0.9.6b23.tar.gz. The installation is very simple: extract each package into the Apache server's document root (here /www/ids):
# cd /www/ids/
# gzip -d -c adodb452.tar.gz | tar xv -
# gzip -d -c phplot-5.0rc1.tar.gz | tar xv -
# gzip -d -c acid-0.9.6b23.tar.gz | tar xv -
Then begin the configuration: go into the acid directory and edit the configuration file acid_conf.php, giving the following variables these values:
$DBlib_path = "../adodb"
$DBtype = "mysql"
$alert_dbname = "snort"
$alert_host = "localhost"
$alert_port = "3306"
$alert_user = "root"
$alert_password = "123"
$archive_dbname = "snort"
$archive_host = "localhost"
$archive_port = "3306"
$archive_user = "root"
$archive_password = "123"
$ChartLib_path = "../phplot"
$chart_file_format = "png"
$portscan_file = "/var/log/snort/portscan.log"

Good; at this point the installation of the required software is complete. Next comes configuring and starting Snort.

3. Configuring and starting Snort. We can run Snort in a chroot environment; the setup is very simple. First choose a place with enough space for Snort's logs; if you regularly check and clear the logs, you can put Snort's chroot environment in /home/snort. Then a snort user is required; add it with the following commands:
# groupadd snort
# useradd -g "snort" -d "" -s "/home/snort/nonexists" -c "Snort User" snort
Then extract the files in snortrules.tar.gz into /home/snort. After the snortrules package is extracted, a rules directory appears under /home/snort; this is the Snort ruleset, the basis on which Snort detects anything on the network. Among the rules is snort.conf, Snort's configuration file, which you need to modify to match your actual situation. In snort.conf there are several settings you need to change before Snort will work properly; the following may need to be modified:
- var HOME_NET: the network or host IP. For example, if there is only one server, just enter the server's IP address; if a machine has more than two IPs, you can use: var HOME_NET [192.168.1.1,192.168.1.2] or var HOME_NET 192.168.1.0/24
- var SMTP [IP.Address]: the location of the SMTP server. If it differs from HOME_NET, remove $HOME_NET and specify the IP of the SMTP machine.
- var HTTP_SERVERS: the HTTP servers, set in the same way as SMTP; if the Web server is not this machine, replace HOME_NET with the other IP.
- var DNS_SERVERS: the IP addresses of the DNS servers. At the same time you need to uncomment the following line: preprocessor portscan-ignorehosts: $DNS_SERVERS. This prevents unwanted portscan records caused by DNS lookups.

The last part is logging. Since we compiled Snort with "MySQL" support, to use MySQL logging first create the snort database in MySQL and the user name and password for it, with the following commands:
# echo "CREATE DATABASE snort;" | mysql -u root -p
# mysql -u root -p
> grant INSERT,SELECT on snort.* to snort@localhost;
Then, in the Snort source tree, find contrib/create_mysql and execute the following command to build the tables:
# mysql -u root -p snort < contrib/create_mysql

The rule header contains the action to take after a match, the protocol type, and the four-tuple that selects the flow (source IP and port, destination IP and port). The option part of a rule is made up of one or several options, and all options are ANDed together. Options may have some dependencies. Options fall into four main categories; the first describes various features of the packet, such as: conte
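As an added example (not from the original article), a small linter for the rule structure just described: it splits a Snort rule into its seven header fields (action, protocol, source IP and port, direction, destination IP and port) and its ';'-separated option list, and rejects malformed rules before they are dropped into /home/snort/rules. The rules below are constructed for this example; $HOME_NET, $HTTP_SERVERS and $EXTERNAL_NET are the snort.conf variables and stay literal in the rule text.

```shell
#!/bin/sh
# Added example, not from the original article: parse and lint Snort rules.
# A rule is "<action> <proto> <src ip> <src port> <dir> <dst ip> <dst port> ( opt; opt; ... )".
# The sample rules are constructed for this example; the snort.conf variables
# ($HOME_NET etc.) are kept as literal text, exactly as Snort reads them.

# Print the seven header fields of one rule, one per line. Return 1 if the header
# does not have exactly seven fields, a Snort 2.x action, an IP protocol and a
# direction operator.
snort_rule_header() {
    _hdr=${1%%\(*}                    # text before the first '(' is the header
    set -f; set -- $_hdr; set +f      # split into words without glob expansion
    [ $# -eq 7 ] || return 1
    case $1 in alert|log|pass|activate|dynamic) ;; *) return 1 ;; esac
    case $2 in tcp|udp|icmp|ip) ;; *) return 1 ;; esac
    case $5 in '->'|'<>') ;; *) return 1 ;; esac
    printf '%s\n' "$@"
}

# Print the value of one option keyword (msg, content, sid, ...) from the
# parenthesised option list, surrounding quotes removed; empty if absent.
# (A ';' inside a quoted content string would split the list; fine for a linter.)
snort_rule_option() {
    _opts=${1#*\(}
    _opts=${_opts%\)*}
    printf '%s\n' "$_opts" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1 |
        sed -e 's/^"//' -e 's/"$//'
}

# Lint a rules file on stdin: one line per rule, "OK sid=N msg" or "BAD reason: rule".
# Blank and '#' comment lines are skipped. Exit 1 if any rule was rejected.
snort_rules_lint() {
    _bad=0
    while IFS= read -r _rule; do
        case $_rule in ''|'#'*) continue ;; esac
        if ! snort_rule_header "$_rule" >/dev/null; then
            printf 'BAD header: %s\n' "$_rule"; _bad=$((_bad + 1)); continue
        fi
        _sid=$(snort_rule_option "$_rule" sid)
        if [ -z "$_sid" ]; then
            printf 'BAD no sid: %s\n' "$_rule"; _bad=$((_bad + 1)); continue
        fi
        printf 'OK sid=%s %s\n' "$_sid" "$(snort_rule_option "$_rule" msg)"
    done
    [ "$_bad" -eq 0 ]
}

# Constructed rules: two well-formed, one without a direction operator, one
# without a sid. Local sids (>= 1000000) so they cannot collide with the snapshot.
sample_rules() {
    cat <<'EOF'
# constructed rules for this example
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS request from outside"; sid:1000002; rev:1;)
alert tcp any any any any (msg:"no direction operator"; sid:1000003;)
alert tcp $HOME_NET any -> any 25 (msg:"missing sid")
EOF
}

# Demo: two OK lines, two BAD lines, then the failure message.
sample_rules | snort_rules_lint || echo "ruleset has problems; fix before restarting snort"
```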

Tuesday, February 14, 2012

Use SSL to protect VNC application

One more advantage of using standard components and protocols is that they can be replaced very simply.

For example, most of our development uses the Xvnc server, and there are several ways in which the TightVNC used in the method above can be replaced. Note that the command line parameters of the alternatives may differ slightly; in all cases, however, the principle is the same. Almost all Linux distributions provide a standard package for some open source VNC server, and the VNC projects are even very easy to install from source. The most difficult part of installing any VNC server is usually its requirement for a specific default font; even in this case, however, at least a clear remedy is provided. The SSL-enabled VNC viewer in the browser carries at least a little risk. It works in all major browsers, including Mozilla Firefox, Internet Explorer and Opera, but all of them need Java runtime 1.4 or later. Users of old versions of Microsoft Windows will have problems, because older systems still rely on the Microsoft JVM 1.1. In this case the VNC viewer cannot run in Internet Explorer and reports that the VncViewer class was not found. The only solution is to provide a non-SSL connection to the VNC server and suggest that Java be upgraded to the latest Java Runtime. By default, most VNC servers will not share your desktop; that is, any new connection closes the previous one. For collaboration, technical support and similar applications, start the server with the -alwaysshared command line argument or a similar method, following the documentation. This allows multiple users to connect to the same desktop. The point? Although you may have used VNC, Web services, Java, SSL and browsers before, you may never have used them together. What have you just gained?

Certificates and SSL. We mentioned earlier that if you already use SSL, you only need to reuse the certificate, and that if you do not use SSL, it only takes a few hours to get started. Strictly speaking, that is not quite so.
From the developer's point of view SSL plays at least two roles: it encrypts the VNC traffic and it authenticates your remote desktop, so that it has basic security in a hostile Internet world. Opening a normal SSL connection in a browser is a usability matter. If the browser cannot find a trusted certificate for the SSL communication, you (or, more seriously, anyone remotely accessing someone else's desktop through a Web browser) will see a lot of warning dialog boxes, which is even more unbearable. In this article we recommend that you purchase and use a certificate to resolve this problem. That answer is too big for some and too small for others. For example, Sun's j2re 1.4 JVM requires not only that the certificate be signed by a certificate authority, but that it come from a high-end CA, including Verisign and Thawte. Browsers using this JVM treat certificates signed by less famous CAs like self-signed certificates. On the other hand, the article has emphasised that using self-signed certificates for VNC over SSL is not possible. If you can tolerate continual pop-up browser warnings, you can at least experiment with your own certificates. Tutorials on creating a self-signed certificate are surprisingly committed to making the whole process "very simple". At a certain level, all they do is execute the following command lines:

Listing 4. Create a self-signed certificate
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.pem
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3560 -in server.csr \
    -signkey server.key -out server.crt
cat server.pem server.crt > combined.pem

Some steps require interaction on the command line. The most critical item is the "Common Name" in the third line; this value must be the fully qualified domain name of the host where the shared desktop is located. Typically, this is the value that hostname would print.
Obtaining a certificate is the most difficult part of the VNC over SSL process; with a certificate available, you can simply complete all the other steps. In fact, you now gain a lot. First, this is very much a GUI equivalent of screen: you can start a GUI session at work, use it with all its features and performance, leave the session, and then reconnect to the same session from any Java-capable Web browser. This is a very powerful tool. However, you gain more. VNC is very convenient for teleconferencing; for example, we use it to set up complex graphical applications for non-technical users. In principle a remote X server can perform the same function, but VNC offers many advantages: security and more manageability.
- Compared with X, VNC usually passes through firewalls more easily.
- A VNC viewer is easier to install than an X server, especially the browser-based viewer.
- VNC easily provides one desktop to multiple viewers.
- VNC is generally less affected by network latency.
- X authentication (and ssh tunnels) is usually based on account-level /etc/passwd entries, while Web-based access uses HTTP(S) authentication. Creating and maintaining such accounts requires a lot of experience, even for casual use (such as a conference call presentation).
- Compared with an X server, a VNC viewer requires less memory and hardware.
- VNC servers typically provide a very useful read-only access configuration.
Another key point of using this technology is that the heaviest encryption computation is executed by "native" code, not by the Java runtime. Although the assumption that network delay is the first factor determining performance is very safe, the price of encryption and decryption can be too high for the alternative technologies (unless they are used on very high performance computers).
A pleasant advantage of VNC over SSL is that old or even very simple hardware running standard software quickly produces acceptable response. You may have different needs and resources; you need to determine how VNC compares with Citrix, Windows Terminal Services, WebEx, Hamachi and the other commercial "remote" solutions. However, we have seen that VNC over SSL solves many problems. In subsequent articles we will show how to integrate VNC with other virtualization technologies into a powerful resource-sharing technique. But at the end of this article there is an important issue readers need to be reminded of: VNC has a very serious security problem. Because VNC protects a session with only a single password, a standard VNC service subjected to hours or days of brute force attack is likely to be cracked. The number of "bad guys" interested in VNC is increasing rapidly; make sure you use a very strong VNC password of at least 8 characters, preferably mixing numbers, letters and other symbols. SSL provides many protection mechanisms; if a session lasts several hours, you should consider using them. In subsequent articles we will learn more about security issues. The method above uses several powerful open source examples, yet it involves almost no original programming. No one has actually written a document about combining these components, but the combination is very convenient, which is really amazing. For more details about VNC, SSL and the other topics, see the references section.

Concluding remarks. In the next article we will detail two specific workplace plans for using VNC over SSL, and how to fit this technology into your environment, including how to work with firewalls and proxies. We will also cover when and how using a "native" VNC viewer together with the browser-hosted client mentioned in this article becomes an advantage.
We would especially like to thank Matt Kennel, who shares our worries about security issues and discussed with us how to use VNC over SSL in actual applications. Original link: http://www.ibm.com/developerworks/cn/linux/l-sslvnc.tml

Sunday, February 12, 2012

Starting and disabling Linux system services, and their corresponding port numbers

/etc/services lists the system's default services and their corresponding ports. The startup and shutdown scripts of the individual daemons (services) are placed in /etc/init.d/, but Red Hat systems put them in /etc/rc.d/init.d; the control files for the services managed by the superdaemon are placed in /etc/xinetd.d.

Standalone (independent startup) and superdaemon (super service). Standalone, as the name implies, means the service is started directly from its own script and its executable is loaded into memory and runs on its own; a service started this way responds quickly. Generally speaking, the startup scripts of such services are placed under /etc/init.d/, so you can often start one with something like: /etc/init.d/sshd restart. With a superdaemon acting as the master to manage some network services (in CentOS 4.3 the superdaemon is xinetd), network services started this way respond more slowly, but the superdaemon provides some additional control, for example when the service starts, when it may be online, which IPs may connect at all, whether simultaneous connections are allowed, and so on. The configuration files are usually in /etc/xinetd.d/, but after changing them you need to run /etc/init.d/xinetd restart for the change to take effect. If you want the system to switch off port 25, the simplest approach is to first identify the process that opens port 25, as shown here:
# netstat -tnlp
tcp  0  0 127.0.0.1:631  0.0.0.0:*  LISTEN  1171/cupsd   // the port is opened by the program cupsd
If the program is not visible, use nmap localhost to view the local ports; it shows each port and the corresponding program.
# which cupsd
/usr/sbin/cupsd   // identify the location of the cupsd program. If it is not found, use locate instead of which, with the pattern below, to find the command:
# locate cupsd | grep '/cupsd$'
/usr/sbin/cupsd
Use RPM to handle it:
# rpm -qf /usr/sbin/cupsd
cups-1.1.17-13   // identify the package name
# rpm -qc cups | grep init
/etc/rc.d/init.d/cups   // identify the program's startup script
# /etc/rc.d/init.d/cups stop   // stop the program.
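As an added example (not part of the original post), the port-to-process lookup done by hand above as a reusable function. port_owner reads netstat -tnlp output on standard input, so it can run on captured text as well as on a live host, and prints the PID/program listening on a TCP port; service_script_for_port chains the post's which, rpm -qf and rpm -qc steps for a live RPM-based host. The netstat output below is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: find the process that owns a TCP
# port from `netstat -tnlp` output, then (on a live RPM host) its init script.
# The netstat text in sample_netstat is constructed for this example.

# Print the PID/program of the listener on port $1; exit 1 if nothing listens there.
port_owner() {
    awk -v port="$1" '
        # Consider only tcp/tcp6 LISTEN lines; header lines never match.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is column 4 ("127.0.0.1:631" or ":::22");
            # the port is whatever follows the last colon.
            n = split($4, a, ":")
            if (a[n] == port && !seen[$7]++) { print $7; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample; the cupsd line mirrors the one in the post.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1171/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1000/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1000/sshd
EOF
}

# Live-only chain from the post (needs netstat, rpm; not exercised by the
# sample): listener -> binary -> package -> init script, so the service is
# stopped with its own script instead of by killing the PID.
service_script_for_port() {
    owner=$(netstat -tnlp 2>/dev/null | port_owner "$1" | head -n 1)
    [ -n "$owner" ] || return 1
    prog=${owner#*/}                                   # "1171/cupsd" -> "cupsd"
    bin=$(command -v "$prog" 2>/dev/null) ||           # the post's `which` step
        bin=$(locate "$prog" | grep "/$prog\$" | head -n 1)
    [ -n "$bin" ] || return 1
    pkg=$(rpm -qf "$bin") || return 1
    rpm -qc "$pkg" | grep init
}

# Demo on the constructed output: prints 1171/cupsd
sample_netstat | port_owner 631
```

On a live host the same function is used as `netstat -tnlp | port_owner 25`.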

Friday, February 10, 2012

Using SSH for secure data transfer under Linux (with pictures)

The protocols currently in use on the Internet, such as FTP, Telnet and POP, are inherently insecure: they transmit passwords and data over the network in clear text, so a hacker can very easily intercept these passwords and data, undermining the integrity and confidentiality of the data.

This article describes how to use SSH software under Linux to guarantee the security of data transmission in an insecure network environment through its encryption mechanism. SSH stands for Secure Shell. By using SSH, all transferred data is encrypted, so even if a network hacker hijacks the data transmitted by the user, it cannot be decrypted and therefore poses no real threat to the data transfer. In addition, the transmitted data is compressed, which can speed up transmission. SSH has many features: it can replace Telnet and provide a secure "transmission channel" for FTP and POP. In an insecure network environment it provides strong authentication and a very secure communication environment. SSH consists of client and server software; there are two incompatible versions, 1.x and 2.x. A client program using SSH 2.x cannot connect to an SSH 1.x server. OpenSSH 2.x supports both SSH 1.x and 2.x. SSH provides two levels of security verification. The first is password-based authentication: as long as the user knows the account and password, they can log on to the remote host. All transferred data is encrypted, but it cannot guarantee that the server the user connects to is the one the user intends; another server may impersonate the real server, which is a potential threat. The second is key-based authentication. It relies on keys: the user must create a public/private key pair and place the public key on the server that needs to be accessed. When connecting to an SSH server, the client software sends the server a request asking for security verification with the user's key. After receiving the request, the server first looks for the user's public key in the user's home directory on the server and then compares it with the public key sent by the user.
If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. After receiving the "challenge", the client software decrypts it with the user's private key and sends the result back to the server.

Installing and starting SSH. Red Hat Linux 7 and its releases include the OpenSSH packages; if not, you can download the RPM packages from the OpenSSH home page, www.openssh.com, and install them. The main packages to install are: openssh-3.5p1-6, openssh-server-3.5p1-6, openssh-askpass-gnome-3.5p1-6, openssh-clients-3.5p1-6 and openssh-askpass-3.5p1-6. Install them with the following commands. First query whether the packages above are already installed:
# rpm -qa | grep openssh
If they are not installed, run:
# rpm -ivh openssh-3.5p1-6
# rpm -ivh openssh-server-3.5p1-6
# rpm -ivh openssh-askpass-gnome-3.5p1-6
# rpm -ivh openssh-clients-3.5p1-6
# rpm -ivh openssh-askpass-3.5p1-6
After the installation has completed, you can start the service with either of the following two commands:
# service sshd start
# /etc/rc.d/init.d/sshd start
Also, if you want the system to run the service automatically at startup, use the setup command and select the sshd daemon under the network service configuration options. After installing and starting OpenSSH, test it with the following command:
ssh -l [username] [address of the remote host]
If OpenSSH is working correctly, you will see the following message:
The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
At the first login OpenSSH prompts that it does not know the login host; simply type "yes" and the identification of the "host" is added to the "~/.ssh/known_hosts" file. On the second visit to this host the message is no longer shown.
SSH then prompts the user for the password of the account on the remote host. An SSH connection is thus established, and you can then use SSH as easily as telnet.

SSH key management
1. Generate your own key pair. Use the following command to generate a public/private key pair: ssh-keygen -t [type]. If the remote host uses SSH 2.x, use this command: ssh-keygen -d. Having both SSH1 and SSH2 keys on the same host is no problem, because the keys are stored in different files. After ssh-keygen runs, it displays the following information:
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
38:25:c1:4d:5d:d3:89:bb:46:67:bf:52:af:c3:17:0c username@localhost
Generating RSA keys:
Key generation complete.
The "ssh-keygen -d" command does the same work, but by default it saves the key pair as /home/[user]/.ssh/id_dsa (private key) and /home/[user]/.ssh/id_dsa.pub (public key). Now the user has a pair of keys: the public key is distributed to every remote host the user wants to log in to with SSH; the private key is kept in safe custody so that no one else learns it. The "ls -l ~/.ssh/identity" or "ls -l ~/.ssh/id_dsa" command must show the file permissions as "-rw-------". If you suspect that your key has become known to others, you should immediately generate a new key. Of course, you will then also need to redistribute the public key for normal use.
2. Distribute the public key. On every remote server the user needs to connect to with SSH, create a ".ssh" subdirectory in the user's home directory, copy the user's public key "identity.pub" into that directory and rename it "authorized_keys". Then execute the command: chmod 644 .ssh/authorized_keys. This step is essential.
Because if anyone other than the user has write permission on the "authorized_keys" file, SSH will not work properly should the file be tampered with. If the user wants to log in to the remote host from a different computer, the "authorized_keys" file can hold several public keys. In that case you must generate a key pair again on the new computer, then copy the generated "identity.pub" and paste it into the "authorized_keys" file on the remote host. Of course, the user must have an account on the new computer, and the key is protected by its passphrase. It is important to remember to delete the key when the user's account is cancelled.

Configuring the SSH client

Using SSH on a Linux client has the advantage of being convenient to operate, with no extra software needed; the disadvantage is that it is not very intuitive. Users only need the system's default configuration file "/etc/ssh/ssh_config" and the following simple command to log in:

# ssh -l test www.test.com    // log in as user test on the remote server www.test.com

The following section introduces how to configure the PuTTY tool on Windows to log in to an SSH server. This tool is in fairly common use and can be downloaded for free from the Internet. The latest version currently available on the Internet is PuTTY 0.58. After installing it, configure it with the following steps:
1. Open the software; the configuration interface appears and the initial Session window opens automatically.
2. In the 【Host Name (or IP address)】 edit box in the right half of the interface, enter the address of the remote server to log in to, here set to 192.168.10.1; in the Port edit box enter the default port number 22; then click the 【Save】 button to save the configuration, as shown in Figure 1.
Figure 1: Configuring the IP address and port number
3. Click the 【Open】 button; the software connects to the server and displays the result of the connection, and the user can then carry out the appropriate remote management operations.
Configuring automatic SSH login

In the SSH usage described above, the user has to enter their password each time they log in to the server, which is somewhat troublesome. Since SSH uses a key mechanism throughout, the system can be configured so that no password needs to be entered, for easy login. The following takes a Windows client as an example to show how to log in to SSH automatically. On Windows, the PuTTY client software described earlier also lets you implement automatic login easily, mainly by using the PuTTYgen tool that ships in the PuTTY tool kit to generate a public/private key pair; the principle is the same as under Linux. The configuration details follow.
1. Open the PuTTYgen tool to generate a public/private key pair, as shown in Figure 2, and select SSH-2 RSA as the type of key to generate.
Figure 2: PuTTYgen main interface
2. Click the 【Generate】 button to enter the key pair generation interface; the user needs to keep moving the mouse over the blank area of the interface to ensure the randomness of the generated key.
3. Once the public/private key pair has been generated successfully, the system prompts the user to save the public key and private key. Click the 【Save public key】 and 【Save private key】 buttons and specify the paths for saving the public key and the private key.
4. Use PuTTY to connect to the server and copy the contents of the public key file into the home directory on the server: log in to the remote system with your own account and then execute the following command. Then open the id_rsa1.pub file with Notepad, select all, press Ctrl+C to copy it to the Clipboard, press Shift+Ins in the PuTTY window to paste it, and press Ctrl+D to complete the file creation. This completes the process of distributing the public key.
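The two server-side steps described in the key management and automatic login sections above (appending a public key to authorized_keys, and checking that the key files carry the permissions the post requires) as a POSIX shell script. This is an added example, not code from the original post or from the PuTTY or OpenSSH projects; the function names install_pubkey, remove_pubkey and check_ssh_dir, the sample public-key line and the temporary directory are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys and audit the
# permissions of the key files, following the rules given in the post:
# private keys must be -rw-------, and authorized_keys (and the .ssh
# directory) must not be writable by anyone but the owner; the post uses
# chmod 644 for authorized_keys. Function names and the sample key are
# assumptions made for this demonstration.

# install_pubkey DIR KEYLINE: append one public-key line to DIR/authorized_keys
# unless that exact line is already present, then set the permissions the
# post requires (700 on the directory, 644 on the file).
install_pubkey() {
    dir="$1"
    key="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    f="$dir/authorized_keys"
    touch "$f"
    if grep -qxF -- "$key" "$f"; then
        echo "already present in $f"
    else
        printf '%s\n' "$key" >> "$f"
        echo "added key to $f"
    fi
    chmod 644 "$f"
}

# remove_pubkey DIR KEYLINE: drop a key line when the account that owned it
# is cancelled (the post reminds you to delete the key in that case).
remove_pubkey() {
    f="$1/authorized_keys"
    [ -e "$f" ] || return 0
    grep -vxF -- "$2" "$f" > "$f.tmp" || :   # grep exits 1 when nothing remains
    mv "$f.tmp" "$f"
    chmod 644 "$f"
}

# check_ssh_dir DIR: report key files whose permissions would let another
# local user read a private key or rewrite authorized_keys. Prints one line
# per problem and returns the number of problems found (0 = all good).
check_ssh_dir() {
    dir="$1"
    bad=0
    for f in "$dir/identity" "$dir/id_rsa" "$dir/id_dsa"; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-------
        if [ "$mode" != "-rw-------" ]; then
            echo "BAD: $f is $mode, expected -rw-------"
            bad=$((bad + 1))
        fi
    done
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)               # group- or world-writable
                echo "BAD: $f is $mode, writable by others"
                bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Demonstration with a constructed key line (not a real key) in a temporary
# directory; on a live host you would call the functions on ~/.ssh instead.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedexamplekey user@workstation'
demo_dir=$(mktemp -d)
install_pubkey "$demo_dir" "$SAMPLE_KEY"
install_pubkey "$demo_dir" "$SAMPLE_KEY"                # second call is a no-op
touch "$demo_dir/id_rsa" && chmod 644 "$demo_dir/id_rsa"  # deliberately too open
check_ssh_dir "$demo_dir" || echo "problems found: $?"  # reports the id_rsa mode
rm -rf "$demo_dir"
```

install_pubkey compares whole lines with grep -x -F, so pasting the same key twice (for instance once from Notepad and once from a script) does not duplicate it; check_ssh_dir reads the mode from ls -l exactly as the post suggests, so its "-rw-------" expectation is the same string you see when checking by hand.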

Wednesday, February 8, 2012

Linux system service startup and prohibition, and the corresponding port numbers

/etc/services lists the system's default services and their corresponding ports. The startup and shutdown scripts of the individual daemons (services) are placed in /etc/init.d/, but Red Hat systems put them in /etc/rc.d/init.d, and the control parameter files for services run under the superdaemon are placed in /etc/xinetd.d.

Standalone (independent startup) and superdaemon (super service)

Standalone: as the name implies, a standalone service is executed directly, with the executable loaded straight into memory and run, so a service started this way responds quickly. Generally this kind of service's launch script is placed under the /etc/init.d/ directory, so you can often start such a service with: /etc/init.d/sshd restart. Superdaemon: a super service that acts as the host for managing some network services; the superdaemon used in CentOS 4.3 is xinetd. Network services started this way respond more slowly, but the superdaemon provides some additional control, for example when the service starts, when it may be online, which IPs may connect, whether simultaneous connections are allowed, and so on. The configuration files are usually in /etc/xinetd.d/, but after changing a setting you need to run /etc/init.d/xinetd restart to start it again.

If you want the system to close port 25, the simplest approach is to first identify the process that opened port 25:

# netstat -tnlp
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1171/cupsd    // the port is opened by the program cupsd

If the program is not shown, use nmap localhost to view the local ports; it shows each port and the corresponding program.

# which cupsd
/usr/sbin/cupsd    // identify the location of the cupsd program. If which does not find it, use locate to find the command with the formal notation:
# locate cupsd | grep '/cupsd$'
/usr/sbin/cupsd

Use RPM to handle it:

# rpm -qf /usr/sbin/cupsd
cups-1.1.17-13    // identify the package name
# rpm -qc cups | grep init
/etc/rc.d/init.d/cups    // identify the program's startup script
# /etc/rc.d/init.d/cups stop    // stop the program

1. To start telnet, you must first have the telnet server installed, so first query rpm to see whether telnet-server is installed:
# rpm -qa | grep telnet-server
If it is not installed, download it or find it on the CD and install it with: yum install telnet-server.
2. Since it is managed by the superdaemon, first edit the file /etc/xinetd.d/telnet, change [disable = yes] to [disable = no], and run /etc/init.d/xinetd restart to restart the superdaemon.
3. Use netstat -tnlp to check that port 23 has started.
4. The boot-time startup data is placed in /etc/rc.d/rc[0-6].d/; you can use the ntsysv and chkconfig commands to control whether or not a service is started at boot. For example: 1. Look up whether the portmap program is started at boot. 2. If it is, how do you change it so that it is not started at boot? 3. How do you close the portmap service immediately?
Use chkconfig --list | grep portmap and runlevel to confirm your environment and whether portmap is started. (runlevel shows the current boot interface; chkconfig shows whether a program is started or not: off means not started, on means started at boot.) If it is started, use chkconfig --level 35 portmap off to set it not to start at boot (3 and 5 are the text interface and the graphical interface). Use /etc/init.d/portmap stop to shut the service down immediately.

Services that normally need to be started:
acpid - the newer power management module; it is generally recommended, but some notebook computers may not support this service, in which case it has to be shut down.
atd - manages the execution of single scheduled (at) commands; it should be started.
crond - the critical service that manages scheduled jobs; be sure to start it.
iptables - the firewall software built into Linux; it can also be started.
keytables - if your keyboard has a non-standard layout, starting this service may help you.
network - this is important: to use the network you need the network service.
sshd - started by default on the system; it lets you log in remotely in text form.
syslog - records the system log files; very important, be sure to start it.
xinetd - the superdaemon, so you want to start it.
xfs - the service that manages font data for X Window; start it if you need X Window.
Other service programs can be set to start when needed.
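The port lookup with netstat -tnlp and the boot-service check with chkconfig --list described in the two sections above, turned into a small audit script. This is an added example, not code from the original post; it parses the output of those commands from stdin, so it can be run against the constructed sample output embedded below as well as against the live commands. The function names and every sample line other than the cupsd line quoted in the post are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: audit listening ports and boot-time services from the
# output formats of netstat -tnlp and chkconfig --list. Function names and
# sample output are constructed for this demonstration; only the cupsd line
# comes from the post.

# Constructed netstat -tnlp output (header lines included, as the real command prints them).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1171/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2231/xinetd'

# Constructed chkconfig --list output, including the xinetd-based section.
SAMPLE_CHKCONFIG='portmap        0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet:         on'

# port_owner PORT: print the PID/program listening on PORT (netstat lines on stdin).
port_owner() {
    awk -v port="$1" '$6 == "LISTEN" {
        n = split($4, a, ":")        # the port is the last field after ":" (also for :::22)
        if (a[n] == port) print $NF
    }'
}

# unexpected_listeners ALLOWED: print "port pid/program" for every listening
# socket whose port is not in the comma-separated ALLOWED list.
unexpected_listeners() {
    awk -v allow=",$1," '$6 == "LISTEN" {
        n = split($4, a, ":"); p = a[n]
        if (index(allow, "," p ",") == 0) print p, $NF
    }'
}

# boot_services RUNLEVEL: print the services that chkconfig starts at RUNLEVEL
# (only the standalone lines have the seven "N:on/off" columns).
boot_services() {
    awk -v lv="$1" 'NF >= 8 {
        for (i = 2; i <= NF; i++) if ($i == lv ":on") { print $1; break }
    }'
}

# Demonstration on the constructed samples.
echo "port 631 is opened by: $(printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 631)"
echo "listeners outside the allow list 22,631:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22,631
echo "services started at runlevel 3:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | boot_services 3
# On a live system feed the real commands instead, e.g.
#   netstat -tnlp | unexpected_listeners 22,631
#   chkconfig --list | boot_services "$(runlevel | cut -d' ' -f2)"
```

With an allow list of the ports you expect, unexpected_listeners makes a forgotten service such as the telnet server on port 23 stand out, and boot_services answers the portmap question from the post for every service at once; the stop and chkconfig --level commands from the post then apply to whatever the audit reports.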