Bazat e SSH-së

Fillestar 13 min Siguria e Rrjetit

Hyrje

SSH (Secure Shell) is the standard protocol for secure remote login and command execution on Unix-like systems.

Teoria

SSH provides a single encrypted channel that carries terminal sessions, file transfers (SCP, SFTP) and port forwards. Each server has a long-lived host key (typically Ed25519 or RSA) that the client verifies against its known_hosts file on first connect. After the host key check, the client authenticates itself using either a password or — strongly recommended — a public key stored in the server's authorized_keys file. Public-key authentication has two major advantages over passwords: it is immune to credential-stuffing and brute-force attacks, and it integrates cleanly with SSH agents, hardware tokens and certificate authorities. The best practice in 2024 is to generate an Ed25519 keypair (ssh-keygen -t ed25519), keep the private key on a YubiKey or in ssh-agent with a passphrase, and disable password authentication server-side via PasswordAuthentication no in sshd_config. Advanced SSH features include ProxyJump for multi-hop bastion workflows, ControlMaster for connection reuse, and SSH certificates (signed by a CA) for managing access to fleets of servers without copying keys to each machine. Learning the full power of SSH is one of the highest-leverage skills in cybersecurity.

Mjetet

Mjetet kryesore:

  • openssh-client, openssh-server — implementimi standard.
  • ssh-keygen, ssh-copy-id, ssh-agent.
  • Fail2ban — bllokon IP-të që provojnë brute-force.
  • Teleport, Boundary — zero-trust SSH proxy.

Praktika

Konfigurim i sigurt i serverit SSH në /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers edon admin
Protocol 2
ClientAliveInterval 300
MaxAuthTries 3

Gjenerim i çelësit ed25519 dhe kopjim:

ssh-keygen -t ed25519 -a 100 -C "edon@lab"
ssh-copy-id -i ~/.ssh/id_ed25519.pub edon@10.0.0.5

Ushtrime

  1. Çaktivizo plotësisht password authentication dhe verifiko se kyçja me çelës funksionon.
  2. Konfiguro Fail2ban për të bllokuar IP pas 3 provash të dështuara.

Burime

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re