Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".(Japanese Version)

Debian10.13 ; SSH , Firewall

1. SSH Service Security Settings

The SSH service allows the root user to log in by default, and since the root user already knows the user name and can log in to the server with administrative privileges once the password is known, we will deny this setting.

1.1 Creating a General User

If you have created a general user when installing Debian, this procedure is not necessary.
If you have already created a user at the time of OS installation, this procedure is not necessary. If you have already created a user during the OS installation, this procedure is not necessary.
Users can be created with the "useradd" command. The "-m" option creates a home directory and the "-p" option specifies the password.
For example, to set "debianuser" as the user account name and "123456" as the password, execute the following

1.2 SSH service configuration file changes

Modify the configuration file to change the SSH service settings, which is located in "/etc/ssh/sshd_config".
This time, we will proceed by changing the default SSH port from 22 to 2244.

#Add ssh connection port 2244 on line 14
# port 22
Port 2244

#Line 16
#ListenAddress 0.0.0.0 Uncomment

#Change the "PermitRootLogin prohibit-password" parameter, which is found near line 33.
The parameter "inhibit-password" implies that password authentication is disabled for root.
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓ Uncomment
PermitRootLogin prohibit-password

Restart SSH service

2. Firewall Settings

Since Debian often uses software called "ufw" to configure the firewall, we will configure the firewall settings using ufw.
Since ufw is not installed when the OS is installed, install the ufw package before configuring the settings. The following is a procedure to configure minimal filter settings after installation.
Filter rules to be set in ufw
• All packets forwarded to the server are rejected
• All packets sent from the server to the outside are allowed
• The first port to allow is the port for SSH
• Limit packets coming into the server

2.1 Installing the ufw package

Confirmation after installation of ufw package

The installed "ufw package" is now displayed
Run the "systemctl status" command to check the status of ufw

It can be confirmed that the ufw service is stopped by displaying "Active: inactive (dead)".

Enable ufw.

You can see that ufw is running(active (exited))

2.2 Basic firewall rule configuration

When ufw is enabled, default firewall rules are applied. If enabled as is, communication with the server may not be possible, so basic rules should be set before enabling ufw.

2.2.1 Incoming packets Default rule settings

First, set the rules for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" to basically deny all incoming packets.

2.2.2 Outgoing packets Default rule settings

The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.

2.3 SSH Port Permissions

Enable automatic startup of ufw. but set SSH connection permissions first, as you may not be able to connect SSH remotely. The default SSH port is 22. Set permissions with the following command

If you have set your own 2244 port (e.g.)

2.4 Confirmation of ufw settings

Check the rules configured in the firewall after enabling." ufw status verbose".

2.5 Permission to limit packets coming into the server

If you want to "allow communication coming to port number ◯◯" in ufw settings, use the following command
# ufw allow [port number]
On the other hand, if you want to "disallow communication coming to port number ◯◯", use the following command
# ufw deny port number]

2.5.1 Do not allow connections from IP addresses that access continuously

They will try to gain access to port 2244 by typing in the appropriate password and attempting to match it by chance so that they can log in. This is also called a brute force attack.
As a countermeasure for this, set "Do not allow connections from IP addresses that access continuously". Type the following command

This will set the "do not allow IP addresses with more than 6 connection attempts in a 30 second period" rule.
Check the settings.

2.5.2 Only allow ssh connections from specific networks

Even with the above settings, the ssh port is open to the external Internet, so even if you set a limit on the number of connections, the password could be guessed in some way and a connection could be made, or a vulnerability could be exploited to gain access.
Therefore, you should only allow ssh connections to the network from the inside, and set all external ssh connections to be disallowed.
There is a host in the local area network with an IP address of "192.168.11.10". Allow ssh connections only from this host.Or to allow ssh connections only from this network (192.168.11.0/24), type the following command。

Check the settings

Delete the rule with LIMIT. View the rule number and confirm the setting.

Delete rule 1 by specifying its number.

2.5.3 Permission for web and other services

You can also specify a port number to allow connections, or specify an application.
You can see a list of applications with the following command.

For example, to enable http and https for web services

2.5.4 Disable ipv6 ufw

Restart the firewall after all work

Copied title and URL