Contents
1.Remote connection by SSH
SSH is a service for connecting remotely to a server, basically running immediately after OS installation, but the default settings are somewhat insecure.
Configure the default settings to increase the security of ssh connections.
1.1 SSH service configuration file changes
The SSH service configuration file is "/etc/ssh/sshd_config".
Open the configuration file in a vi editor.
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
#Port 22 Port 2244 ←Port change #AddressFamily any ListenAddress 0.0.0.0 ←Uncomment #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin prohibit-password ←Uncomment |
sshd.service restart
|
1 |
# systemctl restart sshd.service |
If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.
2.How to set up a firewall (firewalld)
In Fedora, firewalld is set as the default and is enabled during OS installation.
1)How to use the "firewall-cmd" command to control "firewalld
①Command to check the status and settings of "firewalld
|
1 2 3 |
# firewall-cmd --state running If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed. |
➁View default zone settings
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# firewall-cmd --list-all FedoraServer (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ntp ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
In the above example, we can see that the services "cockpit", "dhcpv6-client", "ntp", "ssh" are allowed, etc.
③About the "--permanent" option
To prevent the settings from disappearing when the server is restarted or the "firewalld" service is restarted, the
The "--permanent" option must be used to configure the settings.
If the "--permanent" option is specified, it is necessary to use "fiewall-cmd --reload" to reflect the settings, as they are not reflected in "firewalld" as they are.
Permanent use of HTTP service without initialization after system reboot
|
1 2 3 4 |
# firewall-cmd --add-service=http --permanent success # firewall-cmd --reload success |
④How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.
|
1 2 3 4 |
Start firewalld # systemctl start firewalld Stop firewalld # systemctl stop firewalld |
2.2 Release modified SSH port 2244
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload # firewall-cmd --list-all FedoraServer (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client http ntp ssh ports: 2244/tcp protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
2244 ports have been added
3.Remote connection from Windows
Settings Windows
The terminal emulator is "Tera Term".
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter your own settings in the "Server IP address" and "TCP port number" fields.
Finally, click "OK
After clicking "OK," click "Continue" on the security confirmation screen.
Enter "User name" "Passphrasee" and click "OK".
If the information is correct, you should be able to log in normally as shown below.