AlmaLinux10.1 : SSH、Firewalld、NTP Server

Contents

1.SSH remote connection
- 1.1 SSH service configuration file changes
2.How to set up a firewall (firewalld)
- 2.1 How to use the "firewall-cmd" command to control "firewalld"
- 2.2 Allow modified SSH port 2244
3.Remote connection from Windows
4.NTP Server

1.SSH remote connection

SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.

1.1 SSH service configuration file changes

To change the SSH service settings, modify the configuration file.
The SSH service configuration file is located at "/etc/ssh/sshd_config".

# vi /etc/ssh/sshd_config

1	# vi /etc/ssh/sshd_config

  1 #       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
  2
  3 # This is the sshd server system-wide configuration file.  See
  4 # sshd_config(5) for more information.
  5
  6 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/    usr/sbin
  7
  8 # The strategy used for options in the default sshd_config shipped with
  9 # OpenSSH is to specify options with their default value where
 10 # possible, but leave them commented.  Uncommented options override the
 11 # default value.
 12
 13 # To modify the system-wide sshd configuration, create a  *.conf  file under
 14 #  /etc/ssh/sshd_config.d/  which will be automatically included below
 15 Include /etc/ssh/sshd_config.d/*.conf
 16
 17 # If you want to change the port on a SELinux system, you have to tell
 18 # SELinux about this change.
 19 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 20 #
 21 Port 2244
 22 #AddressFamily any
 23 ListenAddress 0.0.0.0
 24 #ListenAddress ::
 25
 26 #HostKey /etc/ssh/ssh_host_rsa_key
 27 #HostKey /etc/ssh/ssh_host_ecdsa_key
 28 #HostKey /etc/ssh/ssh_host_ed25519_key
 29
 30 # Ciphers and keying
 31 #RekeyLimit default none
 32
 33 # Logging
 34 #SyslogFacility AUTH
 35 #LogLevel INFO
 36
 37 # Authentication:
 38
 39 #LoginGraceTime 2m
 40 PermitRootLogin prohibit-password
 41 #StrictModes yes
 42 #MaxAuthTries 6
 43 #MaxSessions 10

1 # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

3 # This is the sshd server system-wide configuration file. See

4 # sshd_config(5) for more information.

6 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/ usr/sbin

8 # The strategy used for options in the default sshd_config shipped with

9 # OpenSSH is to specify options with their default value where

10 # possible, but leave them commented. Uncommented options override the

11 # default value.

13 # To modify the system-wide sshd configuration, create a *.conf file under

14 # /etc/ssh/sshd_config.d/ which will be automatically included below

15 Include /etc/ssh/sshd_config.d/*.conf

17 # If you want to change the port on a SELinux system, you have to tell

18 # SELinux about this change.

19 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

20 #

21 Port 2244

22 #AddressFamily any

23 ListenAddress 0.0.0.0

24 #ListenAddress ::

26 #HostKey /etc/ssh/ssh_host_rsa_key

27 #HostKey /etc/ssh/ssh_host_ecdsa_key

28 #HostKey /etc/ssh/ssh_host_ed25519_key

30 # Ciphers and keying

31 #RekeyLimit default none

33 # Logging

34 #SyslogFacility AUTH

35 #LogLevel INFO

37 # Authentication:

39 #LoginGraceTime 2m

40 PermitRootLogin prohibit-password

41 #StrictModes yes

42 #MaxAuthTries 6

43 #MaxSessions 10

Line 21 "Port 22" This time change to "Port 2244" and proceed
Delete "#" from line 23 "#ListenAddress 0.0.0.0".
Line 40, "#PermitRootLogin prohibit-password", delete "#".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.

Restart SSH

# systemctl restart sshd.service

1	# systemctl restart sshd.service

If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.

2.How to set up a firewall (firewalld)

In AlmaLinux, the firewall is set to firewalld by default and is enabled during OS installation.

2.1 How to use the "firewall-cmd" command to control "firewalld"

1)How to use the "firewall-cmd" command to control "firewalld"

①Check firewalld operation status
If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed

# firewall-cmd --state
running

1 2	# firewall-cmd --state running

or
Active: active (running) is displayed

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-11-25 14:48:10 JST; 1h 9min ago
 Invocation: d743725f85714620b43c18114555fdad
       Docs: man:firewalld(1)
   Main PID: 1081 (firewalld)
      Tasks: 2 (limit: 16792)
     Memory: 46.3M (peak: 67.5M)
        CPU: 683ms
     CGroup: /system.slice/firewalld.service
             └─1081 /usr/bin/python3 -sP /usr/sbin/firewalld --nofork --nopid

Nov 25 14:48:09 localhost systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Nov 25 14:48:10 localhost systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.

# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)

Active: active (running) since Tue 2025-11-25 14:48:10 JST; 1h 9min ago

Invocation: d743725f85714620b43c18114555fdad

Docs: man:firewalld(1)

Main PID: 1081 (firewalld)

Tasks: 2 (limit: 16792)

Memory: 46.3M (peak: 67.5M)

CPU: 683ms

CGroup: /system.slice/firewalld.service

└─1081 /usr/bin/python3 -sP /usr/sbin/firewalld --nofork --nopid

Nov 25 14:48:09 localhost systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...

Nov 25 14:48:10 localhost systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.

➁About the "--permanent" option
To prevent the settings from disappearing when the server is restarted or the "firewalld" service is restarted, the
The "--permanent" option must be used to configure the settings.
If the "--permanent" option is specified, the setting is not reflected in "firewalld" as it is, so it is necessary to use "fiewall-cmd --reload" to reflect the setting.

To use the HTTP service permanently without initialization even if the system is rebooted

# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

1 2	# firewall-cmd --add-service=http --permanent # firewall-cmd --reload

➂How to start/stop

Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.

Start firewalld
# systemctl start firewalld
 
Stop firewalld
# systemctl stop firewalld

Start firewalld

# systemctl start firewalld

Stop firewalld

# systemctl stop firewalld

2.2 Allow modified SSH port 2244

# firewall-cmd --add-port=2244/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 2244/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --add-port=2244/tcp --permanent

# firewall-cmd --reload

# firewall-cmd --list-all

public (default, active)

target: default

ingress-priority: 0

egress-priority: 0

icmp-block-inversion: no

interfaces: ens160

sources:

services: cockpit dhcpv6-client ssh

ports: 2244/tcp

protocols:

forward: yes

masquerade: no

forward-ports:

source-ports:

icmp-blocks:

rich rules:

2244 ports have been added

3.Remote connection from Windows

How to connect using Tabby Terminal
Specify the SSH port number changed with the" -p 2244" option.

C:\Users\xxxxx>ssh huong@192.168.11.83 -p 2244

huong@192.168.11.83's password:
Web console: https://localhost:9090/ or https://192.168.11.83:9090/

Last login: Tue Nov 25 14:58:04 2025 from 192.168.11.6
huong@Lepard:~$

4.NTP Server

Build an NTP server to synchronize the server time with Japan Standard Time

①Chrony Installation and Configuration

# dnf -y install chrony

1	# dnf -y install chrony

# vi /etc/chrony.conf
Line 3　: Comment out and add under it
#pool 2.almalinux.pool.ntp.org iburst
pool ntp.nict.jp iburst

# vi /etc/chrony.conf

Line 3　: Comment out and add under it

#pool 2.almalinux.pool.ntp.org iburst

pool ntp.nict.jp iburst

➁Restart chrony and enable chrony after system reboot

# systemctl enable chronyd.service
# systemctl restart chronyd.service

1 2	# systemctl enable chronyd.service # systemctl restart chronyd.service

③NTP port allowed in firewall

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

1 2	# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload

④Check chronyd status (behavior)

# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp-a3.nict.go.jp             1   6    17    26   -142us[ -142us] +/- 5781us
^- ntp-k1.nict.jp                1   6    17    26   -201us[ -201us] +/- 3087us
^- ntp-b2.nict.go.jp             1   6    17    26  -1626us[-1626us] +/- 7216us
^* ntp-a2.nict.go.jp             1   6    17    27    +63us[+1222us] +/- 5540us

# chronyc sources

MS Name/IP address Stratum Poll Reach LastRx Last sample