Contents
1.SSH remote connection
SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.
1.1 SSH service configuration file changes
To change the SSH service settings, modify the configuration file.
The SSH service configuration file is located at "/etc/ssh/sshd_config".
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # To modify the system-wide sshd configuration, create a *.conf file under # /etc/ssh/sshd_config.d/ which will be automatically included below Include /etc/ssh/sshd_config.d/*.conf # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 |
Line 21 "Port 22" This time change to "Port 2244" and proceed
Delete "#" from line 23 "#ListenAddress 0.0.0.0".
Line 40, "#PermitRootLogin prohibit-password", delete "#".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.
Restart SSH
|
1 |
# systemctl restart sshd.service |
If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.。
2.How to set up a firewall (firewalld)
In RockyLinux, the firewall is set to firewalld by default and is enabled during OS installation.
2.1 How to use the "firewall-cmd" command to control "firewalld"
1)How to use the "firewall-cmd" command to control "firewalld"
①Check firewalld operation status
If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed
|
1 2 |
# firewall-cmd --state running |
or
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled) Active: active (running) since Sat 2025-11-29 09:56:25 JST; 32min ago Invocation: 92c167eb1c624770a9722dac37b96589 Docs: man:firewalld(1) Main PID: 1148 (firewalld) Tasks: 2 (limit: 16805) Memory: 46.7M (peak: 67.6M) CPU: 706ms CGroup: /system.slice/firewalld.service └─1148 /usr/bin/python3 -sP /usr/sbin/firewalld --nofork --nopid Nov 29 09:56:24 localhost systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon... Nov 29 09:56:25 localhost systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon. |
➁Display default zone settings
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# firewall-cmd --list-all public (default, active) target: default ingress-priority: 0 egress-priority: 0 icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
The above example shows that services such as "cockpit," "dhcpv6-client," and "ssh" are permitted.
③About the "--permanent" Option
To prevent settings from being lost after a server restart or a restart of the "firewalld" service,
you must use the "--permanent" option when configuring settings. Note that when using the "--permanent" option, the settings will not be reflected in "firewalld" immediately. You must run "firewall-cmd --reload" to apply the changes.
For example, to ensure an HTTP service remains available permanently without being reset upon system restart,
|
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
④How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.
|
1 2 3 4 5 |
Start firewalld # systemctl start firewalld Stop firewalld # systemctl stop firewalld |
2.2 Allow modified SSH port 2244
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# firewall-cmd --add-port=2244/tcp --permanent success # firewall-cmd --reload success # firewall-cmd --list-all public (default, active) target: default ingress-priority: 0 egress-priority: 0 icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: 2244/tcp protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
2244 ports have been added
3.Remote connection from Windows
How to connect using Tabby Terminal
Specify the SSH port number changed with the" -p 2244" option.
C:\Users\xxxxx>ssh huong@192.168.11.83 -p 2244
huong@192.168.11.83's password:
Web console: https://Lepard:9090/ or https://192.168.11.83:9090/
Last login: Sat Nov 29 12:38:24 2025 from 192.168.11.6
huong@Lepard:~$
4.NTP Server
Build an NTP server to synchronize the server time with Japan Standard Time
①Chrony Installation and Configuration
|
1 |
# dnf -y install chrony |
|
1 2 3 4 |
# vi /etc/chrony.conf Line 3 : Comment out and add under it #pool 2.almalinux.pool.ntp.org iburst pool ntp.nict.jp iburst |
②Restart chrony and enable chrony after system reboot
|
1 2 |
# systemctl enable chronyd.service # systemctl restart chronyd.service |
③NTP port allowed in firewall
|
1 2 |
# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload |
④Check chronyd status (behavior)
|
1 2 3 4 5 6 7 |
# chronyc sources MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* ntp-b3.nict.go.jp 1 6 17 23 +664us[ -266us] +/- 5902us ^+ ntp-k1.nict.jp 1 6 17 24 -785us[-1716us] +/- 4741us ^+ ntp-b2.nict.go.jp 1 6 17 23 +1003us[ +72us] +/- 5746us ^+ ntp-a3.nict.go.jp 1 6 17 23 -526us[-1457us] +/- 6987us |
If it is marked with *, it has been synchronized.
