RockyLinux10.2 : SSH、Firewalld、NTP Server

Contents

1.SSH remote connection

SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.

1.1 SSH service configuration file changes

To change the SSH service settings, modify the configuration file.
The SSH service configuration file is located at "/etc/ssh/sshd_config".

# vi /etc/ssh/sshd_config

Line 21 "Port 22" This time change to "Port 2244" and proceed
Port 2244

Delete "#" from line 23 "#ListenAddress 0.0.0.0".
ListenAddress 0.0.0.0

Line 40, "#PermitRootLogin prohibit-password", delete "#".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.
PermitRootLogin prohibit-password

Restart SSH

# systemctl restart sshd.service

If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.。

2.How to set up a firewall (firewalld)

In RockyLinux, the firewall is set to firewalld by default and is enabled during OS installation.

2.1 How to use the "firewall-cmd" command to control "firewalld"

1)Commands for checking the status and settings of "fierwalld"
①Check firewalld operation status
If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed

# firewall-cmd --state
running

➁Display default zone settings

# firewall-cmd --list-all

public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The above example shows that services such as "cockpit," "dhcpv6-client," and "ssh" are permitted.

③About the "--permanent" Option
To prevent settings from being lost after a server restart or a restart of the "firewalld" service,
you must use the "--permanent" option when configuring settings. Note that when using the "--permanent" option, the settings will not be reflected in "firewalld" immediately. You must run "firewall-cmd --reload" to apply the changes.
For example, to ensure an HTTP service remains available permanently without being reset upon system restart,

# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

④How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.

Start firewalld
# systemctl start firewalld

Stop firewalld
# systemctl stop firewalld

2.2 Allow modified SSH port 2244

# firewall-cmd --add-port=2244/tcp --permanent
success
# firewall-cmd --reload
success

# firewall-cmd --list-all
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 2244/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

2244 ports have been added

3.Remote connection from Windows

How to connect using Tabby Terminal
Specify the SSH port number changed with the" -p 2244" option.

C:\Users\xxxxx>ssh huong@192.168.11.83 -p 2244
huong@192.168.11.83's password: 
Web console: https://localhost:9090/ or https://192.168.11.45:9090/

Last login: Tue Jun  2 10:02:48 2026 from 192.168.11.6

4.NTP Server

Build an NTP server to synchronize the server time with Japan Standard Time

①Chrony Installation and Configuration

# dnf -y install chrony

# vi /etc/chrony.conf

Line 3　: Comment out and add under it
#pool 2.rocky.pool.ntp.org iburst
pool ntp.nict.jp iburst

②Restart chrony and enable chrony after system reboot

# systemctl enable chronyd.service
# systemctl restart chronyd.service

③NTP port allowed in firewall

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

④Check chronyd status (behavior)

# chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp-k1.nict.jp                1   6    17    56    -98us[  -98us] +/- 3821us
^* ntp-a2.nict.go.jp             1   6    17    56    -58us[ +307us] +/- 6157us
^- ntp-b3.nict.go.jp             1   6    17    56   +941us[ +941us] +/- 6065us
^- ntp-b2.nict.go.jp             1   6    17    56   +268us[ +268us] +/- 6158us

If it is marked with *, it has been synchronized.

Go to top