Contents
1. Setting up SSH remote connection
SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.
1.1 SSH service configuration file changes
Modify the configuration file to change the SSH service settings.
The SSH service configuration file is "/etc/ssh/sshd_config".
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # This system is following system-wide crypto policy. The changes to # crypto properties (Ciphers, MACs, ...) will not have any effect here. # They will be overridden by command-line options passed to the server # on command line. # Please, check manual pages for update-crypto-policies(8) and sshd_config(5). # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys |
Delete the "#" in line 20 "#ListenAddress 0.0.0.0
Change "PermitRootLogin yes" to "PermitRootLogin no" on line 44.
Since the root user already knows the user name and can log in to the server with administrator privileges once the password is known, the setting is set to deny this.
SSH Restart
|
1 |
# systemctl restart sshd.service |
2. How to set up a firewall (firewalld)
In AlmaLinux, the firewall is set to firewalld by default and is enabled during OS installation.
Briefly explaining "firewalld," when setting communication control policies, the method is to apply communication permission/blocking rules to predefined zones, and then assign those zones to each NIC (network adapter).
2.1 How to use the "firewall-cmd" command to control "firewalld
1)Command to check the status and settings of "firewalld"
① Check firewalld operation status
|
1 2 3 |
# firewall-cmd --state running If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed. |
OR
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2022-06-07 22:09:30 JST; 4min 27s ago Docs: man:firewalld(1) Main PID: 993 (firewalld) Tasks: 2 (limit: 11170) Memory: 34.1M CGroup: /system.slice/firewalld.service mq993 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid ※When the firewall is stopped Active: inactive (dead)" is displayed, indicating that the firewall is stopped. |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
③ About the "--permanent" option
To prevent the settings from disappearing when the server is restarted or the "firewalld" service is restarted, you must use the "--permanent" option.
The "--permanent" option must be used to configure the settings.
If the "--permanent" option is specified, the setting is not reflected in "firewalld" as it is, so it is necessary to reflect the setting by "fiewall-cmd --reload".
As an example, to use the HTTP service permanently without initialization even if the system is rebooted
|
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
④ How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.
|
1 2 3 4 |
Start firewalld # systemctl start firewalld Stopping firewalld # systemctl stop firewalld |
2.2 Release modified SSH port 2244
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload # firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: 2244/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
2244/tcp ports have been added
3. Remote connection from Windows
Configuration in Windows
The terminal emulator is "Tera Term".
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter the server IP address in "Host" and the SSH port number in "TCP port#". Finally, click "OK.
After clicking "OK," click "Continue" on the security confirmation screen.
Enter a general user name in "User name" and a general user password in "Passphrasee", then click "OK".
If the information is correct, you should be able to log in normally as shown below.
4. NTP Server Settings
Synchronize server time with Japan Standard Time
① Chrony Installation and Configuration
|
1 |
# dnf -y install chrony |
|
1 2 3 4 |
# vi /etc/chrony.conf #Line 2 : comment out and add under it #pool 2.cloudlinux.pool.ntp.org iburst pool ntp.nict.jp iburst |
|
1 2 |
# systemctl enable chronyd.service # systemctl restart chronyd.service |
|
1 2 |
# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload |
|
1 2 3 4 5 6 7 |
# chronyc sources MS Name/IP address Stratum Poll Reach LastRx Last sample ============================================================== ^+ ntp-b2.nict.go.jp 1 6 77 27 -50us[ -342us] +/- 5432us ^+ ntp-b3.nict.go.jp 1 6 77 26 +103us[ +103us] +/- 5681us ^* ntp-k1.nict.jp 1 6 77 26 -250us[ -544us] +/- 3445us ^+ ntp-a2.nict.go.jp 1 6 77 27 -211us[ -503us] +/- 5513us |
If it is marked with "^*", it has been synchronized.