Contents
1. SSH Service Security Settings
Change the configuration file for the SSH service, which is "/etc/ssh/sshd_config".
In this case, we will change the default SSH port 22 to 2244.
Change /etc/ssh/sshd_config as follows
■Add ssh connection port 2244 on line 14
#port 22
Port 2244
■Line 16 Uncomment
#ListenAddress 0.0.0.0
↓
ListenAddress 0.0.0.0
■Line 33 Uncomment
#PermitRootLogin prohibit-password
↓
PermitRootLogin prohibit-password
Restarting SSH service and setting up automatic startup
|
1 2 |
# systemctl restart sshd # systemctl enable sshd |
2. Firewall (ufw)
2.1 Install
|
1 2 3 4 5 |
# pacman -S ufw # systemctl status ufw ○ ufw.service - CLI Netfilter Manager Loaded: loaded (/usr/lib/systemd/system/ufw.service; disabled; preset: dis> Active: inactive (dead) |
You can confirm that the ufw service is stopped by displaying "Active: inactive (dead)"
2.2 Enable ufw
|
1 2 |
# systemctl enable ufw Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service → /usr/lib/systemd/system/ufw.service. |
|
1 2 3 |
# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup |
|
1 |
# systemctl start ufw |
2.3 Firewall rule settings
When ufw is enabled, default firewall rules are applied.
If you enable it as is, you may lose communication with the server, so set basic rules before enabling ufw.
Incoming packets Default rule settings
First, set the rules for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" to basically deny all incoming packets.
|
1 2 3 |
# ufw default deny incoming Default incoming policy changed to 'deny' (be sure to update your rules accordingly) |
Outgoing packets Default rule settings
The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.
|
1 2 3 |
# ufw default allow outgoing Default outgoing policy changed to 'allow' (be sure to update your rules accordingly) |
2.4 SSH Port Permissions
Enable automatic startup of ufw, but set the permission for SSH connection first, as it may prevent SSH remote connection. Set permission for SSH port 2244 changed above with the following command
|
1 2 |
# ufw allow 2244/tcp # ufw reload |
2.5 Confirmation of ufw settings
Check the rules configured in the firewall after enabling." ufw status verbose".
|
1 2 3 4 5 6 7 8 9 10 |
# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 2244/tcp ALLOW IN Anywhere 2244/tcp (v6) ALLOW IN Anywhere (v6) |
2.6 To disable ipv6
|
1 2 |
# vim /etc/default/ufw IPV6=yes → IPV6=no |
2.7 Restart ufw
|
1 |
# systemctl restart ufw |
3. SSH connection with authentication using public key cryptography
The method is the same as in other distributions, so we omit it.
Please refer to the following and others.
