Contents
1.Setting up remote connection via SSH
SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.
1 |
# vi /etc/ssh/sshd_config |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # To modify the system-wide sshd configuration, create a *.conf file under # /etc/ssh/sshd_config.d/ which will be automatically included below Include /etc/ssh/sshd_config.d/*.conf # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 |
Line 21 "Port 22" changed to "Port 2244" this time
Delete the "#" in line 24 "#ListenAddress 0.0.0.0
Line 41, "#PermitRootLogin prohibit-password", delete "#".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.
SSH restart
1 |
# systemctl restart sshd.service |
If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.
2.Firewall (firewalld) settings
On CentOS9 ST, the firewall is set to firewalld by default and is enabled during OS installation.
To briefly explain "firewalld," when setting communication control policies, communication permission/blocking rules are applied to predefined zones, and these zones are then assigned to each NIC (network adapter).
2.1 How to use the "firewall-cmd" command to control "firewalld"
1)Command to check the status and settings of "firewalld
①Check firewalld operation status
1 2 3 |
# firewall-cmd --state running If "firewalld" is running, the message "running" will be displayed; if it is not running, the message "not running" will be displayed. |
OR
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset> Active: active (running) since Tue 2023-02-21 14:24:05 JST; 2h 38min ago Docs: man:firewalld(1) Main PID: 869 (firewalld) Tasks: 3 (limit: 10936) Memory: 41.7M CPU: 1.060s CGroup: /system.slice/firewalld.service mq869 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid Feb 21 14:24:05 localhost systemd[1]: Starting firewalld - dynamic firewall dae> Feb 21 14:24:05 localhost systemd[1]: Started firewalld - dynamic firewall daem> |
Active: active (running)と表示されています
➁View default zone settings
1 |
# firewall-cmd --list-all |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
In the above example, we can see that the services "cockpit", "dhcpv6-client", "ssh" are allowed, etc.
③About the "--permanent" option
To prevent the settings from disappearing when the server is restarted or the "firewalld" service is restarted, the "--permanent" option must be used to configure the settings. If the "--permanent" option is specified, the settings will not be reflected in "firewalld" as is, so it is necessary to reflect the settings using "fiewall-cmd --reload".
As an example, to use the HTTP service permanently without initialization even if the system is rebooted
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
④How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.
1 2 3 4 |
Start firewalld # systemctl start firewalld Stop firewalld # systemctl stop firewalld |
2.2 Release modified SSH port 2244
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload # firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client http ssh ports: 2244/tcp protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
2244 ports have been added
3.Remote connection from Windows
Configuration in Windows
The terminal emulator is "Tera Term".
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter your own settings in the "Server IP Address" and "TCP Port Number" fields. Finally, click "OK.
After clicking "OK," click "Continue" on the security confirmation screen.
Enter "User name" and "Passphrase" and click "OK
If the information is correct, you should be able to log in successfully.
4.NTP Server Settings
Build an NTP server to synchronize the server time with Japan Standard Time
①Chrony Installation and Configuration
1 |
# dnf -y install chrony |
Change time synchronization server
1 2 3 4 |
# vi /etc/chrony.conf Line 3: Comment out and add under it #pool 2.centos.pool.ntp.org iburst pool ntp.nict.jp iburst |
②Restart chrony and enable chrony after system reboot
1 2 |
# systemctl enable chronyd.service # systemctl restart chronyd.service |
③NTP port release in firewall
1 2 |
# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload |
④Check chronyd status (behavior)
1 2 3 4 5 6 7 8 |
# chronyc sources MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^+ ntp-b2.nict.go.jp 1 6 377 3 -797us[ -938us] +/- 7344us ^* ntp-k1.nict.jp 1 6 377 1 -123us[ -264us] +/- 3424us ^+ ntp-b3.nict.go.jp 1 6 377 63 +187us[ +69us] +/- 6099us ^+ ntp-a2.nict.go.jp 1 6 377 1 -817us[ -958us] +/- 7079us |
If it is marked with *, it has been synchronized.