
Debian 10: SSH service and firewall configuration

The following are the initial settings after installing Debian 10.

・Security settings for SSH service
・Configuring UFW as a firewall

1. Security settings for SSH service

The SSH service allows the root user to log in by default. Since the user name "root" is already known to everyone, anyone who obtains the root password can log in to the server with administrative privileges.

1.1 Creating a general user

If you created a general (non-root) user while installing Debian, this step is not necessary.
If root is the only user on the server, you will not be able to log in remotely via SSH once root login is restricted, so create a general user before going further.
To create a user, use the "useradd" command. The "-m" option creates the home directory, and the "-p" option specifies the password (note that useradd expects the value given to "-p" to be an already-hashed password, as returned by crypt(3), not plain text).
For example, to create the account "debianuser" with the password "123456", execute the command as follows.

1.2 Changing the SSH service configuration file

To change the SSH service configuration, edit the configuration file "/etc/ssh/sshd_config".

Change the "PermitRootLogin prohibit-password" line found near line 46 of the configuration file. The value "prohibit-password" means that password authentication is disabled for root (root login with an SSH key is still permitted).

[file contents]
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓ remove the leading #
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
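A check to run on the edited file, as an added example that is not part of the original page: sshd applies the first uncommented occurrence of a keyword, so a leftover "PermitRootLogin yes" higher up in the file would silently override the line edited above. The two config texts are constructed for the demonstration.

```shell
# Added example, not from the original page: reports the PermitRootLogin value
# sshd will actually apply for an sshd_config text read on stdin. sshd uses the
# FIRST uncommented occurrence of a keyword, so an earlier "PermitRootLogin yes"
# silently overrides the line edited in section 1.2. Only the global section
# (before any "Match" block) is considered. Both config texts are constructed.
effective_permit_root_login() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    tolower($1) == "match" { exit }              # Match blocks are conditional
    tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
    END { if (!found) print "prohibit-password" }  # OpenSSH default when unset
  '
}

# The file after the edit in section 1.2 (constructed excerpt).
GOOD_CONFIG='# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes'

# Same edit, but a leftover line further up still wins (constructed).
BAD_CONFIG='PermitRootLogin yes
# Authentication:
PermitRootLogin prohibit-password'

printf '%s\n' "$GOOD_CONFIG" | effective_permit_root_login   # prohibit-password
printf '%s\n' "$BAD_CONFIG"  | effective_permit_root_login   # yes
```

On a live server, "sshd -T | grep -i permitrootlogin" gives the same answer from the daemon itself.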

1.3 Restart the SSH service

With an SSH client, attempt a remote root login with a password and verify that the connection is rejected.

The server's authentication log, "/var/log/auth.log", also shows that the connection was rejected, as follows.

2. Firewall Settings

Since ufw is the usual tool for configuring the firewall on Debian, we will configure the firewall with ufw.
ufw is not installed by the OS installer, so install the ufw package before configuring it. After the installation, we show the procedure for a minimum set of filter rules.
Filter rules to be set with ufw:
- Deny all packets coming into the server by default
- Allow all packets sent from the server to the outside
- The first port to allow is the SSH port
- Restrict which packets may come into the server

2.1 Install the ufw package

2.2 Checking after installing the ufw package

Use the "dpkg" command to list the installed packages.

The ufw package you installed is now displayed.
Run "systemctl status" to check the status of the ufw service.

The message "Active: inactive (dead)" confirms that the ufw service is stopped.

2.3 Configuring basic firewall rules

When ufw is enabled, its default firewall rules are applied. If you enable it as is, you may lose the ability to communicate with the server, so set the basic rules before enabling ufw.

2.3.1 Setting the default rule for incoming packets

The first step is to set the rule for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" so that all incoming packets are denied by default.

2.3.2 Setting the default rule for outgoing packets

The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" so that outgoing packets are allowed by default.

2.4 Enable ufw

Enable ufw so that it starts automatically. Before doing so, allow the SSH connection, otherwise you may lose remote SSH access. The default SSH port is 22. Set the permission with the following command.

If you use your own port, for example 3000:

Execute the "ufw enable" command.

A confirmation prompt warns that the command may disrupt existing SSH connections. Since SSH is allowed by the rule, the session will not be disconnected, so enter "y".

2.5 Checking the ufw settings

Check the rules configured in the firewall after it is enabled. Execute "ufw status verbose".

2.6 Allowing and restricting packets coming into the server

To allow communication to port number ◯◯◯◯◯◯, use the following command:
# ufw allow [port number]
On the other hand, to deny communication coming to port number ◯◯◯◯, use the following command:
# ufw deny [port number]

2.6.1 Blocking IP addresses that connect repeatedly

Let's use SSH port 3000 as an example.
Assume SSH has been moved to port 3000 and connections to port 3000 are allowed.
If an attacker sends passwords to port 3000 over and over, he may eventually log in by hitting the right one by chance. This is called a brute force attack.
As a countermeasure, set the rule "do not allow connections from IP addresses that connect repeatedly". Type the following command.

This sets the rule "deny IP addresses that have attempted more than 6 connections in 30 seconds".

Check the settings. They are displayed as follows.

2.6.2 Allowing SSH connections only from specific networks

Even with the above settings, the SSH port is still open to the external Internet, so even with the connection limit the password could still be guessed in some way, or the connection could be made by exploiting a vulnerability.
For this reason, allow SSH connections only from the internal network and not from the outside.
As an example, suppose the local area network contains a host with the IP address "192.168.11.10". To allow SSH connections only from this host, or only from this network (192.168.11.0/24), type the following command.
Allow SSH connections from 192.168.11.0/24

Allow SSH connections from 192.168.11.10

Check the settings.
Result when SSH connections from 192.168.11.0/24 are allowed

Delete the rule with LIMIT. Display the rule numbers to confirm the setting.
Result when SSH connections from 192.168.11.0/24 are allowed

Delete rules 1 and 3 by specifying the number.
Result when SSH connections from 192.168.11.0/24 are allowed

Similarly, delete rule 3.
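The whole policy from sections 2.3 to 2.6.2 in one script, as an added example that is not part of the original page: it prints the ufw commands in the order that keeps the SSH session alive, and it finds the numbers of the rules that still expose the SSH port to "Anywhere" so they can be deleted in the right order. It assumes the page's values (SSH on port 3000, trusted LAN 192.168.11.0/24); the "ufw status numbered" listing is constructed.

```shell
# Added example, not part of the original page: prints the ufw commands for the
# policy in sections 2.3 to 2.6.2, then finds the rule numbers that still expose
# the SSH port to "Anywhere" so they can be deleted as section 2.6.2 does.
# Assumptions: SSH was moved to port 3000 and the trusted LAN is 192.168.11.0/24
# (both values from the page); adjust SSH_PORT and LAN for your own server.
SSH_PORT=3000
LAN=192.168.11.0/24

# The commands in the order the page recommends: defaults first, then the SSH
# rule (so the current session survives "ufw enable"), web ports, then enable.
ufw_plan() {
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow from $LAN to any port $SSH_PORT proto tcp" \
    "ufw allow 80/tcp" \
    "ufw allow 443/tcp" \
    "ufw enable"
}

# Reads "ufw status numbered" output on stdin and prints the numbers of rules
# that let Anywhere reach the SSH port, highest number first: ufw renumbers
# after every delete, so deleting from the top keeps the remaining numbers valid.
exposed_rule_numbers() {
  awk -v port="$SSH_PORT" '
    /^\[ *[0-9]+\]/ {
      match($0, /^\[ *[0-9]+\]/)
      num = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", num)
      rest = substr($0, RSTART + RLENGTH)
      split(rest, f)
      if (f[1] == port "/tcp" && rest ~ /Anywhere/) nums[++n] = num
    }
    END { for (i = n; i >= 1; i--) print nums[i] }'
}

# Constructed sample of "ufw status numbered" after both the LIMIT rule from
# section 2.6.1 and the LAN-only rule from section 2.6.2 have been added.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 3000/tcp                   LIMIT IN    Anywhere
[ 2] 3000/tcp                   ALLOW IN    192.168.11.0/24
[ 3] 3000/tcp (v6)              LIMIT IN    Anywhere (v6)
[ 4] 80/tcp                     ALLOW IN    Anywhere'

ufw_plan
printf '%s\n' "$SAMPLE_STATUS" | exposed_rule_numbers   # prints 3, then 1
```

Feed the real listing with "ufw status numbered | exposed_rule_numbers" and run "ufw delete N" for each number in the order printed.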

2.6.3 Allowing web and other services

You can allow connections by specifying a port number, or by specifying an application profile.
You can see the list of application profiles with the following command.

For example, to allow http and https for web services:

2.6.4 Disabling ufw for IPv6

Restart ufw after everything is done.