Contents
1.Setting up a remote connection via SSH
SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.
1.1 SSH service configuration file changes
Modify the configuration file to change the SSH service settings.
The SSH service configuration file is "/etc/ssh/sshd_config".
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes |
Line 17 "Port 22" This time change to "Port 2244" and proceed
Delete "#" from line 19 "#ListenAddress 0.0.0.0".
Line 43, "#PermitRootLogin yes" and change it to "PermitRootLogin no".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.
SSH restart
|
1 |
# systemctl restart sshd.service |
If this is not done, the next time you reboot, you will not be able to connect remotely via SSH. Please free SSH port 2244 in the following firewall settings.
2.How to set up a firewall (firewalld)
In MiracleLinux, the firewall is set to firewalld by default and is enabled during OS installation.
2.1 「How to use the "firewall-cmd" command to control "firewalld"
1)Command to check the status and settings of "firewalld
①Check firewalld operation status
|
1 |
# firewall-cmd --state |
「If "firewalld" is running, "running" is displayed; if it is stopped, "not running" is displayed.
OR
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2023-10-12 15:22:11 JST; 1h 34min ago Docs: man:firewalld(1) Main PID: 31519 (firewalld) Tasks: 3 (limit: 10933) Memory: 28.8M CGroup: /system.slice/firewalld.service mq31519 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid Oct 12 15:22:11 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... Oct 12 15:22:11 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon. |
※If the firewalld is stopped, the message "Active: inactive (dead)" is displayed.
➁View default zone settings
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
In the above example, the services "cockpit", "dhcpv6-client" and "ssh" are allowed.
③About the "--permanent" option
To prevent the settings from disappearing when the server is restarted or the "firewalld" service is restarted, the
The "--permanent" option must be used to configure the settings.
If the "--permanent" option is specified, the setting is not reflected in "firewalld" as it is, so it is necessary to use "fiewall-cmd --reload" to reflect the setting.
To use the HTTP service permanently without initialization even if the system is rebooted
|
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
④How to start/stop
Since "firewalld" is controlled by "systemd", use the "systemctl" command to start and stop it.
|
1 2 3 4 5 |
Start firewalld # systemctl start firewalld Stop firewalld # systemctl stop firewalld |
2.2 Allow modified SSH port 2244
|
1 2 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload |
3.Remote connection from Windows
Setup in Windows
Start setting up a remote connection from Windows, using "Tera Term" as the terminal emulator.
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter your own settings in the "Server IP address" and "TCP port number" fields. Finally, click "OK.
After clicking "OK," click "Continue" on the security confirmation screen.
Enter "User name" Passphrase" and click "OK".
If the information is correct, you should be able to log in successfully.
4.Synchronize server time with Japan Standard Time
①Change the configuration file as follows
|
1 2 3 4 5 6 7 8 |
# vi /etc/chrony.conf Per Line 2 server ntp.miraclelinux.net iburst Change as follows server ntp.nict.jp server ntp1.jst.mfeed.ad.jp server ntp2.jst.mfeed.ad.jp |
②Restart chrony and enable chrony after system reboot
|
1 2 |
# systemctl enable chronyd.service # systemctl restart chronyd.service |
③NTP port allowed in firewall
|
1 2 |
# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload |
④Check chronyd status (behavior)
|
1 |
# chronyc sources |
Display as follows
|
1 2 3 4 |
MS Name/IP address Stratum Poll Reach LastRx Last sample =========================================== ^+ ntp1.jst.mfeed.ad.jp 2 9 377 125 -462us[ -462us] +/- 93ms ^* ntp2.jst.mfeed.ad.jp 2 10 377 1019 +140us[ +265us] +/- 97ms |
If it is marked with *, it has been synchronized. (It takes about 10 minutes to synchronize after startup.)