MiracleLinux9.4 ; SSH , Firewalld , NTP Server

Contents

1. Setting up SSH remote connection
- 1.1 Change the configuration file of SSH service.
2. How to set up a firewall (firewalld)
- 2.1 Command to check the status and settings of firewalld
- 2.2 Allow modified SSH port 2244
3. Connect remotely from Windows
4. NTP Server Settings

1. Setting up SSH remote connection

SSH is a service to connect to a server remotely, and is basically running right after the OS installation, but the default settings are somewhat insecure.
In this section, we will configure the settings to change the default settings and increase the security of the ssh connection.

1.1 Change the configuration file of SSH service.

The configuration file for the SSH service is "/etc/ssh/sshd_config". Open the configuration file with vi editor

# vi /etc/ssh/sshd_config

1	# vi /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
Port 2244
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options override the

# default value.

# To modify the system-wide sshd configuration, create a *.conf file under

# /etc/ssh/sshd_config.d/ which will be automatically included below

Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell

# SELinux about this change.

# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#Port 22

Port 2244

#AddressFamily any

ListenAddress 0.0.0.0

#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_ecdsa_key

#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying

#RekeyLimit default none

# Logging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin prohibit-password

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

Line 21 "Port 22" This time change to "Port 2244" and proceed
Delete the "#" in line 23 "#ListenAddress 0.0.0.0
Line 40, "#PermitRootLogin prohibit-password", delete "#".
The root user can log in to the server with administrator privileges if the user name is already known and the password is known, so the settings are set to deny this.

Restart SSH

# systemctl restart sshd.service

1	# systemctl restart sshd.service

If this is not done, you will not be able to connect remotely via SSH the next time you reboot, so please free SSH port 2244 in the following firewall settings.

2. How to set up a firewall (firewalld)

In MiracleLinux, the firewall is set to firewalld by default and is enabled during OS installation.

2.1 Command to check the status and settings of firewalld

Command to check the status and settings of firewalld

①Check firewalld operation status

# firewall-cmd --state

1	# firewall-cmd --state

If "firewalld" is running, "running" will be displayed; if it is not running, "not running" will be displayed.

# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-09-09 08:47:28 JST; 24min ago
       Docs: man:firewalld(1)
   Main PID: 828 (firewalld)
      Tasks: 2 (limit: 10886)
     Memory: 41.6M
        CPU: 532ms
     CGroup: /system.slice/firewalld.service
             mq828 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Sep 09 08:47:26 Lepard systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 09 08:47:28 Lepard systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)

Active: active (running) since Mon 2024-09-09 08:47:28 JST; 24min ago

Docs: man:firewalld(1)

Main PID: 828 (firewalld)

Tasks: 2 (limit: 10886)

Memory: 41.6M

CPU: 532ms

CGroup: /system.slice/firewalld.service

mq828 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Sep 09 08:47:26 Lepard systemd[1]: Starting firewalld - dynamic firewall daemon...

Sep 09 08:47:28 Lepard systemd[1]: Started firewalld - dynamic firewall daemon.

※If the system is stopped
Active:The message "inactive (dead)" is displayed, indicating that firewalld is stopped

➁Show default zone settings

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all

public (active)

target: default

icmp-block-inversion: no

interfaces: ens160

sources:

services: cockpit dhcpv6-client ssh

ports:

protocols:

forward: no

masquerade: no

forward-ports:

source-ports:

icmp-blocks:

rich rules:

In the above example, we can see that the services "cockpit", "dhcpv6-client", "ssh" are allowed, etc.

➂About the "--permanent" option
In order to prevent the settings from being lost when the server is restarted or the "firewalld" service is restarted, use the "--permanent" option.
If the "--permanent" option is specified, the configuration will not be reflected in "firewalld" as it is, so it is necessary to reflect the configuration using "fiewall-cmd --reload".

As an example, to use the HTTP service permanently without being initialized even if the system is rebooted

# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

1 2	# firewall-cmd --add-service=http --permanent # firewall-cmd --reload

④How to start and stop
Since firewalld is controlled by systemd, use the systemctl command to start and stop it.

Start firewalld
# systemctl start firewalld

Stop firewalld
# systemctl stop firewalld

Start firewalld

# systemctl start firewalld

Stop firewalld

# systemctl stop firewalld

2.2 Allow modified SSH port 2244

# firewall-cmd --add-port=2244/tcp --permanent
success
# firewall-cmd --reload
success

# firewall-cmd --add-port=2244/tcp --permanent

success

# firewall-cmd --reload

success

3. Connect remotely from Windows

Setting up in Windows
Use "Tera Term" as a terminal emulator.
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.

Enter your own settings in the "Server IP Address" and "TCP Port Number" fields.。Finally, click "OK".

After clicking "OK," click "Continue" on the security confirmation screen.

Enter "User name" and "Passphrase" and click "OK" on the next screen.

If the information is correct, you should be able to log in normally as shown below.

4. NTP Server Settings

Build an NTP server to synchronize the server time with Japan Standard Time

①Chrony Installation and Configuration

# dnf -y install chrony

1	# dnf -y install chrony

# vi /etc/chrony.conf
Line 2　: comment out and add under it
#pool ntp.miraclelinux.net iburst
pool ntp.nict.jp iburst

# vi /etc/chrony.conf

Line 2　: comment out and add under it

#pool ntp.miraclelinux.net iburst

pool ntp.nict.jp iburst

②Restart chrony and enable chrony after restart

# systemctl enable chronyd.service
# systemctl restart chronyd.service

1 2	# systemctl enable chronyd.service # systemctl restart chronyd.service

③NTP port allowed in firewall

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

1 2	# firewall-cmd --add-service=ntp --permanent # firewall-cmd --reload

④Check the status (operation) of chronyd.

# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp-a2.nict.go.jp             1   6    17    18   -505us[ -505us] +/- 6434us
^- ntp-b3.nict.go.jp             1   6    17    18   -316us[ -316us] +/- 5769us
^* ntp-k1.nict.jp                1   6    17    18  -1571us[ -793us] +/- 5080us
^- ntp-a3.nict.go.jp             1   6    17    18    -29us[  -29us] +/- 6291us

# chronyc sources

MS Name/IP address Stratum Poll Reach LastRx Last sample

===============================================================================

^- ntp-a2.nict.go.jp 1 6 17 18 -505us[ -505us] +/- 6434us

^- ntp-b3.nict.go.jp 1 6 17 18 -316us[ -316us] +/- 5769us

^* ntp-k1.nict.jp 1 6 17 18 -1571us[ -793us] +/- 5080us

^- ntp-a3.nict.go.jp 1 6 17 18 -29us[ -29us] +/- 6291us

If you can see the "*" mark, synchronization is complete.

Go to top