Contents
1.Setting up SSH remote connection
SSH is a service to connect to a server remotely, and is basically running right after the OS installation, but the default settings are somewhat insecure.
In this section, we will configure the settings to change the default settings and increase the security of the ssh connection.
1.1 Change the configuration file of SSH service.
The configuration file for the SSH service is "/etc/ssh/sshd_config". Open the configuration file with vi editor
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes |
Restart SSH
|
1 |
# systemctl restart sshd.service |
2.How to set up a firewall (firewalld)
In MiracleLinux, the firewall is set to firewalld by default, which is enabled when the OS is installed.
To briefly explain firewalld, when setting up a communication control policy, communication permission/blocking rules are applied to predefined zones, and the zones are assigned to each NIC (network adapter).
2.1 How to use the firewall-cmd command to control "firewalld".
1)Command to check the status and settings of firewalld
①Check firewalld operation status
|
1 |
# firewall-cmd --state |
or
|
1 2 3 4 5 6 7 8 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2016-08-26 15:13:37 JST; 26min ago Main PID: 735 (firewalld) CGroup: /system.slice/firewalld.service mq735 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid ※If the system is stopped |
➁Show default zone settings
|
1 2 3 4 5 6 7 8 9 10 |
# firewall-cmd --list-all public (default, active) interfaces: eno16777736 eno33554984 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: |
In the above example, you can see that the "public" zone is set to "default" and assigned to the NICs "eno16777736" and "eno33554984", and the services "dhcpv6-client" and "ssh" are allowed, etc.
➂Show the settings for the specified zone.
The following example shows how to display the settings for the "dmz" zone
|
1 2 3 4 5 6 7 8 9 10 |
# firewall-cmd --zone=dmz --list-all dmz interfaces: sources: services: ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: |
④About the "--permanent" option
In order to prevent the settings from being lost when the server is restarted or the "firewalld" service is restarted, use the "--permanent" option.
If the "--permanent" option is specified, the configuration will not be reflected in "firewalld" as it is, so it is necessary to reflect the configuration using "fiewall-cmd --reload".
As an example, to use the HTTP service permanently without being initialized even if the system is rebooted
|
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
⑤Adding and removing services to and from a zone
To add an already defined service to the zone, use "-add-service" to specify the service
# firewall-cmd [--permanent] --zone=Zone name --add-service=Service Name
If you want to add a service to the zone permanently, you need to configure it with the "--permanent" option.
Configuration example for adding a temporary service
|
1 2 |
# firewall-cmd --zone=public --add-service=http success |
Configuration example for permanently adding a service
|
1 2 |
# firewall-cmd --permanent --zone=public --add-service=http success |
⑥Service Removal
Use "--remove-service" to remove a service configured for a zone
# firewall-cmd [--permanent] --zone=Zone name --remove-service=Service Name
Remove the "http" service from the "public" zone as an example
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --remove-service=http success # firewall-cmd --reload success |
⑦Add or remove ports to a zone
To add a communication that has not been added as a service to the zone, add it by specifying the port number and protocol
Add a port by specifying a zone
Use "--add-port" to add a port to the zone
# firewall-cmd [--permanent]--zone=Zone name --add-port=Port number/protocol
Let's add a rule with port number "10022" and protocol "TCP" to the "public" zone
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --add-port=10022/tcp success # firewall-cmd --reload success |
Deleting a port by specifying its zone
Use "--remove-port" to remove a port from a zone
# firewall-cmd [--permanent]--zone=Zone name --remove-port=Port number/protocol
Example: Delete the "10022/tcp" rule in the "public" zone
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --remove-port=10022/tcp success # firewall-cmd --reload success |
⑧How to start and stop
Since firewalld is controlled by systemd, use the systemctl command to start and stop it.
|
1 2 3 4 |
Start firewalld # systemctl start firewalld Stop firewalld # systemctl stop firewalld |
2.2 Release the modified SSH port 2244.
|
1 2 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload |
3.Connect remotely from Windows
Setting up in Windows
Use "Tera Term" as a terminal emulator.
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter your own settings in the "Server IP Address" and "TCP Port Number" fields.。Finally, click "OK".
Click "OK" and you will see the following screen
Click "Continue" on the screen above, and you will see the following screen
Enter your user name and password. If the information is correct, you should be able to log in successfully.
3.Synchronize the server time with Japan Standard Time.
① Change the configuration file as follows
|
1 2 3 4 5 6 7 |
# vi /etc/chrony.conf ●3Per line 3. server ntp.miraclelinux.net iburst #Change as follows. server ntp.nict.jp server ntp1.jst.mfeed.ad.jp server ntp2.jst.mfeed.ad.jp |
②Restart chrony and enable chrony after restart
|
1 |
# systemctl enable chronyd.service |
Check the status (operation) of chronyd.
|
1 |
# chronyc sources |
It will be displayed as follows.
|
1 2 3 4 |
MS Name/IP address Stratum Poll Reach LastRx Last sample =========================================== ^+ ntp1.jst.mfeed.ad.jp 2 9 377 125 -462us[ -462us] +/- 93ms ^* ntp2.jst.mfeed.ad.jp 2 10 377 1019 +140us[ +265us] +/- 97ms |
If you can see the "*" mark, synchronization is complete.
