
MiracleLinux: Firewall, SSH, NTP server

1. Setting up the SSH remote connection

SSH is the service used to log in to the server remotely. It is normally already running right after the OS is installed, but several of its default settings are weaker than they should be.
In this section we change those defaults to harden the SSH connection.

1.1 Edit the SSH service configuration file.

The configuration file of the SSH service is “/etc/ssh/sshd_config”. Open it with the vi editor (the excerpt below shows the file after the three changes described underneath it):

# vi /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
Port 2244
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

① Find “#Port 22” and change it to a port number other than the well-known port 22.
In this example we use “Port 2244”. Moving the port on its own only cuts down the noise from automated scanners that try port 22; an attacker who scans the host will still find the service, so treat the change as a convenience rather than as a security control.
② Find “#ListenAddress 0.0.0.0” and delete the “#” in front of it. This makes the IPv4 listener explicit; because “#ListenAddress ::” stays commented out, sshd will no longer accept IPv6 connections, which is fine for an IPv4-only server.
③ Find “#PermitRootLogin yes” (on some releases the line is already uncommented) and change it to “PermitRootLogin no”.
 The user name “root” is known to every attacker, so only the password has to be guessed to obtain administrative privileges. Denying root login forces an attacker to guess both a user name and a password; administrators log in as a normal user and switch to root with su or sudo.

Restart SSH

# systemctl restart sshd.service

Keep your current session open while you do this: existing connections survive the restart, so if the new configuration fails you can still fix it. A syntax error in sshd_config prevents sshd from starting, so check the file before restarting. If SELinux is in enforcing mode, sshd is only permitted to bind to ports labelled ssh_port_t, and the new port has to be added to that label or the restart fails. Finally, port 2244 must be opened in firewalld as described in the next section; until then, new connections to 2244 are blocked and after a reboot you will not be able to log in remotely at all.
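The three edits and the restart above, as an added example that is not part of the original article: a POSIX shell script that applies the changes idempotently (it handles both the commented default and an already-set value), runs offline on a constructed copy of the excerpt, and, only when asked to touch the live system, backs up the file, checks the syntax with sshd -t before restarting, and labels the port for SELinux. Port 2244 and the three settings are the page's; the function names, the SSHD_APPLY switch and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): apply the section 1 sshd changes
# idempotently and validate before restarting, so a typo cannot lock you out.
# Assumptions: POSIX sh + awk; systemd-managed sshd; SSHD_APPLY=1 is a
# hypothetical switch used only by this script to touch the live system.
set -eu

# set_sshd_option FILE KEY VALUE
# Drops any active "KEY ..." line, then writes "KEY VALUE" directly after the
# commented default ("#KEY ...") if there is one, otherwise appends it.
set_sshd_option() {
    _file=$1; _key=$2; _value=$3
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v value="$_value" '
        $1 == key                 { next }                        # remove old active value
        { print }
        !done && $1 == ("#" key)  { print key " " value; done = 1 }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps mode, owner and SELinux label
    rm -f "$_tmp"
}

# get_sshd_option FILE KEY -> first active value (empty if only the default applies)
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The three changes from section 1.
harden_sshd_config() {
    set_sshd_option "$1" Port 2244
    set_sshd_option "$1" ListenAddress 0.0.0.0
    set_sshd_option "$1" PermitRootLogin no
}

# Live sequence (root): back up, edit, syntax-check, label the port for SELinux
# when it is enforcing, restart, then show what sshd actually parsed.
apply_to_system() {
    _cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$_cfg" "$_cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$_cfg"
    sshd -t -f "$_cfg" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        # under the targeted policy sshd may only bind ports labelled ssh_port_t
        semanage port -a -t ssh_port_t -p tcp 2244 2>/dev/null || \
            semanage port -m -t ssh_port_t -p tcp 2244
    fi
    systemctl restart sshd.service
    sshd -T | grep -E '^(port|permitrootlogin|listenaddress) '
}

# Offline demo on a constructed copy of the page's excerpt (no root needed).
demo() {
    _d=$(mktemp -d); _f=$_d/sshd_config
    printf '%s\n' '#Port 22' '#AddressFamily any' '#ListenAddress 0.0.0.0' \
        '#ListenAddress ::' '#PermitRootLogin prohibit-password' > "$_f"
    harden_sshd_config "$_f"
    harden_sshd_config "$_f"      # second run changes nothing (idempotent)
    cat "$_f"
    rm -rf "$_d"
}

if [ "${SSHD_APPLY:-0}" = 1 ]; then apply_to_system "$@"; else demo; fi
```

Run it without arguments to see the edited sample; run it as root with SSHD_APPLY=1 to apply the same edits to /etc/ssh/sshd_config. The final sshd -T line matters because it prints the values sshd really uses, which is the check that catches a setting overridden later in the file or in an Include directory.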

2. How to set up the firewall (firewalld)

In MiracleLinux the firewall is firewalld, which is enabled when the OS is installed.

Briefly, firewalld applies allow and block rules to predefined zones, and each zone is assigned to one or more NICs (network interfaces); traffic arriving on an interface is evaluated against the rules of that interface's zone.

2.1 How to control “firewalld” with the firewall-cmd command

1) Commands to check the status and settings of firewalld

① Check whether firewalld is running

# firewall-cmd --state
This prints “running” if firewalld is active and “not running” otherwise.

or

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2016-08-26 15:13:37 JST; 26min ago
 Main PID: 735 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─735 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
※ If firewalld is stopped, the Active line reads “inactive (dead)”.

② Show the settings of the default zone

# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736 eno33554984
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

In the example above, the “public” zone is the default zone and is assigned to the NICs “eno16777736” and “eno33554984”, and only the “dhcpv6-client” and “ssh” services are allowed inbound; anything else arriving on those interfaces is rejected.

③ Show the settings of a specified zone

The following example displays the settings of the “dmz” zone
# firewall-cmd --zone=dmz --list-all
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

④ About the “--permanent” option
firewalld keeps two configurations: the runtime configuration, which is what is enforced right now, and the permanent configuration, which is loaded at boot and by “firewall-cmd --reload”. A command without “--permanent” changes only the runtime configuration, and that change is lost at the next reload or restart of the firewalld service. A command with “--permanent” changes only the permanent configuration and does not take effect until you run “firewall-cmd --reload”; note that the reload also discards any runtime-only changes made since the last reload.

As an example, to allow the HTTP service permanently so that it survives a reboot
# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

⑤ Adding services to a zone

To allow a predefined service in a zone, name it with “--add-service”
# firewall-cmd [--permanent] --zone=Zone name --add-service=Service Name
Without the “--permanent” option the service is allowed only in the runtime configuration, i.e. until the next reload or reboot.

Configuration example: allow a service temporarily (runtime only)
# firewall-cmd --zone=public --add-service=http
success
Configuration example: allow a service permanently (takes effect after “firewall-cmd --reload”)
# firewall-cmd --permanent --zone=public --add-service=http
success

⑥ Removing a service

Use “--remove-service” to remove a service that is allowed in a zone
# firewall-cmd [--permanent] --zone=Zone name --remove-service=Service Name

Example: remove the “http” service from the “public” zone
# firewall-cmd --permanent --zone=public --remove-service=http
success
# firewall-cmd --reload
success

⑦ Adding and removing ports in a zone
To allow traffic that is not defined as a service, add it to the zone by port number and protocol.

Adding a port to a specified zone

Use “--add-port” to add a port to the zone
# firewall-cmd [--permanent] --zone=Zone name --add-port=Port number/protocol

Example: add a rule for port “10022” with protocol “TCP” to the “public” zone
# firewall-cmd --permanent --zone=public --add-port=10022/tcp
success
# firewall-cmd --reload
success

Removing a port from a specified zone

Use “--remove-port” to remove a port from a zone
# firewall-cmd [--permanent] --zone=Zone name --remove-port=Port number/protocol

Example: remove the “10022/tcp” rule from the “public” zone
# firewall-cmd --permanent --zone=public --remove-port=10022/tcp
success
# firewall-cmd --reload
success

⑧ How to start and stop

firewalld is managed by systemd, so use the systemctl command to start and stop it.

Start firewalld
# systemctl start firewalld
Stop firewalld
# systemctl stop firewalld

Stopping firewalld removes all of its rules and leaves every listening service reachable from the network. Stop it only briefly for troubleshooting; when a connection is being blocked, the fix is to add the right service or port rule, not to turn the firewall off.

2.2 Open the changed SSH port 2244 in the firewall.

# firewall-cmd --add-port=2244/tcp --permanent
# firewall-cmd --reload

As the “--list-all” output above showed, the stock “ssh” service (22/tcp) is still allowed in the “public” zone after this. Nothing listens on 22 any more, but leaving the rule in place means any service that later binds port 22 is reachable without anyone having decided that it should be. Once you have confirmed that you can log in on port 2244, remove the “ssh” service from the zone with “--remove-service” in the same way as the http example above, followed by a reload.
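The permanent-then-reload sequence from 2.1 ④ and the port change from 2.2, as an added example that is not part of the original article: a POSIX shell script that runs the two firewall-cmd commands and then audits the zone's “--list-all” output, flagging the case the page's own output shows (the new port open but the stock “ssh” service still allowed) and refusing to go on if the new port is not actually allowed. The three sample outputs are constructed from the page's listing; the FW_APPLY switch and the function names are this example's own assumptions, as are the zone “public” and port 2244 defaults.

```shell
#!/bin/sh
# Added example (not from the original article): open the new SSH port the way
# section 2.1 ④ describes (permanent config, then reload) and audit the result
# from "firewall-cmd --list-all" instead of trusting "success".
# Assumptions: POSIX sh + awk; firewall-cmd is only called when FW_APPLY=1
# (a hypothetical switch used only by this script).
set -eu

# Constructed samples mirroring the page's --list-all output at three stages.
SAMPLE_BEFORE='public (default, active)
  interfaces: eno16777736 eno33554984
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no'
SAMPLE_AFTER_PAGE='public (default, active)
  interfaces: eno16777736 eno33554984
  sources:
  services: dhcpv6-client ssh
  ports: 2244/tcp
  masquerade: no'
SAMPLE_DESIRED='public (default, active)
  interfaces: eno16777736 eno33554984
  sources:
  services: dhcpv6-client
  ports: 2244/tcp
  masquerade: no'

# zone_field "<list-all output>" FIELD -> the values after "FIELD:" (may be empty)
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# zone_has "<list-all output>" FIELD VALUE -> 0 if VALUE is listed under FIELD
zone_has() {
    for _v in $(zone_field "$1" "$2"); do
        [ "$_v" = "$3" ] && return 0
    done
    return 1
}

# check_ssh_exposure "<list-all output>" PORT
#   0: only the new port is allowed (desired end state)
#   1: the new port is not allowed (do not move sshd to it yet)
#   2: the new port is allowed but the stock ssh service (22/tcp) is still open
check_ssh_exposure() {
    if ! zone_has "$1" ports "$2/tcp"; then
        echo "WARN: $2/tcp is not allowed in the zone" >&2
        return 1
    fi
    if zone_has "$1" services ssh; then
        echo "WARN: stock ssh service (22/tcp) is still allowed; remove it once $2 works" >&2
        return 2
    fi
    return 0
}

# Live sequence (root). --permanent writes only the saved configuration;
# --reload loads it into the runtime and drops any runtime-only rules.
switch_ssh_port() {
    _zone=${1:-public}; _port=${2:-2244}
    firewall-cmd --permanent --zone="$_zone" --add-port="$_port/tcp"
    firewall-cmd --reload
    _rc=0
    check_ssh_exposure "$(firewall-cmd --zone="$_zone" --list-all)" "$_port" || _rc=$?
    if [ "$_rc" -eq 1 ]; then return 1; fi
    if [ "$_rc" -eq 2 ]; then
        echo "Log in on port $_port from a second terminal. If that works, close 22/tcp with:"
        echo "  firewall-cmd --permanent --zone=$_zone --remove-service=ssh && firewall-cmd --reload"
    fi
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    switch_ssh_port "$@"
else
    # Offline demo on the constructed samples: expect codes 1, 2 and 0.
    for _s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER_PAGE" "$SAMPLE_DESIRED"; do
        _rc=0; check_ssh_exposure "$_s" 2244 || _rc=$?
        echo "result code: $_rc"
    done
fi
```

The script deliberately does not remove the “ssh” service itself: that step is only safe after a login on the new port has been proven from a second session, so it prints the command rather than running it.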

3. Connect remotely from Windows

Setting up in Windows

Use “Tera Term” as the terminal emulator.
Start Tera Term, close the startup dialog, and select “New Connection” from the “File” menu.

Enter your server's IP address and the new port number (2244) in the “Server IP Address” and “TCP Port Number” fields, then click “OK”.

On the first connection Tera Term shows a SECURITY WARNING, because the server's host key is not yet known to it. Before clicking “Continue”, compare the fingerprint it displays with the server's own host key (one of the HostKey files listed in sshd_config). Accepting an unknown key without checking is exactly what lets an attacker on the network path impersonate the server.

Click “Continue” and the SSH authentication dialog appears.

Enter your user name and password. If they are correct, you are logged in.

4. Synchronize the server time with Japan Standard Time

① Edit the chrony configuration file as follows

# vi /etc/chrony.conf
● Around line 3 there is the default server line
server ntp.miraclelinux.net iburst
# Change it as follows (NICT maintains Japan Standard Time; the mfeed servers are public stratum-2 servers in Japan). “iburst” is kept so that the first synchronization happens within seconds rather than minutes.
server ntp.nict.jp iburst
server ntp1.jst.mfeed.ad.jp iburst
server ntp2.jst.mfeed.ad.jp iburst

② Enable chronyd so that it starts at boot, and restart it so that the new servers are used

# systemctl enable chronyd.service

Check the state of chronyd's time sources.
# chronyc sources
The output looks like this.
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp1.jst.mfeed.ad.jp          2   9   377   125   -462us[ -462us] +/-   93ms
^* ntp2.jst.mfeed.ad.jp          2  10   377  1019   +140us[ +265us] +/-   97ms
In the first column, “*” marks the source chronyd is currently synchronized to and “+” marks other sources it considers good. A “?” means the source is unreachable (check that outbound UDP port 123 is allowed) and “x” marks a source whose time disagrees with the others. Synchronization is complete once one line shows “*”.
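The two chrony steps above, as an added example that is not part of the original article: a POSIX shell script that swaps the server lines in chrony.conf (commenting out any existing server or pool line rather than deleting it), restarts and enables chronyd, and then checks “chronyc sources” for a selected “^*” source by parsing the output instead of reading it by eye. The three server names are the page's; the CHRONY_APPLY switch, the function names, the sample chrony.conf and the two sample outputs (one copied from the page, one constructed to show the not-yet-synchronized state) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): switch chrony to the Japanese
# servers from section 4, restart and enable chronyd, and verify by parsing
# "chronyc sources". Assumptions: POSIX sh + awk; systemd-managed chronyd;
# CHRONY_APPLY=1 is a hypothetical switch used only by this script.
set -eu

# Constructed copy of the page's "chronyc sources" output (synchronized).
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp1.jst.mfeed.ad.jp          2   9   377   125   -462us[ -462us] +/-   93ms
^* ntp2.jst.mfeed.ad.jp          2  10   377  1019   +140us[ +265us] +/-   97ms'
# Constructed output just after a restart: nothing selected yet, one unreachable.
SAMPLE_NOT_SYNCED='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? ntp.nict.jp                   0   6     0     -     +0ns[   +0ns] +/-    0ns
^- ntp1.jst.mfeed.ad.jp          2   6     1    10   -300us[ -300us] +/-   90ms'

# chrony_set_servers FILE HOST... : comment out every existing server/pool
# directive and append the given hosts with iburst (fast initial sync).
chrony_set_servers() {
    _f=$1; shift
    _tmp=$(mktemp) || return 1
    awk '$1 == "server" || $1 == "pool" { print "#" $0; next } { print }' "$_f" > "$_tmp"
    for _h in "$@"; do echo "server $_h iburst" >> "$_tmp"; done
    cat "$_tmp" > "$_f"        # keeps the original file's mode and owner
    rm -f "$_tmp"
}

# active_servers FILE -> hosts of the uncommented server lines, one per line
active_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# selected_source "<chronyc sources output>" -> prints the "^*" source; 1 if none
selected_source() {
    printf '%s\n' "$1" | awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# Live sequence (root): back up, edit, restart so the new servers are used,
# enable at boot, then poll until a source is selected or give up.
apply_to_system() {
    _cfg=${1:-/etc/chrony.conf}
    cp -p "$_cfg" "$_cfg.bak.$(date +%Y%m%d%H%M%S)"
    chrony_set_servers "$_cfg" ntp.nict.jp ntp1.jst.mfeed.ad.jp ntp2.jst.mfeed.ad.jp
    systemctl restart chronyd.service
    systemctl enable chronyd.service
    _i=0
    while [ "$_i" -lt 12 ]; do
        if _src=$(selected_source "$(chronyc sources)"); then
            echo "synchronized to $_src"; chronyc tracking; return 0
        fi
        sleep 5; _i=$((_i + 1))
    done
    echo "no source selected after 60s; check outbound UDP/123 and 'chronyc sources -v'" >&2
    return 1
}

if [ "${CHRONY_APPLY:-0}" = 1 ]; then
    apply_to_system "$@"
else
    # Offline demo on a constructed chrony.conf and the two sample outputs.
    _d=$(mktemp -d); _f=$_d/chrony.conf
    printf '%s\n' '# Use public servers from the pool.ntp.org project.' \
        'server ntp.miraclelinux.net iburst' 'driftfile /var/lib/chrony/drift' 'makestep 1.0 3' > "$_f"
    chrony_set_servers "$_f" ntp.nict.jp ntp1.jst.mfeed.ad.jp ntp2.jst.mfeed.ad.jp
    cat "$_f"
    selected_source "$SAMPLE_SOURCES" || echo "not synced"
    selected_source "$SAMPLE_NOT_SYNCED" || echo "not synced yet"
    rm -rf "$_d"
fi
```

Polling for a “^*” line rather than checking once matters because right after the restart every source shows “^?” until the first iburst exchange completes, which is what the second sample represents.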
