
Rocky Linux 8.4: Disable SELinux, firewalld settings

1. Disable SELinux

First, disable SELinux. SELinux is a feature that strengthens auditing and access control on Linux, but while it is enabled it heavily restricts what services and settings are allowed to do. For this reason, SELinux is disabled in most cases.

If you build a server by following a website and it does not work as expected, the cause may be that SELinux is still enabled, so do not forget to disable it after installation.
You can disable it as follows (on this page, the general user name is "jimy" and the host name is "Lepard").
After logging in as the general user, switch to the root user in the usual way and proceed.

Note that this change is only temporary: after the server reboots, SELinux is enabled again. To disable SELinux permanently, edit the /etc/sysconfig/selinux file.

Change "SELINUX=enforcing" to "SELINUX=disabled".

After the change:

2. Setting up a remote connection using SSH

SSH is the service used to connect to a server remotely. It is running as soon as the OS has been installed, but its default settings are somewhat insecure.
In this section, we change those defaults to make the SSH connection more secure.

2.1 Change the configuration file of the SSH service

Edit the configuration file to change the settings of the SSH service.
The configuration file for the SSH service is "/etc/ssh/sshd_config".

When you open it with the vi editor, you will see a screen like the following.

① Find "Port 22" and change it to a port number other than the well-known port.
This time we change it to "Port 3333" (simply changing the port number reduces unauthorized access).
② Remove the "#" in front of "#ListenAddress 0.0.0.0" (uncomment it).
③ Find "#PermitRootLogin yes" and change it to "PermitRootLogin no".
This denies direct login to the server with administrator (root) privileges.

Restart SSH

3. How to set up the firewall (firewalld)

In Rocky Linux, the firewall is firewalld by default, and it is enabled during OS installation.

Briefly, firewalld works as follows: when you set up a communication control policy, allow/block rules are applied to predefined zones, and each zone is assigned to one or more NICs (network adapters).

3.1 How to use the firewall-cmd command to control firewalld

1) About zones
Nine zones are provided by default.

Zone, allowed services, and description:

block
  Allowed services: none
  All external connections are blocked; this setting cannot be changed. Blocked connections are answered with an ICMP "prohibited" message; return traffic for communication initiated from inside is allowed.
dmz
  Allowed services: ssh
  Zone defined for a DMZ.
drop
  Allowed services: none
  All external communication is blocked; this setting cannot be changed. Traffic can be sent from inside, but return traffic from outside is also blocked, so effectively no communication is possible.
external
  Allowed services: ssh
  Zone defined for connections to external networks, such as a router with IP masquerading enabled.
home
  Allowed services: dhcpv6-client, ipp-client, mdns, samba-client, ssh
  Zone defined for use at home and similar environments.
internal
  Allowed services: dhcpv6-client, ipp-client, mdns, samba-client
  Zone defined for use on the internal network.
public
  Allowed services: dhcpv6-client, ssh
  Zone defined for use in public places.
trusted
  Allowed services: all communication is allowed
  This setting cannot be changed.
work
  Allowed services: dhcpv6-client, ipp-client, ssh
  Zone defined for use in work areas such as the workplace.

2) Commands to check the status and settings of firewalld

① Check whether firewalld is running

If firewalld is running, "running" is displayed; if it is not running, "not running" is displayed.

or

② Show the default zone settings

In the example above, you can see that the "public" zone is the default, that it is assigned to the NICs "eno16777736" and "eno33554984", and that the services "dhcpv6-client" and "ssh" are allowed.

③ Show the settings of a specified zone
The following example displays the settings of the "dmz" zone.

④ About the "--permanent" option

To keep settings from being lost when the server or the firewalld service is restarted, configure them with the "--permanent" option. Settings made with "--permanent" are not applied to the running firewalld immediately, so they must be loaded with "firewall-cmd --reload".
As an example, to allow the HTTP service permanently so that it survives a system reboot:

⑤ Adding and removing services to and from a zone
To add an already defined service to a zone, specify the service with "--add-service".

To add a service to the zone permanently, configure it with the "--permanent" option.
Configuration example for adding a service temporarily:

Configuration example for adding a service permanently:
Example of adding the "http" service to the "public" zone with the "--permanent" option:

⑥ Deleting a service
Use "--remove-service" to remove a service configured for a zone.

As an example, remove the "http" service from the "public" zone:

⑦ Adding and removing ports to and from a zone
To allow traffic that is not defined as a service, add it to the zone by specifying the port number and protocol.

Adding a port
Use "--add-port" to add a port to the zone.

Configuration example:
Add a rule for port number 10022, protocol TCP, to the "public" zone.

Deleting a port
Use "--remove-port" to remove a port from a zone.
Configuration example:
Delete the "10022/tcp" rule in the "public" zone that was just added.
⑧ Allow the changed SSH port 3333 in the firewall
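
The firewall-cmd sequence for ⑦ and ⑧ above (open 3333/tcp permanently, reload, and only then retire the "ssh" service on port 22), written up as an added example that is not part of the original page. It assumes firewalld is running and the "public" zone; the function names are made up here, and setting FW=echo previews the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original page). Moves SSH to port 3333 in the
# firewall in the same order a careful admin would: add, reload, verify,
# and remove the old service only after a second session on 3333 works.
# Assumes firewalld is running; FW=echo prints the commands instead.
set -eu
FW="${FW:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Step 1: open the new port permanently and load it into the running config.
# Note that --reload discards runtime-only changes, so everything here is
# made with --permanent first. The "ssh" service (22/tcp) is left in place.
open_ssh_port() {
  port=$1
  $FW --permanent --zone="$ZONE" --add-port="${port}/tcp"
  $FW --reload
  # --query-port exits non-zero if the port is not allowed; with set -e that
  # aborts the script instead of silently continuing.
  $FW --zone="$ZONE" --query-port="${port}/tcp"
}

# Step 2: after confirming a login on the new port from another terminal,
# close the default SSH port by removing the predefined "ssh" service.
retire_default_ssh() {
  $FW --permanent --zone="$ZONE" --remove-service=ssh
  $FW --reload
}

# Step 3: the status commands from section 3.1, 2) ① to ③, in one place.
show_zone() {
  $FW --state
  $FW --get-default-zone
  $FW --get-active-zones
  $FW --zone="$ZONE" --list-all
}

# Usage (as root): sh fw-ssh.sh open [PORT] | retire | show
case "${1:-}" in
  open)   open_ssh_port "${2:-3333}" ;;
  retire) retire_default_ssh ;;
  show)   show_zone ;;
esac
```

Run "FW=echo sh fw-ssh.sh open" first to see exactly which firewall-cmd invocations will be made, then without FW to apply them.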
⑨ How to start and stop firewalld
Since firewalld is controlled by systemd, use the systemctl command to start and stop it.
Start firewalld

Stop firewalld

⑩ Additional information
When you check the operation status of the firewall (firewalld):
If you see "WARNING: AllowZoneDrifting is enabled.", edit firewalld.conf.
Back up "firewalld.conf".
Edit "firewalld.conf".
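
One way to script the sshd_config edits from section 2.1 and the firewalld.conf edit from ⑩ instead of doing them by hand in vi, added here as an example that is not part of the original page. It assumes POSIX sh and awk; the helper names (set_opt, get_opt, harden_sshd, fix_zone_drifting) are made up here, and file paths are passed in so the functions can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the original page): scripts the edits described in
# section 2.1 (sshd_config, "Key value") and in ⑩ (firewalld.conf,
# "Key=value"). Assumes POSIX sh and awk; file paths are passed in so the
# functions can be tried on a copy before touching the real files.
set -eu

# set_opt FILE KEY VALUE SEP: rewrite the first line for KEY, whether it is
# commented out or not, to "KEY<SEP>VALUE"; append the line if KEY is absent
# (in sshd_config an appended line must precede any active Match block).
# Takes a one-time backup in FILE.bak and rewrites FILE in place so its owner
# and mode (root, 0600 for sshd_config) survive.
set_opt() {
  f=$1 k=$2 v=$3 s=$4
  [ -f "$f.bak" ] || cp -p "$f" "$f.bak"
  new=$(mktemp)
  # "line" is the current line with any leading "#" stripped for matching.
  awk -v k="$k" -v v="$v" -v s="$s" '
    { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
    !done && index(line, k s) == 1 { print k s v; done = 1; next }
    { print }
    END { if (!done) print k s v }
  ' "$f" > "$new"
  cat "$new" > "$f" && rm -f "$new"
}

# get_opt FILE KEY SEP: print the effective (uncommented) value of KEY.
get_opt() {
  awk -v k="$2" -v s="$3" \
    'index($0, k s) == 1 { print substr($0, length(k s) + 1); exit }' "$1"
}

# Section 2.1: non-standard port, explicit listen address, no root login.
# Run "sshd -t" before "systemctl restart sshd" so a typo cannot lock you out.
harden_sshd() {
  set_opt "$1" Port 3333 ' '
  set_opt "$1" ListenAddress 0.0.0.0 ' '
  set_opt "$1" PermitRootLogin no ' '
}

# Section 3.1 ⑩: silence "WARNING: AllowZoneDrifting is enabled."
fix_zone_drifting() {
  set_opt "$1" AllowZoneDrifting no '='
}

# Usage (as root): sh harden.sh --apply ; without the flag nothing is changed.
if [ "${1:-}" = "--apply" ]; then
  harden_sshd /etc/ssh/sshd_config
  fix_zone_drifting /etc/firewalld/firewalld.conf
fi
```

Running the functions twice leaves the files unchanged, so the script is safe to re-run after a package update restores a default.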

4. Install the missing packages

Starting with RHEL 8, the default package manager changed from yum to dnf. yum can still be used.
Install "Base" and "Other Development" with groupinstall.
※※ Caution ※※
Note that if you run "yum -y update" first, installing Base will fail with an error.
In other words, do not update the kernel to the latest version first.

5. Services to stop as a security measure

Stop the following services if you consider them unnecessary.
