
Rocky Linux 8.4: Disable SELinux, firewalld settings

1.Disable SELinux

First, disable SELinux. SELinux is a mandatory access control feature that improves auditing and security on Linux, but while it is enabled it restricts what services and settings are allowed to do, so a service that works elsewhere can fail here. For that reason many setup guides, this one included, disable it.

If you build a server by following a website and something does not work as expected, the cause may be that SELinux is enforcing, so do not forget to deal with it after installation. Bear in mind that disabling it removes a layer of defence: the less drastic alternative is permissive mode, in which SELinux only logs what it would have blocked (to /var/log/audit/audit.log), so you can confirm that it really is the cause before turning it off for good.
You disable it as follows (on this page the general user name is “jimy” and the host name is “Lepard”).
After logging in as a general user, switch to root with su in the usual way.

Lepard login: jimy
Password:
[jimy@Lepard ~]$ su -
[root@Lepard ~]# getenforce   ← Check the current SELinux mode.
Enforcing              ← SELinux is enforcing its policy.
[root@Lepard ~]# setenforce 0  ← Switch SELinux to permissive mode for this boot.
[root@Lepard ~]# getenforce   ← Check the mode again.
Permissive             ← SELinux is still loaded but no longer blocks anything; it only logs.

After a reboot SELinux is back in enforcing mode, because setenforce only changes the running state. To disable it permanently, edit /etc/sysconfig/selinux (a symlink to /etc/selinux/config, the file read at boot).

[root@Lepard ~]# vi /etc/sysconfig/selinux

Change “SELINUX=enforcing” to “SELINUX=disabled”.

After the change the line reads SELINUX=disabled; it takes effect at the next reboot. If you ever turn SELinux back on, set SELINUX=enforcing (or permissive) and create /.autorelabel before rebooting, because files created while it was disabled carry no security labels.

2.Setting up a remote connection using SSH

SSH is the service used to log in to the server remotely. It is enabled right after the OS installation, but its default settings are somewhat permissive: root may log in directly, and sshd listens on the well-known port that every automated scanner tries.
In this section we change those defaults to raise the security of the ssh connection.

2.1 Change the configuration file of SSH service.

Modify the configuration file to change the settings of the SSH service.
The configuration file for the SSH service is “/etc/ssh/sshd_config”.

When you open it with the vi editor, you will see a screen like the following.

①Find “#Port 22”, uncomment it and change it to a port number outside the well-known range (0-1023).
This time we use “Port 3333”. Note that this is obscurity, not protection: it cuts the noise from scanners that hit 22/tcp, but a port scan still finds sshd, so the real gain comes from ③ and from strong authentication. Two things must be in place before sshd is restarted on the new port, otherwise a remote session is locked out: firewalld must allow 3333/tcp (the predefined “ssh” service only covers 22/tcp; see section 3), and, if SELinux is left enforcing rather than disabled as in section 1, the port must be labelled for sshd with semanage port -a -t ssh_port_t -p tcp 3333.
②Remove the “#” in front of “#ListenAddress 0.0.0.0” (that is, uncomment it). sshd then listens on all IPv4 addresses only; leave the line commented if the host must also accept SSH over IPv6.
③Look for “#PermitRootLogin yes” and change it to “PermitRootLogin no”.
 This denies direct login as root; log in as a general user and switch with su - as in section 1.

Check the file with sshd -t, then restart the SSH service (systemctl restart sshd). Keep the current session open until a second login on the new port succeeds.
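The script below is an added example, not code from the original page. It performs the three edits above on sshd_config with a backup and a port sanity check, shows the effective values, and only when run as root with APPLY_SSHD=1 validates the file with sshd -t, opens the port in firewalld and restarts sshd. Port 3333 and the three directives come from the text; the function names, the sample config excerpt and the APPLY_SSHD switch are assumptions of this example.

```shell
# Added example (not code from the original page): apply the three sshd_config
# edits of section 2.1 with a backup and a port sanity check, then inspect the result.
# Port 3333 and the directives come from the text; the function names, SAMPLE_CONFIG
# and the APPLY_SSHD switch are this example's own assumptions.
set -u

# harden_sshd_config FILE PORT
# Writes FILE.bak, then rewrites FILE: Port -> PORT, "#ListenAddress 0.0.0.0"
# uncommented, PermitRootLogin -> no. Each pattern matches the directive whether
# it is still commented out or already set.
harden_sshd_config() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port: use 1024-65535, well-known ports are reserved" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    sed -e "s/^#\{0,1\}Port .*/Port $port/" \
        -e "s/^#ListenAddress 0\.0\.0\.0$/ListenAddress 0.0.0.0/" \
        -e "s/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/" \
        "$file.bak" > "$file"
}

# ssh_setting FILE KEY: print the effective value of KEY (last uncommented line
# wins; commented lines start with "#Key" and never match).
ssh_setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Constructed excerpt of a stock sshd_config (not copied from a real host).
SAMPLE_CONFIG='#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
X11Forwarding yes'

# Offline demonstration on a temporary copy of the sample.
demo_sshd_hardening() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    harden_sshd_config "$tmp" 3333 || return 1
    printf 'Port=%s ListenAddress=%s PermitRootLogin=%s\n' \
        "$(ssh_setting "$tmp" Port)" "$(ssh_setting "$tmp" ListenAddress)" \
        "$(ssh_setting "$tmp" PermitRootLogin)"
    rm -f "$tmp" "$tmp.bak"
}
demo_sshd_hardening

# Live steps, run only when explicitly requested (APPLY_SSHD=1, as root):
# validate with sshd -t, open the port in firewalld first, then restart sshd.
if [ "${APPLY_SSHD:-0}" = "1" ]; then
    harden_sshd_config /etc/ssh/sshd_config 3333 || exit 1
    if ! sshd -t; then
        cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config   # roll back on syntax error
        exit 1
    fi
    firewall-cmd --permanent --add-port=3333/tcp && firewall-cmd --reload
    systemctl restart sshd
fi
```

The port check refuses well-known ports on purpose, and the sed runs from the backup into the original so that a failed run leaves the backup intact for rollback.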

3.How to set up a firewall (firewalld)

In Rocky Linux the firewall is firewalld, which is enabled during OS installation.

In brief, firewalld applies allow/deny rules to predefined zones, and each zone is assigned to one or more NICs (network interfaces) or source address ranges; a packet is then filtered according to the zone of the interface it arrived on.

3.1 How to use the firewall-cmd command to control “firewalld”.

1)About Zones
Nine zones are provided by default. The services shown are those allowed by the stock zone definitions; the exact list varies between firewalld releases (on Rocky Linux 8 several zones also allow “cockpit”), so check with --list-all rather than relying on the table.

zone      allowed services                                 description
block     (none)                                           All incoming connections are rejected; the sender receives an ICMP host-prohibited (IPv4) or adm-prohibited (IPv6) reply. Connections initiated from this host, and the replies to them, still work.
dmz       ssh                                              For hosts placed in a DMZ.
drop      (none)                                           All incoming packets are dropped with no reply. Connections initiated from this host, and the replies to them, still work; nothing else gets in.
external  ssh                                              For the external side of a router with IP masquerading enabled.
home      dhcpv6-client ipp-client mdns samba-client ssh   For use at home.
internal  dhcpv6-client ipp-client mdns samba-client ssh   For use on an internal network.
public    dhcpv6-client ssh                                For use in public places; the default zone.
trusted   (all)                                            All traffic is accepted.
work      dhcpv6-client ipp-client ssh                     For work areas such as an office.

2)Command to check the status and settings of firewalld

①Check firewalld operation status

[root@Lepard ~]# firewall-cmd --state
If “firewalld” is running, “running” is displayed; if it is not running, “not running” is displayed.

or

[root@Lepard ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2016-08-26 15:13:37 JST; 26min ago
Main PID: 735 (firewalld)
CGroup: /system.slice/firewalld.service
└─735 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
If firewalld is stopped, the “Active:” line reads “Active: inactive (dead)” instead.

➁Show default zone settings

[root@Lepard ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736 eno33554984
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

In the above example, you can see that the “public” zone is set to “default” and assigned to the NICs “eno16777736” and “eno33554984”, and the services “dhcpv6-client” and “ssh” are allowed, etc.

➂Show the settings for the specified zone.

The following example shows how to display the settings for the “dmz” zone
[root@Lepard ~]# firewall-cmd --zone=dmz --list-all
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

④About the “--permanent” option
Changes made without “--permanent” are runtime-only: they are lost when the server or the “firewalld” service restarts, and also when you run “firewall-cmd --reload”, which rebuilds the runtime rules from the permanent configuration. Conversely, a change made with “--permanent” is written to /etc/firewalld but is not applied to the running firewall until you run “firewall-cmd --reload”. If you have already tested a change at runtime, “firewall-cmd --runtime-to-permanent” saves the whole current runtime state as the permanent configuration instead.

As an example, to allow the HTTP service in the default zone permanently, so that it survives a reboot
[root@Lepard ~]# firewall-cmd --add-service=http --permanent
[root@Lepard ~]# firewall-cmd --reload

⑤Adding and removing services to and from a zone

To add an already defined service to a zone, specify the service with “--add-service”
[root@Lepard ~]# firewall-cmd [--permanent] --zone=Zone name --add-service=Service Name
To add the service to the zone permanently, include the “--permanent” option.

Configuration example for adding a service temporarily (active immediately, but gone after the next reload or restart)

[root@Lepard ~]# firewall-cmd --zone=public --add-service=http
success

Configuration example for permanently adding a service

Example of adding the “http” service to the “public” zone with the “--permanent” option (run “firewall-cmd --reload” afterwards, as in ④, to apply it)
[root@Lepard ~]# firewall-cmd --permanent --zone=public --add-service=http
success

⑥service deletion

Use “--remove-service” to remove a service configured for a zone
[root@Lepard ~]# firewall-cmd [--permanent] --zone=Zone name --remove-service=Service Name
Example: remove the “http” service from the “public” zone
[root@Lepard ~]# firewall-cmd --permanent --zone=public --remove-service=http
success
[root@Lepard ~]# firewall-cmd --reload
success

⑦Add or remove ports in a zone
To allow traffic that is not defined as a service, add it to the zone by port number and protocol

Adding a port

Use “--add-port” to add a port to the zone
[root@Lepard ~]# firewall-cmd [--permanent] --zone=Zone name --add-port=Port number/protocol
Configuration example
Add a rule for port 10022, protocol TCP, in the “public” zone.
[root@Lepard ~]# firewall-cmd --permanent --zone=public --add-port=10022/tcp
success
[root@Lepard ~]# firewall-cmd --reload
success

Deleting a port

Use “--remove-port” to remove a port from a zone
[root@Lepard ~]# firewall-cmd [--permanent] --zone=Zone name --remove-port=Port number/protocol
Configuration example
Delete the “10022/tcp” rule in the “public” zone that we just added
[root@Lepard ~]# firewall-cmd --permanent --zone=public --remove-port=10022/tcp
success
[root@Lepard ~]# firewall-cmd --reload
success
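Moving SSH to the custom port of section 2 is the case where the port commands above matter most: the predefined “ssh” service only covers 22/tcp, so the new port must be allowed before the old one is closed. The script below is an added example, not code from the original page. It reads the output of --list-all for a zone and only permits removing the “ssh” service once the new port is present; when run as root with APPLY_FW=1 it performs the cut-over. Zone “public” and port 3333 come from the text; the function names, the sample listing and the APPLY_FW switch are assumptions of this example.

```shell
# Added example (not code from the original page): check a zone's state from
# "firewall-cmd --zone=... --list-all" output before dropping the predefined "ssh"
# service (22/tcp) in favour of the custom port of section 2. Zone "public" and
# port 3333 come from the text; the function names, SAMPLE_LISTING and the
# APPLY_FW switch are this example's own assumptions.
set -u

# zone_has_service NAME: read a --list-all listing on stdin, succeed if NAME is
# on its "services:" line.
zone_has_service() {
    awk -v n="$1" '$1 == "services:" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit !found }'
}

# zone_has_port PORT/PROTO: the same check against the "ports:" line.
zone_has_port() {
    awk -v n="$1" '$1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit !found }'
}

# ssh_cutover_safe NEWPORT: the ssh service may be removed only once NEWPORT/tcp is
# already allowed in the same zone; otherwise a remote administrator is locked out.
ssh_cutover_safe() {
    zone_has_port "$1/tcp"
}

# Constructed listing in the format of "firewall-cmd --zone=public --list-all"
# (not captured from a real host): the new port has been added, ssh is still allowed.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 3333/tcp
  masquerade: no'

# Offline demonstration on the sample.
demo_cutover_check() {
    if printf '%s\n' "$SAMPLE_LISTING" | ssh_cutover_safe 3333; then
        echo "sample: 3333/tcp is open, the ssh service can be removed"
    else
        echo "sample: 3333/tcp is missing, keep the ssh service"
    fi
}
demo_cutover_check

# Live cut-over, run only when explicitly requested (APPLY_FW=1, as root).
if [ "${APPLY_FW:-0}" = "1" ]; then
    zone=public; newport=3333
    firewall-cmd --permanent --zone="$zone" --add-port="$newport/tcp" && firewall-cmd --reload
    if firewall-cmd --zone="$zone" --list-all | ssh_cutover_safe "$newport"; then
        firewall-cmd --permanent --zone="$zone" --remove-service=ssh && firewall-cmd --reload
    else
        echo "$newport/tcp is not open in zone $zone; leaving the ssh service in place" >&2
        exit 1
    fi
fi
```

The check is deliberately run against the runtime listing after the reload, not against the permanent configuration, because only the runtime rules decide whether the next login succeeds.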

⑧How to start and stop

Since firewalld is controlled by systemd, use the systemctl command to start and stop it. Bear in mind that while firewalld is stopped nothing filters incoming traffic, so every listening service on the host is reachable; stop it only briefly for troubleshooting, and do not disable it unless another packet filter takes its place.
Start firewalld
[root@Lepard ~]# systemctl start firewalld
Stop firewalld
[root@Lepard ~]# systemctl stop firewalld

⑨Additional information
If you check the operation status of the firewall (firewalld)
[root@Lepard ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Mon 2014-09-** 06:01:06 JST; 5min ago
Main PID: 567 (firewalld)
[abbreviation]
WARNING: AllowZoneDrifting is enabled.
and you see that warning, edit firewalld.conf. Zone drifting lets a single packet be matched by more than one zone instead of exactly the zone it was assigned to, which defeats the zone model; firewalld keeps the option only for compatibility with old configurations and itself describes it as insecure, so it should be turned off.

Back up “firewalld.conf”.
[root@Lepard ~]# cp -p /etc/firewalld/firewalld.conf /etc/firewalld/firewalld.conf.original_bk
Edit “firewalld.conf”
[root@Lepard ~]# vi /etc/firewalld/firewalld.conf
Change the line “AllowZoneDrifting=yes” (the last line of the stock file) to “AllowZoneDrifting=no”
[root@Lepard ~]# systemctl restart firewalld

4.Install the missing packages

Starting with RHEL 8, the default package manager is dnf; yum still works as an alias for it.
Install the “Base” and “Additional Development” groups with groupinstall.
※※ Caution ※※
If you run dnf -y update first, installing the “Base” group fails; in other words, do the group install before moving the kernel to the latest version.
# dnf -y groupinstall "Base" "Additional Development"

5.Services to be stopped for security measures

Stop the following services that you consider unnecessary. Check each one against what the server actually does before running the commands: auditd writes the audit trail (including the SELinux denials mentioned in section 1) and most hardening baselines require it to stay on; kdump captures kernel crash dumps; smartd reports failing disks; mdmonitor is needed for software RAID alerts; lvm2-monitor and dm-event.socket are needed if you use LVM snapshots, thin pools or mirrors; rngd feeds hardware randomness into the kernel; tuned only applies performance profiles. Note also that on RHEL 8 and its derivatives auditd refuses “systemctl stop” (the unit sets RefuseManualStop); if you really want to stop it, use “service auditd stop”, and disable it with the systemctl disable command below.

# systemctl stop atd.service
# systemctl disable atd.service
# systemctl stop auditd.service
# systemctl disable auditd.service
# systemctl stop kdump.service
# systemctl disable kdump.service
# systemctl stop lvm2-monitor.service
# systemctl disable lvm2-monitor.service
# systemctl stop mdmonitor.service
# systemctl disable mdmonitor.service
# systemctl stop rngd.service
# systemctl disable rngd.service
# systemctl stop smartd.service
# systemctl disable smartd.service
# systemctl stop tuned.service
# systemctl disable tuned.service
# systemctl stop dm-event.socket
# systemctl disable dm-event.socket
