SSH Remote Connection
Change the default settings to make SSH connections more secure.
1. Modifying the SSH service configuration file
Modify the configuration file to change the SSH service settings.
The SSH service configuration file is "/etc/ssh/sshd_config".
```
# vi /etc/ssh/sshd_config
 1 # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 7
 8 # The strategy used for options in the default sshd_config shipped with
 9 # OpenSSH is to specify options with their default value where
10 # possible, but leave them commented. Uncommented options override the
11 # default value.
12
13 #Port 22
14 Port 2244
15 #AddressFamily any
16 ListenAddress 0.0.0.0
17 #ListenAddress ::
18
19 #HostKey /etc/ssh/ssh_host_rsa_key
20 #HostKey /etc/ssh/ssh_host_ecdsa_key
21 #HostKey /etc/ssh/ssh_host_ed25519_key
22
23 # Ciphers and keying
24 #RekeyLimit default none
25
26 # Logging
27 #SyslogFacility AUTH
28 #LogLevel INFO
29
30 # Authentication:
31
32 #LoginGraceTime 2m
33 PermitRootLogin prohibit-password
34 #StrictModes yes
35 #MaxAuthTries 6
36 #MaxSessions 10
37
38 #PubkeyAuthentication yes
39
40 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
41 # but this is overridden so installations will only check .ssh/authorized_keys
42 AuthorizedKeysFile .ssh/authorized_keys
43
44 #AuthorizedPrincipalsFile none
45
46 #AuthorizedKeysCommand none
47 #AuthorizedKeysCommandUser nobody
48
49 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
50 #HostbasedAuthentication no
51 # Change to yes if you don't trust ~/.ssh/known_hosts for
52 # HostbasedAuthentication
53 #IgnoreUserKnownHosts no
54 # Don't read the user's ~/.rhosts and ~/.shosts files
55 #IgnoreRhosts yes
56
57 # To disable tunneled clear text passwords, change to no here!
58 PasswordAuthentication yes
59 #PermitEmptyPasswords no
```
Line 13, "Port 22": change the port to "Port 2244" and proceed.
Line 15, "#ListenAddress 0.0.0.0": delete the "#".
Line 32, "#PermitRootLogin prohibit-password": delete the "#".
Line 58, "#PasswordAuthentication yes": delete the "#".
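Before restarting, it is worth confirming that the edits actually took effect. The shell snippet below is an added example, not part of the original tutorial: it reads the effective value of each keyword the way sshd does (first uncommented occurrence wins) and compares it against the values set above, using constructed sample configs instead of the real /etc/ssh/sshd_config.

```shell
# Added example, not part of the original page: check the *effective* values of the
# sshd_config keywords this tutorial edits before running "rc.sshd restart".
# sshd uses the FIRST uncommented occurrence of a keyword (case-insensitive); a
# line that still starts with "#" is a comment, and anything after a "Match" block
# is conditional, so only the global section is read here.
effective_value() {            # usage: effective_value KEYWORD FILE
    awk -v key="$1" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Compare against the values the tutorial sets; print each mismatch, return 1 on any.
# An empty value means the keyword is still commented out, so the compiled-in
# default (e.g. Port 22) applies: the classic "forgot to delete the #" mistake.
check_sshd_config() {
    f="$1"; rc=0
    for pair in Port=2244 ListenAddress=0.0.0.0 \
                PermitRootLogin=prohibit-password PasswordAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$key" "$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the "#" was left on PasswordAuthentication, and a stray
# second "Port" line is ignored by sshd because the first occurrence wins.
write_flawed_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 2244
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
#PasswordAuthentication yes
Port 22
EOF
}

# Constructed sample matching the tutorial's finished /etc/ssh/sshd_config.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 2244
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}
```

On the server itself, `sshd -t` validates the syntax and `sshd -T` dumps the effective configuration; run both before `rc.sshd restart`, because a config that sshd refuses to load leaves no listener for new connections.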
Restart SSH
```
# /etc/rc.d/rc.sshd restart
WARNING: killing listener process only.
To kill every sshd process, you must use 'rc.sshd stop'.
'rc.sshd restart' kills only the parent sshd to allow an admin logged in
through sshd to use 'rc.sshd restart' without being cut off.
If sshd has been upgraded, new connections will now use the new version,
which should be a safe enough approach.
```
Be sure to open SSH port 2244 in the firewall settings that follow; if this is not done, you will no longer be able to connect remotely via SSH after the next reboot.
How to install and configure a firewall
Slackware does not ship with a firewall, so we will install UFW, which is widely used on Linux. It is not in the standard repositories, so we install it from a third-party repository.
```
# wget http://www.slackel.gr/repo/x86_64/current/slackel/extra/ufw-0.30-x86_64-1dj.txz
# upgradepkg --install-new ufw-0.30-x86_64-1dj.txz
```
Paths of the files installed by the UFW package:
/etc/default/ufw
/etc/rc.d/rc.ufw
/etc/ufw/after.rules
/etc/ufw/after6.rules
/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/sysctl.conf
/etc/ufw/ufw.conf
/etc/ufw/applications.d/ufw-bittorrent
/etc/ufw/applications.d/ufw-chat
/etc/ufw/applications.d/ufw-directoryserver
/etc/ufw/applications.d/ufw-dnsserver
/etc/ufw/applications.d/ufw-fileserver
/etc/ufw/applications.d/ufw-loginserver
/etc/ufw/applications.d/ufw-mailserver
/etc/ufw/applications.d/ufw-printserver
/etc/ufw/applications.d/ufw-proxyserver
/etc/ufw/applications.d/ufw-webserver
/lib/ufw/ufw-init
/lib/ufw/ufw-init-functions
/lib/ufw/user.rules
/lib/ufw/user6.rules
/usr/doc/ufw-0.30/AUTHORS
/usr/doc/ufw-0.30/COPYING
/usr/doc/ufw-0.30/ChangeLog
/usr/doc/ufw-0.30/ChangeLog.pre-0.25
/usr/doc/ufw-0.30/README
/usr/doc/ufw-0.30/README.design
/usr/doc/ufw-0.30/README.translations
/usr/doc/ufw-0.30/TODO
/usr/lib64/python2.7/site-packages/ufw-0.30-py2.7.egg-info
/usr/lib64/python2.7/site-packages/ufw/__init__.py
/usr/lib64/python2.7/site-packages/ufw/__init__.pyc
/usr/lib64/python2.7/site-packages/ufw/applications.py
/usr/lib64/python2.7/site-packages/ufw/applications.pyc
/usr/lib64/python2.7/site-packages/ufw/backend.py
/usr/lib64/python2.7/site-packages/ufw/backend.pyc
/usr/lib64/python2.7/site-packages/ufw/backend_iptables.py
/usr/lib64/python2.7/site-packages/ufw/backend_iptables.pyc
/usr/lib64/python2.7/site-packages/ufw/common.py
/usr/lib64/python2.7/site-packages/ufw/common.pyc
/usr/lib64/python2.7/site-packages/ufw/frontend.py
/usr/lib64/python2.7/site-packages/ufw/frontend.pyc
/usr/lib64/python2.7/site-packages/ufw/parser.py
/usr/lib64/python2.7/site-packages/ufw/parser.pyc
/usr/lib64/python2.7/site-packages/ufw/util.py
/usr/lib64/python2.7/site-packages/ufw/util.pyc
/usr/man/man8/ufw-framework.8.gz
/usr/man/man8/ufw.8.gz
/usr/sbin/ufw
/usr/share/ufw/iptables/after.rules
/usr/share/ufw/iptables/after6.rules
/usr/share/ufw/iptables/before.rules
/usr/share/ufw/iptables/before6.rules
/usr/share/ufw/iptables/user.rules
/usr/share/ufw/iptables/user6.rules
/usr/share/ufw/messages/ar.mo
/usr/share/ufw/messages/bg.mo
/usr/share/ufw/messages/ca.mo
/usr/share/ufw/messages/cs.mo
/usr/share/ufw/messages/da.mo
/usr/share/ufw/messages/de.mo
/usr/share/ufw/messages/el.mo
/usr/share/ufw/messages/en_AU.mo
/usr/share/ufw/messages/en_GB.mo
/usr/share/ufw/messages/es.mo
/usr/share/ufw/messages/fi.mo
/usr/share/ufw/messages/fr.mo
/usr/share/ufw/messages/he.mo
/usr/share/ufw/messages/hu.mo
/usr/share/ufw/messages/id.mo
/usr/share/ufw/messages/it.mo
/usr/share/ufw/messages/nb.mo
/usr/share/ufw/messages/nl.mo
/usr/share/ufw/messages/pl.mo
/usr/share/ufw/messages/pt.mo
/usr/share/ufw/messages/pt_BR.mo
/usr/share/ufw/messages/ru.mo
/usr/share/ufw/messages/sk.mo
/usr/share/ufw/messages/sl.mo
/usr/share/ufw/messages/sr.mo
/usr/share/ufw/messages/sv.mo
/usr/share/ufw/messages/tl.mo
/usr/share/ufw/messages/zh_CN.mo
/usr/src/ufw-0.30/SLKBUILD
/usr/src/ufw-0.30/rc.ufw
Enable and start ufw
```
# ufw enable
# ufw status
Status: active
```
Default rule for incoming packets
First, set the rule for incoming packets. The general rule is to deny all incoming packets except for specific, explicitly allowed communications. Run "ufw default deny incoming" to deny all incoming packets by default.
```
# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
```
Default rule for outgoing packets
The general rule is to allow all outgoing packets. Run "ufw default allow outgoing" to allow outgoing packets by default.
```
# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
```
For now, allow both the standard SSH port and the changed port 2244.
```
# ufw allow ssh
# ufw allow 2244/tcp
# ufw reload
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
2244/tcp                   ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
```