
openSUSE: Firewall, SSH, NTP

1. Setting up a remote connection using SSH

SSH is the service used to connect to a server remotely. It is normally running right after the OS installation, but its default settings are somewhat insecure.
Configure the following settings to improve the security of SSH connections.

1.1 Edit the configuration file of the SSH service.

The configuration file for the SSH service is “/etc/ssh/sshd_config”.

# vi /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
Port 2244
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

①Find “Port 22” and change it to a port number other than the well-known port.
This time we will change it to “Port 2244” and proceed. (Simply changing this port number can reduce unauthorized access attempts.)

②Find “#ListenAddress 0.0.0.0” and delete the “#” in front of it.
③Find “#PermitRootLogin yes” and change it to “PermitRootLogin no”.

Restart SSH

# systemctl restart sshd.service
Once sshd is restarted, it listens on port 2244, which the firewall does not yet allow, so you will no longer be able to connect remotely via SSH; open SSH port 2244 in the firewall settings described in the next section.
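The three edits above can be scripted so they are safe to re-run and are checked before sshd is restarted. The following is an added example written for this page, not a script from the original post: the file it edits is a constructed stand-in for /etc/ssh/sshd_config, and the names set_sshd_option, get_sshd_option, harden_sshd and validate_sshd_config are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): apply the sshd_config changes
# from steps ①-③ idempotently and verify the effective values before sshd is
# restarted. The sample file content below is constructed for the demo.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY, whether active ("Port 22") or commented
# out ("#Port 22"), as "KEY VALUE"; appends it if no such line exists.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ ("^[# \t]*" k "[ \t]") { print k " " v; done = 1; next }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write in place so owner and mode are preserved
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> prints the first active (uncommented) value
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: steps ①-③ of the page in one call
harden_sshd() {
    set_sshd_option "$1" Port 2244
    set_sshd_option "$1" ListenAddress 0.0.0.0
    set_sshd_option "$1" PermitRootLogin no
}

# validate_sshd_config FILE: let sshd itself parse the file (non-zero exit
# on a syntax error) before the daemon is restarted with it.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# make_sample_config FILE: constructed stand-in for /etc/ssh/sshd_config,
# using the commented defaults the page shows.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
EOF
}
```

Against the real file, run `harden_sshd /etc/ssh/sshd_config && validate_sshd_config /etc/ssh/sshd_config` before `systemctl restart sshd.service`; a non-zero result from `sshd -t` means the daemon would fail to start with that configuration, which is better learned before the restart than after.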

2. How to set up a firewall (firewalld)

In openSUSE, the firewall is set to firewalld by default and is enabled during OS installation.

2.1 How to use the firewall-cmd command to control “firewalld”.

1) Commands to check the status and settings of firewalld

①Check firewalld operation status

# firewall-cmd --state
If “firewalld” is running, “running” is displayed; otherwise “not running” is displayed.

or

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor>
   Active: active (running) since Sun 2022-01-30 11:39:35 JST; 1h 31min ago
     Docs: man:firewalld(1)
 Main PID: 1005 (firewalld)
    Tasks: 2 (limit: 2311)
   CGroup: /system.slice/firewalld.service
           └─1005 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jan 30 11:39:34 Lepard systemd[1]: Starting firewalld - dynamic firewall daemon>
Jan 30 11:39:35 Lepard systemd[1]: Started firewalld - dynamic firewall daemon.

※If firewalld is stopped, “Active: inactive (dead)” is displayed instead.

②Show the default zone settings

# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

In the above example, the “public” zone is set to “default”.
You can see that it is assigned to NIC “eth0” and that the services “dhcpv6-client” and “ssh” are allowed.

③Show the settings for a specified zone.

The following example displays the settings for the “dmz” zone:
# firewall-cmd --zone=dmz --list-all
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

④About the “--permanent” option
To prevent settings from being lost when the server or the “firewalld” service is restarted, configure them with the “--permanent” option.
A setting made with “--permanent” is written to the permanent configuration but is not applied to the running “firewalld” immediately, so apply it with “firewall-cmd --reload”.

As an example, the following allows the HTTP service permanently, so the rule is not lost when the system is restarted:
# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

⑤Adding and removing services to and from a zone

To add an already defined service to a zone, specify the service with “--add-service”:
# firewall-cmd [--permanent] --zone=Zone name --add-service=Service Name

Configuration example for adding a service temporarily (lost on the next reload or restart):

# firewall-cmd --zone=public --add-service=http
success

Configuration example for permanently adding a service

Example of adding the “http” service to the “public” zone with the “--permanent” option:
# firewall-cmd --permanent --zone=public --add-service=http
success

⑥Service deletion

Use “--remove-service” to remove a service configured for a zone:
# firewall-cmd [--permanent] --zone=Zone name --remove-service=Service Name
As an example, remove the “http” service from the “public” zone:
# firewall-cmd --permanent --zone=public --remove-service=http
success
# firewall-cmd --reload
success

⑦Add or remove ports in a zone
To allow communication that is not defined as a service, add it to the zone by specifying the port number and protocol.

Add a port by specifying a zone

Use “--add-port” to add a port to the zone:
# firewall-cmd [--permanent] --zone=Zone name --add-port=Port number/protocol
Configuration example
Add a rule for port number 10022 and protocol TCP in the “public” zone:
# firewall-cmd --permanent --zone=public --add-port=10022/tcp
success
# firewall-cmd --reload
success

Delete a port by specifying a zone

Use “--remove-port” to remove a port from the zone:
# firewall-cmd [--permanent] --zone=Zone name --remove-port=Port number/protocol
Configuration example
Delete the “10022/tcp” rule in the “public” zone:
# firewall-cmd --permanent --zone=public --remove-port=10022/tcp
success
# firewall-cmd --reload
success

⑧How to start and stop

Since firewalld is controlled by systemd, use the systemctl command to start and stop it.
Start firewalld
# systemctl start firewalld
Stop firewalld
# systemctl stop firewalld

2.2 Open the modified SSH port 2244.

# firewall-cmd --add-port=2244/tcp --permanent
# firewall-cmd --reload
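Because a “--permanent” rule is not live until “--reload”, a script that opens the SSH port should read the active zone back afterwards rather than trust the “success” line. The following is an added example written for this page, not part of the original post: the “firewall-cmd --list-all” output it parses is a constructed sample in the layout shown in ②, and the names field_list, has_item, zone_has_service, zone_has_port and open_ssh_port are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): helpers that read
# `firewall-cmd --list-all` output so a script can confirm a port or service
# is really open in the active zone, plus a checked version of section 2.2.
set -eu

# Constructed sample in the layout the page shows for `firewall-cmd --list-all`,
# used here so the parsing helpers can run on a host without firewalld.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 2244/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field_list OUTPUT FIELD -> the values after "FIELD:" (empty if none)
field_list() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has_item LIST ITEM -> exit 0 if ITEM is one of the whitespace-separated words
has_item() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

zone_has_service() { has_item "$(field_list "$1" services)" "$2"; }
zone_has_port()    { has_item "$(field_list "$1" ports)" "$2"; }

# open_ssh_port [PORT/PROTO]: section 2.2 followed by a check that the rule
# is live. Needs root and firewall-cmd; the permanent rule only takes effect
# after --reload, which is why the active zone is read back afterwards.
open_ssh_port() {
    port=${1:-2244/tcp}
    firewall-cmd --permanent --add-port="$port"
    firewall-cmd --reload
    if zone_has_port "$(firewall-cmd --list-all)" "$port"; then
        echo "$port is open in the active zone"
    else
        echo "$port not visible in the active zone after reload" >&2
        return 1
    fi
}
```

Once open_ssh_port reports the new port as open and a fresh SSH login on 2244 works, the “ssh” service entry (port 22, which sshd no longer listens on) can be dropped with the “--remove-service” command from ⑥; doing that in the other order is the lockout the page warns about.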

3. Connect remotely from Windows

Setting up in Windows
Use “Tera Term” as the terminal emulator.
Start Tera Term, dismiss the startup screen, and then select “New connection” from “File” in the Tera Term menu.
Enter the IP address and TCP port number of the server, then click “OK”.

Click “Continue” on the screen that appears (screenshot omitted).

Enter your user name and password.

If the information is correct, you should be able to log in normally as shown below.

Last login: Thu Jan 13 21:39:44 2022
Have a lot of fun…
lan@Lepard:~>

4. NTP server configuration

Install Chrony and build an NTP server for time synchronization. Note that NTP uses 123/UDP.

4.1 Install Chrony

# zypper -n install chrony

4.2 Configuring Chrony

# vi /etc/chrony.conf
# Lines 3-7: comment out
#pool 0.suse.pool.ntp.org iburst
#pool 1.suse.pool.ntp.org iburst
#pool 2.suse.pool.ntp.org iburst
#pool 3.suse.pool.ntp.org iburst
#! pool pool.ntp.org iburst
# Add the following
server ntp.nict.jp iburst
server ntp1.jst.mfeed.ad.jp iburst
# Line 29: add the network range from which time synchronization is allowed.
allow 192.168.11.0/24
# systemctl start chronyd
# systemctl enable chronyd

4.3 Open the NTP port.

# firewall-cmd --add-service=ntp --permanent
success
# firewall-cmd --reload
success

4.4 Operation check

# chronyc sources
210 Number of sources = 19
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================
^- any.time.nl 2 8 377 653 +4648us[+4712us] +/- 22ms
^* ntp-a2.nict.go.jp 1 8 377 70 +319us[ +293us] +/- 5508us
^- y.ns.gin.ntt.net 2 8 377 66 -507us[ -507us] +/- 109ms
^- 122x215x240x51.ap122.ftt> 2 8 377 73 +34ms[ +34ms] +/- 78ms
^- kuroa.me 2 8 377 198 +880us[ +854us] +/- 43ms
^- 103.202.216.35 3 8 377 75 +4871us[+4845us] +/- 150ms
^+ ipv4.ntp2.rbauman.com 2 7 377 399 +1714us[+1706us] +/- 14ms
^+ r025169.203112.miinet.jp 4 8 377 322 +393us[ +366us] +/- 12ms
^? any.time.nl 0 6 0 - +0ns[ +0ns] +/- 0ns
^? y.ns.gin.ntt.net 0 6 0 - +0ns[ +0ns] +/- 0ns
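Reading the “chronyc sources” table by eye works once, but a server that other hosts will trust for time should be checked the same way every time. The following is an added example written for this page, not part of the original post: the table it parses is a constructed sample in the same layout as the output above, and the names chrony_selected_source, chrony_reachable_count and chrony_check are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): parse `chronyc sources` output
# to decide whether this server is actually synchronised before the LAN
# relies on it as an NTP source.
set -eu

# Constructed sample in the layout `chronyc sources` prints. The first
# column is mode+state: "^" server, "*" selected, "+" combined, "-" excluded,
# "?" unreachable; column 5 is the octal reach register (377 = last 8 polls ok).
SAMPLE_SOURCES='210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- any.time.nl                   2   8   377   653  +4648us[+4712us] +/-   22ms
^* ntp-a2.nict.go.jp             1   8   377    70   +319us[ +293us] +/- 5508us
^+ ipv4.ntp2.rbauman.com         2   7   377   399  +1714us[+1706us] +/-   14ms
^? y.ns.gin.ntt.net              0   6     0     -     +0ns[   +0ns] +/-    0ns'

# chrony_selected_source OUTPUT -> name of the source chrony synchronises to
# (state "*"), or nothing if none is selected.
chrony_selected_source() {
    printf '%s\n' "$1" | awk 'substr($1, 2, 1) == "*" { print $2; exit }'
}

# chrony_reachable_count OUTPUT -> number of sources with a full reach register.
chrony_reachable_count() {
    printf '%s\n' "$1" | awk '
        NF >= 6 && substr($1, 1, 1) ~ /[=#^]/ && $5 == "377" { n++ }
        END { print n + 0 }'
}

# chrony_check OUTPUT [MAXSTRATUM]: exit 0 only if a source is selected and
# its stratum is at most MAXSTRATUM (default 3), i.e. the clock is actually
# being steered by a reasonable upstream.
chrony_check() {
    out=$1; maxstratum=${2:-3}
    printf '%s\n' "$out" | awk -v max="$maxstratum" '
        substr($1, 2, 1) == "*" { if ($3 + 0 <= max) ok = 1 }
        END { exit ok ? 0 : 1 }'
}
```

On the server itself, `chrony_check "$(chronyc sources)" || echo "not synchronised"` gives a single pass/fail that can go into a cron job or monitoring check; a host that keeps answering NTP queries while no source is selected is serving its own drifting clock to the whole subnet.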