Contents
1.Setting up remote connection by SSH
SSH is a service for connecting remotely to a server and is basically running immediately after the OS is installed, but the default settings are somewhat insecure.
Here we will configure the default settings to increase the security of ssh connections.
1.1 SSH service configuration file changes
Modify the configuration file to change the SSH service settings.
The SSH service configuration file is "/etc/ssh/sshd_config".
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 |
Restart SSH
|
1 |
# systemctl restart sshd.service |
2.How to set up a firewall (firewalld)
In openSUSE, the firewall is set to firewalld by default and is enabled during OS installation.
To briefly explain firewalld, when setting up a communication control policy, communication permission/blocking rules are applied to predefined zones, and the zones are assigned to each NIC (network adapter).
2.1 How to use the firewall-cmd command to control "firewalld".
1)About Zones
Nine zones are provided by default
| zone | Communication Permission Service | Description. |
| block | None All external connections are blocked | Setting cannot be changed Return "CIMP Pohibited" when blocked, return communication is also allowed when communicating from inside |
| dmz | ssh | Zones defined for dmz |
| drop | None All external communications are blocked | Cannot change settings Internal communication can be sent, but return communication from the outside is blocked, resulting in all communication not being possible. |
| external | ssh | Zone defined for use in connection with external networks, such as routers with IP masquerade enabled. |
| home | dhcpv6-client ipp-client mdns samba-client ssh | Zones defined for use at home, etc. |
| internal | dhcpv6-client ipp-client mdns samba-client | Zone defined for use in the internal network. |
| public | dhcpv6-client ssh | Zones defined for use in public places. |
| trusted | Allow all communication | Setting cannot be changed |
| work | dhcpv6-client ipp-client ssh | Zones defined for use in work areas such as the workplace. |
2)Command to check the status and settings of firewalld
①Check firewalld operation status
|
1 |
# firewall-cmd --state |
OR
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2022-09-09 20:43:27 JST; 11min ago Docs: man:firewalld(1) Main PID: 704 (firewalld) Tasks: 2 (limit: 2245) CGroup: /system.slice/firewalld.service mq 704 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid Sep 09 20:43:25 Lepard systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 09 20:43:27 Lepard systemd[1]: Started firewalld - dynamic firewall daemon. |
Active: inactive (dead) is displayed, indicating that firewalld is stopped
➁Show default zone settings
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
In the above example, the "public" zone is the "default" setting and is assigned to the "eth0" NIC, and the services "dhcpv6-client" and "ssh" are allowed, etc.
➂Show the settings for the specified zone.
The following example shows how to display the settings for the "dmz" zone
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# firewall-cmd --zone=dmz --list-all dmz target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
④About the "--permanent" option
In order to prevent the settings from being lost when the server is restarted or the "firewalld" service is restarted, the "--permanent" option must be used.
To prevent the settings from being lost when the server is restarted or the "firewalld" service is restarted, the "--permanent" option must be used to configure the settings. In this case, if the "--permanent" option is specified, the settings will not be reflected in "firewalld" as they are, so it is necessary to reflect the settings using "fiewall-cmd --reload".
As an example, to use the HTTP service permanently without being initialized even if the system is rebooted
|
1 2 |
# firewall-cmd --add-service=http --permanent # firewall-cmd --reload |
⑤Adding and removing services to and from a zone
# firewall-cmd [--permanent] --zone=zone name --add-service=service name
If you want to permanently add services to a zone, you must configure it with the "--permanent" option.
Example configuration for temporarily adding a service
|
1 2 |
# firewall-cmd --zone=public --add-service=http success |
Configuration example for adding a temporary http service
|
1 2 |
# firewall-cmd --permanent --zone=public --add-service=http success |
⑥service deletion
Use "--remove-service" to remove a service configured for a zone
|
1 |
# firewall-cmd [--permanent] --zone=Zone name --remove-service=Service Name |
Remove the "http" service from the "public" zone as an example
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --remove-service=http success # firewall-cmd --reload success |
⑦Add or remove ports to a zone
To add a communication that has not been added as a service to the zone, add it by specifying the port number and protocol
Adding a port
Use "--add-port" to add a port to the zone
|
1 |
# firewall-cmd [--permanent] --zone=Zone name --add-port=Port number/protocol |
Configuration example
Added rules for port number 10022 and protocol TCP in the "public" zone.
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --add-port=10022/tcp success # firewall-cmd --reload success |
Deleting a port
Use "--remove-port" to remove a port from a zone
|
1 |
# firewall-cmd [--permanent]--zone=Zone name --remove-port=Port number/protocol |
Configuration example
Delete the "10022/tcp" rule in the "public" zone that we just added
|
1 2 3 4 |
# firewall-cmd --permanent --zone=public --remove-port=10022/tcp success # firewall-cmd --reload success |
⑧How to start and stop
Since firewalld is controlled by systemd, use the systemctl command to start and stop it.
Start firewalld
|
1 |
# systemctl start firewalld |
Stop firewalld
|
1 |
# systemctl stop firewalld |
2.2 Allow modified SSH port 2244
|
1 2 |
# firewall-cmd --add-port=2244/tcp --permanent # firewall-cmd --reload |
3.Remote connection from Windows
Configuration in Windows
Start setting up a remote connection from Windows, using "Tera Term" as the terminal emulator.
Start Tera Term, cancel the startup screen, and then select "New Connection" from "File" in the Tera Term menu.
Enter the following information on the next screen.
Host : Server IP Address
TCP port : SSH port number changed above
Enter the following information on the next screen.
User name : General Login Username
Passphrase : Password for the above user
If the information is correct, you should be able to log in normally as shown below.
4. NTP Server Settings
Install Chrony and build an NTP server for time synchronization. Note that NTP uses 123/UDP.
4.1 Chrony Install
|
1 |
# zypper -n install chrony |
4.2 Chrony Settings
|
1 2 3 4 5 6 7 8 9 10 |
# vi /etc/chrony.conf # Line 3:comment-out #pool 0.opensuse.pool.ntp.org iburst #add server ntp.nict.jp iburst server ntp1.jst.mfeed.ad.jp iburst # Per line 26: Added a range of time synchronization allowed allow 192.168.11..0/24 |
|
1 2 |
# systemctl start chronyd # systemctl enable chronyd |
4.3 Open NTP port
If Firewalld is enabled, permission for NTP service is required. Note that NTP uses 123/UDP.
|
1 2 3 4 |
# firewall-cmd --add-service=ntp --permanent success # firewall-cmd --reload success |
4.4 operation check
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# chronyc sources MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^- 122x215x240x52.ap122.ftt> 2 6 377 36 +35ms[ +35ms] +/- 73ms ^* ntp-b2.nict.go.jp 1 7 377 34 -442us[ -434us] +/- 5825us ^- any.time.nl 2 7 377 98 +682us[ +691us] +/- 44ms ^- time.cloudflare.com 3 7 377 96 +2633us[+2641us] +/- 141ms ^- 122x215x240x51.ap122.ftt> 2 7 377 32 +35ms[ +35ms] +/- 73ms ^- x.ns.gin.ntt.net 2 6 377 38 -2593us[-2586us] +/- 89ms ^- 138.3.216.120 2 7 177 94 -229us[ -221us] +/- 9751us ^+ ntp-a2.nict.go.jp 1 7 377 108 -193us[ -184us] +/- 5999us |