1. Set the root password and use the SU command
$ sudo passwd root
password for <user name>:          ← current user's password
Enter new UNIX password:           ← enter the root password to be set
Retype new UNIX password:          ← re-enter the same password
passwd: password updated successfully
2. Initial SSH configuration
$ su -
Password:
# cd /etc/ssh
# vi sshd_config
PermitRootLogin no    ← disable login as root
3. Setting up SSH key authentication
Become an ordinary user again and create an RSA key pair.
$ ssh-keygen -t rsa
Enter file in which to save the key (/home/masa/.ssh/id_rsa):   # storage location; just press Enter to keep the default
Created directory '/home/<user>/.ssh'.
Enter passphrase (empty for no passphrase):                     # passphrase (press Enter for none)
Enter same passphrase again:
$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
After this, use WinSCP or something similar to copy the id_rsa file (the private key) to an appropriate location on Windows.
Rewrite the configuration file to disable password authentication.
$ su -
# vi /etc/ssh/sshd_config
# Line 56: disable password authentication and keep public-key authentication enabled
PasswordAuthentication no
PubkeyAuthentication yes
Restart SSH service
# systemctl restart ssh
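As an added check (not the post's own), this script reads an sshd_config on standard input and reports whether the three settings made above (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication) are actually in effect. It accounts for sshd taking the first uncommented occurrence of a keyword and for absent keywords falling back to their compiled-in defaults; the sample config and the function names are constructed for the example.

```shell
#!/bin/sh
# Added check (not part of the original post): does an sshd_config really carry
# the settings made above?  sshd uses the FIRST uncommented occurrence of a
# keyword, so a "PasswordAuthentication no" placed below an earlier "yes" has no
# effect, and a keyword that never appears takes its compiled-in default.
# Lines after a "Match" block header are conditional and are not scanned.
# (Only the "Keyword value" form is parsed, not "Keyword=value".)

# Constructed sample: root login is off, but password auth stays ON because the
# first "yes" wins; the later "no" lines sit in the Match block and apply only
# to user backup.
SAMPLE_CONFIG='# sshd_config (constructed sample)
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no'

# effective_value KEYWORD DEFAULT -> the value sshd will use, read from stdin.
effective_value() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blanks
        tolower($1) == "match"   { exit }                 # conditional part
        tolower($1) == kw        { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# check_hardening -> one line per setting; exit 1 if any is not as wanted.
check_hardening() {
    cfg="$(cat)"; rc=0
    for spec in "PermitRootLogin no prohibit-password" \
                "PasswordAuthentication no yes" \
                "PubkeyAuthentication yes yes"; do
        set -- $spec                      # keyword, wanted value, sshd default
        got="$(printf '%s\n' "$cfg" | effective_value "$1" "$3")"
        if [ "$got" = "$2" ]; then
            echo "ok    $1 = $got"
        else
            echo "FAIL  $1 = $got (want $2)"; rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$SAMPLE_CONFIG" | check_hardening || echo "hardening incomplete"
```

On a real host run it as `check_hardening < /etc/ssh/sshd_config`, or better against `sshd -T`, which prints the fully resolved configuration.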
4. Firewalling with UFW
Type the following command to see the status of the ufw configuration.
# sudo ufw status
Status: inactive
ufw is disabled at first, as shown by "Status: inactive".
Enable ufw with the following command.
# sudo ufw enable
You may get the following message.
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
This means "the command may interrupt your current ssh connection; do you want to continue?", and it is shown when you are connected to the server over ssh.
In my environment, ssh was never disconnected even if I entered y (yes), so I think it is safe to enter y.
# ufw status
Status: active
ufw is now enabled, as shown by "Status: active".
If you type the following command in this state, you will see the rules that ufw has written to iptables.
# iptables -nL
If you want to disable ufw, type the following command.
# ufw disable
Next, block all incoming communication with the following command.
# ufw default DENY
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
This blocks all communication coming from outside. (The ssh session you are currently in may be cut off part-way through; and once you log out, it will be impossible to connect again via ssh until you add a rule, so be careful.) With everything blocked, we can now decide which services to allow.
Note that this setting only blocks communication from "outside to inside"; communication from inside to outside is not blocked.
Configure the settings
To set ufw to "allow communication coming to port number xxx", type the following command.
# ufw allow [port number]
Conversely, to "disallow communication coming to port number xxx", type the following command.
# ufw deny [port number]
Allow ssh connections
Allow ssh connections so that you can still connect remotely later.
To allow ssh connections, type the following command, assuming the ssh port is set to 5001.
# ufw allow 5001
An attacker will repeatedly try to log in to port 5001 with guessed passwords, hoping to hit a match by chance. This is called a brute force attack.
As a countermeasure, apply the setting "Do not allow connections from IP addresses that are accessed consecutively".
Type the following command.
# ufw limit 5001
This will set the rule "Do not allow IP addresses that have attempted to connect more than 6 times in 30 seconds".
Check the settings. You should see something like this.
# ufw status
Status: active

To                         Action      From
--                         ------      ----
5001                       LIMIT       Anywhere
5001 (v6)                  LIMIT       Anywhere (v6)
LIMIT (connection rate limiting) is now set for port 5001 on both IPv4 and IPv6.
Only allow ssh connections from specific networks
Even with the above settings, you are still exposing your ssh port to the outside Internet.
Even with a limit on the number of connection attempts, it is still possible that the password is guessed somehow, or that a connection is established by exploiting a vulnerability.
Therefore, allow ssh connections only from the internal network and do not allow any external ssh connections.
On the local area network there is a host with the IP address "192.168.11.xx".
To allow ssh connections only from this host, or from its network (192.168.11.0/24), type the following command.
Allow ssh connections from 192.168.11.0/24:
# ufw allow from 192.168.11.0/24 to any port 5001
Rule added
If you check your settings, you should see something like this.
# ufw status
Status: active

To                         Action      From
--                         ------      ----
5001                       LIMIT       Anywhere
5001                       ALLOW       192.168.11.0/24
5001 (v6)                  LIMIT       Anywhere (v6)
However, in this state ssh connections from outside are still allowed, merely rate limited.
Therefore, we will remove the LIMIT rules.
Use the following command to display the rules with their numbers and confirm the settings.
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5001                       LIMIT IN    Anywhere
[ 2] 5001                       ALLOW IN    192.168.11.0/24
[ 3] 5001 (v6)                  LIMIT IN    Anywhere (v6)
Rules 1 and 3 are not needed, so we delete them by specifying their numbers.
# ufw delete 1
Deleting:
 limit 5001
Proceed with operation (y|n)? y
Rule deleted
Now that rule #1 has been deleted, delete rule #3 in the same way (run `ufw status numbered` again first, since the remaining rules are renumbered).
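As an added check (not the post's own), the following script takes a `ufw status numbered` listing on standard input, works out which rules still admit the ssh port from Anywhere, and prints the corresponding delete commands; it refuses to propose anything unless an ALLOW rule from a specific network exists, to avoid the lockout the text warns about. The sample listing, the port 5001 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of the original post). It reads the output of
# `ufw status numbered` on stdin and lists the rules that still expose the ssh
# port to "Anywhere", i.e. the LIMIT/ALLOW Anywhere rules the text deletes.
# Rule numbers come out highest first: ufw renumbers the remaining rules after
# every `ufw delete`, so deleting top-down would hit the wrong rule.

# Constructed sample, modelled on the listing shown in the text.
SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5001                       LIMIT IN    Anywhere
[ 2] 5001                       ALLOW IN    192.168.11.0/24
[ 3] 5001 (v6)                  LIMIT IN    Anywhere (v6)
[ 4] 80                         ALLOW IN    Anywhere'

# exposed_rules PORT -> numbers (one per line, descending) of rules whose
# destination is PORT, v4 or v6, and whose source is Anywhere.
exposed_rules() {
    grep -E "^\[ *[0-9]+] +$1( \(v6\))? +(ALLOW|LIMIT)( IN)? +Anywhere" \
      | sed -E 's/^\[ *([0-9]+)].*/\1/' | sort -rn
}

# has_lan_allow PORT -> succeeds if some ALLOW rule admits PORT from a specific
# address or network; without one, deleting the Anywhere rules locks you out.
has_lan_allow() {
    grep -qE "^\[ *[0-9]+] +$1( \(v6\))? +ALLOW( IN)? +[0-9]"
}

# plan_cleanup PORT -> prints the ufw delete commands, or refuses (exit 1)
# when they would leave no way in over ssh.
plan_cleanup() {
    status="$(cat)"
    if ! printf '%s\n' "$status" | has_lan_allow "$1"; then
        echo "refusing: no ALLOW rule from a specific network for port $1" >&2
        return 1
    fi
    for n in $(printf '%s\n' "$status" | exposed_rules "$1"); do
        echo "ufw delete $n"
    done
}

printf '%s\n' "$SAMPLE" | plan_cleanup 5001
```

On a live host, `ufw status numbered | plan_cleanup 5001` prints the commands to review before you run them.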
Allow access to the web.
Since our goal is to set up a firewall for a web server, we will allow connections to ports 80 (HTTP) and 443 (HTTPS).
You can specify a port number to allow connections, or you can specify the service by name.
You can see the list of service names and their ports in the following file.
# vi /etc/services
# ufw allow http
Rule added
Rule added (v6)
# ufw allow https
Rule added
Rule added (v6)
# ufw status
Status: active

To                         Action      From
--                         ------      ----
5001                       ALLOW       192.168.11.0/24
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
Disable ufw for IPv6
# vi /etc/default/ufw
IPV6=yes → IPV6=no
# systemctl restart ufw