Slackware 15.0 ; OSインストール後の各種設定 Ⅱ

Contents

SSHリモート接続
ファイアウォールの導入と設定方法

SSHリモート接続

デフォルトの設定を変更してssh接続のセキュリティを高める設定を行います。

1. SSHサービスの設定ファイル変更

SSHサービスの設定を変更するために設定ファイルを変更します。
SSHサービスの設定ファイルは"/etc/ssh/sshd_config"になります。

# vi /etc/ssh/sshd_config

  1 #       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
  7
  8 # The strategy used for options in the default sshd_config shipped with
  9 # OpenSSH is to specify options with their default value where
 10 # possible, but leave them commented.  Uncommented options override the
 11 # default value.
 12
 13 #Port 22
 14 Port 2244
 15 #AddressFamily any
 16 ListenAddress 0.0.0.0
 17 #ListenAddress ::
 18
 19 #HostKey /etc/ssh/ssh_host_rsa_key
 20 #HostKey /etc/ssh/ssh_host_ecdsa_key
 21 #HostKey /etc/ssh/ssh_host_ed25519_key
 22
 23 # Ciphers and keying
 24 #RekeyLimit default none
 25
 26 # Logging
 27 #SyslogFacility AUTH
 28 #LogLevel INFO
 29
 30 # Authentication:
 31
 32 #LoginGraceTime 2m
 33 PermitRootLogin prohibit-password
 34 #StrictModes yes
 35 #MaxAuthTries 6
 36 #MaxSessions 10
 37
 38 #PubkeyAuthentication yes
 39
 40 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys    2
 41 # but this is overridden so installations will only check .ssh/authorized_ke    ys
 42 AuthorizedKeysFile      .ssh/authorized_keys
 43
 44 #AuthorizedPrincipalsFile none
 45
 46 #AuthorizedKeysCommand none
 47 #AuthorizedKeysCommandUser nobody
 48
 49 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 50 #HostbasedAuthentication no
 51 # Change to yes if you don't trust ~/.ssh/known_hosts for
 52 # HostbasedAuthentication
 53 #IgnoreUserKnownHosts no
 54 # Don't read the user's ~/.rhosts and ~/.shosts files
 55 #IgnoreRhosts yes
 56
 57 # To disable tunneled clear text passwords, change to no here!
 58 PasswordAuthentication yes
 59 #PermitEmptyPasswords no

# vi /etc/ssh/sshd_config

1 # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

8 # The strategy used for options in the default sshd_config shipped with

9 # OpenSSH is to specify options with their default value where

10 # possible, but leave them commented. Uncommented options override the

11 # default value.

13 #Port 22

14 Port 2244

15 #AddressFamily any

16 ListenAddress 0.0.0.0

17 #ListenAddress ::

19 #HostKey /etc/ssh/ssh_host_rsa_key

20 #HostKey /etc/ssh/ssh_host_ecdsa_key

21 #HostKey /etc/ssh/ssh_host_ed25519_key

23 # Ciphers and keying

24 #RekeyLimit default none

26 # Logging

27 #SyslogFacility AUTH

28 #LogLevel INFO

30 # Authentication:

32 #LoginGraceTime 2m

33 PermitRootLogin prohibit-password

34 #StrictModes yes

35 #MaxAuthTries 6

36 #MaxSessions 10

38 #PubkeyAuthentication yes

40 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys 2

41 # but this is overridden so installations will only check .ssh/authorized_ke ys

42 AuthorizedKeysFile .ssh/authorized_keys

44 #AuthorizedPrincipalsFile none

46 #AuthorizedKeysCommand none

47 #AuthorizedKeysCommandUser nobody

49 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

50 #HostbasedAuthentication no

51 # Change to yes if you don't trust ~/.ssh/known_hosts for

52 # HostbasedAuthentication

53 #IgnoreUserKnownHosts no

54 # Don't read the user's ~/.rhosts and ~/.shosts files

55 #IgnoreRhosts yes

57 # To disable tunneled clear text passwords, change to no here!

58 PasswordAuthentication yes

59 #PermitEmptyPasswords no

13行目「Port 22」今回は「Port 2244」に変更して進めていきます
15行目「#ListenAddress 0.0.0.0」の「#」を削除します
32行目「#PermitRootLogin prohibit-password」「#」を削除します
58行目「#PasswordAuthentication yes」「#」を削除します

SSH の再起動

# /etc/rc.d/rc.sshd restart
WARNING: killing listener process only.  To kill every sshd process, you must
         use 'rc.sshd stop'.  'rc.sshd restart' kills only the parent sshd to
         allow an admin logged in through sshd to use 'rc.sshd restart' without
         being cut off.  If sshd has been upgraded, new connections will now
         use the new version, which should be a safe enough approach.

# /etc/rc.d/rc.sshd restart

WARNING: killing listener process only. To kill every sshd process, you must

use 'rc.sshd stop'. 'rc.sshd restart' kills only the parent sshd to

allow an admin logged in through sshd to use 'rc.sshd restart' without

being cut off. If sshd has been upgraded, new connections will now

use the new version, which should be a safe enough approach.

このままでは次に再起動したときSSHによるリモート接続ができなくなるので、次のファイアウォールの設定でSSHポート2244番を解放してください。

ファイアウォールの導入と設定方法

Slackwareにはファイアウォールが導入されていませんので、Linuxでよく利用されるUFWを導入しますが、標準リポジトリーにはありませんのでサードパーティーリポジトリーから導入します

# wget http://www.slackel.gr/repo/x86_64/current/slackel/extra/ufw-0.30-x86_64-1dj.txz
# upgradepkg --install-new ufw-0.30-x86_64-1dj.txz

1 2	# wget http://www.slackel.gr/repo/x86_64/current/slackel/extra/ufw-0.30-x86_64-1dj.txz # upgradepkg --install-new ufw-0.30-x86_64-1dj.txz

UFWのインストールファイルのパス

Path
/etc/default/ufw
/etc/rc.d/rc.ufw
/etc/ufw/after.rules
/etc/ufw/after6.rules
/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/sysctl.conf
/etc/ufw/ufw.conf
/etc/ufw/applications.d/ufw-bittorrent
/etc/ufw/applications.d/ufw-chat
/etc/ufw/applications.d/ufw-directoryserver
/etc/ufw/applications.d/ufw-dnsserver
/etc/ufw/applications.d/ufw-fileserver
/etc/ufw/applications.d/ufw-loginserver
/etc/ufw/applications.d/ufw-mailserver
/etc/ufw/applications.d/ufw-printserver
/etc/ufw/applications.d/ufw-proxyserver
/etc/ufw/applications.d/ufw-webserver
/lib/ufw/ufw-init
/lib/ufw/ufw-init-functions
/lib/ufw/user.rules
/lib/ufw/user6.rules
/usr/doc/ufw-0.30/AUTHORS
/usr/doc/ufw-0.30/COPYING
/usr/doc/ufw-0.30/ChangeLog
/usr/doc/ufw-0.30/ChangeLog.pre-0.25
/usr/doc/ufw-0.30/README
/usr/doc/ufw-0.30/README.design
/usr/doc/ufw-0.30/README.translations
/usr/doc/ufw-0.30/TODO
/usr/lib64/python2.7/site-packages/ufw-0.30-py2.7.egg-info
/usr/lib64/python2.7/site-packages/ufw/init.py
/usr/lib64/python2.7/site-packages/ufw/init.pyc
/usr/lib64/python2.7/site-packages/ufw/applications.py
/usr/lib64/python2.7/site-packages/ufw/applications.pyc
/usr/lib64/python2.7/site-packages/ufw/backend.py
/usr/lib64/python2.7/site-packages/ufw/backend.pyc
/usr/lib64/python2.7/site-packages/ufw/backend_iptables.py
/usr/lib64/python2.7/site-packages/ufw/backend_iptables.pyc
/usr/lib64/python2.7/site-packages/ufw/common.py
/usr/lib64/python2.7/site-packages/ufw/common.pyc
/usr/lib64/python2.7/site-packages/ufw/frontend.py
/usr/lib64/python2.7/site-packages/ufw/frontend.pyc
/usr/lib64/python2.7/site-packages/ufw/parser.py
/usr/lib64/python2.7/site-packages/ufw/parser.pyc
/usr/lib64/python2.7/site-packages/ufw/util.py
/usr/lib64/python2.7/site-packages/ufw/util.pyc
/usr/man/man8/ufw-framework.8.gz
/usr/man/man8/ufw.8.gz
/usr/sbin/ufw
/usr/share/ufw/iptables/after.rules
/usr/share/ufw/iptables/after6.rules
/usr/share/ufw/iptables/before.rules
/usr/share/ufw/iptables/before6.rules
/usr/share/ufw/iptables/user.rules
/usr/share/ufw/iptables/user6.rules
/usr/share/ufw/messages/ar.mo
/usr/share/ufw/messages/bg.mo
/usr/share/ufw/messages/ca.mo
/usr/share/ufw/messages/cs.mo
/usr/share/ufw/messages/da.mo
/usr/share/ufw/messages/de.mo
/usr/share/ufw/messages/el.mo
/usr/share/ufw/messages/en_AU.mo
/usr/share/ufw/messages/en_GB.mo
/usr/share/ufw/messages/es.mo
/usr/share/ufw/messages/fi.mo
/usr/share/ufw/messages/fr.mo
/usr/share/ufw/messages/he.mo
/usr/share/ufw/messages/hu.mo
/usr/share/ufw/messages/id.mo
/usr/share/ufw/messages/it.mo
/usr/share/ufw/messages/nb.mo
/usr/share/ufw/messages/nl.mo
/usr/share/ufw/messages/pl.mo
/usr/share/ufw/messages/pt.mo
/usr/share/ufw/messages/pt_BR.mo
/usr/share/ufw/messages/ru.mo
/usr/share/ufw/messages/sk.mo
/usr/share/ufw/messages/sl.mo
/usr/share/ufw/messages/sr.mo
/usr/share/ufw/messages/sv.mo
/usr/share/ufw/messages/tl.mo
/usr/share/ufw/messages/zh_CN.mo
/usr/src/ufw-0.30/SLKBUILD
/usr/src/ufw-0.30/rc.ufw

ufwを有効にし起動します

# ufw enable
# ufw status
Status: active

# ufw enable

# ufw status

Status: active

受信パケットデフォルトルールの設定

まず受信パケットに対するルールを設定します。受信パケットは特定の通信以外、全てを拒否する形が一般的なルールになります。全ての受信パケットを基本的に拒否するように"ufw default deny incoming"を実行します。

# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

# ufw default deny incoming

Default incoming policy changed to 'deny'

(be sure to update your rules accordingly)

送信パケットデフォルトルールの設定

送信パケットは全てを許可する形が一般的なルールになります。送信パケットを基本的に許可するように"ufw default allow outgoing"を実行します。

# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

# ufw default allow outgoing

Default outgoing policy changed to 'allow'

(be sure to update your rules accordingly)

とりあえず、標準SSHポートと変更した2244ポートを許可します

# ufw allow ssh
# ufw allow 2244/tcp
# ufw reload

# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
2244/tcp                   ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere

# ufw allow ssh

# ufw allow 2244/tcp

# ufw reload

# ufw status verbose

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing)

New profiles: skip

To Action From

-- ------ ----

2244/tcp ALLOW IN Anywhere

22 ALLOW IN Anywhere

ページのトップへ

SSHリモート接続

ファイアウォールの導入と設定方法

受信パケット デフォルトルールの設定

送信パケット デフォルトルールの設定

受信パケットデフォルトルールの設定

送信パケットデフォルトルールの設定