Differences

This shows you the differences between two versions of the page.

--- linux_wiki:network_services_overview_ssh [2016/10/06 21:09]
billdozor [Install the packages needed to provide the service]
+++ linux_wiki:network_services_overview_ssh [2018/05/20 15:29]
billdozor [Host Based: Firewall]
@@ Line 12: / Line 12: @@
   * Configure the service for basic operation
   * Configure host-based and user-based security for the service
+----
+====== Lab Setup ======
+The following virtual machines will be used:
+  * server1.example.com (192.168.1.150) -> The SSH client
+  * server2.example.com (192.168.1.151) -> The SSH server
 ----
@@ Line 34: / Line 42: @@
 ====== Use SELinux port labeling to allow services to use non-standard ports ======
-Configuring the <service-name> with a non standard port and allowing port access with selinux.
+Configuring the ssh daemon with a non standard port and allowing port access with selinux.
-**NOTE**: "man semanage-port" has examples for allowing non-standard ports!
+  * Examples: "man semanage-port" has examples for allowing non-standard ports!
+  * Tip: To see current port labels<code bash>semanage port -l | grep ssh</code>
+__**Change SSHDs Port**__
+Edit sshd's config
+<code bash>
+vim /etc/ssh/sshd_config
+Port 2022
+</code>
+Restart the service
+<code bash>
+systemctl restart sshd
+</code>
+\\
+__**SELinux: Configure Non-Standard Port**__
+Add the new port to SELinux Ports
+<code bash>
+semanage port -a -t ssh_port_t -p tcp 2022
+</code>
+Open the firewall for the new port
+<code bash>
+firewall-cmd --permanent --add-port=2022/tcp
+firewall-cmd --reload
+</code>
+\\
+__**Connect on Non Standard Port**__
+From a client system
+<code bash>
+ssh user@server1 -p 2022
+</code>
 ----
@@ Line 44: / Line 89: @@
 Check Current Service Status
 <code bash>
-systemctl status <service-name>
+systemctl status sshd
 </code>
   * Also displays if the service is enabled or disabled
@@ Line 51: / Line 96: @@
 Enabling a service to start on boot
 <code bash>
-systemctl enable <service-name>
+systemctl enable sshd
 </code>
@@ Line 60: / Line 105: @@
 Enable and Start the service
 <code bash>
-systemctl enable <service-name>
+systemctl enable sshd
-systemctl start <service-name>
+systemctl start sshd
 </code>
@@ Line 72: / Line 117: @@
 Allow access through the firewall
 <code bash>
-firewall-cmd --permanent --add-service=<service-name>
+firewall-cmd --permanent --add-service=ssh
 firewall-cmd --reload
 </code>
@@ Line 78: / Line 123: @@
 ===== Host Based =====
+There are two methods to control access based on host:
+  * Firewall rich rule
+  * TCP Wrappers (hosts.allow, hosts.deny)
+==== Host Based: Firewall ====
+Create a rich rule<code bash>firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
+firewall-cmd --reload
+</code>
+  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
+==== Host Based: TCP Wrappers ====
+The first match of the following actions is taken
+  * Matching entry in hosts.allow -> Host is allowed
+  * Matching entry in hosts.deny -> Host is denied
+  * No match of either -> Host is allowed
+\\
+Denied Hosts
+<code bash>
+vim /etc/hosts.deny
+sshd:  hacker.local
+</code>
+\\
+Allowed Hosts
+<code bash>
+vim /etc/hosts.allow
+sshd:  *.example.com
+</code>
 ===== User Based =====
+SSHD Main Config (**space separated user list**)
+<code bash>
+vim /etc/ssh/sshd_config
+AllowUsers yoda luke han
+DenyUsers vader stormtrooper
+</code>
 ----