====== Network Services Overview SSH ======

**General Information**

This page covers the Network Services objectives, specifically for ssh.

**Network Services Objectives**

  * Install the packages needed to provide the service
  * Configure SELinux to support the service
  * Use SELinux port labeling to allow services to use non-standard ports
  * Configure the service to start when the system is booted
  * Configure the service for basic operation
  * Configure host-based and user-based security for the service

----

====== Lab Setup ======

The following virtual machines will be used:

  * server1.example.com (192.168.1.150) -> The SSH client
  * server2.example.com (192.168.1.151) -> The SSH server

----

====== Install the packages needed to provide the service ======

Install the service (it should already be installed by default):

<code bash>
yum install openssh openssh-server
</code>

  * openssh -> the ssh client
  * openssh-server -> the ssh daemon

----

====== Configure SELinux to support the service ======

  * Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].

----

====== Use SELinux port labeling to allow services to use non-standard ports ======

Configure the ssh daemon to listen on a non-standard port and allow access to that port with SELinux.

  * Examples: "man semanage-port" has examples for allowing non-standard ports!
  * Tip: To see the current port labels:

<code bash>
semanage port -l | grep ssh
</code>

__**Change SSHD's Port**__

Edit sshd's config:

<code bash>
vim /etc/ssh/sshd_config
</code>

<code>
Port 2022
</code>

Restart the service:

<code bash>
systemctl restart sshd
</code>

\\
__**SELinux: Configure Non-Standard Port**__

Add the new port to the SELinux ports. While SELinux is enforcing, sshd is denied the bind on a port that is not labeled ssh_port_t and fails to start, so make sure the label is in place before sshd is restarted on the new port.

<code bash>
semanage port -a -t ssh_port_t -p tcp 2022
</code>

Open the firewall for the new port:

<code bash>
firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --reload
</code>

\\
__**Connect on Non-Standard Port**__

From a client system:

<code bash>
ssh user@server1 -p 2022
</code>

----

====== Configure the service to start when the system is booted ======

Check the current service status:

<code bash>
systemctl status sshd
</code>

  * Also displays whether the service is enabled or disabled

\\
Enable the service to start on boot:

<code bash>
systemctl enable sshd
</code>

----

====== Configure the service for basic operation ======

Enable and start the service:

<code bash>
systemctl enable sshd
systemctl start sshd
</code>

----

====== Configure host-based and user-based security for the service ======

===== Firewall =====

Allow access through the firewall:

<code bash>
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
</code>

===== Host Based =====

There are two methods to control access based on host:

  * Firewall rich rule
  * TCP Wrappers (hosts.allow, hosts.deny)

\\
==== Host Based: Firewall ====

Create a rich rule (made permanent so the reload that follows does not discard it):

<code bash>
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
firewall-cmd --reload
</code>

  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
\\
==== Host Based: TCP Wrappers ====

The first matching entry decides; the rules are checked in this order:

  * Matching entry in hosts.allow -> Host is allowed
  * Matching entry in hosts.deny -> Host is denied
  * No match in either file -> Host is allowed

\\
Denied hosts:

<code bash>
vim /etc/hosts.deny
</code>

<code>
sshd: hacker.local
</code>

\\
Allowed hosts:

<code bash>
vim /etc/hosts.allow
</code>

<code>
sshd: *.example.com
</code>

===== User Based =====

SSHD main config (**space-separated user list**). DenyUsers is evaluated before AllowUsers, so a user listed in both is denied.

<code bash>
vim /etc/ssh/sshd_config
</code>

<code>
AllowUsers yoda luke han
DenyUsers vader stormtrooper
</code>

----
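The non-standard port section above touches three places that must agree: the Port line in sshd_config, the ssh_port_t label in SELinux, and the firewalld opening. The script below is an added example (not part of the original page) that cross-checks those three views; it runs on constructed sample text standing in for the real sshd_config, `semanage port -l | grep ssh` output and `firewall-cmd --list-ports` output, so it can be tried without root.

```shell
#!/bin/sh
# Constructed sample inputs standing in for /etc/ssh/sshd_config,
# "semanage port -l | grep ssh" and "firewall-cmd --list-ports" on the SSH server.
SSHD_CONFIG_SAMPLE='#Port 22
Port 2022
PermitRootLogin no'
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      2022, 22'
FIREWALL_PORTS_SAMPLE='2022/tcp'

# Ports sshd listens on: every active "Port" line, or 22 when none is set.
sshd_ports() {
    p=$(printf '%s\n' "$1" | awk 'tolower($1)=="port" {print $2}')
    if [ -n "$p" ]; then printf '%s\n' "$p"; else echo 22; fi
}

# TCP ports carrying the ssh_port_t label (semanage prints them comma separated).
labeled_ssh_ports() {
    printf '%s\n' "$1" | awk '$1=="ssh_port_t" && $2=="tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i } }'
}

# Report each configured sshd port that lacks the SELinux label or a firewall
# opening. Port 22 is covered by the "ssh" firewall service, so the firewall
# check is skipped for it. Returns 1 if anything is reported, 0 when all agree.
audit_sshd_ports() {
    cfg=$1 sem=$2 fw=$3 rc=0
    for port in $(sshd_ports "$cfg"); do
        if ! labeled_ssh_ports "$sem" | grep -qx "$port"; then
            echo "$port: not labeled ssh_port_t"; rc=1
        fi
        if [ "$port" != 22 ] && ! printf '%s\n' $fw | grep -qx "$port/tcp"; then
            echo "$port: not opened in firewalld"; rc=1
        fi
    done
    return $rc
}

# State after editing sshd_config and opening the firewall, but before semanage.
if audit_sshd_ports "$SSHD_CONFIG_SAMPLE" "$SEMANAGE_BEFORE" "$FIREWALL_PORTS_SAMPLE"; then
    echo "sshd ports, SELinux labels and firewall agree"
else
    echo "fix: semanage port -a -t ssh_port_t -p tcp <port>"
fi
```

On a live server the same functions can be fed `cat /etc/ssh/sshd_config`, `semanage port -l | grep ssh` and `firewall-cmd --list-ports` instead of the samples.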