====== Network Services Overview SSH ======
**General Information**
This page covers the Network Services objectives, specifically for ssh.
**Network Services Objectives**
* Install the packages needed to provide the service
* Configure SELinux to support the service
* Use SELinux port labeling to allow services to use non-standard ports
* Configure the service to start when the system is booted
* Configure the service for basic operation
* Configure host-based and user-based security for the service
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> The SSH client
* server2.example.com (192.168.1.151) -> The SSH server
----
====== Install the packages needed to provide the service ======
Install the service: This should already be installed by default.
yum install openssh openssh-server
* openssh -> the ssh client
* openssh-server -> the ssh daemon
----
====== Configure SELinux to support the service ======
* Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
----
====== Use SELinux port labeling to allow services to use non-standard ports ======
Configuring the ssh daemon with a non-standard port and allowing access to that port with SELinux.
* Examples: "man semanage-port" has examples for allowing non-standard ports!
* Tip: To see the current port labels:
semanage port -l | grep ssh
__**Change SSHD's Port**__
Edit sshd's config
vim /etc/ssh/sshd_config
Port 2022
Restart the service
systemctl restart sshd
\\
__**SELinux: Configure Non-Standard Port**__
Add the new port to SELinux Ports
semanage port -a -t ssh_port_t -p tcp 2022
Open the firewall for the new port
firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --reload
\\
__**Connect on Non-Standard Port**__
From the client system (server1), connect to the SSH server (server2)
ssh user@server2 -p 2022
----
====== Configure the service to start when the system is booted ======
Check Current Service Status
systemctl status sshd
* Also displays if the service is enabled or disabled
\\
Enabling a service to start on boot
systemctl enable sshd
----
====== Configure the service for basic operation ======
Enable and Start the service
systemctl enable sshd
systemctl start sshd
----
====== Configure host-based and user-based security for the service ======
===== Firewall =====
Allow access through the firewall
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
===== Host Based =====
There are two methods to control access based on host:
* Firewall rich rule
* TCP Wrappers (hosts.allow, hosts.deny)
\\
==== Host Based: Firewall ====
Create a rich rule
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
firewall-cmd --reload
* Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
* Without --permanent the rule only exists in the runtime configuration and is discarded by the --reload that follows.
\\
==== Host Based: TCP Wrappers ====
The first match of the following actions is taken
* Matching entry in hosts.allow -> Host is allowed
* Matching entry in hosts.deny -> Host is denied
* No match of either -> Host is allowed
\\
Denied Hosts
vim /etc/hosts.deny
sshd: hacker.local
\\
Allowed Hosts
vim /etc/hosts.allow
sshd: *.example.com
===== User Based =====
SSHD Main Config (**space-separated user list**)
vim /etc/ssh/sshd_config
AllowUsers yoda luke han
DenyUsers vader stormtrooper
* sshd checks DenyUsers first, then AllowUsers; once an AllowUsers line exists, any user not listed on it (root included) is refused.
* Restart sshd after editing the config for the change to take effect.
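As an added example that is not part of the original page, the following POSIX shell script evaluates sshd's user-based rules against a constructed sshd_config fragment (the SSHD_CONFIG_SAMPLE variable and the directive_users/user_allowed functions are the example's own, not from the page): DenyUsers is applied first, then AllowUsers, and once AllowUsers is present any user not listed is refused.

```shell
#!/bin/sh
# Added example, not from the wiki page: evaluate sshd's user-based rules.
# sshd(8) processes DenyUsers before AllowUsers; once an AllowUsers line
# exists, any user not listed on it is refused (root included).

# Constructed sshd_config fragment mirroring the page's example.
SSHD_CONFIG_SAMPLE='Port 2022
AllowUsers yoda luke han
DenyUsers vader stormtrooper'

# Print the space-separated user list of directive $1 (keywords are
# case-insensitive; like sshd, the first occurrence of a keyword wins).
directive_users() {
  printf '%s\n' "$SSHD_CONFIG_SAMPLE" | awk -v key="$1" '
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit 0 if user $1 passes AllowUsers/DenyUsers, 1 if sshd would refuse it.
user_allowed() {
  user="$1"
  deny=$(directive_users DenyUsers)
  allow=$(directive_users AllowUsers)
  for u in $deny; do
    if [ "$u" = "$user" ]; then return 1; fi
  done
  # No AllowUsers directive at all: everyone not denied gets in.
  if [ -z "$allow" ]; then return 0; fi
  for u in $allow; do
    if [ "$u" = "$user" ]; then return 0; fi
  done
  return 1
}

# Report the verdict for a few sample names (edit the list to try others).
for name in yoda vader leia; do
  if user_allowed "$name"; then
    echo "$name: allowed"
  else
    echo "$name: refused"
  fi
done
```

Note that leia is refused even though she appears on neither list, because AllowUsers is set.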
----