General Information

This page covers the Network Services objectives, specifically for ssh.

Network Services Objectives

• Install the packages needed to provide the service
• Configure SELinux to support the service
• Use SELinux port labeling to allow services to use non-standard ports
• Configure the service to start when the system is booted
• Configure the service for basic operation
• Configure host-based and user-based security for the service

The following virtual machines will be used:

• server1.example.com (192.168.1.150) → The SSH client
• server2.example.com (192.168.1.151) → The SSH server

Install the service: This should already be installed by default.

yum install openssh openssh-server

• openssh → the ssh client
• openssh-server → the ssh daemon

• Service agnostic → Ensure SELinux is running and enabled (RHCSA objective).

Configuring the ssh daemon with a non standard port and allowing port access with selinux.

• Examples: “man semanage-port” has examples for allowing non-standard ports!
• Tip: To see current port labels

  semanage port -l | grep ssh

Change SSHDs Port

Edit sshd's config

vim /etc/ssh/sshd_config
 
Port 2022

Restart the service

systemctl restart sshd

SELinux: Configure Non-Standard Port

Add the new port to SELinux Ports

semanage port -a -t ssh_port_t -p tcp 2022

Open the firewall for the new port

firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --reload

Connect on Non Standard Port

From a client system

ssh user@server1 -p 2022

Check Current Service Status

systemctl status sshd

• Also displays if the service is enabled or disabled

Enabling a service to start on boot

systemctl enable sshd

Enable and Start the service

systemctl enable sshd
systemctl start sshd

Allow access through the firewall

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

There are two methods to control access based on host:

• Firewall rich rule
• TCP Wrappers (hosts.allow, hosts.deny)

Create a rich rule

firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
firewall-cmd --reload

• Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.

The first match of the following actions is taken

• Matching entry in hosts.allow → Host is allowed
• Matching entry in hosts.deny → Host is denied
• No match of either → Host is allowed

Denied Hosts

vim /etc/hosts.deny
 
sshd:  hacker.local

Allowed Hosts

vim /etc/hosts.allow
 
sshd:  *.example.com

SSHD Main Config (space separated user list)

vim /etc/ssh/sshd_config
 
AllowUsers yoda luke han
DenyUsers vader stormtrooper