
Network Services Overview SSH

General Information

This page covers the Network Services objectives, specifically for ssh.

Network Services Objectives

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → The SSH client
  • server2.example.com (192.168.1.151) → The SSH server

Install the packages needed to provide the service

Install the service: This should already be installed by default.

yum install openssh openssh-server
  • openssh → the ssh client
  • openssh-server → the ssh daemon

Configure SELinux to support the service

Use SELinux port labeling to allow services to use non-standard ports

This section configures the ssh daemon to listen on a non-standard port and allows access to that port with SELinux.

  • Examples: “man semanage-port” has examples for allowing non-standard ports!
  • Tip: To see current port labels
    semanage port -l | grep ssh

Change sshd's Port

Edit sshd's config

vim /etc/ssh/sshd_config
 
Port 2022

Restart the service

systemctl restart sshd


SELinux: Configure Non-Standard Port

Add the new port to SELinux Ports

semanage port -a -t ssh_port_t -p tcp 2022

Open the firewall for the new port

firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --reload


Connect on a Non-Standard Port

From a client system

ssh user@server2 -p 2022

Configure the service to start when the system is booted

Check Current Service Status

systemctl status sshd
  • Also shows whether the service is enabled or disabled


Enabling a service to start on boot

systemctl enable sshd

Configure the service for basic operation

Enable and Start the service

systemctl enable sshd
systemctl start sshd

Configure host-based and user-based security for the service

Allow access through the firewall

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

There are two methods to control access based on host:

  • Firewall rich rule
  • TCP Wrappers (hosts.allow, hosts.deny)


Create a rich rule

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
firewall-cmd --reload
  • Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
  • --permanent is required here: a rule added only to the runtime configuration is discarded by the reload on the next line.


The first matching rule in the following order is applied:

  • Matching entry in hosts.allow → Host is allowed
  • Matching entry in hosts.deny → Host is denied
  • No match of either → Host is allowed


Denied Hosts

vim /etc/hosts.deny
 
sshd:  hacker.local


Allowed Hosts

vim /etc/hosts.allow
 
sshd:  *.example.com
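The first-match order above, worked through as an added example (not code from the original page): a small POSIX shell evaluator that applies constructed hosts.allow and hosts.deny rule text to a daemon name and a client host name, so the precedence (hosts.allow wins, then hosts.deny, otherwise allowed) can be checked before touching a live system. The rule text, host names and the vsftpd daemon name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): simulates the first-match
# hosts.allow / hosts.deny decision described above on constructed rule
# text instead of the real /etc/hosts.allow and /etc/hosts.deny.

# Constructed sample rules, same syntax as the files on the page.
HOSTS_ALLOW='# hosts.allow (constructed sample)
sshd:  *.example.com'
HOSTS_DENY='# hosts.deny (constructed sample)
sshd:  hacker.local, .evil.org
sshd:  *.example.com'

# file_matches RULES DAEMON HOST: succeed if any "daemon_list : client_list"
# line in RULES covers DAEMON and HOST. Handles ALL, exact names, the
# leading-dot suffix form (.evil.org) and shell wildcards (*.example.com).
file_matches() {
    # Drop comments and blank lines, turn comma separators into spaces.
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/,/ /g' -e '/^[[:space:]]*$/d' |
    { while IFS=: read -r daemons clients; do
        for d in $daemons; do
            if [ "$d" != "$2" ] && [ "$d" != ALL ]; then continue; fi
            for c in $clients; do
                if [ "$c" = ALL ]; then exit 0; fi
                case $3 in $c) exit 0 ;; esac     # exact name or wildcard
                case $c in .*) case $3 in *"$c") exit 0 ;; esac ;; esac
            done
        done
      done; exit 1; }
}

# access_decision DAEMON HOST: prints ALLOW or DENY in the order the page
# gives: a hosts.allow match wins, then hosts.deny, otherwise allowed.
access_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo ALLOW
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW
    fi
}

for host in hacker.local server1.example.com bad.evil.org unknown.org; do
    printf '%-22s %s\n' "$host" "$(access_decision sshd "$host")"
done
```

On a real host the same functions can be fed the live files, e.g. `file_matches "$(cat /etc/hosts.deny)" sshd hacker.local`; server1.example.com is reported ALLOW even though hosts.deny also lists *.example.com, because hosts.allow is consulted first.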

SSHD Main Config (space-separated user list)

vim /etc/ssh/sshd_config
 
AllowUsers yoda luke han
DenyUsers vader stormtrooper

Last modified: 2019/05/25 23:50