Differences

This shows you the differences between two versions of the page.

--- linux_wiki:network_services_overview_ssh [2018/05/20 15:29]
billdozor [Host Based: Firewall]
+++ linux_wiki:network_services_overview_ssh [2019/05/25 23:50]
@@ Line 1: / Line 1: @@
-====== Network Services Overview SSH ======
-**General Information**
-This page covers the Network Services objectives, specifically for ssh.
-**Network Services Objectives**
-  * Install the packages needed to provide the service
-  * Configure SELinux to support the service
-  * Use SELinux port labeling to allow services to use non-standard ports
-  * Configure the service to start when the system is booted
-  * Configure the service for basic operation
-  * Configure host-based and user-based security for the service
-----
-====== Lab Setup ======
-The following virtual machines will be used:
-  * server1.example.com (192.168.1.150) -> The SSH client
-  * server2.example.com (192.168.1.151) -> The SSH server
-----
-====== Install the packages needed to provide the service ======
-Install the service: This should already be installed by default.
-<code bash>
-yum install openssh openssh-server
-</code>
-  * openssh -> the ssh client
-  * openssh-server -> the ssh daemon
-----
-====== Configure SELinux to support the service ======
-  * Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
-----
-====== Use SELinux port labeling to allow services to use non-standard ports ======
-Configuring the ssh daemon with a non standard port and allowing port access with selinux.
-  * Examples: "man semanage-port" has examples for allowing non-standard ports!
-  * Tip: To see current port labels<code bash>semanage port -l | grep ssh</code>
-__**Change SSHDs Port**__
-Edit sshd's config
-<code bash>
-vim /etc/ssh/sshd_config
-Port 2022
-</code>
-Restart the service
-<code bash>
-systemctl restart sshd
-</code>
-\\
-__**SELinux: Configure Non-Standard Port**__
-Add the new port to SELinux Ports
-<code bash>
-semanage port -a -t ssh_port_t -p tcp 2022
-</code>
-Open the firewall for the new port
-<code bash>
-firewall-cmd --permanent --add-port=2022/tcp
-firewall-cmd --reload
-</code>
-\\
-__**Connect on Non Standard Port**__
-From a client system
-<code bash>
-ssh user@server1 -p 2022
-</code>
-----
-====== Configure the service to start when the system is booted ======
-Check Current Service Status
-<code bash>
-systemctl status sshd
-</code>
-  * Also displays if the service is enabled or disabled
-\\
-Enabling a service to start on boot
-<code bash>
-systemctl enable sshd
-</code>
-----
-====== Configure the service for basic operation ======
-Enable and Start the service
-<code bash>
-systemctl enable sshd
-systemctl start sshd
-</code>
-----
-====== Configure host-based and user-based security for the service ======
-===== Firewall =====
-Allow access through the firewall
-<code bash>
-firewall-cmd --permanent --add-service=ssh
-firewall-cmd --reload
-</code>
-===== Host Based =====
-There are two methods to control access based on host:
-  * Firewall rich rule
-  * TCP Wrappers (hosts.allow, hosts.deny)
-==== Host Based: Firewall ====
-Create a rich rule<code bash>firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
-firewall-cmd --reload
-</code>
-  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
-==== Host Based: TCP Wrappers ====
-The first match of the following actions is taken
-  * Matching entry in hosts.allow -> Host is allowed
-  * Matching entry in hosts.deny -> Host is denied
-  * No match of either -> Host is allowed
-\\
-Denied Hosts
-<code bash>
-vim /etc/hosts.deny
-sshd:  hacker.local
-</code>
-\\
-Allowed Hosts
-<code bash>
-vim /etc/hosts.allow
-sshd:  *.example.com
-</code>
-===== User Based =====
-SSHD Main Config (**space separated user list**)
-<code bash>
-vim /etc/ssh/sshd_config
-AllowUsers yoda luke han
-DenyUsers vader stormtrooper
-</code>
-----