Differences between two revisions of linux_wiki:network_services_overview_ssh

Old revision: 2018/05/20 15:30 (billdozor)
New revision: 2019/05/25 23:50

The diff marks every line below as removed; what follows is the old revision's content.
====== Network Services Overview SSH ======

**General Information**

This page covers the Network Services objectives, specifically for ssh.

**Network Services Objectives**
  * Install the packages needed to provide the service
  * Configure SELinux to support the service
  * Use SELinux port labeling to allow services to use non-standard ports
  * Configure the service to start when the system is booted
  * Configure the service for basic operation
  * Configure host-based and user-based security for the service

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> The SSH client
  * server2.example.com (192.168.1.151) -> The SSH server

----

====== Install the packages needed to provide the service ======

Install the service: This should already be installed by default.
<code bash>
yum install openssh openssh-server
</code>
  * openssh -> the ssh client
  * openssh-server -> the ssh daemon

----

====== Configure SELinux to support the service ======

  * Service agnostic -> [[linux_wiki:

----

====== Use SELinux port labeling to allow services to use non-standard ports ======

This section configures the ssh daemon to listen on a non-standard port and allows access to that port in SELinux.

  * Examples: "man semanage-port"
  * Tip: To see current port labels

__**Change SSHD's Port**__

Edit sshd's config
<code bash>
vim /

Port 2022
</code>

Restart the service
<code bash>
systemctl restart sshd
</code>

__**SELinux:**__

Add the new port to SELinux Ports
<code bash>
semanage port -a -t ssh_port_t -p tcp 2022
</code>

Open the firewall for the new port
<code bash>
firewall-cmd --permanent --add-port=2022/
firewall-cmd --reload
</code>

__**Connect on Non Standard Port**__

From a client system
<code bash>
ssh user@server1 -p 2022
</code>
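The three settings in this section (the Port line in sshd_config, the SELinux ssh_port_t label, and the firewalld port) have to agree, and when they do not the symptom is either sshd refusing to start or a port that is silently unreachable. The script below is an added example and not part of the wiki page: it checks that agreement over constructed sample text standing in for sshd_config, `semanage port -l` output and `firewall-cmd --list-ports` output, and prints the remediation command for each gap. All sample values and function names are my own; on a real host you would pipe the real command output into the same functions.

```bash
# Added example, not from the wiki page: a consistency check for the three
# places a non-standard sshd port must agree on. It runs over constructed
# sample text (standing in for /etc/ssh/sshd_config, `semanage port -l` and
# `firewall-cmd --list-ports` output), so it works offline.

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
#Port 22
Port 2022
PermitRootLogin no'

# the ssh_port_t line of `semanage port -l` before and after `semanage port -a`
SAMPLE_SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SAMPLE_SEMANAGE_AFTER='ssh_port_t                     tcp      2022, 22'

# `firewall-cmd --list-ports` before and after adding 2022/tcp
SAMPLE_FW_PORTS_BEFORE=''
SAMPLE_FW_PORTS_AFTER='2022/tcp'

# Print every uncommented "Port" value from sshd_config text on stdin.
# sshd accepts several Port lines; with none it listens on 22.
# (Ports given via "ListenAddress host:port" are not considered here.)
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' $ports; else printf '22\n'; fi
}

# Exit 0 if the ssh_port_t/tcp label (semanage port -l text on stdin) lists PORT.
# Port ranges such as 5900-5999 are not expanded; only exact entries count.
selinux_ssh_port_labeled() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { v = $i; sub(/,$/, "", v); if (v == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if PORT/tcp appears in firewall-cmd --list-ports text on stdin.
firewall_port_open() {
    tr ' ' '\n' | grep -qx "$1/tcp"
}

# Compare all three views. Prints one remediation line per gap and returns 1
# if any gap exists, 0 if sshd, SELinux and firewalld agree.
# Args: sshd_config text, semanage port -l text, firewall-cmd --list-ports text
check_ssh_port_consistency() {
    cfg=$1; sem=$2; fw=$3; status=0
    for p in $(printf '%s\n' "$cfg" | sshd_ports); do
        if ! printf '%s\n' "$sem" | selinux_ssh_port_labeled "$p"; then
            printf 'port %s: no ssh_port_t label -> semanage port -a -t ssh_port_t -p tcp %s\n' "$p" "$p"
            status=1
        fi
        # port 22 is covered by the "ssh" firewalld service, not by --list-ports
        if [ "$p" != 22 ] && ! printf '%s\n' "$fw" | firewall_port_open "$p"; then
            printf 'port %s: not open in firewalld -> firewall-cmd --permanent --add-port=%s/tcp && firewall-cmd --reload\n' "$p" "$p"
            status=1
        fi
    done
    return $status
}

# Demo: the "before" state reports both gaps; the "after" state agrees.
check_ssh_port_consistency "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SEMANAGE_BEFORE" "$SAMPLE_FW_PORTS_BEFORE" || true
check_ssh_port_consistency "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SEMANAGE_AFTER" "$SAMPLE_FW_PORTS_AFTER" && echo "port 2022: sshd, SELinux and firewalld agree"
```

Order matters on a real host: if sshd is restarted before the ssh_port_t label for the new port exists, SELinux denies the bind and sshd fails to start, which is the first thing to check in `journalctl -u sshd` when a port change goes wrong.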

----

====== Configure the service to start when the system is booted ======

Check Current Service Status
<code bash>
systemctl status sshd
</code>
  * Also displays if the service is enabled or disabled

Enabling a service to start on boot
<code bash>
systemctl enable sshd
</code>

----

====== Configure the service for basic operation ======

Enable and Start the service
<code bash>
systemctl enable sshd
systemctl start sshd
</code>

----

====== Configure host-based and user-based security for the service ======

===== Firewall =====

Allow access through the firewall
<code bash>
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
</code>

===== Host Based =====

There are two methods to control access based on host:
  * Firewall rich rule
  * TCP Wrappers (hosts.allow,

==== Host Based: Firewall ====

Create a rich rule
<code bash>
firewall-cmd --reload
</code>
  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.

==== Host Based: TCP Wrappers ====

The rules are evaluated in this order and the first match wins:
  * Matching entry in hosts.allow -> Host is allowed
  * Matching entry in hosts.deny -> Host is denied
  * No match in either file -> Host is allowed

Denied Hosts
<code bash>
vim /

sshd: hacker.local
</code>

Allowed Hosts
<code bash>
vim /

sshd: *.example.com
</code>
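The first-match rule above is easy to get backwards (an entry in hosts.allow beats a matching entry in hosts.deny, and a host in neither file is allowed), so here is an added example, not part of the wiki page, that simulates the hosts_access(5) decision over constructed hosts.allow and hosts.deny text. It does not call libwrap; the sample entries extend the wiki's two lines with a second daemon and an ALL line, and only the common pattern forms (exact host, ALL, a leading-dot domain suffix, shell-style wildcards) are modelled. Function and variable names are my own.

```bash
# Added example, not from the wiki page: a simulation of the hosts_access(5)
# first-match rule, run against constructed hosts.allow / hosts.deny text.
# Network/mask, EXCEPT and option clauses of the real syntax are not handled.

# Disable pathname expansion: patterns such as *.example.com must never be
# matched against files in the current directory when they are word-split.
set -f

# --- constructed sample files (the wiki's two entries plus two more) ---
SAMPLE_HOSTS_ALLOW='sshd: *.example.com
vsftpd: 192.168.1.150'
SAMPLE_HOSTS_DENY='sshd: hacker.local
ALL: .badnet.example'

# Does one client pattern match HOST?  Usage: pattern_matches PATTERN HOST
pattern_matches() {
    pat=$1; host=$2
    case $pat in
        ALL) return 0 ;;                                 # keyword: everything
        .*)  case $host in *"$pat") return 0 ;; esac ;;  # ".dom" = suffix match
        *)   case $host in $pat) return 0 ;; esac ;;     # exact name or * ? glob
    esac
    return 1
}

# Does any "daemon_list : client_list" line on stdin match DAEMON and HOST?
# Comment and blank lines are skipped; lists may be comma or space separated.
file_matches() {
    daemon=$1; host=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clients; do
                pattern_matches "$c" "$host" && return 0
            done
        done
    done
    return 1
}

# The decision, in the order the wiki lists: hosts.allow, then hosts.deny,
# then allow by default.  Prints "allow" or "deny".
# Usage: tcp_wrappers_decision DAEMON HOST ALLOW_TEXT DENY_TEXT
tcp_wrappers_decision() {
    if printf '%s\n' "$3" | file_matches "$1" "$2"; then
        echo allow
    elif printf '%s\n' "$4" | file_matches "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Demo
tcp_wrappers_decision sshd server1.example.com "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY"  # allow
tcp_wrappers_decision sshd hacker.local        "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY"  # deny
tcp_wrappers_decision sshd unknown.other.net   "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY"  # allow (no match)
```

Two points the simulation makes visible: a host listed in both files is allowed, because hosts.allow is consulted first, and an unlisted host is allowed unless hosts.deny carries a catch-all entry. Also note that tcp_wrappers was removed in RHEL 8, so on RHEL 8 and later these files are not consulted at all and the firewall rich rule is the remaining host-based control.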

===== User Based =====

SSHD Main Config (**space separated user list**)
<code bash>
vim /

AllowUsers yoda luke han
DenyUsers vader stormtrooper
</code>
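The two directives interact in a way the snippet does not spell out: sshd_config(5) evaluates DenyUsers before AllowUsers, and once AllowUsers is present every user not on the list is refused, root included. The following is an added example, not part of the wiki page, that models that evaluation over constructed config text (the wiki's two lines plus a Port line) without talking to a real sshd. Function and variable names are my own; the user@host form of the patterns is not modelled.

```bash
# Added example, not from the wiki page: a model of how sshd applies
# DenyUsers and AllowUsers. The documented order is DenyUsers, AllowUsers,
# DenyGroups, AllowGroups; the two user lists are simulated here.

# Patterns may contain * and ?, so keep word-splitting free of pathname expansion.
set -f

# constructed sshd_config fragment
SAMPLE_USER_CFG='Port 2022
AllowUsers yoda luke han
DenyUsers vader stormtrooper'

# Print the combined value of DIRECTIVE from sshd_config text on stdin.
# Keywords are case-insensitive; commented lines are skipped; repeated
# directives are joined, as sshd accumulates them.
sshd_directive() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print }'
}

# Decide for USER under CONFIG text.  Prints "allow" or "deny".
# DenyUsers wins outright; then, if AllowUsers is set, only listed users get
# in (root included only if listed); with neither set everyone is allowed.
sshd_user_allowed() {
    user=$1
    deny=$(printf '%s\n' "$2" | sshd_directive DenyUsers)
    allow=$(printf '%s\n' "$2" | sshd_directive AllowUsers)
    for p in $deny; do
        case $user in $p) echo deny; return 0 ;; esac
    done
    if [ -n "$allow" ]; then
        for p in $allow; do
            case $user in $p) echo allow; return 0 ;; esac
        done
        echo deny   # AllowUsers is set and the user is not on it
        return 0
    fi
    echo allow
}

# Demo
sshd_user_allowed luke  "$SAMPLE_USER_CFG"   # allow
sshd_user_allowed vader "$SAMPLE_USER_CFG"   # deny
sshd_user_allowed root  "$SAMPLE_USER_CFG"   # deny: not in AllowUsers
```

Before applying an AllowUsers change to a remote host, run this against the edited file with the account you are logged in as, and keep the existing session open until a second login succeeds; locking yourself out of sshd is the classic failure of this directive.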

----