Differences
This shows you the differences between two versions of the page.
linux_wiki:network_services_overview_ssh [2016/10/06 21:09] billdozor [Install the packages needed to provide the service]
linux_wiki:network_services_overview_ssh [2019/05/25 23:50] (current)
Line 12: | Line 12: | ||
* Configure the service for basic operation | * Configure the service for basic operation | ||
* Configure host-based and user-based security for the service | * Configure host-based and user-based security for the service | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Lab Setup ====== | ||
+ | |||
+ | The following virtual machines will be used: | ||
+ | * server1.example.com (192.168.1.150) -> The SSH client | ||
+ | * server2.example.com (192.168.1.151) -> The SSH server | ||
---- | ---- | ||
Line 34: | Line 42: | ||
====== Use SELinux port labeling to allow services to use non-standard ports ====== | ====== Use SELinux port labeling to allow services to use non-standard ports ====== | ||
- | Configuring the < | + | Configuring the ssh daemon |
- | **NOTE**: "man semanage-port" | + | |
+ | * Tip: To see current port labels< | ||
+ | |||
+ | __**Change SSHDs Port**__ | ||
+ | |||
+ | Edit sshd's config | ||
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | Port 2022 | ||
+ | </ | ||
+ | |||
+ | Restart the service | ||
+ | <code bash> | ||
+ | systemctl restart sshd | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | __**SELinux: | ||
+ | |||
+ | Add the new port to SELinux Ports | ||
+ | <code bash> | ||
+ | semanage port -a -t ssh_port_t -p tcp 2022 | ||
+ | </ | ||
+ | |||
+ | Open the firewall for the new port | ||
+ | <code bash> | ||
+ | firewall-cmd --permanent --add-port=2022/ | ||
+ | firewall-cmd --reload | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | __**Connect on Non Standard Port**__ | ||
+ | |||
+ | From a client system | ||
+ | <code bash> | ||
+ | ssh user@server1 -p 2022 | ||
+ | </ | ||
---- | ---- | ||
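Review bot: the SELinux label is added only after sshd has already been restarted on the new port; with SELinux enforcing, sshd may only bind ports labeled ssh_port_t, so the `systemctl restart sshd` step as ordered fails to bind 2022 and, on a box reached only over SSH, can leave you without a way back in. Move `semanage port -a -t ssh_port_t -p tcp 2022` and the firewall change ahead of the restart, and keep the existing session open until a second connection on 2022 has succeeded. If the port is already labeled, `semanage port -a` refuses with "already defined" and `-m` (modify) is the form to use. Two smaller things: the connect example reads `ssh user@server1 -p 2022`, but the lab setup names server2 as the SSH server, so the target should be server2; and `--add-port=2022/` is missing its protocol suffix and should read `2022/tcp`, matching the protocol given to semanage.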
Line 44: | Line 89: | ||
Check Current Service Status | Check Current Service Status | ||
<code bash> | <code bash> | ||
- | systemctl status | + | systemctl status |
</ | </ | ||
* Also displays if the service is enabled or disabled | * Also displays if the service is enabled or disabled | ||
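Review bot: the unit name is missing from `systemctl status` on the current side, so as written the command reports on the whole system rather than on the SSH daemon; for this page it should read `systemctl status sshd`, matching the `systemctl start sshd` line further down.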
Line 51: | Line 96: | ||
Enabling a service to start on boot | Enabling a service to start on boot | ||
<code bash> | <code bash> | ||
- | systemctl enable | + | systemctl enable |
</ | </ | ||
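Review bot: `systemctl enable` is shown without a unit argument, which systemctl rejects as an error; the line should read `systemctl enable sshd`.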
Line 60: | Line 105: | ||
Enable and Start the service | Enable and Start the service | ||
<code bash> | <code bash> | ||
- | systemctl enable | + | systemctl enable |
- | systemctl start < | + | systemctl start sshd |
</ | </ | ||
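Review bot: within this block `systemctl start sshd` carries its unit name but `systemctl enable` on the line above it does not, and `enable` with no unit fails; make the pair consistent with `systemctl enable sshd` followed by `systemctl start sshd`.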
Line 72: | Line 117: | ||
Allow access through the firewall | Allow access through the firewall | ||
<code bash> | <code bash> | ||
- | firewall-cmd --permanent --add-service=< | + | firewall-cmd --permanent --add-service=ssh |
firewall-cmd --reload | firewall-cmd --reload | ||
</ | </ | ||
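Review bot: `--add-service=ssh` opens the firewalld `ssh` service, which is defined as tcp/22 only; on a host whose sshd has been moved to 2022 as in the SELinux port labeling section above, this reopens 22 where nothing is listening while leaving 2022 closed, so that host needs `--add-port=2022/tcp` instead (and the `ssh` service can be removed again once the new port has been verified from a client).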
Line 78: | Line 123: | ||
===== Host Based ===== | ===== Host Based ===== | ||
+ | There are two methods to control access based on host: | ||
+ | * Firewall rich rule | ||
+ | * TCP Wrappers (hosts.allow, | ||
+ | |||
+ | \\ | ||
+ | ==== Host Based: Firewall ==== | ||
+ | |||
+ | Create a rich rule< | ||
+ | firewall-cmd --reload | ||
+ | </ | ||
+ | * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection. | ||
+ | |||
+ | \\ | ||
+ | ==== Host Based: TCP Wrappers ==== | ||
+ | |||
+ | The first match of the following actions is taken | ||
+ | * Matching entry in hosts.allow -> Host is allowed | ||
+ | * Matching entry in hosts.deny -> Host is denied | ||
+ | * No match of either -> Host is allowed | ||
+ | |||
+ | \\ | ||
+ | Denied Hosts | ||
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | sshd: hacker.local | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Allowed Hosts | ||
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | sshd: *.example.com | ||
+ | </ | ||
===== User Based ===== | ===== User Based ===== | ||
+ | |||
+ | SSHD Main Config (**space separated user list**) | ||
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | AllowUsers yoda luke han | ||
+ | DenyUsers vader stormtrooper | ||
+ | </ | ||
---- | ---- | ||
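Review bot: the rich rule itself is absent from the Host Based: Firewall block, which goes from "Create a rich rule" straight to `firewall-cmd --reload`, so the reader has nothing to run; whatever rule is restored there must be added with `--permanent`, because `--reload` rebuilds the runtime rules from the permanent configuration and silently drops a rule added without it. In the TCP Wrappers block, `sshd: hacker.local` in hosts.deny only matches a client whose address reverse-resolves to that name, which the client's own network operator controls, so a host without that PTR is simply not matched; address or network patterns are the reliable form, and, per the first-match order the text gives, any client that matches `*.example.com` in hosts.allow is admitted before hosts.deny is consulted at all. Note also that tcp_wrappers was removed in RHEL 8, so this method applies only where sshd is still built against libwrap. In the User Based block, once `AllowUsers yoda luke han` is set every account not listed is already refused, so `DenyUsers vader stormtrooper` adds nothing; sshd evaluates DenyUsers before AllowUsers, and if both lines are kept the text should say that AllowUsers is the effective allowlist and DenyUsers is there only for emphasis.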