linux_wiki:network_services_overview_ssh

Differences

This shows you the differences between two versions of the page.

linux_wiki:network_services_overview_ssh [2016/10/06 21:14]
billdozor [Use SELinux port labeling to allow services to use non-standard ports]
linux_wiki:network_services_overview_ssh [2019/05/25 23:50] (current)
Line 12: Line 12:
   * Configure the service for basic operation   * Configure the service for basic operation
   * Configure host-based and user-based security for the service   * Configure host-based and user-based security for the service
 +
 +----
 +
 +====== Lab Setup ======
 +
 +The following virtual machines will be used:
 +  * server1.example.com (192.168.1.150) -> The SSH client
 +  * server2.example.com (192.168.1.151) -> The SSH server
  
 ---- ----
Line 65: Line 73:
 firewall-cmd --permanent --add-port=2022/tcp firewall-cmd --permanent --add-port=2022/tcp
 firewall-cmd --reload firewall-cmd --reload
 +</code>
 +
 +\\
 +__**Connect on Non Standard Port**__
 +
 +From a client system
 +<code bash>
 +ssh user@server1 -p 2022
 </code> </code>
  
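Review bot: the client example `ssh user@server1 -p 2022` targets the wrong host: the Lab Setup added in this same change defines server1.example.com (192.168.1.150) as the SSH client and server2.example.com (192.168.1.151) as the SSH server, so the command as written would be typed on server1 against itself. Suggest `ssh -p 2022 user@server2`. Since `--add-port=2022/tcp` only opens the firewall, a one-line reminder here that the SELinux port label for 2022 (the "Use SELinux port labeling to allow services to use non-standard ports" section this hunk follows) must also be in place on the server would save the reader a failed first connection.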
Line 73: Line 89:
 Check Current Service Status Check Current Service Status
 <code bash> <code bash>
-systemctl status <service-name>+systemctl status sshd
 </code> </code>
   * Also displays if the service is enabled or disabled   * Also displays if the service is enabled or disabled
Line 80: Line 96:
 Enabling a service to start on boot Enabling a service to start on boot
 <code bash> <code bash>
-systemctl enable <service-name>+systemctl enable sshd
 </code> </code>
  
Line 89: Line 105:
 Enable and Start the service Enable and Start the service
 <code bash> <code bash>
-systemctl enable <service-name> +systemctl enable sshd 
-systemctl start <service-name>+systemctl start sshd
 </code> </code>
  
Line 101: Line 117:
 Allow access through the firewall Allow access through the firewall
 <code bash> <code bash>
-firewall-cmd --permanent --add-service=<service-name>+firewall-cmd --permanent --add-service=ssh
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
Line 107: Line 123:
 ===== Host Based ===== ===== Host Based =====
  
 +There are two methods to control access based on host:
 +  * Firewall rich rule
 +  * TCP Wrappers (hosts.allow, hosts.deny)
 +
 +\\
 +==== Host Based: Firewall ====
 +
 +Create a rich rule<code bash>firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
 +firewall-cmd --reload
 +</code>
 +  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
 +
 +\\
 +==== Host Based: TCP Wrappers ====
 +
 +The first match of the following actions is taken
 +  * Matching entry in hosts.allow -> Host is allowed
 +  * Matching entry in hosts.deny -> Host is denied
 +  * No match of either -> Host is allowed
 +
 +\\
 +Denied Hosts
 +<code bash>
 +vim /etc/hosts.deny
 +
 +sshd:  hacker.local
 +</code>
 +
 +\\
 +Allowed Hosts
 +<code bash>
 +vim /etc/hosts.allow
 +
 +sshd:  *.example.com
 +</code>
  
 ===== User Based ===== ===== User Based =====
 +
 +SSHD Main Config (**space separated user list**)
 +<code bash>
 +vim /etc/ssh/sshd_config
 +
 +AllowUsers yoda luke han
 +DenyUsers vader stormtrooper
 +</code>
  
 ---- ----
  
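Review bot: the rich rule in the Host Based: Firewall block is added to the runtime configuration only and is then thrown away by the `firewall-cmd --reload` on the very next line, so after these two commands 192.168.1.152 is not rejected at all. Either add `--permanent` to the `--add-rich-rule` command (the reload is then what activates it) or drop the reload and run `firewall-cmd --runtime-to-permanent` instead. Two smaller points in the TCP Wrappers block: given the evaluation order stated just above it (no match in either file means allow), the `sshd:  *.example.com` line in hosts.allow has no effect unless hosts.deny also carries a catch-all such as `sshd:  ALL`, and a hostname pattern like `hacker.local` is matched via reverse DNS of the connecting address, so an IP or network pattern is the more reliable choice; this mechanism also only applies where sshd is linked against libwrap (true on RHEL 7, while RHEL 8 dropped tcp_wrappers). In the User Based block, once `AllowUsers yoda luke han` is set every account not listed is already refused, so `DenyUsers vader stormtrooper` is redundant unless a name appears in both lists (DenyUsers is checked first and wins); the edit also only takes effect after `sshd -t` passes and `systemctl reload sshd` is run, which the hunk does not show.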
  • linux_wiki/network_services_overview_ssh.1475802898.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)