Network Services Overview SSH
General Information
This page covers the Network Services objectives, specifically for ssh.
Network Services Objectives
- Install the packages needed to provide the service
- Configure SELinux to support the service
- Use SELinux port labeling to allow services to use non-standard ports
- Configure the service to start when the system is booted
- Configure the service for basic operation
- Configure host-based and user-based security for the service
Install the packages needed to provide the service
Install the service: This should already be installed by default.
yum install openssh openssh-server
- openssh → the ssh client
- openssh-server → the ssh daemon
Configure SELinux to support the service
- Service agnostic → Ensure SELinux is running and enabled (RHCSA objective).
Use SELinux port labeling to allow services to use non-standard ports
Configuring the ssh daemon with a non-standard port and allowing access to that port with SELinux.
- Examples: “man semanage-port” has examples for allowing non-standard ports!
- Tip: To see current port labels
semanage port -l | grep ssh
Change SSHDs Port
Edit sshd's config and set (or uncomment) the Port directive:
vim /etc/ssh/sshd_config
Port 2022
Restart the service
systemctl restart sshd
SELinux: Configure Non-Standard Port
Add the new port to SELinux Ports
semanage port -a -t ssh_port_t -p tcp 2022
Open the firewall for the new port
firewall-cmd --permanent --add-port=2022/tcp
firewall-cmd --reload
Configure the service to start when the system is booted
Check Current Service Status
systemctl status sshd
- The status output also shows whether the unit is enabled (starts at boot) or disabled
Enabling a service to start on boot
systemctl enable sshd
Configure the service for basic operation
Enable and Start the service
systemctl enable sshd
systemctl start sshd
Configure host-based and user-based security for the service
Firewall
Allow access through the firewall
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Host Based
All hosts are allowed by default (neither file mentions sshd).
Denied Hosts
vim /etc/hosts.deny
sshd: hacker.local
Allowed Hosts
vim /etc/hosts.allow
sshd: *.example.com
User Based
SSHD Main Config
vim /etc/ssh/sshd_config
AllowUsers yoda luke han
DenyUsers vader stormtrooper
- Both directives take a space-separated list of user name patterns (a comma-joined list such as yoda,luke,han is read as one pattern and matches nobody). DenyUsers is evaluated before AllowUsers, and once AllowUsers is set, anyone not listed is refused.
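To see the port change and the user-based policy from the sections above in working form, here is an added example (not part of the original page) that edits a throw-away sshd_config-style file idempotently and then evaluates who the resulting AllowUsers/DenyUsers lines admit. It assumes exact-case keywords, plain usernames (no wildcards or user@host patterns), and a constructed sample file rather than a real host's config.

```shell
#!/bin/sh
# Added example: idempotent edits to an sshd_config-style file plus a check of
# the resulting user-based policy. All file contents below are constructed.

# Replace an active or commented-out "KEY ..." line (e.g. "#Port 22") with
# "KEY VALUE"; append the line if the key is absent. Exact-case keys only.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Apply the page's settings to a throw-away copy of a default-looking config
# (constructed sample) and print the path of the edited file.
demo_config() {
    tmp=$(mktemp)
    printf '%s\n' '#Port 22' '#AddressFamily any' 'PasswordAuthentication yes' > "$tmp"
    set_sshd_option "$tmp" Port 2022
    set_sshd_option "$tmp" AllowUsers "yoda luke han"
    set_sshd_option "$tmp" DenyUsers "vader stormtrooper"
    printf '%s\n' "$tmp"
}

# Does USER pass the user-based policy in FILE? sshd consults DenyUsers before
# AllowUsers, and a non-empty AllowUsers turns the policy into allow-list-only.
# Plain usernames only: no wildcards, no user@host patterns. Returns 0 = allowed.
sshd_user_allowed() {
    file=$1; user=$2
    for u in $(get_sshd_option "$file" DenyUsers); do
        [ "$u" = "$user" ] && return 1
    done
    allow=$(get_sshd_option "$file" AllowUsers)
    [ -z "$allow" ] && return 0
    for u in $allow; do
        [ "$u" = "$user" ] && return 0
    done
    return 1
}
```

After editing the real file, `sshd -t` validates the syntax before `systemctl restart sshd`, and the new port still needs the semanage and firewall-cmd steps from the port section.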