Differences

This shows you the differences between two versions of the page.

--- linux_wiki:network_services_overview_ssh [2016/10/06 21:23]
billdozor [Use SELinux port labeling to allow services to use non-standard ports]
+++ linux_wiki:network_services_overview_ssh [2019/05/25 23:50] (current)
@@ Line 12: / Line 12: @@
   * Configure the service for basic operation
   * Configure host-based and user-based security for the service
+----
+====== Lab Setup ======
+The following virtual machines will be used:
+  * server1.example.com (192.168.1.150) -> The SSH client
+  * server2.example.com (192.168.1.151) -> The SSH server
 ----
@@ Line 72: / Line 80: @@
 From a client system
 <code bash>
-ssh server1 -p 2022
+ssh user@server1 -p 2022
 </code>
@@ Line 115: / Line 123: @@
 ===== Host Based =====
-All are allowed by default.
+There are two methods to control access based on host:
+  * Firewall rich rule
+  * TCP Wrappers (hosts.allow, hosts.deny)
+\\
+==== Host Based: Firewall ====
+Create a rich rule<code bash>firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="192.168.1.152" log prefix="SSHD HOST DENIED: " reject'
+firewall-cmd --reload
+</code>
+  * Rejects ssh traffic from the source address 192.168.1.152 and logs the rejection.
+\\
+==== Host Based: TCP Wrappers ====
+The first match of the following actions is taken
+  * Matching entry in hosts.allow -> Host is allowed
+  * Matching entry in hosts.deny -> Host is denied
+  * No match of either -> Host is allowed
 \\
@@ Line 135: / Line 161: @@
 ===== User Based =====
-SSHD Main Config
+SSHD Main Config (**space separated user list**)
 <code bash>
 vim /etc/ssh/sshd_config
-AllowUsers yoda,luke,han
+AllowUsers yoda luke han
-DenyUsers vader,stormtrooper
+DenyUsers vader stormtrooper
 </code>
 ----