Note: This is an RHCE 7 exam objective.
Install the SSH service if it is not already there:
# yum install -y openssh-server
Activate the SSH service at boot:
# systemctl enable sshd
Start the SSH service:
# systemctl start sshd
Add a new service to the firewall:
# firewall-cmd --permanent --add-service=ssh
Reload the firewall configuration:
# firewall-cmd --reload
Let’s open the /etc/ssh/sshd_config file and discuss its content:
Port 22 # defines listening port for ssh AddressFamily any # accepts IPv4 et IPv6 addresses ListenAddress 0.0.0.0 # allows ssh to listen on all network interfaces ListenAddress :: # listens on IPv6 addresses too Protocol 2 # defines version of ssh (version 1 is not used any more) SyslogFacility AUTHPRIV # stores logging attempts in /var/log/secure (see rsyslog.conf file) LoginGraceTime 2m # sets the time to connect PermitRootLogin yes # allows direct login as root: outside lab, this option should be set to 'no' StrictModes yes # allows connection only if the user's home directory is not world-writable MaxAuthTries 6 # defines the number of authentication attempts allowed MaxSessions 10 # defines the limit of simultaneous open connections PubKeyAuthentication yes # enables public key authentication AuthorizedKeysFile .ssh/authorized_keys # defines the location of the authorized-keys file HostbasedAuthentication no # forbids the use of /etc/hosts.equiv IgnoreUserKnownHosts no # reads the .ssh/known_hosts at each connection IgnoreRhosts yes # doesn't read user's ~/.rhosts file PasswordAuthentication yes # sets password-based authentication PermitEmptyPasswords no # doesn't allow empty passwords (hopefully!) ChallengeResponseAuthentication no # forbids use of one-time passwords UsePAM yes # enables the Pluggable Authentication Module interface AllowAgentForwarding yes # allows the ssh-agent to forward private keys AllowTCPForwarding yes # allows TCP communications to be forwarded GatewayPorts no # prevents remote hosts from connecting to ports forwarded for the client X11Forwarding yes # enables X11 forwarding X11DisplayOffset 10 # limits the number of GUI display open at the same time X11UseLocalhost yes # defines how the GUI display is bound to the SSH server PrintMotd yes # displays the message of the day PrintLastLog yes # displays the date of the last login TCPKeepAlive yes # allows the system to send TCP keepalive messages UseLogin no # specifies whether login is used for interactive login session UsePrivilegeSeparation yes # separates incoming network traffic processing from the rest PermitUserEnvironment no # doesn't deal with environment options Compression delayed # specifies that compression is delayed until user authentication ClientAliveInterval 0 # doesn't send any message before client deconnection ClientAliveCountMax 3 # defines the number of messages before client deconnection - # if ClientAliveInterval is different from 0 UseDNS yes # checks remote hostnames against DNS PidFile /var/run/sshd.pid # defines the file where the SSH process ID is stored MaxStartups 10 # defines the number of terminals simultaneously allowed PermitTunnel no # doesn't support device forwarding ChrootDirectory none # disables the use of chroot Subsystem sftp /usr/libexec/openssh/sftp-server # supports the use of SSH encryption for SFTP file transfers
I found DenyUsers,AllowUsers,DenyGroups,AllowGroups options in sshd_config useful to limit ssh access to certain hosts and login users/groups. That’s when using user/password credentials.
//allow users only from ip 10.0.1.100
//allow only wheel group to access
For securing key-based access, you should check ‘man sshd’ and navigate to AUTHORIZED_KEYS file format. You can add “from=” and “command=” prefixes to limit Pubkey authenticated sessions to access from certain hosts or to execute only some particular commands.
// allow 10.0.1.100 to do pubkey authentication and execute ps command (no interactive shell).
from=”10.0.1.100″,command=”ps aux” ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzf8glreEBwm0zd0nU6kNVXpjc2AFiCkfOdVfE6QhHhvkd/t+VIatrPWSDStnixDQAJCqlBtegKxh8b1C0oYmAAGUNPhgtMqYHm5jrQOYm2uempXg8ai11qPpEI7sdy7a89Mb7ultOA1Ie7vhc0DdU8Imiwq5/EZq/lT+ZQzZQdLlzAnyp9Khs67SBS3HeR8iZJyL8tMr7ZEtD+u5wOrCuFvldtqxFYbrDNgJ2mwsScokiEYR7PznN1GpUaGW0AaCCGWlguqtuwM2V9M4u4WjiG8yuBpCI42N5Be8vNmJt6d7AbolYo3TkezYrU8Y/jrBZONAPmZ1khxf9MwmbAtyD
what particular tasks can be requested on the exam regarding additional options from /etc/ssh/sshd_config?
I don’t know but I think you shouldn’t be too worried about this.
what about SSH tunelling? is it needed to know?
I haven’t seen any requirement for SSH tunelling until now.
how do you disallow access from certain hostname to the ssh ?
I think you need to use tcpwrapper and the /etc/hosts.deny file.
Or use the firewall…
This won’t work if hostname changes it’s IP address over time, as firewall records will be IP based, not DNS based.
Setting multiple rules in tcp.wrappers is also not a good solution. FQDNs rarely change their IPs in the enterprise. At least – it never happened to me.
Can you give us a reason why it’s not a good solution? What would you advise as a good solution then?
My point is that regardless of your personal experience, adding FQDNs to firewall is not a reliable solution.
Adding multiple rules in the /etc/hosts.allow and /etc/hosts.deny will slow down the processing of any connection.
Imagine a MySQL Server where you have 2000 requests/per second. Now Add 100 lines in /etc/hosts.deny and all those requests will get slower.
Now you can imagine the situation with an Oracle DB which outperforms MySQL way more…
FQDNs in firewall – I agree that this is not a solution.I meant to use the IP of the hostname and put it in the iptables/firewalld.
Of course we can use Fail2Ban in a situation where you need to prevent spammers/abusers.
I think you got carried away a bit. OP asked for how to disallow access from certain hostname via SSH. Where does MySQL/Oracle come from?
Putting host names in hosts.allow or hosts.deny means the server will do a reverse DNS lookup to get the domain name for the IP address. This will slow down an SSH connection, but that is expected.
Can you elaborate on how adding hosts entries for an SSH service impacts MySQL/Oracle server? Database connections don’t do any reverse lookups.
And another thing, if you have SSH available to the world on a MySQL/Oracle server so that you need to block domains from accessing the server, you are simply doing it wrong. A database server must not have SSH visible to the world – it should be placed behind a VPN etc.