
SSH and firewall configuration (CentOS 7)

Adding a user

useradd dev-user
passwd dev-user
(enter the password)

※ At this point dev-user should already be able to log in over SSH.

Creating the private and public keys

Generate the key pair

$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/www-data/.ssh/id_rsa): (→ just press Enter)
Created directory '/home/dev-user/.ssh'.
Enter passphrase (empty for no passphrase):  (→ enter a passphrase)
Enter same passphrase again:   (→ enter the passphrase again)
Your identification has been saved in /home/dev-user/.ssh/id_rsa.
Your public key has been saved in /home/dev-user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kxg8DaNRswVpv3k0clPQHM3bnFr5FtxBH1zQ4KWPkPk dev-user@localhost.localdomain
The key's randomart image is:
+---[RSA 4096]----+
|    ..*o. .+.+=*+|
|     +oB    ++o=+|
|    ..=..  .+ ++*|
|       +o.=  o.O+|
|      . S* o  E +|
|        o..  .  o|
|         .     . |
|                 |
|                 |
+----[SHA256]-----+

↓ Private key
/home/dev-user/.ssh/id_rsa
↓ Public key
/home/dev-user/.ssh/id_rsa.pub

Renaming the public key file and setting permissions

$ mv /home/dev-user/.ssh/id_rsa.pub /home/dev-user/.ssh/authorized_keys
$ chmod 700 /home/dev-user/.ssh
$ chmod 600 /home/dev-user/.ssh/authorized_keys
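The permission bits above are not cosmetic: sshd's default "StrictModes yes" refuses to use an authorized_keys file that sits in a group- or world-writable directory, and a wrong mode is a common reason the key login silently falls back to a password prompt. The following check is an added example, not part of the original article; it assumes GNU stat as shipped on CentOS 7 and uses a constructed temporary directory in place of /home/dev-user/.ssh. It also warns when the private key is still on the server, since the article generates the pair there and the client is what needs id_rsa.

```shell
#!/bin/sh
# Added example (not from the original article): check that a user's
# ~/.ssh directory and authorized_keys carry the permissions that sshd's
# default "StrictModes yes" requires. Prints each problem found and
# returns 1 if any; returns 0 when the layout is correct.
# Assumes GNU stat (coreutils on CentOS 7).

# check_ssh_perms DIR   (DIR is the user's .ssh directory)
check_ssh_perms() {
    sshdir="$1"
    rc=0
    if [ ! -d "$sshdir" ]; then
        echo "missing directory: $sshdir"
        return 1
    fi
    # the directory itself must not be group- or world-accessible
    dmode=$(stat -c '%a' "$sshdir")
    if [ "$dmode" != "700" ]; then
        echo "$sshdir has mode $dmode, expected 700"
        rc=1
    fi
    ak="$sshdir/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "missing file: $ak"
        return 1
    fi
    # the article sets 600; sshd only insists that others cannot write,
    # but 600 also keeps the list of accepted keys private
    fmode=$(stat -c '%a' "$ak")
    if [ "$fmode" != "600" ]; then
        echo "$ak has mode $fmode, expected 600"
        rc=1
    fi
    # the article generates the pair on the server; the private key must be
    # moved to the client, so flag it if it is still here
    if [ -f "$sshdir/id_rsa" ]; then
        echo "warning: private key $sshdir/id_rsa is still on the server"
    fi
    return $rc
}

# constructed demo: a temporary directory stands in for /home/dev-user/.ssh
demo_ssh=$(mktemp -d)/.ssh
mkdir -m 700 "$demo_ssh"
touch "$demo_ssh/authorized_keys"
chmod 600 "$demo_ssh/authorized_keys"
check_ssh_perms "$demo_ssh" && echo "permissions OK"
```

Run it as `check_ssh_perms /home/dev-user/.ssh` (as root or as that user) before restarting sshd; if it reports a mode problem, the `chmod` lines above fix it.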

Editing sshd_config

$ vi /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
- #Port 22
+ Port 12345
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
- #PermitRootLogin yes
+ PermitRootLogin no

#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
- PasswordAuthentication yes
+ PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

+ AllowUsers dev-user

  • Port → change the port sshd listens on
  • PermitRootLogin → disallow logging in as root
  • PasswordAuthentication → disallow password logins
  • AllowUsers → restrict which users may log in over SSH

※ On the default port 22 the constant unauthorized login attempts are a nuisance, so changing the port is recommended.
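To confirm that the four edits above are really what sshd will use, the following added example (not from the original article) reads a sshd_config file and reports the effective value of Port, PermitRootLogin, PasswordAuthentication and AllowUsers. It applies the rule from sshd_config(5) that the first uncommented occurrence of a keyword wins, so a leftover uncommented `PasswordAuthentication yes` above your edit silently takes precedence; the sample configuration it runs on is constructed here. On the server itself, `sshd -T` (as root) dumps the same effective values.

```shell
#!/bin/sh
# Added example (not from the original article): report the effective value
# of the sshd_config directives the article changes and flag weak settings.
# sshd uses the FIRST uncommented occurrence of each keyword (sshd_config(5)),
# so that is what we read; directives after the first "Match" line are
# conditional and are ignored here. Assumes "Keyword value" syntax.

# effective_value FILE KEYWORD -> first uncommented value, or "(default)"
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
        tolower($1) == "match"  { exit }           # stop at conditional blocks
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # drop the keyword
            sub(/[ \t]+$/, "")                     # and trailing whitespace
            print; found = 1; exit
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd_config FILE -> prints a summary and one WEAK line per problem,
# returns 1 if anything is weak
audit_sshd_config() {
    cfg="$1"; rc=0
    port=$(effective_value "$cfg" Port)
    root=$(effective_value "$cfg" PermitRootLogin)
    pass=$(effective_value "$cfg" PasswordAuthentication)
    users=$(effective_value "$cfg" AllowUsers)
    echo "Port=$port PermitRootLogin=$root PasswordAuthentication=$pass AllowUsers=$users"
    if [ "$port" = "(default)" ] || [ "$port" = "22" ]; then
        echo "WEAK: sshd still listens on port 22"; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '$root', expected 'no'"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '$pass', expected 'no'"; rc=1
    fi
    if [ "$users" = "(default)" ]; then
        echo "WEAK: AllowUsers is not set, so every account may log in"; rc=1
    fi
    return $rc
}

# constructed sample mirroring the article's edits (not a real server file)
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#Port 22
Port 12345
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dev-user
EOF
audit_sshd_config "$demo_cfg" && echo "hardened"
```

Point it at the real file with `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; a WEAK line means the directive you edited is shadowed by an earlier one or was left at its default.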

Changing the firewall configuration

If you do not change the port, this step is not needed.

Check the current configuration

$ sudo systemctl start firewalld
$ firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Change the configuration

# Remove the existing ssh service (port 22) from the zone
$ sudo firewall-cmd --permanent --remove-service=ssh

# Copy the bundled service definition; the new port must match the Port directive in sshd_config (12345 above)
$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-12345.xml

Edit the copied file

$ sudo vi /etc/firewalld/services/ssh-12345.xml
-  <port protocol="tcp" port="22"/>
+  <port protocol="tcp" port="12345"/>

Apply

$ sudo firewall-cmd --permanent --add-service=ssh-12345

# Open HTTP and HTTPS while we are at it
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https

# Reload so the permanent configuration becomes active
$ sudo firewall-cmd --reload

Verify

$ firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client http https ssh-12345
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

If the services line contains the following, it worked:

  • ssh-12345
  • http
  • https
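The copied service file is plain XML with the port number in it, so it is easy to end up with a value firewalld rejects (anything above 65535) or one that does not match sshd_config. The following added example, not part of the original article, generates the service definition from the port number and validates the port first; the XML layout follows firewalld's bundled ssh.xml, and the demo writes into a temporary directory rather than /etc/firewalld/services.

```shell
#!/bin/sh
# Added example (not from the original article): generate the custom
# firewalld service definition that the article creates by copying and
# editing ssh.xml, validating the port first. A TCP port must be 1..65535;
# firewalld rejects anything else, and the value must equal the Port
# directive in /etc/ssh/sshd_config or the firewall opens the wrong port.
# Assumes the element layout of firewalld's bundled ssh.xml.

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh_service_xml PORT -> prints the service definition, or fails
ssh_service_xml() {
    port="$1"
    if ! valid_port "$port"; then
        echo "invalid TCP port: '$port' (must be 1-65535)" >&2
        return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH (port $port)</short>
  <description>Secure Shell on non-default port $port; must match the Port directive in /etc/ssh/sshd_config.</description>
  <port protocol="tcp" port="$port"/>
</service>
EOF
}

# write_ssh_service DIR PORT -> writes DIR/ssh-PORT.xml and prints its path;
# leaves no half-written file behind when the port is invalid
write_ssh_service() {
    dir="$1"; port="$2"
    out="$dir/ssh-$port.xml"
    ssh_service_xml "$port" > "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}

# constructed demo using a temporary directory instead of /etc/firewalld/services
demo_dir=$(mktemp -d)
write_ssh_service "$demo_dir" 12345
```

On the server, `write_ssh_service /etc/firewalld/services 12345` (as root) produces the same file the article edits by hand, after which the `--add-service=ssh-12345` and `--reload` commands above apply it. On CentOS 7 with SELinux enforcing, sshd additionally needs `semanage port -a -t ssh_port_t -p tcp 12345` (the command quoted in the sshd_config comment; `semanage` comes from the policycoreutils-python package) before it is allowed to bind the new port, otherwise the sshd restart fails even though the firewall is open.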

Now, can we log in?

$ sudo systemctl start firewalld
# restart rather than start, so the edited sshd_config is actually loaded
$ sudo systemctl restart sshd

If you cannot log in, look at the log and search for the error message!

tail -f /var/log/secure
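When the login fails, the useful lines in /var/log/secure are sshd's `Failed password`, `Invalid user` and `Accepted` messages. The following added example (not from the original article) runs over a few constructed log lines in CentOS 7 /var/log/secure format: it counts failures per source address (the noise the port change is meant to reduce), lists successful logins with their authentication method, and counts password-based logins, which must stay at zero once `PasswordAuthentication no` is in effect.

```shell
#!/bin/sh
# Added example (not from the original article): summarise sshd events in
# /var/log/secure (CentOS 7 rsyslog format). On a real host run e.g.
#   ssh_failures_by_ip /var/log/secure
# The demo below uses constructed sample lines, not real log data.

# ssh_failures_by_ip LOGFILE -> "count ip" per source, most frequent first
ssh_failures_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user) ' "$1" \
        | grep -oE 'from [0-9.]+' \
        | awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# ssh_accepted LOGFILE -> "method user ip" for every successful login
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $7, $9, $11 }' "$1"
}

# accepted_password_count LOGFILE -> number of successful password logins;
# once "PasswordAuthentication no" is in effect this must stay at 0
accepted_password_count() {
    grep -c 'sshd\[[0-9]*\]: Accepted password for' "$1" || true
}

# constructed sample log (documentation addresses, not real traffic)
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar 10 03:14:07 web01 sshd[2021]: Invalid user admin from 203.0.113.45 port 51234
Mar 10 03:14:09 web01 sshd[2021]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 03:14:12 web01 sshd[2023]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 03:15:01 web01 sshd[2030]: Failed password for dev-user from 198.51.100.7 port 40011 ssh2
Mar 10 03:16:44 web01 sshd[2041]: Accepted publickey for dev-user from 192.0.2.10 port 50022 ssh2: RSA SHA256:placeholderfingerprint
Mar 10 03:16:44 web01 sshd[2041]: pam_unix(sshd:session): session opened for user dev-user by (uid=0)
EOF

echo "== failures by source =="; ssh_failures_by_ip "$demo_log"
echo "== accepted logins =="; ssh_accepted "$demo_log"
echo "password logins: $(accepted_password_count "$demo_log")"
```

If your own key login is failing, its entry appears in the failures list with your address and the reason on the surrounding lines (bad permissions show up as "Authentication refused: bad ownership or modes"); a non-zero password-login count after the change means the edited sshd_config has not been loaded.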

Allowing the user to run sudo su without a password

$ sudo visudo

# Add the following line to the file
dev-user ALL=NOPASSWD: ALL

That's about it for security measures, I think.
I'll add more if anything else comes up.
