ufw firewalld SELinux sshd
firewall
Ubuntu
#ufw is a front-end that generates iptables rules; on a remote box allow ssh before enabling, or you lock yourself out
ufw status
ufw allow OpenSSH
ufw enable
#enabling sets the default policy to deny incoming, allow outgoing
ufw app list
#profiles from the list above can be allowed by name
ufw allow Apache
#the rules ufw actually installed
iptables -L
CentOS
[svn@svn ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-05-06 14:10:11 EEST; 1h 0min ago
Docs: man:firewalld(1)
Main PID: 761 (firewalld)
CGroup: /system.slice/firewalld.service
└─761 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
May 06 14:10:09 svn.localdomain systemd[1]: Starting firewalld - dynamic firewall .....
May 06 14:10:11 svn.localdomain systemd[1]: Started firewalld - dynamic firewall d...n.
Hint: Some lines were ellipsized, use -l to show in full.
#show current configuration of the active zone
[svn@svn ~]$ firewall-cmd --list-all
public (active) #zone name
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
#list available services
[svn@svn ~]$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
#To open access to a specific service in firewalld, add it to the runtime configuration first (takes effect immediately):
[svn@svn ~]$ firewall-cmd --add-service ldap
success
[svn@svn ~]$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ldap ssh <<<<<<
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
#after a restart of the service the runtime change is gone:
[svn@svn ~]$ systemctl restart firewalld
[svn@svn ~]$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh <<<<<<
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
#runtime changes are lost on restart and also on firewall-cmd --reload
#to make the configuration persistent, every change has to be run twice, with and without --permanent
#(a --permanent change alone is not active until the next --reload; alternatively copy the whole runtime state once with firewall-cmd --runtime-to-permanent)
[svn@svn ~]$ firewall-cmd --add-service ldap --permanent
success
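The restart above is the typical way to discover that a rule only existed at runtime. Added example (not from the original post): a small check that compares the runtime and permanent service lists of the active zone and reports what will be lost on the next restart or --reload, and what is not yet active. The function is pure shell so it can be dry-run on constructed lists; the two captured states from above are used as input. The live command lines in the comments are firewall-cmd's real options.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent
# configuration (the situation above, where ldap was allowed at runtime only
# and disappeared after `systemctl restart firewalld`).

# fw_drift RUNTIME PERMANENT: both arguments are space-separated service lists
# as printed by `firewall-cmd --list-services` and
# `firewall-cmd --permanent --list-services`. Prints one line per difference
# and returns 1 if any was found, 0 if the two match.
fw_drift() {
  runtime=$1; permanent=$2; rc=0
  for s in $runtime; do
    case " $permanent " in
      *" $s "*) ;;
      *) echo "runtime-only (lost on restart or --reload): $s"; rc=1 ;;
    esac
  done
  for s in $permanent; do
    case " $runtime " in
      *" $s "*) ;;
      *) echo "permanent-only (not active until --reload): $s"; rc=1 ;;
    esac
  done
  return $rc
}

# Live use, with both lists taken from the box itself:
#   fw_drift "$(firewall-cmd --list-services)" \
#            "$(firewall-cmd --permanent --list-services)" \
#     || echo "fix: firewall-cmd --runtime-to-permanent (or --reload to drop runtime-only rules)"
#
# Constructed input: the two states captured above (before and after the restart).
fw_drift "dhcpv6-client ldap ssh" "dhcpv6-client ssh" || true
```

The same comparison works for ports (`--list-ports`) and rich rules (`--list-rich-rules`), since those commands also print whitespace-separated lists.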
-------------
SELinux is a so-called mandatory access control (MAC) system: the kernel checks every access against a loaded policy, in addition to the normal owner/permission (DAC) checks, so an access that passes the file permissions can still be denied.
The idea of SELinux is to deny everything that has not been allowed specifically.
[svn@svn ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[svn@svn ~]$
SELinux can operate in one of three modes:
disabled, meaning no policy is loaded in the kernel;
permissive, meaning SELinux is running and logging denials but not blocking anything; or
enforcing, meaning SELinux is running and enforcing the policy.
-------------
Disabling SELinux (last resort; for troubleshooting switch to permissive mode instead, as shown further down, which needs no reboot and keeps logging the denials)
Configure SELINUX=disabled in the /etc/selinux/config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# >>>>>> enforcing - SELinux security policy is enforced.
# >>>>>> permissive - SELinux prints warnings instead of enforcing.
# >>>>>> disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot your system. After reboot, confirm that the getenforce command returns Disabled:
~]# getenforce
Disabled
#while disabled, new files get no SELinux labels; re-enabling later requires a full relabel (touch /.autorelabel before the reboot)
#after changing Port from 22 to 2022 in /etc/ssh/sshd_config and restarting sshd, the daemon cannot bind the new port; the denials are in the audit log:
grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1494105534.979:571): avc: denied { name_bind } for pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105534.982:572): avc: denied { name_bind } for pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:579): avc: denied { name_bind } for pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:580): avc: denied { name_bind } for pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
#the same grep also shows unrelated denials (here ifconfig under VMware reading /run/vmware-active-nics), so filter on comm="sshd" when hunting one problem
[root@svn ~]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1493742750.829:332): avc: denied { read } for pid=39678 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1493742750.838:333): avc: denied { read } for pid=39682 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
#sshd is not listening on 2022; the only match is dnsmasq on 192.168.122.1:53
[root@svn ~]# netstat -tulpen | grep 22
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 0 24108 1644/dnsmasq
[root@svn ~]# getenforce
Enforcing
#quick confirmation that SELinux is the cause: in permissive mode the denial is only logged, so the bind succeeds
[root@svn ~]# setenforce Permissive
[root@svn ~]# systemctl restart sshd
#now after sshd restarted it is listening on 2022
[root@svn ~]# netstat -tulpen | grep 2022
tcp 0 0 0.0.0.0:2022 0.0.0.0:* LISTEN 0 91197 8344/sshd
tcp6 0 0 :::2022 :::* LISTEN 0 91199 8344/sshd
[root@svn ~]#
#the proper fix, without switching off SELinux: label tcp/2022 as ssh_port_t, which sshd_t is allowed to bind (semanage comes with policycoreutils-python on CentOS 7); return to enforcing mode afterwards
[root@svn ~]# semanage port -a -t ssh_port_t -p tcp 2022
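Reading AVC lines by hand works for one denial, but the audit log above already mixes sshd and ifconfig noise. Added example (not from the original post): an awk-based triage that groups the denials by source domain, permission, class, target type and port, and turns a name_bind denial on a tcp/udp socket into the matching semanage port command. The domain-to-port-type mapping is an assumption hard-coded for two well-known cases only (sshd_t binds ssh_port_t, httpd_t binds http_port_t); for any other domain the output leaves a placeholder to be resolved with `semanage port -l`. The sample input is constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials and turn sshd port-bind denials
# into the matching `semanage port` command.
#
# Constructed sample input: the sshd and ifconfig denials quoted above, with
# the duplicate sshd lines kept to show de-duplication.
AVC_SAMPLE='type=AVC msg=audit(1494105534.979:571): avc: denied { name_bind } for pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105534.982:572): avc: denied { name_bind } for pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:579): avc: denied { name_bind } for pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1493742750.829:332): avc: denied { read } for pid=39678 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# avc_triage: read AVC lines on stdin, print one line per distinct denial.
# name_bind on a tcp/udp socket becomes a `semanage port -a` command; anything
# else is printed as a comment for manual review with audit2why.
avc_triage() {
  awk '
    # value of a key=value token in the current record, quotes stripped
    function field(name,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, name "=") == 1) {
          v = substr($i, length(name) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    # port type a source domain may bind. Assumption: only these two mappings
    # are hard-coded; anything else must be looked up with semanage port -l
    function port_type(domain) {
      if (domain == "sshd_t")  return "ssh_port_t"
      if (domain == "httpd_t") return "http_port_t"
      return "<port_type_for_" domain ">"
    }
    /^type=AVC / && match($0, /denied +[{][^}]*[}]/) {
      perm = substr($0, RSTART, RLENGTH)
      sub(/denied +[{] */, "", perm); sub(/ *[}]$/, "", perm)
      split(field("scontext"), s, ":"); sdom  = s[3]   # e.g. sshd_t
      split(field("tcontext"), t, ":"); ttype = t[3]   # e.g. unreserved_port_t
      tclass = field("tclass"); port = field("src")
      key = sdom SUBSEP perm SUBSEP tclass SUBSEP ttype SUBSEP port
      if (key in seen) next; seen[key] = 1
      if (perm == "name_bind" && tclass ~ /^(tcp|udp)_socket$/) {
        proto = substr(tclass, 1, 3)
        printf "semanage port -a -t %s -p %s %s\n", port_type(sdom), proto, port
      } else {
        printf "# %s (%s) denied %s on %s (%s): review with audit2why\n",
               field("comm"), sdom, perm, ttype, tclass
      }
    }
  '
}

# Usage on the constructed sample:
printf '%s\n' "$AVC_SAMPLE" | avc_triage
# On a live box:  grep AVC /var/log/audit/audit.log | avc_triage
```

After applying the printed command, `semanage port -l | grep ssh_port_t` should list 2022 next to 22; if a port is already labelled with another type, semanage refuses `-a` and `-m` (modify) is needed instead.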
--------------
[root@svn ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
#don't add rules with iptables directly while firewalld is running: firewalld owns the ruleset and a reload overwrites them; iptables -L is fine for read-only inspection
SSH
[root@svn ~]# cat /etc/ssh/sshd_config
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#PermitRootLogin yes
#the commented lines show the compiled-in defaults, so root login over ssh is permitted here unless PermitRootLogin is set explicitly
#after editing: run semanage first (see above), open the new port in firewalld, then restart sshd and test a new connection before closing the current session
[root@svn ~]# systemctl restart sshd
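Editing sshd_config by hand is where the sequence above usually goes wrong (a second Port line left behind, or a directive placed after a Match block where it no longer applies globally). Added example (not from the original post): two small helpers that set a directive exactly once at the top of the file, comment out any earlier global copy, leave Match blocks untouched, and read back the effective value the way sshd resolves it (first active occurrence before any Match). It is demonstrated on a constructed copy built from the default lines quoted above; the function names and the sample Match block are assumptions for the demo.

```shell
#!/bin/sh
# Added example: idempotent sshd_config editing for the port change described
# above, tightening the root-login default at the same time. Works on any
# file, so it can be dry-run on a copy before touching /etc/ssh/sshd_config.

# sshd_set FILE KEY VALUE: put "KEY VALUE" as the first line of FILE and
# comment out any other active global KEY line. sshd honours the first
# occurrence of a keyword, and directives inside a Match block are scoped to
# that block, so those are left alone. Keywords are case-insensitive in sshd.
sshd_set() {
  file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { print key " " value; lk = tolower(key) }
    {
      line = $0; sub(/^[[:space:]]+/, "", line); low = tolower(line)
      if (low ~ /^match[[:space:]]/) in_match = 1
      if (!in_match && low ~ ("^" lk "[[:space:]=]")) print "#" $0
      else print
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_get FILE KEY: print the effective global value of KEY (first active
# directive before any Match block), or nothing if it is not set explicitly.
sshd_get() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    {
      line = $0; sub(/^[[:space:]]+/, "", line); low = tolower(line)
      if (low ~ /^match[[:space:]]/) exit
      if (low ~ ("^" lk "[[:space:]=]")) {
        sub(/^[^[:space:]=]+[[:space:]=]+/, "", line); print line; exit
      }
    }
  ' "$1"
}

# Constructed sample: the default lines quoted from sshd_config above, plus a
# Match block (assumption for the demo) to show per-user overrides are kept.
demo=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'Match User backup' '    PermitRootLogin yes' > "$demo"
sshd_set "$demo" Port 2022
sshd_set "$demo" PermitRootLogin no
echo "Port=$(sshd_get "$demo" Port) PermitRootLogin=$(sshd_get "$demo" PermitRootLogin)"
rm -f "$demo"

# On the real host, in this order:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sshd_set /etc/ssh/sshd_config Port 2022
#   sshd -t                                   # syntax check before restarting
#   semanage port -a -t ssh_port_t -p tcp 2022
#   firewall-cmd --add-port 2022/tcp && firewall-cmd --permanent --add-port 2022/tcp
#   systemctl restart sshd                    # then test a new connection before logging out
```

Running sshd_set twice for the same key is harmless: the earlier copy is commented out and only one active directive remains, which is what `sshd_get` and `sshd -T` will report.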