ufw firewalld SELinux sshd

firewall

ubuntu
ufw status
ufw enable
ufw allow Apache
ufw app list
ufw allow OpenSSH
iptables -L

CentOS
[svn@svn ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-05-06 14:10:11 EEST; 1h 0min ago
     Docs: man:firewalld(1)
 Main PID: 761 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─761 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 06 14:10:09 svn.localdomain systemd[1]: Starting firewalld - dynamic firewall .....
May 06 14:10:11 svn.localdomain systemd[1]: Started firewalld - dynamic firewall d...n.
Hint: Some lines were ellipsized, use -l to show in full.

Show current configuration
[svn@svn ~]$ firewall-cmd --list-all
public (active) #zone name
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

#list available services

[svn@svn ~]$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server


#To open access to a specific service in firewalld, add it to the runtime configuration
[svn@svn ~]$ firewall-cmd --add-service ldap
success


[svn@svn ~]$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ldap ssh <<<<<<
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

[svn@svn ~]$ systemctl restart firewalld
[svn@svn ~]$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh  <<<<<<
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

#the runtime change above is lost on service restart; to make the configuration persistent
#every firewall-cmd change should be run twice, with and without the --permanent option

[svn@svn ~]$ firewall-cmd --add-service ldap --permanent
success
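Added example, not from the original post: a small check that compares the runtime zone listing with the permanent one and reports services that exist in only one of them, which is exactly the drift shown above (ldap present at runtime, gone after the restart). The two listings are constructed here from the output shown on this page; on a real host they would come from `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`.

```shell
#!/bin/sh
# Added example (not part of the original post): detect drift between the
# firewalld runtime and permanent configuration of a zone.
#
# Inputs are constructed from the listings shown above. On a live system use:
#   RUNTIME_LISTING=$(firewall-cmd --list-all)
#   PERMANENT_LISTING=$(firewall-cmd --permanent --list-all)

RUNTIME_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ldap ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: '

PERMANENT_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: '

# fw_services LISTING
# Print the services enabled in a --list-all listing, one per line, sorted.
fw_services() {
    printf '%s\n' "$1" | awk '$1 == "services:" { for (i = 2; i <= NF; i++) print $i }' | sort
}

# fw_drift RUNTIME_LISTING PERMANENT_LISTING
# Print "runtime-only: <svc>" / "permanent-only: <svc>" for every difference.
# Returns 0 when both configurations agree, 1 when they differ.
fw_drift() {
    rt=$(fw_services "$1")
    pm=$(fw_services "$2")
    # flatten to " a b c " so a whole-word match is a simple case pattern
    rt_flat=" $(printf '%s' "$rt" | tr '\n' ' ') "
    pm_flat=" $(printf '%s' "$pm" | tr '\n' ' ') "
    drift=0
    for s in $rt; do
        case "$pm_flat" in
            *" $s "*) ;;
            *) echo "runtime-only: $s"; drift=1 ;;
        esac
    done
    for s in $pm; do
        case "$rt_flat" in
            *" $s "*) ;;
            *) echo "permanent-only: $s"; drift=1 ;;
        esac
    done
    return $drift
}

# Stand-alone run: reports "runtime-only: ldap" for the sample listings.
fw_drift "$RUNTIME_LISTING" "$PERMANENT_LISTING" || echo "runtime and permanent configuration differ"
```

If the runtime state is the one you actually want, `firewall-cmd --runtime-to-permanent` copies it into the permanent configuration in one step instead of repeating every command with `--permanent`.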
-------------
SELinux is a so-called mandatory access control (MAC) system.
The idea of SELinux is to deny everything that has not been specifically allowed by policy.


[svn@svn ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[svn@svn ~]$ 


SELinux can operate in one of three modes:
disabled, meaning not enabled in the kernel;
permissive, meaning SELinux is running and logging but not controlling permissions; or
enforcing, meaning SELinux is running and enforcing policy.

-------------
Disabling SELinux

Configure SELINUX=disabled in the /etc/selinux/config file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#  >>>>>>   enforcing - SELinux security policy is enforced.
#  >>>>>>   permissive - SELinux prints warnings instead of enforcing.
#  >>>>>>   disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot your system. After reboot, confirm that the getenforce command returns Disabled:
~]$ getenforce
Disabled

#after changing the port in /etc/ssh/sshd_config from 22 to 2022, sshd is not allowed to bind the new port; the denials are logged in the audit log

grep AVC /var/log/audit/audit.log 

type=AVC msg=audit(1494105534.979:571): avc:  denied  { name_bind } for  pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105534.982:572): avc:  denied  { name_bind } for  pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:579): avc:  denied  { name_bind } for  pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:580): avc:  denied  { name_bind } for  pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


[root@svn ~]# grep AVC /var/log/audit/audit.log 
type=AVC msg=audit(1493742750.829:332): avc:  denied  { read } for  pid=39678 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1493742750.838:333): avc:  denied  { read } for  pid=39682 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

[root@svn ~]# netstat -tulpen | grep 22
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      0          24108      1644/dnsmasq        

[root@svn ~]# getenforce 
Enforcing
[root@svn ~]# setenforce Permissive
[root@svn ~]# systemctl restart sshd

#now, after sshd is restarted in permissive mode, port 2022 is available
[root@svn ~]# netstat -tulpen | grep 2022
tcp        0      0 0.0.0.0:2022            0.0.0.0:*               LISTEN      0          91197      8344/sshd           
tcp6       0      0 :::2022                 :::*                    LISTEN      0          91199      8344/sshd           
[root@svn ~]# 

#alternative that does not require switching off SELinux: label port 2022 as an SSH port
[root@svn ~]# semanage port -a -t ssh_port_t -p tcp 2022
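Added example, not from the original post: instead of grepping the audit log by eye, summarize the AVC denials into one line per distinct (process, domain, permission, class, target type, port) tuple and, for `name_bind` denials on sockets, print the `semanage port` command that labels the port. The sample lines are the ones shown above on this page. The only domain-to-port-type mapping built in is `sshd_t` to `ssh_port_t`, which the post itself uses; for any other domain the command is emitted with a placeholder that has to be filled from `semanage port -l`.

```shell
#!/bin/sh
# Added example (not part of the original post): summarize SELinux AVC denials
# and derive the port-labelling command for name_bind denials.
#
# Sample input: the audit lines shown above. On a live system use:
#   grep AVC /var/log/audit/audit.log | avc_summarize | avc_port_fix

AVC_SAMPLE='type=AVC msg=audit(1494105534.979:571): avc:  denied  { name_bind } for  pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105534.982:572): avc:  denied  { name_bind } for  pid=7978 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:579): avc:  denied  { name_bind } for  pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1494105577.034:580): avc:  denied  { name_bind } for  pid=8016 comm="sshd" src=2022 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1493742750.829:332): avc:  denied  { read } for  pid=39678 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1493742750.838:333): avc:  denied  { read } for  pid=39682 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=94494 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# avc_summarize: read AVC lines on stdin, print one deduplicated line per
# denial as  comm|source_domain|permission|tclass|target_type|src_port
# (src_port is empty for non-socket denials). pid and timestamp are dropped
# so repeated denials collapse into a single line.
avc_summarize() {
    awk '
    /type=AVC/ && /avc:  denied/ {
        perm = ""; comm = ""; src = ""; sdom = ""; ttype = ""; tclass = ""
        # the denied permission set sits between the braces
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "src")      src = kv[2]
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }   # user:role:type:...
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass")   tclass = kv[2]
        }
        key = comm "|" sdom "|" perm "|" tclass "|" ttype "|" src
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# avc_port_fix: read summary lines on stdin; for name_bind denials on a
# tcp/udp socket print the semanage command that would label the port.
# Only sshd_t -> ssh_port_t is known here (from the post above); any other
# domain gets a placeholder to be resolved with `semanage port -l`.
avc_port_fix() {
    awk -F'|' '
    $3 == "name_bind" && ($4 == "tcp_socket" || $4 == "udp_socket") {
        proto = ($4 == "tcp_socket") ? "tcp" : "udp"
        type  = ($2 == "sshd_t") ? "ssh_port_t" : "<PORT_TYPE_FOR_" $2 ">"
        printf "semanage port -a -t %s -p %s %s\n", type, proto, $6
    }'
}

# Stand-alone run over the sample: prints the two summary lines, then
# "semanage port -a -t ssh_port_t -p tcp 2022".
printf '%s\n' "$AVC_SAMPLE" | avc_summarize
printf '%s\n' "$AVC_SAMPLE" | avc_summarize | avc_port_fix
```

The `ifconfig` denials on `/run/vmware-active-nics` survive in the summary but produce no port command, which is the point of filtering on permission and class: not every denial is a port-labelling problem, and a `read` on a `var_run_t` file needs a different fix than `semanage port`.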

--------------
[root@svn ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

#we shouldn't manage rules with iptables directly if firewalld is in use; firewalld owns these chains

SSH

[root@svn ~]# cat /etc/ssh/sshd_config 
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#PermitRootLogin yes


[root@svn ~]# systemctl restart sshd