1
00:00:06,750 --> 00:00:09,270
In this video, I want to talk a little bit more

2
00:00:09,270 --> 00:00:11,610
about running the SSH server.

3
00:00:11,610 --> 00:00:14,130
We've already talked about it in Lesson 7,

4
00:00:14,130 --> 00:00:16,380
which was at quite a basic level.

5
00:00:16,380 --> 00:00:18,480
And SSH is important enough

6
00:00:18,480 --> 00:00:21,660
to discuss some more advanced topics as well.

7
00:00:21,660 --> 00:00:22,680
So you already know

8
00:00:22,680 --> 00:00:26,340
that SSH provides remote access to a Linux terminal.

9
00:00:26,340 --> 00:00:29,250
And you may have to install it before you can use it:

10
00:00:29,250 --> 00:00:33,210
sudo dnf install openssh-server on the Red Hat family,

11
00:00:33,210 --> 00:00:37,500
or sudo apt install openssh-server on Ubuntu.

12
00:00:37,500 --> 00:00:38,730
And after installing it,

13
00:00:38,730 --> 00:00:42,003
make sure it is started and enabled by systemd.

14
00:00:42,959 --> 00:00:46,200
Use sudo systemctl status sshd,

15
00:00:46,200 --> 00:00:51,200
and if necessary, sudo systemctl enable --now sshd

16
00:00:51,450 --> 00:00:52,283
to run it.

17
00:00:53,190 --> 00:00:55,260
All right, if you run an SSH server,

18
00:00:55,260 --> 00:00:56,370
you should realize that

19
00:00:56,370 --> 00:01:00,540
SSH servers are a frequent target of attackers.

20
00:01:00,540 --> 00:01:04,710
And that is because SSH is often exposed on internet ports,

21
00:01:04,710 --> 00:01:06,090
on port 22.

22
00:01:06,090 --> 00:01:07,530
And well, if you're an attacker,

23
00:01:07,530 --> 00:01:08,740
there is nothing easier

24
00:01:10,380 --> 00:01:13,530
than to launch a brute-force attack on that port.

25
00:01:13,530 --> 00:01:14,940
In a brute-force attack,

26
00:01:14,940 --> 00:01:17,610
a script is used to try

27
00:01:17,610 --> 00:01:20,850
common usernames and common passwords and combinations,

28
00:01:20,850 --> 00:01:25,803
and just many, many times until the attacker gets access.
29
00:01:26,820 --> 00:01:28,200
You can easily secure that

30
00:01:28,200 --> 00:01:32,830
by modifying a few parameters in /etc/ssh/sshd_config.

31
00:01:33,930 --> 00:01:35,467
To start with, the port.

32
00:01:35,467 --> 00:01:39,120
"Port" defines the port on which SSH is listening.

33
00:01:39,120 --> 00:01:42,840
PermitRootLogin should always be disabled.

34
00:01:42,840 --> 00:01:44,940
You don't want to allow a root login directly,

35
00:01:44,940 --> 00:01:48,180
because that would mean that the attacker already has

36
00:01:48,180 --> 00:01:51,393
half of the information required to log in to your server.

37
00:01:52,303 --> 00:01:54,330
AllowUsers is a nice option.

38
00:01:54,330 --> 00:01:56,520
It allows you to specify a list of users

39
00:01:56,520 --> 00:01:58,650
that are allowed to log in.

40
00:01:58,650 --> 00:02:01,770
By default, any user with an account can log in,

41
00:02:01,770 --> 00:02:03,690
but if you use AllowUsers

42
00:02:03,690 --> 00:02:06,210
and you specify just one SSH user

43
00:02:06,210 --> 00:02:09,120
with a not-so-frequent username,

44
00:02:09,120 --> 00:02:11,570
that would be a lot more secure.

45
00:02:11,570 --> 00:02:14,670
PasswordAuthentication is the last option to consider.

46
00:02:14,670 --> 00:02:18,150
By default, password authentication is allowed.

47
00:02:18,150 --> 00:02:20,010
Why would you allow that, if you know that

48
00:02:20,010 --> 00:02:23,850
key-based authentication is much more secure?

49
00:02:23,850 --> 00:02:28,200
If you are going to change the settings on your SSH server,

50
00:02:28,200 --> 00:02:30,693
you do need to consider firewalling, though.

51
00:02:32,554 --> 00:02:37,440
If you have the firewalld firewall on the Red Hat family,

52
00:02:37,440 --> 00:02:40,410
SSH by default is allowed.

53
00:02:40,410 --> 00:02:43,230
But if you are running on a non-default port,

54
00:02:43,230 --> 00:02:45,060
you need to change something.
55
00:02:45,060 --> 00:02:45,893
Just to make sure,

56
00:02:45,893 --> 00:02:48,807
this is the line to ensure that on firewalld

57
00:02:48,807 --> 00:02:52,740
the SSH port is allowed.

58
00:02:52,740 --> 00:02:55,710
But if you use a non-default port, you use

59
00:02:55,710 --> 00:03:00,710
firewall-cmd --add-port 2022/tcp --permanent,

60
00:03:01,530 --> 00:03:04,050
after which you reload the firewall

61
00:03:04,050 --> 00:03:07,860
using firewall-cmd --reload.

62
00:03:07,860 --> 00:03:10,890
Now, firewalling is different between Red Hat and Ubuntu.

63
00:03:10,890 --> 00:03:13,740
If you want to do something similar on Ubuntu,

64
00:03:13,740 --> 00:03:18,623
you use ufw, the Uncomplicated Firewall.

65
00:03:18,623 --> 00:03:22,137
So sudo ufw allow OpenSSH,

66
00:03:22,137 --> 00:03:25,800
and sudo ufw allow 2022/tcp

67
00:03:25,800 --> 00:03:27,993
if you want to allow the TCP port.

68
00:03:29,610 --> 00:03:30,960
Then there's this other thing.

69
00:03:30,960 --> 00:03:34,290
On Red Hat only, you have SELinux,

70
00:03:34,290 --> 00:03:35,700
and SELinux on Red Hat

71
00:03:35,700 --> 00:03:39,300
will not allow SSH to run on a non-default port.

72
00:03:39,300 --> 00:03:41,460
And if you want to configure SELinux

73
00:03:41,460 --> 00:03:43,650
to allow a non-default port as well,

74
00:03:43,650 --> 00:03:45,270
you need to run this command:

75
00:03:45,270 --> 00:03:49,720
semanage port -a -t ssh_port_t -p tcp 2022

76
00:03:50,880 --> 00:03:53,920
That will flag port 2022/tcp

77
00:03:53,920 --> 00:03:57,540
as a port that is allowed for SSH.

78
00:03:57,540 --> 00:04:00,210
Another option, which is not so very pretty,

79
00:04:00,210 --> 00:04:04,170
is to edit the /etc/sysconfig/selinux configuration file

80
00:04:04,170 --> 00:04:06,330
and set SELINUX to disabled,

81
00:04:06,330 --> 00:04:07,590
and then you reboot.

82
00:04:07,590 --> 00:04:10,590
But then you make your system insecure.
83
00:04:10,590 --> 00:04:11,970
And that doesn't really make sense,

84
00:04:11,970 --> 00:04:15,270
because the mission here was to secure SSH.

85
00:04:15,270 --> 00:04:17,700
And in order to have a secure SSH,

86
00:04:17,700 --> 00:04:20,340
it should be running on a secure system.

87
00:04:20,340 --> 00:04:22,140
Now, let me demonstrate how we can apply

88
00:04:22,140 --> 00:04:27,140
some of this SSH security to an SSH service.

89
00:04:29,400 --> 00:04:34,170
All right, I'm going to start on this CentOS machine

90
00:04:34,170 --> 00:04:38,620
by editing ssh/sshd_config.

91
00:04:39,630 --> 00:04:42,210
So I want to change the port,

92
00:04:42,210 --> 00:04:44,520
because this port really is a problem.

93
00:04:44,520 --> 00:04:47,613
And I want to set the port to Port 2022.

94
00:04:48,510 --> 00:04:50,490
If you look carefully, then you can see

95
00:04:50,490 --> 00:04:53,467
that the SELinux information is already included here.

96
00:04:53,467 --> 00:04:57,420
"semanage port," it's telling me which command to use.

97
00:04:57,420 --> 00:05:00,060
Some people will often complain about SELinux,

98
00:05:00,060 --> 00:05:02,490
and I know SELinux is complicated,

99
00:05:02,490 --> 00:05:04,620
but on Red Hat family systems,

100
00:05:04,620 --> 00:05:06,570
if changes of common parameters

101
00:05:06,570 --> 00:05:09,030
affect the SELinux security state,

102
00:05:09,030 --> 00:05:13,290
then it's often indicated in the configuration file.

103
00:05:13,290 --> 00:05:15,423
So if you can read, it should be doable,

104
00:05:16,470 --> 00:05:18,810
even without having a full understanding

105
00:05:18,810 --> 00:05:20,043
of what is going on.

106
00:05:20,880 --> 00:05:23,730
This course is not a place to tell you about SELinux.

107
00:05:23,730 --> 00:05:25,890
That's more advanced system administration,

108
00:05:25,890 --> 00:05:28,650
and not really Linux fundamentals.

109
00:05:28,650 --> 00:05:33,000
But we can easily copy-paste this command, right?
110
00:05:33,000 --> 00:05:34,680
So there we go, and this should make sure

111
00:05:34,680 --> 00:05:37,410
that SELinux allows port access.

112
00:05:37,410 --> 00:05:39,540
Then the second thing is the firewall.

113
00:05:39,540 --> 00:05:44,190
So sudo firewall-cmd --list-all

114
00:05:44,190 --> 00:05:47,670
is showing the current firewall configuration.

115
00:05:47,670 --> 00:05:49,560
And on Red Hat family systems,

116
00:05:49,560 --> 00:05:52,410
by default SSH is allowed,

117
00:05:52,410 --> 00:05:55,050
but port 2022 is not allowed.

118
00:05:55,050 --> 00:05:55,883
So let me use

119
00:05:55,883 --> 00:06:00,740
sudo firewall-cmd --add-port 2022/tcp --permanent.

120
00:06:09,150 --> 00:06:12,900
That will write this port to the firewalld configuration.

121
00:06:12,900 --> 00:06:17,010
And next we need firewall-cmd --reload.

122
00:06:17,010 --> 00:06:21,870
That will reload and, oh, I need superuser powers.

123
00:06:21,870 --> 00:06:23,580
So there we go.

124
00:06:23,580 --> 00:06:26,520
That will reload the firewall with the new setting.

125
00:06:26,520 --> 00:06:31,287
So if I'm using firewall-cmd --list-all

126
00:06:35,606 --> 00:06:36,663
at this point,

127
00:06:37,590 --> 00:06:41,223
I am getting port 2022/tcp.

128
00:06:42,570 --> 00:06:46,200
So now the SSH server is configured

129
00:06:46,200 --> 00:06:48,780
in a somewhat more secure way.

130
00:06:48,780 --> 00:06:49,740
Let's continue,

131
00:06:49,740 --> 00:06:52,623
and let's see how we can tell the SSH client about it.
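The hardening checklist from this lesson as one runnable script, added here and not part of the video: it audits an sshd_config text for the Port, PermitRootLogin, AllowUsers and PasswordAuthentication directives (the option the video calls AllowedUsers is spelled AllowUsers in sshd_config) and prints the SELinux/firewalld or ufw follow-up a non-default port needs. It runs on constructed inline samples and a placeholder account name sshadmin, so it never touches the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the video. To audit a real host, pass
# "$(cat /etc/ssh/sshd_config)" to audit_sshd_config instead of a sample.
# Constructed sample: a stock-looking config with the weak defaults in place.
WEAK_CONFIG='#Port 22
PermitRootLogin yes
#AllowUsers
PasswordAuthentication yes'
# Constructed sample: the same file after the lesson's changes (sshadmin is a placeholder).
HARDENED_CONFIG='Port 2022
PermitRootLogin no
AllowUsers sshadmin
PasswordAuthentication no'
# Effective value of one directive: sshd uses the first uncommented occurrence,
# keywords are case-insensitive, and a leading '#' makes the line a comment.
ssh_directive() {  # $1 = config text, $2 = directive name
  printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}
# Prints one finding per weak setting; returns the number of findings (0 = clean).
# Fallbacks are what OpenSSH assumes when the directive is absent or commented out.
audit_sshd_config() {  # $1 = config text
  findings=0
  port=$(ssh_directive "$1" Port);                     [ -n "$port" ] || port=22
  root=$(ssh_directive "$1" PermitRootLogin);          [ -n "$root" ] || root=prohibit-password
  users=$(ssh_directive "$1" AllowUsers)
  pwauth=$(ssh_directive "$1" PasswordAuthentication); [ -n "$pwauth" ] || pwauth=yes
  [ "$port" != 22 ]  || { echo "Port 22: default port, the first one brute-force scripts try"; findings=$((findings+1)); }
  [ "$root" = no ]   || { echo "PermitRootLogin $root: direct root login still possible"; findings=$((findings+1)); }
  [ -n "$users" ]    || { echo "AllowUsers unset: every account on the system may log in"; findings=$((findings+1)); }
  [ "$pwauth" = no ] || { echo "PasswordAuthentication $pwauth: passwords accepted, not keys only"; findings=$((findings+1)); }
  return $findings
}
# Commands a non-default port needs afterwards: the SELinux port label and
# firewalld on the Red Hat family, ufw on Ubuntu. Printed, not executed.
port_followup_commands() {  # $1 = family (rhel|ubuntu), $2 = port number
  case $1 in
    rhel)   printf '%s\n' "sudo semanage port -a -t ssh_port_t -p tcp $2" \
                          "sudo firewall-cmd --add-port=$2/tcp --permanent" \
                          "sudo firewall-cmd --reload" ;;
    ubuntu) printf '%s\n' "sudo ufw allow $2/tcp" ;;
    *)      echo "unknown family: $1" >&2; return 1 ;;
  esac
}
echo "== weak sample =="; audit_sshd_config "$WEAK_CONFIG" || echo "-> $? weak setting(s)"
echo "== hardened sample =="; audit_sshd_config "$HARDENED_CONFIG" && echo "-> no weak settings"
echo "== after moving to 2022 on the Red Hat family =="; port_followup_commands rhel 2022
```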