1.6. Enhancing System Security with a Firewall, SELinux and SSH Logins
1.6.1. Ensuring the Firewall is Enabled and Running
1.6.1.1. What is a Firewall and How it Enhances System Security
A firewall controls the network traffic that reaches the host: incoming connections are matched against a set of rules and either allowed through or blocked. In Red Hat Enterprise Linux 7 the firewall is provided by the firewalld service, which is automatically enabled during the installation of Red Hat Enterprise Linux. However, if you explicitly disabled the service, for example in the Kickstart configuration, you can re-enable it as described in Section 1.6.1.2, “Re-enabling the firewalld Service”. For an overview of the firewall setting options in the Kickstart file, see the Red Hat Enterprise Linux 7 Installation Guide.
1.6.1.2. Re-enabling the firewalld Service
If the firewalld service is disabled after the installation, Red Hat recommends re-enabling it. Note that starting firewalld on a remote system applies the default zone immediately: the default public zone allows the ssh service, so SSH access is kept, but any other service the host must offer has to be allowed explicitly.
To check the current status of firewalld, which you can do even as a regular user:
systemctl status firewalld
If firewalld is not enabled and running, switch to the root user and change its status:
systemctl start firewalld
systemctl enable firewalld
1.6.2. Ensuring the Appropriate State of SELinux
1.6.2.1. What is SELinux and How it Enhances System Security
SELinux is a mandatory access control (MAC) mechanism built into the Linux kernel. In addition to the conventional file permissions, it confines each process to the resources its policy allows, so a compromised service cannot read or modify files and sockets outside its own domain.
1.6.2.2. Ensuring the Required State of SELinux
Procedure 1.2. Ensuring the required state of SELinux
- Display the current SELinux mode in effect:
- If needed, switch between the SELinux modes. The switch can be either temporary or permanent: a temporary switch does not persist across reboots, while a permanent one does.
- To temporarily switch to either enforcing or permissive mode (switching to or from disabled is only possible through the configuration file and a reboot):
- To permanently set the SELinux mode, modify the SELINUX variable in the /etc/selinux/config configuration file. The change takes effect at the next reboot. If you are moving from disabled to enforcing, set permissive first and reboot so that the file system is relabeled; files created while SELinux was disabled carry no labels, and booting straight into enforcing mode can fail. For example, to switch SELinux to enforcing mode:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
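The following script is an added example by the editor, not code from the Red Hat guide. It wraps the steps of Procedure 1.2 in shell functions: read the mode in effect, switch it temporarily, and rewrite the SELINUX= line for the permanent switch. The configuration path is a parameter (default /etc/selinux/config) so the file-editing functions can be tried on a scratch copy; the script assumes bash and GNU sed.

```shell
#!/bin/bash
# Added example (editor's code, not from the Red Hat guide).
# Assumes bash and GNU sed; config path defaults to /etc/selinux/config.

# Mode currently enforced by the kernel, lower-cased; "unavailable" when the
# getenforce tool is missing (for example inside a container without policy).
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unavailable
    fi
}

# Mode that will apply after the next reboot, taken from the last uncommented
# SELINUX= line of the config file. Prints nothing if the line is absent.
selinux_persistent_mode() {
    local cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Temporary switch (Procedure 1.2, step 3): lost at reboot. "disabled" is
# rejected because SELinux cannot be turned off or on at runtime.
selinux_set_runtime_mode() {
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        *) echo "runtime switch accepts enforcing or permissive only" >&2; return 2 ;;
    esac
}

# Permanent switch (Procedure 1.2, step 4): rewrite SELINUX=<mode>. Only the
# three documented values are accepted, because a typo in this line is not
# reported until the next boot. SELINUXTYPE= and comment lines are left
# untouched; every SELINUX= line is rewritten so no stale duplicate remains.
selinux_set_persistent_mode() {
    local mode="$1" cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -w "$cfg" ] || { echo "cannot write $cfg" >&2; return 1; }
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# Usage as root:
#   selinux_runtime_mode; selinux_persistent_mode
#   selinux_set_runtime_mode permissive      # takes effect immediately
#   selinux_set_persistent_mode enforcing    # takes effect after a reboot
```

Run the two query functions before and after a change: if the runtime mode and the persistent mode disagree, the system will behave differently after its next reboot than it does now.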
1.6.2.3. Managing SELinux in Cockpit
Figure 1.3. Managing SELinux in Cockpit
1.6.3. Using SSH-based authentication
1.6.3.1. What is SSH-based Authentication and How it Enhances System Security
Key-based SSH authentication replaces the password sent over the connection with a proof that the client holds a private key: the server checks the client's signature against a public key stored in the user's authorized_keys file, so no reusable secret crosses the network and the login cannot be guessed the way a password can.
1.6.3.2. Establishing an SSH Connection
Procedure 1.3. Creating the key files and Copying them to the Server
- Generate a public and a private key:
ssh-keygen
Both keys are stored in the ~/.ssh/ directory:
~/.ssh/id_rsa.pub - public key
~/.ssh/id_rsa - private key
The public key does not need to be secret; the server uses it to verify that the client holds the matching private key. The private key is secret and must stay on the client. You can choose to protect the private key with the passphrase that you specify during key generation. With a passphrase, authentication is even more secure, but it is no longer password-less. You can avoid re-entering the passphrase by using the ssh-agent command: you then enter the passphrase only once, at the beginning of a session. For more information on ssh-agent configuration, see Section 12.2.4, “Using Key-based Authentication”.
- Copy the most recently modified public key to the remote machine you want to log into (you are asked for the account's password once, to install the key):
ssh-copy-id USER@hostname
As a result, you can now log in to the system securely without entering a password.
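The most common reason a freshly copied key is still refused is file permissions: sshd's default StrictModes rejects a home directory, ~/.ssh directory or authorized_keys file that is writable by group or others, and the ssh client refuses to use a private key readable by other users. The script below is an added example by the editor, not code from the Red Hat guide; it audits and repairs those modes for a given home directory. It assumes a Linux system with GNU coreutils (stat -c) and bash.

```shell
#!/bin/bash
# Added example (editor's code, not from the Red Hat guide).
# Assumes bash and GNU coreutils. The home directory is a parameter so the
# functions can be run against any account or a scratch directory.

# _check_mode <path> <allowed-modes-regex> <label>: print one problem line
# and return 1 when the path exists and its octal mode is not allowed.
_check_mode() {
    local path="$1" allowed="$2" label="$3" mode
    [ -e "$path" ] || return 0
    mode=$(stat -c %a "$path")
    if printf '%s\n' "$mode" | grep -Eq "^($allowed)\$"; then
        return 0
    fi
    echo "$label $path has mode $mode (expected $allowed)"
    return 1
}

# Report every mode that would make sshd (StrictModes) or the ssh client
# reject key-based login. Returns 0 when everything is acceptable.
check_ssh_perms() {
    local home="$1" rc=0 f
    _check_mode "$home" '7[0-5][0-5]' "home directory" || rc=1
    _check_mode "$home/.ssh" '700' ".ssh directory" || rc=1
    _check_mode "$home/.ssh/authorized_keys" '600|644' "authorized_keys" || rc=1
    for f in "$home"/.ssh/id_*; do
        case "$f" in
            *.pub) _check_mode "$f" '644|600' "public key" || rc=1 ;;
            *)     _check_mode "$f" '600|400' "private key" || rc=1 ;;
        esac
    done
    return "$rc"
}

# Restore the modes that ssh-keygen and ssh-copy-id set themselves.
fix_ssh_perms() {
    local home="$1" f
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 1; }
    chmod go-w "$home"
    [ -d "$home/.ssh" ] || return 0
    chmod 700 "$home/.ssh"
    if [ -e "$home/.ssh/authorized_keys" ]; then
        chmod 600 "$home/.ssh/authorized_keys"
    fi
    for f in "$home"/.ssh/id_*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# Usage: check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
```

Run the check on the server side for the account you copied the key to, and on the client side for the account that owns the private key; the two failure modes look identical from the client (a fallback to password authentication) but are fixed in different places.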
1.6.3.3. Disabling SSH Root Login
To increase system security, you can disable SSH access for the root user, which is enabled by default.
Procedure 1.4. Disabling SSH root login
- Open the sshd configuration file for editing as root.
- Change the line that permits root login so that root login is denied.
- Restart the sshd service:
systemctl restart sshd
Restarting sshd does not terminate sessions that are already open. Keep your current session open and confirm from a second session that a regular user can still log in and switch to root before you close it, so that a mistake in the configuration does not lock you out.
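The script below is an added example by the editor, not code from the Red Hat guide. It performs the edit of Procedure 1.4 idempotently and checks the result before the restart. It assumes sshd's real directive name, PermitRootLogin, and the default file /etc/ssh/sshd_config (neither is spelled out on this page), plus bash, awk and GNU coreutils; the path is a parameter so the functions can be tried on a copy of the file.

```shell
#!/bin/bash
# Added example (editor's code, not from the Red Hat guide).
# Assumes bash, awk, GNU coreutils; directive PermitRootLogin in
# /etc/ssh/sshd_config (path overridable for testing on a copy).

# Effective global value of PermitRootLogin. sshd honours the first
# uncommented occurrence of a keyword; the compiled-in default is "yes".
# Matching is simplified to the usual capitalisation of the keyword.
ssh_root_login_setting() {
    local cfg="${1:-/etc/ssh/sshd_config}" val
    val=$(sed -n -E 's/^[[:space:]]*PermitRootLogin[[:space:]]+([^[:space:]#]+).*/\1/p' "$cfg" | head -n 1)
    echo "${val:-yes}"
}

# Set PermitRootLogin no in the global section:
#  - the first PermitRootLogin line, commented out or not, becomes the
#    directive (this is the "#PermitRootLogin yes" line shipped by default);
#  - later active duplicates are commented out so nothing stale remains;
#  - lines after a Match keyword belong to conditional blocks and are kept;
#  - with no such line, the directive goes before the first Match block,
#    or is appended when there is none.
# The file is overwritten in place rather than replaced with mv, so its
# owner, mode and SELinux label are preserved.
disable_ssh_root_login() {
    local cfg="${1:-/etc/ssh/sshd_config}" tmp
    [ -w "$cfg" ] || { echo "cannot write $cfg" >&2; return 1; }
    tmp=$(mktemp)
    if ! awk '
        /^[[:space:]]*Match[[:space:]]/ && !in_match {
            if (!done) { print "PermitRootLogin no"; done = 1 }
            in_match = 1
        }
        !in_match && /^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)/ {
            if (!done) { print "PermitRootLogin no"; done = 1; next }
            if ($0 ~ /^[[:space:]]*#/) { print; next }
            print "#" $0; next
        }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Syntax-check the result before restarting: a broken sshd_config makes the
# restart fail and can leave the host without remote access.
validate_sshd_config() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$cfg"
}

# Usage as root, keeping an existing session open until a regular user has
# confirmed that login and escalation still work:
#   disable_ssh_root_login && validate_sshd_config && systemctl restart sshd
```

The Match-block handling matters more than it looks: a later "Match Address" block that sets PermitRootLogin yes for a management network is left in place, which is usually intended, but it means ssh_root_login_setting only reports the global default, not every path by which root can still log in.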