1.6. Enhancing System Security with a Firewall, SELinux and SSH Logins

Computer security is the protection of computer systems from theft of or damage to their hardware, software, or information, as well as from disruption or misdirection of the services they provide. Ensuring computer security is therefore an essential task, and not only in enterprises that process sensitive data or handle business transactions.
Computer security includes a wide variety of features and tools. This section covers only the basic security features that you need to configure after you have installed the operating system. For detailed information on securing Red Hat Enterprise Linux 7, see Red Hat Enterprise Linux 7 Security Guide.

1.6.1. Ensuring the Firewall is Enabled and Running

1.6.1.1. What is a Firewall and How it Enhances System Security

A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network.
On Red Hat Enterprise Linux 7, the firewall is provided by the firewalld service, which is automatically enabled during the installation of Red Hat Enterprise Linux. However, if you explicitly disabled the service, for example in the Kickstart configuration, you can re-enable it, as described in Section 1.6.1.2, “Re-enabling the firewalld Service”. For an overview of firewall setting options in the Kickstart file, see Red Hat Enterprise Linux 7 Installation Guide.

1.6.1.2. Re-enabling the firewalld Service

If the firewalld service is disabled after the installation, Red Hat recommends that you consider re-enabling it.
You can display the current status of firewalld even as a regular user:
~]$ systemctl status firewalld
If firewalld is not enabled and running, switch to the root user, and change its status:
~]# systemctl start firewalld
~]# systemctl enable firewalld
For further information on post-installation procedures related to firewalld, and for detailed information on configuring and using the firewall, see Red Hat Enterprise Linux 7 Security Guide.

1.6.2. Ensuring the Appropriate State of SELinux

1.6.2.1. What is SELinux and How it Enhances System Security

Security Enhanced Linux (SELinux) is an additional layer of system security that determines which process can access which files, directories, and ports.
SELinux states
SELinux has two possible states:
  • Enabled
  • Disabled
When SELinux is disabled, only Discretionary Access Control (DAC) rules are used.
SELinux modes
When SELinux is enabled, it can run in one of the following modes:
  • Enforcing
  • Permissive
Enforcing mode means that SELinux policy is enforced. SELinux denies access based on SELinux policy rules, and enables only the interactions that are specifically allowed. Enforcing mode is the default mode after the installation and it is also the safest SELinux mode.
Permissive mode means that SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Permissive mode is the default mode during the installation. Operating in permissive mode is also useful in some specific cases, for example if you require access to the Access Vector Cache (AVC) denials when troubleshooting problems.
For further information on SELinux in Red Hat Enterprise Linux 7, see Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide.

1.6.2.2. Ensuring the Required State of SELinux

By default, SELinux operates in permissive mode during the installation and in enforcing mode when the installation has finished.
However, in some specific situations, SELinux might be explicitly set to permissive mode or it might even be disabled on the installed operating system. This can be set, for example, in the Kickstart configuration. For an overview of SELinux setting options in the Kickstart file, see Red Hat Enterprise Linux 7 Installation Guide.

Important

Red Hat recommends keeping your system in enforcing mode.
To display the current SELinux mode, and to set the mode as needed:

Procedure 1.2. Ensuring the required state of SELinux

  1. Display the current SELinux mode in effect:
    ~]$ getenforce
  2. If needed, switch between the SELinux modes.
    The switch can be either temporary or permanent. A temporary switch is not persistent across reboots, while a permanent switch is.
    • To temporarily switch to either enforcing or permissive mode:
      ~]# setenforce Enforcing
      ~]# setenforce Permissive
    • To permanently set the SELinux mode, modify the SELINUX variable in the /etc/selinux/config configuration file.
      For example, to switch SELinux to enforcing mode:
      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #     enforcing - SELinux security policy is enforced.
      #     permissive - SELinux prints warnings instead of enforcing.
      #     disabled - No SELinux policy is loaded.
      SELINUX=enforcing
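
The temporary and permanent switches in Procedure 1.2 can disagree with each other, so the following added example (not part of the original guide) compares the mode reported by getenforce with the SELINUX= line in the configuration file. The function names are hypothetical, and the sample file is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original guide): detect drift between the
# runtime SELinux mode and the persistent SELINUX= setting.

# Print the value of the first line starting with "SELINUX=" (lowercased),
# or "unset". Taking the first such line is an assumption of this example.
selinux_configured_mode() {
    local v
    v=$(sed -n 's/^SELINUX=//p' "$1" 2>/dev/null | head -n 1 |
        tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    echo "${v:-unset}"
}

# $1 = runtime mode as printed by getenforce, $2 = path to the config file.
# Returns 0 only when the system is enforcing now and stays so after reboot.
selinux_check() {
    local runtime configured
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(selinux_configured_mode "$2")
    if [ "$runtime" = enforcing ] && [ "$configured" = enforcing ]; then
        echo "OK: enforcing now and after reboot"
        return 0
    elif [ "$runtime" = enforcing ]; then
        echo "WARN: enforcing now, but config is '$configured' and applies at next boot"
    elif [ "$configured" = enforcing ]; then
        echo "WARN: running '$runtime'; config is enforcing (temporary switch or reboot pending)"
    else
        echo "FAIL: running '$runtime', config is '$configured'"
    fi
    return 1
}

# Constructed sample: setenforce Enforcing was run, the file still says permissive.
sample=$(mktemp)
printf '%s\n' '# constructed sample file' 'SELINUX=permissive' \
    'SELINUXTYPE=targeted' > "$sample"
selinux_check Enforcing "$sample" || true
rm -f "$sample"

# On a live system: selinux_check "$(getenforce)" /etc/selinux/config
```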

1.6.2.3. Managing SELinux in Cockpit

In Cockpit, use the SELinux option to turn SELinux enforcing policy on or off.
By default, SELinux enforcing policy in Cockpit is on, and SELinux operates in enforcing mode. By turning it off, you can switch SELinux into permissive mode. Note that such a deviation from the default configuration in the /etc/sysconfig/selinux file is automatically reverted on the next boot.

Figure 1.3. Managing SELinux in Cockpit

1.6.3. Using SSH-based authentication

1.6.3.1. What is SSH-based Authentication and How it Enhances System Security

If you want to secure your communication with another computer, you can use SSH-based authentication.
Secure Shell (SSH) is a protocol that facilitates client-server communication and allows users to log in remotely to any host system running SSH. SSH encrypts the connection: the client transmits its authentication information to the server using encryption, and all data sent and received during a session is encrypted.
SSH enables its users to authenticate without a password. To do so, SSH uses a private-public key scheme.
For further information about SSH safeguards, see Section 12.1.2, “Main Features”.

1.6.3.2. Establishing an SSH Connection

To be able to use an SSH connection, create a key pair consisting of a public key and a private key.

Procedure 1.3. Creating the key files and copying them to the server

  1. Generate a public and a private key:
    ~]$ ssh-keygen
    Both keys are stored in the ~/.ssh/ directory:
    • ~/.ssh/id_rsa.pub - public key
    • ~/.ssh/id_rsa - private key
    The public key does not need to be secret. It is used to verify the private key. The private key is secret. You can choose to protect the private key with a passphrase that you specify during the key generation process. With the passphrase, authentication is even more secure, but is no longer password-less. You can avoid entering the passphrase each time by using the ssh-agent command. In this case, you enter the passphrase only once, at the beginning of a session. For more information on ssh-agent configuration, see Section 12.2.4, “Using Key-based Authentication”.
  2. Copy the most recently modified public key to a remote machine you want to log into:
    ~]$ ssh-copy-id USER@hostname
    As a result, you are now able to enter the system in a secure way, but without entering a password.

1.6.3.3. Disabling SSH Root Login

To increase system security, you can disable SSH access for the root user, which is enabled by default.
For more information on this topic, see Red Hat Enterprise Linux 7 Security Guide.

Procedure 1.4. Disabling SSH root login

  1. Access the /etc/ssh/sshd_config file:
    ~]# vi /etc/ssh/sshd_config
  2. Change the line that reads #PermitRootLogin yes to:
    PermitRootLogin no
  3. Restart the sshd service:
    ~]# systemctl restart sshd
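
A check for the result of Procedure 1.4, added here as an example and not part of the original guide: it reports the global PermitRootLogin value that applies, given that sshd_config keywords are case-insensitive and the first occurrence of a keyword wins. The function names are hypothetical, Match blocks are not evaluated, the sample file is constructed, and the live-host helper validates the file with sshd -t before restarting the service.

```shell
#!/bin/bash
# Added example (not from the original guide): report the effective global
# PermitRootLogin setting in an sshd_config-style file.

# Rules applied: '#' lines and blank lines are ignored, the keyword is
# case-insensitive, "Keyword value" and "Keyword=value" are both accepted,
# the first active occurrence wins, and parsing stops at the first Match
# block. Prints "unset" when no active global line exists.
permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }          # strip leading whitespace
        /^#/ || /^$/ { next }           # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when root login over SSH is explicitly set to "no".
root_login_disabled() {
    [ "$(permit_root_login "$1")" = no ]
}

# Live-host helper (run as root, not called here): refuse to restart sshd
# unless the setting is in place and the file passes sshd's own syntax test.
apply_sshd_config() {
    root_login_disabled /etc/ssh/sshd_config || {
        echo "PermitRootLogin is not set to no" >&2
        return 1
    }
    sshd -t && systemctl restart sshd
}

# Constructed sample: a later "no" is ignored because an earlier line is active.
sample=$(mktemp)
printf '%s\n' '# constructed sample file' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$sample"
echo "effective PermitRootLogin: $(permit_root_login "$sample")"
rm -f "$sample"
```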