1
00:00:06,580 --> 00:00:12,089
A service that is commonly used on Linux is
Secure Shell. We already talked about it a bit before.

2
00:00:12,849 --> 00:00:15,949
Now it's time to talk
about some more advanced features.

3
00:00:17,050 --> 00:00:20,030
So Secure Shell provides remote
access to a Linux terminal.

4
00:00:20,890 --> 00:00:26,675
You may have to install it before using
it, using dnf install or apt install of

5
00:00:26,675 --> 00:00:32,460
openssh-server. After installing it, make sure
that it is started and enabled by systemd.

6
00:00:33,520 --> 00:00:37,240
That should happen automatically
on Ubuntu, but you will

7
00:00:37,240 --> 00:00:40,960
need to do it
manually on Red Hat family.

8
00:00:41,899 --> 00:00:47,469
Now if you are running Secure Shell, you
might be interested in securing Secure Shell.

9
00:00:48,049 --> 00:00:53,919
The problem is that Internet-based SSH
servers that offer access on port 22 are

10
00:00:53,919 --> 00:00:59,789
a common target for brute force attacks
and you could consider modifying a few parameters

11
00:00:59,789 --> 00:01:05,659
in the configuration file /etc/ssh/sshd_config
to make it more secure.

12
00:01:06,840 --> 00:01:10,469
There is Port, which defines the
port on which SSH is listening.

13
00:01:11,150 --> 00:01:17,620
PermitRootLogin is what you should consider disabling
so that the root user cannot log in directly.

14
00:01:18,599 --> 00:01:24,769
AllowUsers is what you can use to specify
a list of users that are allowed to log in.

15
00:01:24,769 --> 00:01:30,939
Make that restricted so that only a few users are
allowed to log in, and not everybody knows about it.

16
00:01:32,040 --> 00:01:38,080
And then we have PasswordAuthentication, which allows
or disallows password authentication. If you do that, make

17
00:01:38,080 --> 00:01:44,120
sure that you first create some SSH keys
as explained in a later video in this lesson.

18
00:01:45,459 --> 00:01:49,689
Now if you want to run Secure
Shell on a non default port, you

19
00:01:49,689 --> 00:01:53,920
do need to open the firewall. On
Red Hat family, that works using firewalld.

20
00:01:54,439 --> 00:02:00,268
So sudo firewall-cmd
--add-service --permanent, followed by

21
00:02:00,268 --> 00:02:06,096
firewall-cmd --reload, and
if you use the non-

22
00:02:06,096 --> 00:02:11,924
default port, then you
need firewall-cmd --add-port=

23
00:02:11,924 --> 00:02:17,752
2022/tcp --permanent, after
which you reload the firewall.

24
00:02:17,752 --> 00:02:23,580
On Ubuntu, the Uncomplicated
Firewall, or UFW, is used.

25
00:02:24,199 --> 00:02:29,256
So use sudo ufw allow OpenSSH
to allow generic access, and sudo ufw allow 2022

26
00:02:29,256 --> 00:02:34,313
/tcp to allow access on port
2022. Then there is one more thing,

27
00:02:34,313 --> 00:02:39,370
and that is on Red
Hat only, where you have SELinux.

28
00:02:40,129 --> 00:02:45,590
SELinux is a security system, and it will not
allow SSH to run on a non-default port.

29
00:02:46,129 --> 00:02:52,840
So if you want to run SSH on a
non-default port on Red Hat, you need to

30
00:02:52,840 --> 00:02:59,550
issue the following command: semanage port -a -t ssh_port_t
-p 2022 tcp. Do that before you are

31
00:02:59,549 --> 00:03:06,259
starting the SSH server, because otherwise it won't
work. Let me show you how to do this.

32
00:03:07,439 --> 00:03:13,879
I'm going to start with the
SELinux stuff. sudo semanage port -a -t

33
00:03:13,879 --> 00:03:20,319
ssh_port_t -p 2022 tcp. If I
weren't doing that, then I can

34
00:03:20,319 --> 00:03:26,759
never start my SSH server on port
2022. And oh no, apparently I'm doing

35
00:03:26,759 --> 00:03:33,199
something wrong in my SELinux command.
Well, we have man for that, and

36
00:03:33,200 --> 00:03:39,640
I'm checking out man semanage-port,
and there we can see that it

37
00:03:39,640 --> 00:03:46,080
needs to be -p tcp 2022, and
I've done it the other way around.

38
00:03:47,639 --> 00:03:54,030
So let's fix that and do it this
way, so that it will be better.

39
00:03:55,250 --> 00:04:00,715
Next I'm going to use sudo
vim /etc/ssh/sshd_config, and what do we

40
00:04:00,715 --> 00:04:06,180
find? Well, we find Port,
which is currently set to 22.

41
00:04:07,539 --> 00:04:13,629
I'll make that 2022 so that it takes a little
bit longer before the brute force attacks are going to happen.

42
00:04:14,490 --> 00:04:18,620
And then, well,
I need to

43
00:04:18,620 --> 00:04:22,750
restart. So sudo
systemctl restart sshd.

44
00:04:23,350 --> 00:04:29,959
This is the first example that actually we see where it's
needed to restart the service so that it picks up the changes.

45
00:04:30,500 --> 00:04:36,432
So now it should be done,
and we can use ss -tuln

46
00:04:36,432 --> 00:04:42,365
to figure out what is happening.
And there we can see that

47
00:04:42,365 --> 00:04:48,297
actually port 2022 is in a
listening state. That's awesome. So I

48
00:04:48,297 --> 00:04:54,230
can use ssh localhost -p 2022, and
that is making contact with localhost.

49
00:04:55,649 --> 00:05:01,337
I like that as a simple test,
but I would like it even more

50
00:05:01,337 --> 00:05:07,024
if we also have it in the
firewall. So sudo firewall-cmd. That's how

51
00:05:07,024 --> 00:05:12,712
you manage firewalls on Red Hat. Let
me use --help and let me grep

52
00:05:12,712 --> 00:05:18,399
on add-port, because
I need a quick syntax summary.

53
00:05:18,660 --> 00:05:19,480
That's what
I needed.

54
00:05:19,980 --> 00:05:26,056
So sudo firewall-cmd --add-port=2022/tcp
and

55
00:05:26,056 --> 00:05:32,133
--permanent. Because in firewall-cmd
you need to write it

56
00:05:32,133 --> 00:05:38,209
to the permanent configuration and
also to the runtime configuration.

57
00:05:38,759 --> 00:05:43,656
And a quick check, sudo firewall-cmd
--list-all, is

58
00:05:43,656 --> 00:05:48,553
showing that port 2022 is now
open and that means that my

59
00:05:48,553 --> 00:05:53,449
secure shell server is remotely
accessible, but on port 2022 only.
