Change SSH Port On CentOS 7

sudo vi /etc/ssh/sshd_config
Port 9922
sudo yum -y install policycoreutils-python
sudo semanage port -a -t ssh_port_t -p tcp 9922
sudo firewall-cmd --permanent --zone=public --add-port=9922/tcp
sudo firewall-cmd --reload
sudo systemctl restart sshd.service
ss -tlpn | grep ssh
ssh user@192.168.0.1 -p 9922
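The same port change as a script, added here as an example (not from the original notes): set_ssh_port rewrites the Port directive in a config file, and apply_ssh_port runs the CentOS 7 sequence above with a syntax check before the restart and a listener check after it. Function names, the backup path and the semanage -a/-m fallback are my choices, not part of the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): change the sshd listening port
# with checks at each step. set_ssh_port replaces an existing "Port" or
# commented "#Port" line (or appends one); apply_ssh_port does the live
# CentOS 7 sequence: edit, sshd -t, SELinux port label, firewalld, restart,
# then verify. Keep your current session open until the final check passes.
set -eu

set_ssh_port() {
  cfg="$1"; port="$2"
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Effective port: the last uncommented Port line, or 22 if there is none.
get_ssh_port() {
  awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ {p=$2} END {print (p=="" ? 22 : p)}' "$1"
}

# Root-only live sequence (assumes CentOS 7 with SELinux and firewalld).
apply_ssh_port() {
  port="$1"
  cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
  set_ssh_port /etc/ssh/sshd_config "$port"
  sshd -t                                   # syntax check before restarting
  # -a fails if the port already carries a label; -m changes the label instead
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$port"
  firewall-cmd --permanent --zone=public --add-port="$port/tcp"
  firewall-cmd --reload
  systemctl restart sshd.service
  ss -tlpn | grep -q ":$port " || { echo "sshd is not listening on $port" >&2; return 1; }
}
```

Only after `ss` shows the new listener and a second login on the new port works should the old port be removed from the firewall.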

Details here:

How To Change OpenSSH Port On CentOS 7

Change the Default SSH Port on CentOS 7 Minimal

CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )

Create a MySQL database for WordPress

mysql -u root -pxxx
CREATE DATABASE yyy;
CREATE USER zzz@localhost IDENTIFIED BY 'zzz';
GRANT ALL PRIVILEGES ON yyy.* TO zzz@localhost IDENTIFIED BY 'zzz';
FLUSH PRIVILEGES;
exit
Thanks to:
https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-on-centos-7

DenyHosts: Remove / Delete an IP address

Step # 1: Stop DenyHosts
# /etc/init.d/denyhosts stop

Step # 2: Remove Your IP From /etc/hosts.deny
# vi /etc/hosts.deny

Delete your IP address. Save and close the file.

Step # 3: Remove Your IP From /usr/share/denyhosts/data Directory
cd to /usr/share/denyhosts/data
# cd /usr/share/denyhosts/data

You need to edit the following files using vi and remove the lines containing the IP address. Save the file.

hosts
hosts-restricted
hosts-root
hosts-valid
users-hosts
If you have a static IP address, add it to the allowed-hosts file. Any IP address that appears in this file will not be blocked by default (consider this a whitelist):
# echo '1.2.3.4' >> allowed-hosts

Step # 4: Start DenyHosts
# /etc/init.d/denyhosts start

Allow an IP:
nano /etc/hosts.allow
add the line:
sshd: Your_IP

check the logs:
tail -f /var/log/secure

And if you want to remove a banned IP address from the denyhosts:
# /etc/init.d/denyhosts stop
And then use the following lines to remove or delete the banned IP address completely:

# nano /etc/hosts.deny
# nano /var/lib/denyhosts/hosts
# nano /var/lib/denyhosts/hosts-restricted
# nano /var/lib/denyhosts/hosts-root
# nano /var/lib/denyhosts/hosts-valid
# nano /var/lib/denyhosts/users-hosts

Start deny host:
# /etc/init.d/denyhosts start
Use grep to search for an IP:
# cd /var/lib/denyhosts
# grep wanted_IP *
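The remove-an-IP procedure above as one script, added as an example (not from the original notes or from DenyHosts itself). It matches the whole address so that unbanning 1.2.3.4 does not also strip 1.2.3.45; the sample file contents, the function names and the data-directory parameter are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): remove one IP address from
# /etc/hosts.deny and from every DenyHosts data file, matching the whole
# address so that removing 1.2.3.4 leaves 1.2.3.45 and 11.2.3.4 alone.
# Paths are parameters because the data directory is /usr/share/denyhosts/data
# on some installs and /var/lib/denyhosts on others.
set -eu

# grep -E pattern that matches $1 only as a complete dotted address
ip_regex() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '(^|[^0-9.])%s([^0-9.]|$)' "$esc"
}

# Drop lines mentioning IP $2 from file $1 (no-op if the file does not exist).
strip_ip_from_file() {
  f="$1"; re=$(ip_regex "$2")
  [ -f "$f" ] || return 0
  grep -Ev -- "$re" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing is kept
  mv "$f.tmp" "$f"
}

# Remove IP $1 from hosts.deny ($2) and the DenyHosts data files under $3.
unban_ip() {
  ip="$1"; deny="$2"; datadir="$3"
  case "$ip" in
    ''|*[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 1 ;;
  esac
  strip_ip_from_file "$deny" "$ip"
  for name in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
    strip_ip_from_file "$datadir/$name" "$ip"
  done
}

# How many lines still reference the IP: the "grep wanted_IP *" check.
count_ip_refs() {
  grep -rE -- "$(ip_regex "$1")" "$2" "$3" 2>/dev/null | wc -l | tr -d ' '
}

# Real sequence, as root, with DenyHosts stopped while the files are edited:
#   /etc/init.d/denyhosts stop
#   unban_ip 1.2.3.4 /etc/hosts.deny /var/lib/denyhosts
#   /etc/init.d/denyhosts start
```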

thanks to:
http://www.cyberciti.biz/faq/linux-unix-delete-remove-ip-address-that-denyhosts-blocked/
http://www.unixmen.com/install-configure-denyhost-centos/

Configuring a VNC Server

# yum -y install tigervnc-server
tigervnc is the client and tigervnc-server is the server.
Specify settings for a specific user:
# useradd lisa
# passwd lisa
# cd /usr/lib/systemd/system
# cp vncserver@.service vncserver@\:2.service
We need the backslash "\" because the ":" would otherwise be interpreted; "2" is the session number. Do NOT use session "0", because the service cannot start on it.
Modify the content of vncserver@\:2.service:
# vi vncserver@\:2.service
Replace <USER> with the user created above (lisa):
ExecStart=/sbin/runuser -l lisa -c "/usr/bin/vncserver %i"
PIDFile=/home/lisa/.vnc/%H%i.pid
Have to reload configuration files:
# systemctl daemon-reload
Before starting the session, set the VNC password for that user; this is done as the user:
# su - lisa
# vncpasswd
# exit
Start the server:
# systemctl start vncserver@\:2
Check the status:
# systemctl status vncserver@\:2
Set up the firewall. The firewall blocks incoming connections, not outgoing ones.
# firewall-cmd --permanent --add-service=vnc-server
# firewall-cmd --reload

Firewalld

Configure firewalld or iptables.
# systemctl status firewalld
# systemctl start firewalld
# systemctl enable firewalld
The commands for firewalld are:
# firewall-cmd or firewall-config
Concepts: zones and services.
Get the zones:
# firewall-cmd --get-zones
Get the default zone:
# firewall-cmd --get-default-zone
The default zone is set with --set-default-zone.
A service is a name associated with a port (or ports) and a protocol.
Services are defined under: /etc/firewalld/services
Here are all services.
Default services are in:
/usr/lib/firewalld/services
Check high-availability.xml: a service is a collection of ports.
Add the service:
# firewall-cmd --zone=home --add-service=high-availability
Check the configuration for the current zone:
# firewall-cmd --list-all
This only persists until reboot. To save the changes, use --permanent:
# firewall-cmd --permanent --zone=home --add-service=high-availability
This command is hard to use; there is also a GUI, firewall-config.
Select the zone > click the zone > check the Permanent configuration.
Select the zone > click the zone > check the Permanent configuration.

# firewall-cmd --get-default-zone
# firewall-cmd --set-default-zone=dmz
Add services:
# firewall-cmd --permanent --add-service=ssh
# firewall-cmd --permanent --add-service=ntp
# firewall-cmd --permanent --add-service=ftp
Check whether a service is available:
# firewall-cmd --get-services
# firewall-cmd --permanent --add-service=vnc-server
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=dns
Check:
# firewall-cmd --list-all
Reload the settings:
# systemctl restart firewalld
You can also type:
# firewall-config
to check the configuration.

Configuring SELinux for Apache

I want to use a new document root with a file
Change apache configuration
# mkdir /web
# cd /web
# vi index.html
# vi /etc/httpd/conf/httpd.conf
I'm creating another DocumentRoot.
DocumentRoot "/web"
And a Directory block for the files:

<Directory "/web">
    AllowOverride None
    Require all granted
</Directory>

Also check the settings for Directory:

Restart apache:
# systemctl restart httpd
If it does not restart, try starting it.
I have my new document root and want to use it:
# elinks http://localhost
It still shows the default homepage. Check audit.log for AVC messages and /var/log/messages.
Click details in the GUI troubleshooter.
I can't use SEAlert.
The audit log is the only reliable source:
# grep AVC /var/log/audit/audit.log
This is clear.
Set it correctly:
# man semanage
Check the line with semanage-fcontext
and on the man page:
# man semanage-fcontext
there is an example.
Now paste it and use restorecon:
Check it.

SELinux Modes and Policy

SELinux mode: /etc/sysconfig/selinux
Modes available: disabled, permissive, enforcing. A mode change in this file takes effect at boot.
Without rebooting, enforcing can only be switched to permissive (and back).
# getenforce
# setenforce Enforcing
# setenforce Permissive
By default it should be Enforcing all the time.
Contexts:
# ls -Z (shows the context)
A context has 3 parts:
User part, first, which is for advanced use.
Role part: also for advanced configuration.
Type part: access on files or directories.
All processes have a context.
Ports also have a context:
# netstat -Ztulpen
A process context is matched against a file or port context to decide whether access is allowed.
Booleans are switches that enable or disable parts of the policy.
# getsebool -a
# getsebool -a | grep ftp

SELinux Labels and Booleans managing context
Show the current context of the httpd processes:
# ps Zaux | grep http
For httpd it is httpd_t.
The default document root for httpd is /var/www/.
Here I can see that the context is set up correctly.
In the policy there should be a line which says that the httpd_t SOURCE context is allowed to access the TARGET context httpd_sys_content_t.
If something is wrong, for example a script on the server goes to the /tmp directory, SELinux will not allow it because the directory has the wrong context: tmp_t.
Set context:
# semanage --help
Arguments: fcontext, boolean, port
For file context:
# man semanage
On this page there are subpages for the other subfunctions:
# man semanage-fcontext
At the end of this man page there is an example. Just copy/paste the example and modify it as needed.
semanage writes to the policy, not to the file system. To apply it to the file system, run:
# restorecon -R -v /web
This utility is good for checking when something is not going OK.
# restorecon -R -v /etc (restores the whole directory tree)

# semanage fcontext -l (displays all file contexts in the policy)
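The "paste the example and use restorecon, then check it" step from the Apache section and the semanage/restorecon two-step above, as an added example that is not from the original notes: the pattern "/web(/.*)?" and the type httpd_sys_content_t are the standard ones for a read-only DocumentRoot; the function names and the use of restorecon's dry run as the check are my choices.

```shell
#!/bin/sh
# Added example (not from the original notes): label a new Apache DocumentRoot
# such as /web so that httpd_t may read it. semanage records the rule in the
# policy and restorecon applies it to the files, the two steps the notes
# describe; verify_labels is the "check it" step. Assumes a plain path with no
# regex metacharacters and root on a CentOS 7 host with SELinux.
set -eu

# Turn a directory into the semanage path pattern covering it and everything
# below it:  /web -> "/web(/.*)?"  (trailing slashes are stripped first)
fcontext_regex() {
  dir=$(printf '%s' "$1" | sed 's:/*$::')
  printf '%s(/.*)?' "$dir"
}

# Record the file-context rule (default type httpd_sys_content_t, the type
# /var/www carries) and relabel the tree so the file system matches the policy.
label_docroot() {
  dir="$1"; type="${2:-httpd_sys_content_t}"
  re=$(fcontext_regex "$dir")
  # -a fails if a rule for this pattern already exists; -m modifies it instead
  semanage fcontext -a -t "$type" "$re" 2>/dev/null \
    || semanage fcontext -m -t "$type" "$re"
  restorecon -R -v "$dir"
}

# restorecon -n only reports what it would change: no output means every file
# already carries the label the policy expects.
verify_labels() {
  pending=$(restorecon -R -n -v "$1")
  [ -z "$pending" ] || { printf 'mislabelled:\n%s\n' "$pending" >&2; return 1; }
}

# Live use:  label_docroot /web && verify_labels /web && ls -dZ /web /web/index.html
```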
# yum provides '*sepolicy' (check which package provides the documentation, because it is not installed by default)
Install the policy:
# yum -y install policycoreutils-devel
Now I have to run:
# sepolicy manpage -a
This generates the man pages for all services that have an SELinux policy.
Update the man database:
# mandb
Check all pages with _selinux in the description:
# man -k _selinux
And now for httpd:
# man -k _selinux | grep httpd
and there is httpd_selinux.
The man pages are generated into the /tmp directory by default. They must be moved:
# cd /tmp
# mv * /usr/share/man/man8
Update the man pages index:
# mandb
Or generate them straight into the man directory:
# sepolicy manpage -a -p /usr/share/man/man8

Using booleans
# getsebool -a (shows all booleans on the system)
# getsebool -a | grep ftp
User access to home directories:
# setsebool ftp_home_dir on
This will not survive a reboot.
Check it:
# semanage boolean -l | grep ftp
Make it persistent:
# setsebool -P ftp_home_dir on
-P is for PERSISTENT

Analyzing SELinux Log Files
Check the troubleshoot packages:
# yum list installed | grep setrouble
The packages must be installed.
Check that auditd is started:
# systemctl status auditd
Analyze the audit log:
# grep AVC /var/log/audit/audit.log
All SELinux messages have the AVC header.
denied { getattr } is the permission denied for the vsftpd server.
Check the SOURCE context and TARGET context, which are not the same.
Conclusion: vsftpd doesn't have the SELinux permissions to access audion_home_t target files.
Either relabel the files or allow ftpd to access the files.
Check /var/log/messages for additional information.
"sealert" is the word to search for. Copy it.
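The grep-for-AVC step above (and the same check in the Apache section) carried through as a small parser, added here as an example that is not from the original notes: it prints the process, the denied permissions, the object class and the SOURCE and TARGET types for each AVC line, which is exactly the comparison the notes say to make. The audit lines are constructed samples and avc_summary is my name.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise AVC denials from
# /var/log/audit/audit.log, pulling out the process (comm), the denied
# permissions, the object class and the SOURCE and TARGET types, which is
# what you compare to decide between relabelling and setting a boolean.
set -eu

# Constructed sample audit lines (not from a real system), in audit.log layout.
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="vsftpd" path="/home/lisa/file.txt" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1500000001.456:789): avc:  denied  { read open } for  pid=2345 comm="httpd" path="/web/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1'

# Reads audit lines on stdin; prints one line per AVC denial:
#   [permissive] <comm> denied <perms> on <tclass>: <source type> -> <target type>
# permissive=1 lines are logged but not blocked, so they are flagged.
avc_summary() {
  grep 'type=AVC' | grep 'denied' | awk '{
    perms=""; comm="?"; src="?"; tgt="?"; cls="?"; pm="";
    if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART+2, RLENGTH-4);
    for (i = 1; i <= NF; i++) {
      n = index($i, "="); if (n == 0) continue;
      k = substr($i, 1, n-1); v = substr($i, n+1);
      if (k == "comm")          { gsub(/"/, "", v); comm = v }
      else if (k == "scontext") { split(v, p, ":"); src = p[3] }
      else if (k == "tcontext") { split(v, p, ":"); tgt = p[3] }
      else if (k == "tclass")   { cls = v }
      else if (k == "permissive" && v == "1") { pm = "[permissive] " }
    }
    printf "%s%s denied %s on %s: %s -> %s\n", pm, comm, perms, cls, src, tgt
  }'
}

# Live use:  avc_summary < /var/log/audit/audit.log | sort | uniq -c | sort -rn
summarise_sample() { printf '%s\n' "$SAMPLE_AUDIT" | avc_summary; }
```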

Using rd.break to Reset the Root Password

reboot > e > line starting with linux16 > remove "rhgb quiet", add the parameter "rd.break"
ctrl+x
# mount -o remount,rw /sysroot
# chroot /sysroot
# echo secret | passwd --stdin root
# touch /.autorelabel
ctrl+d
ctrl+d
Log in again normally.

systemd and mounting

I want to mount lvdisk to directory /lvdisk
Inside /etc/systemd/system I will create the file:
# vi lvdisk.mount
[Unit]
Description = my test mount
[Mount]
What = /dev/vgdisk/lvdisk
Where =/lvdisk
Type = xfs

[Install]
WantedBy = multi-user.target

(I can copy an example mount unit from /usr/lib/systemd/system)
To mount the disk I have to run:
# systemctl start lvdisk.mount
Make sure it comes back after a reboot:
# systemctl enable lvdisk.mount

Part191 - Managing Automount in a systemd Environment
I must create a mount file for a disk which I want mounted automatically when it is used.
First I have to be sure that the mount is stopped and disabled:
# systemctl disable lvdisk.mount
# systemctl stop lvdisk.mount
Check:
# mount | grep lvdisk
Create an automount file with the name: directoryName.automount
lvdisk is the directoryName, so the file will be:
# vi lvdisk.automount
[Unit]
Description = lvdisk automount

[Automount]
Where = /lvdisk

[Install]
WantedBy = multi-user.target

It is important that the name of the automount file matches the name of the corresponding mount file.
Now I can enable and start the automount:
# systemctl enable lvdisk.automount
# systemctl start lvdisk.automount
You can use this option or the one discussed before, but this is the future.

systemd

cd /usr/lib/systemd/system
These are the default unit files.
Changes should be made in:
/etc/systemd
Unit files here override the ones from /usr/lib/systemd/system.
The basic unit of systemd is the service; the services are in /usr/lib/systemd/system.
Here is an example of a service, httpd.service.
You can make anything a service and start it.
The bottom lines show how the service should be started.
It should be started by a target.
To manage a service:
# systemctl status httpd
stop - stops the service
disable - takes it out of the startup procedure of the OS.
System states are TARGETS.
Those are in /etc/systemd/system
or in /usr/lib/systemd/system
There are 2 main targets:
multi-user - server without GUI
graphical - GUI
When you enable a service, a symbolic link is created in /usr/lib/systemd/system/multi-user.target.wants/.
The rest are in:
/etc/systemd/system/multi-user.target.wants
In systemd there is a default.target which decides what will start. This can be changed by changing the symbolic link.
Check active targets:
# systemctl list-units --type=target
The service is the unit responsible for starting a specific thing in the OS. A target is a collection of services. The target itself defines dependencies on other targets, to be sure that all requirements are started as needed. To put a service into a target, a "wants" has to be created. A wants is a symbolic link which is created automatically when the command "systemctl enable serviceName" is issued.

Switching Between systemd Targets
Check the status of the targets:
# systemctl list-units --type=target
Change to minimal mode:
# systemctl isolate rescue.target
Check the targets:
# systemctl list-units --type=target
From rescue mode the only option is to exit and reboot from GRUB:
# exit
From the boot menu:
type: e (for edit)
go to the line which starts with "linux16"
At the end of the line add: systemd.unit=rescue.target
ctrl+x to start the system.
Type the root password to get access.
From rescue mode press "ctrl+d" in order to go to GRUB and exit.
EMERGENCY.TARGET
Add at the end of the linux16 line:
systemd.unit=emergency.target
ctrl+x
Enter the root password.
# systemctl list-units --type=target
To start the default target:
# systemctl default