Original link: Kirin KYLINOS configures kysec firewall through command line
Hello everyone. Today I bring you an article on configuring the kysec firewall from the command line. After reading it, you will understand how the firewall entries shown in the graphical interface are generated, so that the relevant firewall configuration can be placed into a customized image in advance. First I will show how to do this in the graphical interface, and then how to complete the same operation from the command line.
1. View Kirin system information
pdsyw@pdsyw-pc:~/Desktop$ cat /etc/.kyinfo
[dist]
name=Kylin
milestone=Desktop-V10-SP1-General-Release-2303
arch=arm64
beta=False
time=2023-04-27 15:46:53
dist_id=Kylin-Desktop-V10-SP1-General-Release-2303-arm64-2023-04-27 15:46:53
[servicekey]
key=0516013
[os]
to=
term=2024-08-01
pdsyw@pdsyw-pc:~/Desktop$
2. Install ssh
root@pdsyw-pc:~# apt install ssh -y
Reading package list... Done
Analyzing a package's dependency tree
Reading status information... Complete
The following packages were installed automatically and are no longer needed:
  archdetect-deb dmeventd libaio1 libdebian-installer4 libdevmapper-event1.02.1 liblvm2cmd2.03 localechooser-data lvm2 user-setup
Use 'apt autoremove' to uninstall it(them).
The following software will also be installed:
  ncurses-term openssh-server openssh-sftp-server ssh-import-id
Recommended installation:
  molly-guard monkeysphere ssh-askpass ufw
The following [new] packages will be installed:
  ncurses-term openssh-server openssh-sftp-server ssh ssh-import-id
0 packages upgraded, 5 newly installed, 0 packages to uninstall, 16 packages not upgraded.
Requires download of 1,030 kB archive.
After decompression, it consumes 6,097 kB of additional space.
Get: 1 http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1-2303-updates/main arm64 openssh-sftp-server arm64 1:8.2p1-4kylin3k0.3 [50.1 kB]
Get: 2 http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1-2303-updates/main arm64 openssh-server arm64 1:8.2p1-4kylin3k0.3 [357 kB]
Get: 3 http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1-2303-updates/main arm64 ssh all 1:8.2p1-4kylin3k0.3 [105 kB]
Get: 4 http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1/main arm64 ncurses-term all 6.2-0kylin2 [501 kB]
Get: 5 http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1/main arm64 ssh-import-id all 5.10-0kylin1 [17.2 kB]
Downloaded 1,030 kB, took 1 second (1,489 kB/s)
Preconfiguring packages...
Selecting unselected package openssh-sftp-server.
(Reading database... The system currently has a total of 191610 files and directories installed.)
Prepare to decompress .../openssh-sftp-server_1:8.2p1-4kylin3k0.3_arm64.deb ...
Unpacking openssh-sftp-server (1:8.2p1-4kylin3k0.3) ...
Selecting unselected package openssh-server.
Prepare to decompress .../openssh-server_1:8.2p1-4kylin3k0.3_arm64.deb ...
Unpacking openssh-server (1:8.2p1-4kylin3k0.3) ...
Selecting unselected package ssh.
Prepare to decompress .../ssh_1:8.2p1-4kylin3k0.3_all.deb ...
Unzipping ssh (1:8.2p1-4kylin3k0.3) ...
Selecting unselected package ncurses-term.
Prepare to unzip .../ncurses-term_6.2-0kylin2_all.deb ...
Unpacking ncurses-term (6.2-0kylin2) ...
Selecting unselected package ssh-import-id.
Prepare to decompress .../ssh-import-id_5.10-0kylin1_all.deb ...
Unpacking ssh-import-id (5.10-0kylin1) ...
Setting up openssh-sftp-server (1:8.2p1-4kylin3k0.3) ...
Setting up openssh-server (1:8.2p1-4kylin3k0.3) ...
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:KGiMMxfVed8XFMfJDAgboVL3LT/WWfU8szRWwe0IzuA root@pdsyw-pc (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:NMxxVNmzCAP21CttTPR2jljmf8dxfLAoo25PJ7/f7Jw root@pdsyw-pc (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:9MM0et35Ll8U28DnUbrDx0NR8LjQ81qgNFPCJodEjfE root@pdsyw-pc (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Setting up ssh-import-id (5.10-0kylin1) ...
Attempting to convert /etc/ssh/ssh_import_id
Setting up ncurses-term (6.2-0kylin2) ...
Setting up ssh (1:8.2p1-4kylin3k0.3) ...
Processing triggers for man-db (2.9.1-1kylin0k1) ...
Processing triggers for systemd (245.4-4kylin3.15k0.26) ...
root@pdsyw-pc:~#
3. Check ssh service status
root@pdsyw-pc:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: e>
     Active: active (running) since Wed 2023-10-25 16:58:06 CST; 23s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 10573 (sshd)
      Tasks: 1 (limit: 9420)
     Memory: 1.2M
     CGroup: /system.slice/ssh.service
             └─10573 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

October 25 16:58:06 pdsyw-pc systemd[1]: Starting OpenBSD Secure Shell server...
October 25 16:58:06 pdsyw-pc sshd[10573]: Server listening on 0.0.0.0 port 22.
October 25 16:58:06 pdsyw-pc sshd[10573]: Server listening on :: port 22.
October 25 16:58:06 pdsyw-pc systemd[1]: Started OpenBSD Secure Shell server.
root@pdsyw-pc:~#
4. Check the IP address
root@pdsyw-pc:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:1c:42:3b:79:c8 brd ff:ff:ff:ff:ff:ff
    inet 10.211.55.49/24 brd 10.211.55.255 scope global dynamic noprefixroute enp0s5
       valid_lft 1564sec preferred_lft 1564sec
    inet6 fdb2:2c26:f4e4:0:e583:5d78:f1b6:d339/64 scope global temporary dynamic
       valid_lft 604445sec preferred_lft 85893sec
    inet6 fdb2:2c26:f4e4:0:70f4:6b68:3f20:cd70/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 2591920sec preferred_lft 604720sec
    inet6 fe80::3aa3:f428:7b8:728/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
root@pdsyw-pc:~#
5. Attempt a remote connection and find that it fails.
Last login: Wed Oct 25 15:19:17 on ttys001
roc@ROC ~ % ssh pdsyw@10.211.55.49
ssh: connect to host 10.211.55.49 port 22: Connection refused
roc@ROC ~ %
6. Click Security Center Advanced Configuration
7. Add a firewall with port 22 open
8. Port 22 is released
9. Successful connection using ssh
roc@ROC ~ % ssh pdsyw@10.211.55.49
The authenticity of host '10.211.55.49 (10.211.55.49)' can't be established.
ED25519 key fingerprint is SHA256:txRKtgIJRu8kLSoI6AfI3mM5f3Ufb9BL+njSlgrAkfk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.211.55.49' (ED25519) to the list of known hosts.
pdsyw@10.211.55.49's password:
Welcome to Kylin V10 SP1 (GNU/Linux 5.4.18-85-generic aarch64)

 * Management: http://www.kylinos.cn/
 * Support:    http://www.kylinos.cn/service.aspx

pdsyw@pdsyw-pc:~$
10. Delete firewall configuration
11. Connect with ssh again and find that the connection fails.
12. Enter the /etc/kylin-firewall/ path
pdsyw@pdsyw-pc:~/Desktop$ sudo -i
root@pdsyw-pc:~# cd /etc/kylin-firewall/
root@pdsyw-pc:/etc/kylin-firewall# ll
Total usage 32
drwxr-xr-x   5 root root  4096 April 27 15:30 ./
drwxr-xr-x 165 root root 12288 October 25 16:58 ../
drwxr-xr-x   2 root root  4096 April 27 15:30 builtin_rules/
drwxr-xr-x   2 root root  4096 April 27 15:30 custom_rules/
-rw-r--r--   1 root root   837 April 27 15:30 kylin-firewall.conf
drwxr-xr-x   2 root root  4096 April 27 15:30 modes/
root@pdsyw-pc:/etc/kylin-firewall#
13. Enter custom_rules/ and copy icmp.xml to sshport.xml
root@pdsyw-pc:/etc/kylin-firewall# cd custom_rules/
root@pdsyw-pc:/etc/kylin-firewall/custom_rules# ll
Total usage 44
drwxr-xr-x 2 root root 4096 April 27 15:30 ./
drwxr-xr-x 5 root root 4096 April 27 15:30 ../
-rw-r--r-- 1 root root  223 April 27 15:30 apt-p2p.xml
-rw-r--r-- 1 root root  286 April 27 15:30 Default-Rule1.xml
-rw-r--r-- 1 root root  273 April 27 15:30 Default-Rule2.xml
-rw-r--r-- 1 root root  235 April 27 15:30 Default-Rule3.xml
-rw-r--r-- 1 root root  227 April 27 15:30 icmp.xml
-rw-r--r-- 1 root root  248 April 27 15:30 Kylin-Connectivity.xml
-rw-r--r-- 1 root root  227 April 27 15:30 Remote-Desktop.xml
-rw-r--r-- 1 root root  229 April 27 15:30 System-Activation.xml
-rw-r--r-- 1 root root  223 April 27 15:30 Wireless-Projection.xml
root@pdsyw-pc:/etc/kylin-firewall/custom_rules# cp icmp.xml sshport.xml
root@pdsyw-pc:/etc/kylin-firewall/custom_rules#
14. Edit the sshport.xml file
root@pdsyw-pc:/etc/kylin-firewall/custom_rules# vi sshport.xml
root@pdsyw-pc:/etc/kylin-firewall/custom_rules# cat sshport.xml
<?xml version="1.0" encoding="utf-8"?>
<rule><policy direction="all" action="allow" mode="all" status="on"/><filter program="all" protocol="ssh" local_ip="all" local_ports="all" remote_ip="all" remote_ports="all"/></rule>
root@pdsyw-pc:/etc/kylin-firewall/custom_rules#
15. Enter the /etc/kylin-firewall/modes path
root@pdsyw-pc:/etc/kylin-firewall#
root@pdsyw-pc:/etc/kylin-firewall# ll
Total usage 32
drwxr-xr-x   5 root root  4096 April 27 15:30 ./
drwxr-xr-x 165 root root 12288 October 25 17:00 ../
drwxr-xr-x   2 root root  4096 April 27 15:30 builtin_rules/
drwxr-xr-x   2 root root  4096 October 25 17:00 custom_rules/
-rw-r--r--   1 root root   837 April 27 15:30 kylin-firewall.conf
drwxr-xr-x   2 root root  4096 April 27 15:30 modes/
root@pdsyw-pc:/etc/kylin-firewall# pwd
/etc/kylin-firewall
root@pdsyw-pc:/etc/kylin-firewall# cd modes/
root@pdsyw-pc:/etc/kylin-firewall/modes# ll
Total usage 16
drwxr-xr-x 2 root root 4096 April 27 15:30 ./
drwxr-xr-x 5 root root 4096 April 27 15:30 ../
-rw-r--r-- 1 root root  346 April 27 15:30 private.xml
-rw-r--r-- 1 root root  214 April 27 15:30 public.xml
root@pdsyw-pc:/etc/kylin-firewall/modes#
16. Edit the private.xml file
root@pdsyw-pc:/etc/kylin-firewall/modes# vi private.xml
root@pdsyw-pc:/etc/kylin-firewall/modes# cat private.xml
<?xml version="1.0" encoding="utf-8"?>
<mode inpolicy="deny" outpolicy="allow"><KSC/><rule name="System-Activation"/><rule name="icmp"/><rule name="Default-Rule1"/><rule name="Default-Rule2"/><rule name="Default-Rule3"/><rule name="Wireless-Projection"/><rule name="Kylin-Connectivity"/><rule name="Remote-Desktop"/><rule name="apt-p2p"/><rule name="sshport"/></mode>
root@pdsyw-pc:/etc/kylin-firewall/modes#
17. Edit the public.xml file
root@pdsyw-pc:/etc/kylin-firewall/modes# vi public.xml
root@pdsyw-pc:/etc/kylin-firewall/modes# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<mode inpolicy="deny" outpolicy="allow"><KSC/><rule name="System-Activation"/><rule name="Wireless-Projection"/><rule name="Kylin-Connectivity"/><rule name="apt-p2p"/><rule name="sshport"/></mode>
root@pdsyw-pc:/etc/kylin-firewall/modes#
18. Restart the system
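Steps 12 to 18 amount to two file edits: a rule file in custom_rules/ and a `<rule name="..."/>` entry in each mode file. The script below is an added example, not part of the original post or of KylinOS, that does both in a way that is safe to rerun when baking the configuration into an image. It assumes only the layout shown above (custom_rules/<name>.xml, modes/private.xml and modes/public.xml) and the element shapes printed by `cat`; the function names are mine.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

XML_HEADER = '<?xml version="1.0" encoding="utf-8"?>\n'


def build_rule(protocol="all", local_ports="all", direction="all", action="allow"):
    """Return a custom_rules/<name>.xml document in the shape shown by step 14.
    Both mode files are inpolicy="deny", so every allow rule is a hole in that
    default-deny: keep protocol/local_ports as narrow as the service needs."""
    rule = ET.Element("rule")
    ET.SubElement(rule, "policy", direction=direction, action=action, mode="all", status="on")
    ET.SubElement(rule, "filter", program="all", protocol=protocol, local_ip="all",
                  local_ports=local_ports, remote_ip="all", remote_ports="all")
    return XML_HEADER + ET.tostring(rule, encoding="unicode")


def register_rule(mode_xml, name):
    """Append <rule name="..."/> to a modes/*.xml document (steps 16/17); idempotent,
    so rerunning the script never produces duplicate entries."""
    mode = ET.fromstring(mode_xml.encode("utf-8"))
    if mode.tag != "mode":
        raise ValueError("not a kylin-firewall mode document")
    if any(r.get("name") == name for r in mode.findall("rule")):
        return mode_xml  # already registered: leave the file untouched
    ET.SubElement(mode, "rule", name=name)
    return XML_HEADER + ET.tostring(mode, encoding="unicode")


def dangling_rules(mode_xml, existing_names):
    """Rule names a mode references that have no custom_rules/<name>.xml.
    A typo here silently leaves the port closed, so check before rebooting."""
    mode = ET.fromstring(mode_xml.encode("utf-8"))
    existing = set(existing_names)
    return [r.get("name") for r in mode.findall("rule") if r.get("name") not in existing]


def install_rule(firewall_dir, name, **filter_kw):
    """Write custom_rules/<name>.xml and register it in every mode file.
    On a live system firewall_dir is /etc/kylin-firewall (root required, reboot
    afterwards as in step 18); point it at a scratch copy to try it out.
    Returns {mode file: [dangling rule names]} as a sanity check."""
    root = Path(firewall_dir)
    (root / "custom_rules" / f"{name}.xml").write_text(build_rule(**filter_kw), encoding="utf-8")
    for mode_file in sorted((root / "modes").glob("*.xml")):
        mode_file.write_text(register_rule(mode_file.read_text(encoding="utf-8"), name),
                             encoding="utf-8")
    present = [p.stem for p in (root / "custom_rules").glob("*.xml")]
    return {m.name: dangling_rules(m.read_text(encoding="utf-8"), present)
            for m in sorted((root / "modes").glob("*.xml"))}
```

A narrower equivalent of the post's sshport rule would be `install_rule("/etc/kylin-firewall", "sshport", protocol="tcp", local_ports="22")`, assuming the firewall accepts those filter values as the GUI writes them.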
19. Security Center firewall configuration has been automatically added
20. Successful connection using ssh
roc@ROC Desktop % ssh pdsyw@10.211.55.49
pdsyw@10.211.55.49's password:
Welcome to Kylin V10 SP1 (GNU/Linux 5.4.18-85-generic aarch64)

 * Management: http://www.kylinos.cn/
 * Support:    http://www.kylinos.cn/service.aspx

Last login: Wed Oct 25 15:46:22 2023 from 10.211.55.2
pdsyw@pdsyw-pc:~$