I've been playing around a bit with the just-released Red Hat Enterprise Linux 6 Beta ( RHEL6 ). In case anyone else is interested here are some useful links to the Red Hat website: Downloads Documentation FAQS The beta is fully functional as far as I can tell and it's free. No registration is required to download it or use it. Currently, I am using CentOS 5.x on my production server so I was interested to see what the new RHEL6 looks like. The install is still done by anaconda but the package and software selections are different in the installer versus CentOS 5.x: One other thing that's a bit tricky, both SELINUX and the FIREWALL are installed by default. This drove me crazy as I could not get pubkey authorization to work due to selinux and could not use a non-standard port for SSH due to the firewall. Here's how to turn OFF selinux: Code: vi /etc/selinux/config Change: Code: SELINUX=disabled reboot Here's how to configure or turn the firewall off/on: Code: sudo system-config-firewall-tui
Configuring RHEL Both SELinux and iptables are enabled by default, and have been since they were implemented. I agree that SELinux is a pain, but rather than turning off iptables completely, it's better to set up your own rules (especially if you're allowing traffic to pass back from your router, and definitely if your system sits open to the world). To have SSH listen on a non-standard port, such as 7000, on a server with the IP of 192.168.1.100, you'd code this as root: Code: iptables -I INPUT -d 192.168.1.100 -p tcp -m tcp --dport 7000 -j ACCEPT iptables-save > /etc/sysconfig/iptables Now you can freely move SSH to port 7000 without worries. The first line opens port 7000 to all incoming traffic, and the second line saves the running rules to disk so that when the system restarts your open port is still there. Though it can be a bit of a pain at times, leaving the firewall up is always a good idea. Granted, the default rules sent out by RedHat are pretty strict, but they're also easy to work around. You could, if you wanted to, wipe the default config and load your own entirely. If you want to wipe the default configuration so that you can load only your own rules, do this (again, as root) Code: > /etc/sysconfig/iptables /etc/init.d/iptables restart One other pair of rules that I always add is this: Code: iptables -I INPUT -d 192.168.1.100 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -I INPUT -d 192.168.1.100 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP These rules prevent brute-force SSH attacks (on port 22) by counting the number of hits over a two-minute span. If any single IP tries to connect more than 4 times, it is blocked until the server (or iptables) is restarted. Again, replace the IP with your own, and remember to save the ruleset to keep these persistent across a reboot.
