[CentOS-docs] firewalld configuration for securing SSH
Thibaut Perrin
thibaut.perrin at gmail.comFri Apr 26 23:39:47 UTC 2019
- Previous message: [CentOS-docs] firewalld configuration for securing SSH
- Next message: [CentOS-docs] firewalld configuration for securing SSH
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
No, I think the rules you created might have a better place in a custom xml file instead of being given to firewall cmd directly :) On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model < kimee.i.model at gmail.com> wrote: > I'm not sure I follow, you just think the modified one should be called > "ssh-custom", or you think there shouldn't be a modified service file > at all? > > -- Kimee > > On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote: > > Hi there, > > > > Wouldn't that be a better solution to create a custom xml file to put > > in /etc/firewalld and load that "ssh-custom" service instead ? > > > > Thanks > > > > On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com> > > wrote: > > > Thank you, I've gone in and made the listed changes changed > > > firewalld > > > sections to use services instead of just port numbers. > > > > > > -- Kimee > > > > > > > > > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote: > > > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model > > > > <kimee.i.model at gmail.com> wrote: > > > > > > > > > > HI all, > > > > > > > > > > 1st time contributor here. I was using the guide on securing > > > > > SSH, > > > > > and > > > > > noticed that the firewall-cmd snippets for filtering by > > > > > requests > > > > > per > > > > > time seem somewhat outdated. From what I can tell the given > > > > > snippets, > > > > > relay arguments directly down to iptables, and do not cover > > > > > both > > > > > IPv4 > > > > > and v6. (and in fact when attempting to extend to v6 the > > > > > firewall > > > > > would > > > > > fail to reload). I came up with an "all firewall-cmd" solution > > > > > which > > > > > I'd like to share. > > > > > > > > > > It boils down to using rich rules in firewalld instead of > > > > > direct > > > > > rules > > > > > for iptables. The code snippets in section 6 of < > > > > > https://wiki.centos.org/HowTos/Network/SecuringSSH>;; would be > > > > > changed to > > > > > > > > > > firewall-cmd --permanent --add-rich-rule='rule port port="22" > > > > > protocol="tcp" accept limit value="4/m"' > > > > > firewall-cmd --permanent --remove-service ssh > > > > > firewall-cmd --permanent --remove-port 22/tcp > > > > > firewall-cmd --reload > > > > > > > > > > newly minted wiki username is "KimeeModel". > > > > > > > > > > Regards, > > > > > Kimee > > > > > > > > You should be able to edit that page. Let us know if you find any > > > > problem. > > > > > > > > Akemi > > > > _______________________________________________ > > > > CentOS-docs mailing list > > > > CentOS-docs at centos.org > > > > https://lists.centos.org/mailman/listinfo/centos-docs > > > > > > _______________________________________________ > > > CentOS-docs mailing list > > > CentOS-docs at centos.org > > > https://lists.centos.org/mailman/listinfo/centos-docs > > > > > > > _______________________________________________ > > CentOS-docs mailing list > > CentOS-docs at centos.org > > https://lists.centos.org/mailman/listinfo/centos-docs > > _______________________________________________ > CentOS-docs mailing list > CentOS-docs at centos.org > https://lists.centos.org/mailman/listinfo/centos-docs > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20190427/1d138ace/attachment-0002.html>
- Previous message: [CentOS-docs] firewalld configuration for securing SSH
- Next message: [CentOS-docs] firewalld configuration for securing SSH
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS-docs mailing list