[CentOS-docs] firewalld configuration for securing SSH

Thu Apr 25 00:05:11 UTC 2019
Akemi Yagi <amyagi at gmail.com>

On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
<kimee.i.model at gmail.com> wrote:
> Hi all,
> First-time contributor here. I was using the guide on securing SSH, and
> noticed that the firewall-cmd snippets for filtering by requests per
> time seem somewhat outdated. From what I can tell, the given snippets
> relay arguments directly down to iptables, and do not cover both IPv4
> and IPv6 (and in fact, when attempting to extend to v6, the firewall
> would fail to reload). I came up with an "all firewall-cmd" solution
> which I'd like to share.
> It boils down to using rich rules in firewalld instead of direct rules
> for iptables. The code snippets in section 6 of
> <https://wiki.centos.org/HowTos/Network/SecuringSSH> would be changed to:
>
> firewall-cmd --permanent --add-rich-rule='rule port port="22" protocol="tcp" accept limit value="4/m"'
> firewall-cmd --permanent --remove-service ssh
> firewall-cmd --permanent --remove-port 22/tcp
> firewall-cmd --reload
>
> My newly minted wiki username is "KimeeModel".
> Regards,
> Kimee

You should be able to edit that page. Let us know if you find any problem.