[CentOS-docs] firewalld configuration for securing SSH

Fri Apr 26 17:46:17 UTC 2019
Thibaut Perrin <thibaut.perrin at gmail.com>

Hi there,

Wouldn't it be a better solution to create a custom xml file to put
in /etc/firewalld and load that "ssh-custom" service instead?

Thanks

On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com> wrote:
> Thank you, I've gone in and made the listed changes and changed the firewalld
> sections to use services instead of just port numbers.
>
> -- Kimee
>
>
> On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
>> On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
>> <kimee.i.model at gmail.com> wrote:
>> >
>> > Hi all,
>> >
>> > 1st time contributor here. I was using the guide on securing SSH, and
>> > noticed that the firewall-cmd snippets for filtering by requests per
>> > time seem somewhat outdated. From what I can tell the given snippets
>> > relay arguments directly down to iptables, and do not cover both IPv4
>> > and v6. (and in fact when attempting to extend to v6 the firewall would
>> > fail to reload). I came up with an "all firewall-cmd" solution which
>> > I'd like to share.
>> >
>> > It boils down to using rich rules in firewalld instead of direct rules
>> > for iptables. The code snippets in section 6 of
>> > <https://wiki.centos.org/HowTos/Network/SecuringSSH> would be
>> > changed to
>> >
>> > firewall-cmd --permanent --add-rich-rule='rule port port="22"
>> > protocol="tcp" accept limit value="4/m"'
>> > firewall-cmd --permanent --remove-service ssh
>> > firewall-cmd --permanent --remove-port 22/tcp
>> > firewall-cmd --reload
>> >
>> > newly minted wiki username is "KimeeModel".
>> >
>> > Regards,
>> > Kimee
>>
>> You should be able to edit that page. Let us know if you find any
>> problem.
>>
>> Akemi
>> _______________________________________________
>> CentOS-docs mailing list
>> CentOS-docs at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-docs
>
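Putting the two suggestions from this thread together, here is an added example (not from the wiki page or from any poster) that writes an "ssh-custom" service definition and then applies Kimee's rate-limited rich rule per address family using that service name; note that firewalld reads custom service files from /etc/firewalld/services/ (they shadow the shipped ones in /usr/lib/firewalld/services/), and the SERVICE_NAME, SSH_PORT, LIMIT and APPLY variables are this script's own.

```shell
#!/bin/sh
# Added example: define an "ssh-custom" firewalld service and accept it only
# through a rate-limited rich rule, for both IPv4 and IPv6.
set -eu

SERVICE_NAME="ssh-custom"
SSH_PORT="${SSH_PORT:-22}"   # port the custom service covers
LIMIT="${LIMIT:-4/m}"        # accepted new connections per minute (firewalld limit syntax)

# Write the service definition. The directory defaults to the location
# firewalld scans for local service files; pass another one for testing.
write_ssh_custom_service() {
    dir="${1:-/etc/firewalld/services}"
    mkdir -p "$dir"
    cat > "$dir/$SERVICE_NAME.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH (custom, rate limited)</short>
  <description>SSH on port $SSH_PORT, accepted only via a rate-limited rich rule.</description>
  <port protocol="tcp" port="$SSH_PORT"/>
</service>
EOF
    printf '%s\n' "$dir/$SERVICE_NAME.xml"
}

# Build the rich rule for one address family ("ipv4" or "ipv6"). Naming the
# family keeps the two entries separately visible in --list-rich-rules.
ssh_rich_rule() {
    printf 'rule family="%s" service name="%s" accept limit value="%s"' \
        "$1" "$SERVICE_NAME" "$LIMIT"
}

# Apply to the default zone: add the limited rules, then drop the plain ssh
# service and bare port so the rate-limited rule is the only way in, and reload
# so the permanent configuration (and the new service file) take effect.
apply_rules() {
    for family in ipv4 ipv6; do
        firewall-cmd --permanent --add-rich-rule="$(ssh_rich_rule "$family")"
    done
    firewall-cmd --permanent --remove-service=ssh
    firewall-cmd --permanent --remove-port="$SSH_PORT/tcp"
    firewall-cmd --reload
}

# Only touch the live firewall when explicitly asked (APPLY=1 ./script.sh).
if [ "${APPLY:-0}" = "1" ]; then
    write_ssh_custom_service
    apply_rules
fi
```

A rich rule with no family= already applies to both IPv4 and IPv6 when it carries no address, which is why Kimee's single rule works; the explicit families above are for readability in the rule listing.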