[CentOS-docs] firewalld configuration for securing SSH

Tue Apr 30 14:07:47 UTC 2019
Thibaut Perrin <thibaut.perrin at gmail.com>

Thanks for the research and modification



On Tue 30 Apr 2019 at 03:55, Kimberlee Integer Model <
kimee.i.model at gmail.com> wrote:

> Thibaut, I did a little more reading, and according to both
> firewalld.service(5) and firewalld.org the service XML files, can only
> handle source/destination/port, and cannot handle the actions to be
> performed. I will update where possible to use the service files, but
> log/accept limit will still need to be encoded in rich rules.
>
> -- Kimee
>
> On Mon, 2019-04-29 at 20:43 -0400, Kimberlee Integer Model wrote:
> > Ah. I understand now. I was considering roughly the same, but wasn't
> > sure whether that or rich rules was preferable.
> >
> > -- Kimee
> >
> >
> > On Sat, 2019-04-27 at 01:39 +0200, Thibaut Perrin wrote:
> > > No, I think the rules you created might have a better place in a
> > > custom xml file instead of being given to firewall cmd directly :)
> > >
> > > On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model <
> > > kimee.i.model at gmail.com> wrote:
> > > > I'm not sure I follow, you just think the modified one should be
> > > > called
> > > > "ssh-custom", or you think there shouldn't be a modified service
> > > > file
> > > > at all?
> > > >
> > > > -- Kimee
> > > >
> > > > On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote:
> > > > > Hi there,
> > > > >
> > > > > Wouldn't that be a better solution to create a custom xml file
> > > > > to
> > > >
> > > > put
> > > > > in /etc/firewalld and load that "ssh-custom" service instead ?
> > > > >
> > > > > Thanks
> > > > >
> > > > > On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com
> > > > > >
> > > > > wrote:
> > > > > > Thank you, I've gone in and made the listed changes changed
> > > > > > firewalld
> > > > > > sections to use services instead of just port numbers.
> > > > > >
> > > > > > -- Kimee
> > > > > >
> > > > > >
> > > > > > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> > > > > > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
> > > > > > > <kimee.i.model at gmail.com> wrote:
> > > > > > > >
> > > > > > > > HI all,
> > > > > > > >
> > > > > > > > 1st time contributor here. I was using the guide on
> > > >
> > > > securing
> > > > > > > > SSH,
> > > > > > > > and
> > > > > > > > noticed that the firewall-cmd snippets for filtering by
> > > > > > > > requests
> > > > > > > > per
> > > > > > > > time seem somewhat outdated. From what I can tell the
> > > > > > > > given
> > > > > > > > snippets,
> > > > > > > > relay arguments directly down to iptables, and do not
> > > > > > > > cover
> > > > > > > > both
> > > > > > > > IPv4
> > > > > > > > and v6. (and in fact when attempting to extend to v6 the
> > > > > > > > firewall
> > > > > > > > would
> > > > > > > > fail to reload). I came up with an "all firewall-cmd"
> > > >
> > > > solution
> > > > > > > > which
> > > > > > > > I'd like to share.
> > > > > > > >
> > > > > > > > It boils down to using rich rules in firewalld instead of
> > > > > > > > direct
> > > > > > > > rules
> > > > > > > > for iptables. The code snippets in section 6 of <
> > > > > > > > https://wiki.centos.org/HowTos/Network/SecuringSSH>;;;;
> > > >
> > > > would be
> > > > > > > > changed to
> > > > > > > >
> > > > > > > > firewall-cmd --permanent --add-rich-rule='rule port
> > > >
> > > > port="22"
> > > > > > > > protocol="tcp" accept limit value="4/m"'
> > > > > > > > firewall-cmd --permanent --remove-service ssh
> > > > > > > > firewall-cmd --permanent --remove-port 22/tcp
> > > > > > > > firewall-cmd --reload
> > > > > > > >
> > > > > > > > newly minted wiki username is "KimeeModel".
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kimee
> > > > > > >
> > > > > > > You should be able to edit that page. Let us know if you
> > > > > > > find
> > > >
> > > > any
> > > > > > > problem.
> > > > > > >
> > > > > > > Akemi
> > > > > > > _______________________________________________
> > > > > > > CentOS-docs mailing list
> > > > > > > CentOS-docs at centos.org
> > > > > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > > > > >
> > > > > > _______________________________________________
> > > > > > CentOS-docs mailing list
> > > > > > CentOS-docs at centos.org
> > > > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > CentOS-docs mailing list
> > > > > CentOS-docs at centos.org
> > > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > > >
> > > > _______________________________________________
> > > > CentOS-docs mailing list
> > > > CentOS-docs at centos.org
> > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > >
> > > _______________________________________________
> > > CentOS-docs mailing list
> > > CentOS-docs at centos.org
> > > https://lists.centos.org/mailman/listinfo/centos-docs
> >
> >
>
> _______________________________________________
> CentOS-docs mailing list
> CentOS-docs at centos.org
> https://lists.centos.org/mailman/listinfo/centos-docs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20190430/d7c7307b/attachment-0004.html>