[CentOS-docs] firewalld configuration for securing SSH

Fri Apr 26 23:39:47 UTC 2019
Thibaut Perrin <thibaut.perrin at gmail.com>

No, I think the rules you created might have a better place in a custom xml
file instead of being given to firewall cmd directly :)

On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model <
kimee.i.model at gmail.com> wrote:

> I'm not sure I follow, you just think the modified one should be called
> "ssh-custom", or you think there shouldn't be a modified service file
> at all?
>
> -- Kimee
>
> On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote:
> > Hi there,
> >
> > Wouldn't that be a better solution to create a custom xml file to put
> > in /etc/firewalld and load that "ssh-custom" service instead ?
> >
> > Thanks
> >
> > On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com>
> > wrote:
> > > Thank you, I've gone in and made the listed changes changed
> > > firewalld
> > > sections to use services instead of just port numbers.
> > >
> > > -- Kimee
> > >
> > >
> > > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> > > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
> > > > <kimee.i.model at gmail.com> wrote:
> > > > >
> > > > > HI all,
> > > > >
> > > > > 1st time contributor here. I was using the guide on securing
> > > > > SSH,
> > > > > and
> > > > > noticed that the firewall-cmd snippets for filtering by
> > > > > requests
> > > > > per
> > > > > time seem somewhat outdated. From what I can tell the given
> > > > > snippets,
> > > > > relay arguments directly down to iptables, and do not cover
> > > > > both
> > > > > IPv4
> > > > > and v6. (and in fact when attempting to extend to v6 the
> > > > > firewall
> > > > > would
> > > > > fail to reload). I came up with an "all firewall-cmd" solution
> > > > > which
> > > > > I'd like to share.
> > > > >
> > > > > It boils down to using rich rules in firewalld instead of
> > > > > direct
> > > > > rules
> > > > > for iptables. The code snippets in section 6 of <
> > > > > https://wiki.centos.org/HowTos/Network/SecuringSSH>;; would be
> > > > > changed to
> > > > >
> > > > > firewall-cmd --permanent --add-rich-rule='rule port port="22"
> > > > > protocol="tcp" accept limit value="4/m"'
> > > > > firewall-cmd --permanent --remove-service ssh
> > > > > firewall-cmd --permanent --remove-port 22/tcp
> > > > > firewall-cmd --reload
> > > > >
> > > > > newly minted wiki username is "KimeeModel".
> > > > >
> > > > > Regards,
> > > > > Kimee
> > > >
> > > > You should be able to edit that page. Let us know if you find any
> > > > problem.
> > > >
> > > > Akemi
> > > > _______________________________________________
> > > > CentOS-docs mailing list
> > > > CentOS-docs at centos.org
> > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > >
> > > _______________________________________________
> > > CentOS-docs mailing list
> > > CentOS-docs at centos.org
> > > https://lists.centos.org/mailman/listinfo/centos-docs
> > >
> >
> > _______________________________________________
> > CentOS-docs mailing list
> > CentOS-docs at centos.org
> > https://lists.centos.org/mailman/listinfo/centos-docs
>
> _______________________________________________
> CentOS-docs mailing list
> CentOS-docs at centos.org
> https://lists.centos.org/mailman/listinfo/centos-docs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20190427/1d138ace/attachment-0006.html>