[CentOS-docs] firewalld configuration for securing SSH

Tue Apr 30 00:43:13 UTC 2019
Kimberlee Integer Model <kimee.i.model at gmail.com>

Ah. I understand now. I was considering roughly the same, but wasn't
sure whether that or rich rules was preferable.

-- Kimee


On Sat, 2019-04-27 at 01:39 +0200, Thibaut Perrin wrote:
> No, I think the rules you created might have a better place in a
> custom xml file instead of being given to firewall cmd directly :)
> 
> On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model <
> kimee.i.model at gmail.com> wrote:
> > I'm not sure I follow, you just think the modified one should be
> > called
> > "ssh-custom", or you think there shouldn't be a modified service
> > file
> > at all?
> > 
> > -- Kimee
> > 
> > On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote:
> > > Hi there,
> > > 
> > > Wouldn't that be a better solution to create a custom xml file to
> > put
> > > in /etc/firewalld and load that "ssh-custom" service instead ?
> > > 
> > > Thanks
> > > 
> > > On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com>
> > > wrote:
> > > > Thank you, I've gone in and made the listed changes changed
> > > > firewalld
> > > > sections to use services instead of just port numbers.
> > > > 
> > > > -- Kimee
> > > > 
> > > > 
> > > > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> > > > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
> > > > > <kimee.i.model at gmail.com> wrote:
> > > > > > 
> > > > > > HI all,
> > > > > > 
> > > > > > 1st time contributor here. I was using the guide on
> > securing
> > > > > > SSH,
> > > > > > and
> > > > > > noticed that the firewall-cmd snippets for filtering by
> > > > > > requests
> > > > > > per
> > > > > > time seem somewhat outdated. From what I can tell the given
> > > > > > snippets,
> > > > > > relay arguments directly down to iptables, and do not cover
> > > > > > both
> > > > > > IPv4
> > > > > > and v6. (and in fact when attempting to extend to v6 the
> > > > > > firewall
> > > > > > would
> > > > > > fail to reload). I came up with an "all firewall-cmd"
> > solution
> > > > > > which
> > > > > > I'd like to share.
> > > > > > 
> > > > > > It boils down to using rich rules in firewalld instead of
> > > > > > direct
> > > > > > rules
> > > > > > for iptables. The code snippets in section 6 of <
> > > > > > https://wiki.centos.org/HowTos/Network/SecuringSSH>;;;
> > would be
> > > > > > changed to
> > > > > > 
> > > > > > firewall-cmd --permanent --add-rich-rule='rule port
> > port="22"
> > > > > > protocol="tcp" accept limit value="4/m"'
> > > > > > firewall-cmd --permanent --remove-service ssh
> > > > > > firewall-cmd --permanent --remove-port 22/tcp
> > > > > > firewall-cmd --reload
> > > > > > 
> > > > > > newly minted wiki username is "KimeeModel".
> > > > > > 
> > > > > > Regards,
> > > > > > Kimee
> > > > > 
> > > > > You should be able to edit that page. Let us know if you find
> > any
> > > > > problem.
> > > > > 
> > > > > Akemi
> > > > > _______________________________________________
> > > > > CentOS-docs mailing list
> > > > > CentOS-docs at centos.org
> > > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > > > 
> > > > _______________________________________________
> > > > CentOS-docs mailing list
> > > > CentOS-docs at centos.org
> > > > https://lists.centos.org/mailman/listinfo/centos-docs
> > > > 
> > > 
> > > _______________________________________________
> > > CentOS-docs mailing list
> > > CentOS-docs at centos.org
> > > https://lists.centos.org/mailman/listinfo/centos-docs
> > 
> > _______________________________________________
> > CentOS-docs mailing list
> > CentOS-docs at centos.org
> > https://lists.centos.org/mailman/listinfo/centos-docs
> 
> _______________________________________________
> CentOS-docs mailing list
> CentOS-docs at centos.org
> https://lists.centos.org/mailman/listinfo/centos-docs