[CentOS] firewall questions

Sun Jun 21 20:46:51 UTC 2020
Pete Biggs <pete at biggs.org.uk>

On Sun, 2020-06-21 at 14:33 -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific 
> ip blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 
> and 118.0.0.0/24, and they amounted to a multiple thousands of attempts 
> per day.

It seems oddly coincidental that they are all x.0.0.y addresses - the
netblocks they belong to are all much bigger than /24.  I can
understand getting attacks from a range of IPs from an ISP or the like,
but the 51.0.0.0/24 is part of a UK government network and I think they
would be all over it if a range of their network was being used for
naughty purposes.

> 
> I did some more research, and decided to use a few rich rules to block 
> these attempts. I currently have these in place:
> 
> #firewall-cmd --list-all
> public (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: p3p1
>    sources:
>    services: dhcpv6-client ftp http https imap imaps pop3 pop3s 
> smtp-submission smtps ssh
>    ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
>    protocols:
>    masquerade: no
>    forward-ports:
>    source-ports:
>    icmp-blocks:
>    rich rules:
>          rule family="ipv4" source address="49.0.0.0/24" reject
>          rule family="ipv4" source address="51.0.0.0/24" reject
>          rule family="ipv4" source address="111.0.0.0/24" reject

Is that the correct interface referred to in the zone?  Can you see the
rich rules implemented properly in the output of 'iptables -L'? (They
should be in the chain IN_public_deny.)

> 
> But I still get hundreds of attempts reported in my fail2ban logs from 
> these ip blocks. How is it that the rich rules don't drop these packets 
> before pam/ssh/fail2ban ever get to see them?

Is fail2ban stopping the individual hosts? Do you have the recidive
rule enabled to permaban them?

Do you get legitimate SSH connections from anywhere?  Can you remove
the ssh service and add rich rules to allow certain hosts or netblocks
to connect via port 22?

Finally, do you have a network firewall that can be used to block the
connections?

> There must be some precedence in the firewalling I don't understand.

Yes, there is a precedence, but it should be working in your favour -
the chain 'IN_public' contains the public inbound chain and it should
contain:

   # iptables -L IN_public
   Chain IN_public (2 references)
   target     prot opt source               destination         
   IN_public_log  all  --  anywhere             anywhere            
   IN_public_deny  all  --  anywhere             anywhere            
   IN_public_allow  all  --  anywhere             anywhere            
   ACCEPT     icmp --  anywhere             anywhere            

So it should be denying packets before the allowing them (and
the IN_public_allow chain is what contains your ssh service
definition).

P.