Kimberlee Integer Model
2019-Apr-24 07:13 UTC
[CentOS-docs] firewalld configuration for securing SSH
Hi all,

1st time contributor here. I was using the guide on securing SSH, and noticed that the firewall-cmd snippets for filtering by requests per time seem somewhat outdated. From what I can tell, the given snippets relay arguments directly down to iptables, and do not cover both IPv4 and v6 (and in fact when attempting to extend to v6 the firewall would fail to reload). I came up with an "all firewall-cmd" solution which I'd like to share.

It boils down to using rich rules in firewalld instead of direct rules for iptables. The code snippets in section 6 of <https://wiki.centos.org/HowTos/Network/SecuringSSH> would be changed to

firewall-cmd --permanent --add-rich-rule='rule port port="22" protocol="tcp" accept limit value="4/m"'
firewall-cmd --permanent --remove-service ssh
firewall-cmd --permanent --remove-port 22/tcp
firewall-cmd --reload

Newly minted wiki username is "KimeeModel".

Regards,
Kimee
-=[X.L.O.R.D]=-
2019-Apr-24 14:12 UTC
[CentOS-docs] firewalld configuration for securing SSH
Kimee,

Using "--add-rich-rule" does help, thanks for sharing!

Xlord

_______________________________________________
CentOS-docs mailing list
CentOS-docs at centos.org
https://lists.centos.org/mailman/listinfo/centos-docs
On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model <kimee.i.model at gmail.com> wrote:
> newly minted wiki username is "KimeeModel".

You should be able to edit that page. Let us know if you find any problem.

Akemi
Kimberlee Integer Model
2019-Apr-26 17:22 UTC
[CentOS-docs] firewalld configuration for securing SSH
Thank you, I've gone in and made the listed changes and changed the firewalld sections to use services instead of just port numbers.

--
Kimee

On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> You should be able to edit that page. Let us know if you find any problem.
>
> Akemi
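A worked version of the thread's proposal, added here as an example that is not from the CentOS wiki or from any list participant: shell helpers that build the rich rule both in the port form Kimee posted and in the service form the updated wiki section uses, then apply it with the same remove-service/remove-port steps and verify the live configuration. Function names are this example's own; firewall-cmd must be installed for apply_ssh_rate_limit to do anything, the two rule builders run anywhere.

```shell
#!/bin/sh
# Rate-limited SSH via firewalld rich rules (example code; the helper
# names below are not part of firewalld or of the CentOS wiki page).

# A firewalld rate is <count>/<duration>, duration one of s, m, h, d,
# e.g. "4/m" as used in the thread.
valid_rate() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]*/[smhd]$'
}

# Rich rule keyed on a raw port. Deliberately no family= clause, so one
# rule covers IPv4 and IPv6, which the old direct/iptables snippets did not.
ssh_limit_rule() {          # $1 = port, $2 = rate
    valid_rate "$2" || return 1
    printf 'rule port port="%s" protocol="tcp" accept limit value="%s"' "$1" "$2"
}

# Same limit, keyed on the firewalld "ssh" service definition instead
# (the form the revised wiki section switched to).
ssh_service_limit_rule() {  # $1 = rate
    valid_rate "$1" || return 1
    printf 'rule service name="ssh" accept limit value="%s"' "$1"
}

# Add the rule, then drop the unconditional allows. If "ssh" or "22/tcp"
# stays open in the zone, connections above the limit fall through to
# that allow and the limit never bites; with them gone, excess packets
# reach the zone default (reject on the public zone).
# Caveat: firewalld's limit is one token bucket for the whole rule, not
# per source address, so the budget is shared by every client.
apply_ssh_rate_limit() {    # $1 = rate
    rule=$(ssh_service_limit_rule "$1") || { echo "bad rate: $1" >&2; return 1; }
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    # Idempotent: only add the rule if it is not already in the permanent config.
    firewall-cmd --permanent --query-rich-rule="$rule" >/dev/null 2>&1 ||
        firewall-cmd --permanent --add-rich-rule="$rule"
    firewall-cmd --permanent --remove-service=ssh
    firewall-cmd --permanent --remove-port=22/tcp
    firewall-cmd --reload
    # Check the runtime state: the rich rule must be listed, plain ssh must not.
    firewall-cmd --list-rich-rules | grep -F -- "$rule" >/dev/null || return 1
    ! firewall-cmd --list-services | grep -qw ssh
}
```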