How to allow limited access to ssh and limit also log messages
by Freek de Kruijf
I tried the rich rule:
firewall-cmd --permanent --add-rich-rule='rule service name="ssh" log prefix="PREFIX-SSH-PORT" level="info" limit value="6/m" accept limit value="3/m"'
This is to limit access to the ssh service from one source to 3 per minute, but allow 6 log lines per minute to syslog.
However, this does not limit access to 3 per minute; in fact I experience unlimited access and only limited, more than 6, log lines in the log.
4 years, 6 months
Best way to block IPv6 on a physical interface
by Scott A. Wozny
Working on a new CentOS 7 image, I was warned off completely disabling the IPv6 stack for three main categories of reasons I've come to identify as "it breaks other stuff somewhat unpredictably", "a whole bunch of stuff in the OS relies on IPv6 in ways that are nearly unpredictable" (which I consider a superset of category 1, but sounds less like a scary bedtime story / an excuse for bad programming) and "IPv6 is the future; get with it". However, as I need to also exist in the present time, and I do not intend to make active use of IPv6, I want to secure my server against speaking or hearing IPv6 on the physical interface in any way I reasonably can. I used sysctl to disable IPv6 on all physical interfaces, but it still leaves a link-local address bound to the physical interface and as this machine is going into a colocation facility, I don't trust my neighbours so my next stop is the firewall.
In my firewalld configuration, I have been trying to add the broadest rich rule to drop IPv6 traffic I can. My initial attempt was:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" drop'
But I got back:
Error: INVALID_RULE: no element, no source, no destination
I then tried:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" protocol value="ipv6" drop'
Which was successfully added, but when I took a closer look at /etc/protocols, it appears that protocol is actually only for IPv6 tunneling over IPv4 so while the firewall accepts the rich rule, I don't think it's going to do what I want it to do. If it was IPv4 I would do a source restriction of 0.0.0.0/0 and Google / Server Fault tells me the IPv6 equivalent is ::0/0 so when I run:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" source address="::0/0" drop'
It leaves me with an ip6tables -S rule of:
-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
Which LOOKS like what I want, but I almost just mistook the IPv6 over IPv4 tunneling protocol for IPv6 so I'm asking the gurus on here if this is how they deafen their interfaces to IPv6 or if I've missed something due to my lack of understanding of the protocol.
Any suggestions would be appreciated.
Thanks,
Scott
4 years, 6 months
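As an added example (not code from the thread), a small POSIX shell helper that sorts the DROP rules in ip6tables -S output into true catch-alls and rules that only match IP protocol 41, which is what "-p ipv6" means in /etc/protocols, the distinction Scott is worried about. The chain names and sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: classify the DROP rules in
# "ip6tables -S" output. "-p ipv6" is IP protocol 41 (IPv6 encapsulation),
# so such a rule only drops tunnelled IPv6, not all IPv6 traffic.
# Run against the live firewall with:  ip6tables -S | classify_ip6_drops

classify_ip6_drops() {
    while IFS= read -r rule; do
        case "$rule" in
            *" -j DROP"*) ;;        # only DROP rules are of interest
            *) continue ;;
        esac
        # Any "-p" narrows the match to one protocol; "-p ipv6" is 41.
        case "$rule" in
            *" -p ipv6 "*) echo "proto-41-only: $rule"; continue ;;
            *" -p "*)      echo "narrow: $rule"; continue ;;
        esac
        # A source or destination other than ::/0 also narrows the match.
        # ip6tables -S normally omits "-s ::/0", so its absence is expected.
        case "$rule" in
            *" -s ::/0 "*|*" -d ::/0 "*) ;;
            *" -s "*|*" -d "*) echo "narrow: $rule"; continue ;;
        esac
        echo "catch-all: $rule"
    done
}

# Constructed sample output; the first line is the one quoted in the post.
SAMPLE_RULES='-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
-A IN_myserverzone_deny -m conntrack --ctstate NEW -j DROP
-A IN_myserverzone_deny -s fe80::/10 -j DROP
-A IN_myserverzone_allow -p tcp -m tcp --dport 22 -j ACCEPT'

# Count the sample rules in one class: catch-all, proto-41-only or narrow.
count_class() {
    printf '%s\n' "$SAMPLE_RULES" | classify_ip6_drops | grep -c "^$1:" || true
}
```

If the only DROP rule reported is "proto-41-only", the zone is not yet deafened to IPv6; a "catch-all" line is what the source address="::0/0" rule should produce.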