On Tue, Oct 13, 2020 at 03:24:06PM +0000, Jason Long wrote:
> But, "rule service name="ssh" accept limit value="1/m"" doesn't protect my
> SSH? It's limited attempts!!!
I think you have a basic misunderstanding of how firewalls work. In most
implementations firewalls block traffic by default. The user then
_selectively_ allows services, e.g. "ssh". This limits the attack
surface to the host running firewalld.
For protecting the SSH service itself... maybe you're looking for
something like fail2ban. Or maybe you'd be better served googling "ssh
hardening".
On Tuesday, October 13, 2020, 05:27:51 PM GMT+3:30, Eric Garver <egarver(a)redhat.com> wrote:
On Tue, Oct 13, 2020 at 10:49:52AM +0000, Jason Long wrote:
> Thank you. If I remove "SSH" from services section then no security
> problem? The rich rule protecting my service?
The rich rule is _allowing_ the service. "protecting" is the wrong word.
> On Monday, October 12, 2020, 04:51:55 PM GMT+3:30, Eric Garver <egarver(a)redhat.com> wrote:
>
> On Sat, Oct 10, 2020 at 09:43:01AM +0000, Jason Long wrote:
> > Thank you.
> > Then, I must remove "SSH" from services section
>
> Yes.
>
> > and open port 22?
>
> No. That's already done with the rich rule.
>
> >
> > On Monday, October 5, 2020, 04:37:52 PM GMT+3:30, Eric Garver <egarver(a)redhat.com> wrote:
> >
> > On Sun, Oct 04, 2020 at 11:23:37AM -0000, Jason Long wrote:
> > > My current configuration is:
> > >
> > > public (active)
> > > target: default
> > > icmp-block-inversion: no
> > > interfaces: ens192
> > > sources:
> > > services: http https ssh
> >
> > "ssh" here conflicts with your rich rule below. Here "ssh" is _always_
> > accepted. The rich rule will limit as intended, but that's not useful if
> > you have "ssh" in service as well, because it always accepts (i.e. no
> > limit).
> >
> > > ports: 990/tcp 40000-50000/tcp
> > > protocols:
> > > masquerade: no
> > > forward-ports:
> > > source-ports:
> > > icmp-blocks:
> > > rich rules:
> > >    rule service name="ssh" accept limit value="1/m"
> > >
> > > Any rich rules that improve protection?
> > _______________________________________________
> > firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
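A small check for the conflict Eric points out, added here as an example and not part of the thread or of firewalld itself: it parses a zone dump (constructed below to match the one Jason posted, in the layout `firewall-cmd --zone=public --list-all` prints) and reports any service that is both listed under `services:` and the subject of a rich rule with a `limit` clause, since the service entry accepts unconditionally and the limit never applies. It then prints the `--remove-service` commands that Eric's advice amounts to; they are printed, not executed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Detects the conflict Eric describes:
# a service that appears in the zone's "services:" line is always accepted,
# so a rich rule that rate-limits the same service never gets to act.

# Zone dump constructed to match what Jason posted; on a live host you
# would feed in the output of: firewall-cmd --zone=public --list-all
ZONE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: http https ssh
  ports: 990/tcp 40000-50000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule service name="ssh" accept limit value="1/m"'

# shadowed_services DUMP
# Prints every service that is listed under "services:" and is also the
# subject of a rich rule carrying a "limit" clause. Exit status 0 if any
# were found, 1 if the zone is consistent.
shadowed_services() {
    dump=$1
    status=1
    # take the space-separated service names from the "services:" line
    svcs=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for svc in $svcs; do
        # a rich rule naming exactly this service and containing "limit"
        if printf '%s\n' "$dump" | grep -q "rule service name=\"$svc\" .*limit"; then
            printf '%s\n' "$svc"
            status=0
        fi
    done
    return $status
}

# fix_commands DUMP
# Prints the firewall-cmd invocations that apply Eric's advice: drop the
# service from the zone so only the rich rule (with its limit) decides.
# Printed rather than executed; on a real host, review them and then run them.
fix_commands() {
    for svc in $(shadowed_services "$1"); do
        printf 'firewall-cmd --permanent --zone=public --remove-service=%s\n' "$svc"
    done
    printf 'firewall-cmd --reload\n'
}

if shadowed_services "$ZONE_DUMP" >/dev/null; then
    echo "conflict: always-accepted services whose limit rich rule never applies:"
    shadowed_services "$ZONE_DUMP"
    echo "suggested fix:"
    fix_commands "$ZONE_DUMP"
else
    echo "no conflict between services and limit rich rules"
fi
```

Run against the constructed dump it names `ssh` and prints the `--remove-service=ssh` and `--reload` commands; once `ssh` is gone from the `services:` line it reports no conflict, which is the state Eric is steering the configuration toward.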