On Wed, Sep 23, 2020 at 05:19:17AM +0000, Jason Long wrote:
> Thank you for your great info.
> By:
> # firewall-cmd --zone public --remove-service=ssh
> Do you mean to limit SSH to specific IP addresses?
No. The rich rule I gave will allow SSH for all IPs, but will limit the
connection attempts to 1 per minute.
By default the `public` zone has SSH enabled. So it would catch all the
SSH attempts not allowed by the rich rule. So connection
limiting/throttling would not work as expected. You must remove it to
get the desired results.
On Monday, September 21, 2020, 06:14:10 PM GMT+3:30, Eric Garver
<egarver(a)redhat.com> wrote:
On Fri, Sep 18, 2020 at 06:59:49PM -0000, Jason Long wrote:
> Hello,
> How can I this attack from hping3 by Firewalld:
>
> # hping3 -S -p 22 --flood --rand-source "IP"
>
> Is it possible?
You can use a rich rule and limit new connections for a port/service.
e.g. allow only 1 SSH connection attempt per minute
  # firewall-cmd --zone public --add-rich-rule='rule service name=ssh accept limit value=1/m'
Keep in mind that some zones (e.g. public) have SSH enabled by default
so you should remove them. Otherwise they'll allow all connection
attempts.
  # firewall-cmd --zone public --remove-service=ssh
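The point Eric makes twice above, that a plain `ssh` service entry in the zone accepts everything the limited rich rule does not, is easy to reintroduce later (another admin runs `--add-service=ssh`, or a config management tool restores the default public zone). The checker below is an added example written for this thread, not firewalld's own code; it parses firewalld's permanent zone XML (the default location /etc/firewalld/zones is assumed) and flags any zone where a rate-limited accept rule for a service sits next to an unconditional `<service name=.../>` entry. The two zone documents are constructed samples, corresponding to the public zone before and after `--remove-service=ssh`.

```python
#!/usr/bin/env python3
"""Check firewalld zone files for a rate-limited ssh rich rule that is
undercut by a plain <service name="ssh"/> entry in the same zone.

Added example for this thread, not firewalld's own code. It reads the
permanent zone configuration; /etc/firewalld/zones is the assumed default.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

ZONE_DIR = Path("/etc/firewalld/zones")  # assumed default location


def analyze_zone(xml_text, service="ssh"):
    """Return (unconditional_allow, limits) for one zone document.

    unconditional_allow is True when the zone lists <service name=...>
    directly. limits holds the <limit value=...> of every accept rich rule
    for the service; an accept rule without a limit is recorded as None.
    """
    root = ET.fromstring(xml_text)
    unconditional_allow = any(
        s.get("name") == service for s in root.findall("service")
    )
    limits = []
    for rule in root.findall("rule"):
        svc = rule.find("service")
        if svc is None or svc.get("name") != service:
            continue
        accept = rule.find("accept")
        if accept is None:
            continue  # reject/drop rules grant no access, nothing to limit
        limit = accept.find("limit")
        limits.append(limit.get("value") if limit is not None else None)
    return unconditional_allow, limits


def throttling_effective(xml_text, service="ssh"):
    """True only when every accept path for the service carries a limit."""
    unconditional_allow, limits = analyze_zone(xml_text, service)
    return bool(limits) and None not in limits and not unconditional_allow


def findings(xml_text, zone_name, service="ssh"):
    """Human-readable findings for one zone; an empty list means no problem."""
    unconditional_allow, limits = analyze_zone(xml_text, service)
    out = []
    if unconditional_allow and limits:
        out.append(
            f"{zone_name}: plain '{service}' service entry bypasses the limited "
            f"rich rule; run: firewall-cmd --permanent --zone {zone_name} "
            f"--remove-service={service}"
        )
    if None in limits:
        out.append(f"{zone_name}: an accept rich rule for '{service}' has no limit")
    return out


def scan_zone_dir(zone_dir=ZONE_DIR, service="ssh"):
    """Run findings() over every zone XML file in a directory."""
    results = []
    for path in sorted(Path(zone_dir).glob("*.xml")):
        results.extend(findings(path.read_text(), path.stem, service))
    return results


# Constructed sample zone documents (not taken from a real host).
PUBLIC_BEFORE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule>
    <service name="ssh"/>
    <accept>
      <limit value="1/m"/>
    </accept>
  </rule>
</zone>
"""

# Same zone after: firewall-cmd --permanent --zone public --remove-service=ssh
PUBLIC_AFTER = PUBLIC_BEFORE.replace('  <service name="ssh"/>\n', "", 1)


if __name__ == "__main__":
    for name, text in (("public (before)", PUBLIC_BEFORE),
                       ("public (after)", PUBLIC_AFTER)):
        print(name, "- throttling effective:", throttling_effective(text))
        for line in findings(text, "public"):
            print("  ", line)
```

Two caveats worth keeping in mind when applying the commands from the thread. First, `firewall-cmd` without `--permanent` changes only the runtime configuration, so the zone files this script inspects are unaffected until the same commands are repeated with `--permanent` (or the runtime state is saved with `--runtime-to-permanent`). Second, the `limit` in a rich rule is one token bucket for the whole rule (it maps to the iptables `limit` match or the nftables `limit rate` expression), not a per-source limit: during a `--rand-source` flood the attacker's SYNs consume the shared 1/minute budget, so the rule protects the host from the connection-attempt load but does not keep SSH usable for legitimate administrators while the flood lasts.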