Restrict SSH to one IP on VPS with firewalld
I've got a CentOS 7 VPS set up in the cloud and I'm tired of seeing it being bombarded by SSH login attempts. I secured SSH, but I want to stop them before they get to SSH. I want to close the door using firewalld. I looked around and the closest I found was this:
http://serverfault.com/questions/680780 ... -firewalld
but that assumes that I have multiple interfaces on my VPS and, therefore, using multiple zones. I don't...I have one firewalld zone bound to one interface (eth0).
Any suggestions for how to configure my firewall to only allow SSH traffic from just my home public IP address?
Re: Restrict SSH to one IP on VPS with firewalld
An obvious way to do this is with the rich rules.
If you create the correct XML file in /etc/firewalld/zones/public.xml (where public matches the zone public), you could have something like:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ntp"/>
<icmp-block name="redirect"/>
<icmp-block name="router-solicitation"/>
<icmp-block name="source-quench"/>
<icmp-block name="router-advertisement"/>
<rule family="ipv4">
<source address="<CIDR>"/>
<service name="ssh"/>
<log prefix="sshd " level="info">
<limit value="1/m"/>
</log>
<accept/>
</rule>
<rule family="ipv4">
<source address="<CIDR>"/>
<service name="ssh"/>
<log prefix="sshd " level="info">
<limit value="1/m"/>
</log>
<accept/>
</rule>
</zone>
Where CIDR is the subnet or node you want to allow (like say 192.168.0.0/24 or 192.168.0.1/32). The other bits I've left in are:
1) Allow NTP anywhere (which is the default).
2) Block some ICMP (just as an example).
There are more things you can do with rich rules.
The link you posted suggests doing this with the add-source command line. That may work but am not sure if it'll "tie" the source with the service (as in ssh only from IP_ADDR). You could try it and see if it does. I did the above and it worked really well for me.
Also I think sshd is tcp-wrapper wrapped (although something at the back of my mind suggests that is deprecated). So you could use the /etc/hosts.allow and /etc/hosts.deny mechanism. Finally sshd can also be configured to only allow a subnet/ip address in itself (beyond the firewall), but I can not quite recall the syntax, but doubtless it'll be in the man page and/or somewhere on Google.
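As an added illustration (not the poster's file and not firewalld's own tooling): a small Python audit of a zone file in the shape shown above. It checks the point raised about "tying" the source to the service: ssh must be admitted only through rich rules that name a source address, and must not also be listed as a zone-level service, because a zone-level entry admits port 22 from anywhere regardless of the rich rule. It also prints the equivalent firewall-cmd --add-rich-rule invocation for each rule so the XML and command-line forms can be compared. The zone XML and the documentation range 203.0.113.0/24 are constructed for the example.

```python
"""Audit a firewalld zone XML file: is ssh reachable only from explicit sources?"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample zone, modelled on the public.xml in the answer above
# (203.0.113.0/24 is a documentation range standing in for the <CIDR> placeholder).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Only selected incoming connections are accepted.</description>
  <service name="ntp"/>
  <icmp-block name="redirect"/>
  <rule family="ipv4">
    <source address="203.0.113.0/24"/>
    <service name="ssh"/>
    <log prefix="sshd " level="info">
      <limit value="1/m"/>
    </log>
    <accept/>
  </rule>
</zone>
"""

# Same zone with the mistake the thread is trying to avoid: ssh left enabled
# zone-wide, so the rich rule's source restriction no longer restricts anything.
LEAKY_ZONE_XML = SAMPLE_ZONE_XML.replace(
    '<service name="ntp"/>', '<service name="ntp"/>\n  <service name="ssh"/>')


def audit_zone(xml_text, service="ssh"):
    """Return a list of findings (an empty list means the zone passes).

    1. `service` must not be enabled at zone level (that admits it from any source).
    2. Every rich rule that accepts `service` must carry a <source address=...>.
    3. Each such source must parse as a valid IPv4/IPv6 host or network.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.findall("service"):
        if svc.get("name") == service:
            findings.append(f"{service} is enabled zone-wide; remove it so only rich rules admit it")
    for idx, rule in enumerate(root.findall("rule"), start=1):
        names = [s.get("name") for s in rule.findall("service")]
        if service not in names or rule.find("accept") is None:
            continue
        src = rule.find("source")
        if src is None or not src.get("address"):
            findings.append(f"rule {idx} accepts {service} without a source address")
            continue
        try:
            ipaddress.ip_network(src.get("address"), strict=False)
        except ValueError:
            findings.append(f"rule {idx} has an invalid source address {src.get('address')!r}")
    return findings


def rich_rules_as_commands(xml_text, zone="public"):
    """Translate each <rule> into the equivalent firewall-cmd --add-rich-rule command."""
    root = ET.fromstring(xml_text)
    cmds = []
    for rule in root.findall("rule"):
        parts = [f'rule family="{rule.get("family", "ipv4")}"']
        src = rule.find("source")
        if src is not None:
            parts.append(f'source address="{src.get("address")}"')
        for svc in rule.findall("service"):
            parts.append(f'service name="{svc.get("name")}"')
        log = rule.find("log")
        if log is not None:
            parts.append(f'log prefix="{log.get("prefix")}" level="{log.get("level")}"')
            limit = log.find("limit")
            if limit is not None:
                parts.append(f'limit value="{limit.get("value")}"')
        if rule.find("accept") is not None:
            parts.append("accept")
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='" + " ".join(parts) + "'")
    return cmds


if __name__ == "__main__":
    print("sample zone findings:", audit_zone(SAMPLE_ZONE_XML) or "none")
    print("leaky zone findings:", audit_zone(LEAKY_ZONE_XML))
    for cmd in rich_rules_as_commands(SAMPLE_ZONE_XML):
        print(cmd)
```

To check a live system, pass the contents of /etc/firewalld/zones/public.xml to audit_zone. The leaky variant is the case that matters most in practice: with ssh still listed as a zone-level service, the rich rule's source restriction is decorative, since the zone-wide entry already accepts port 22 from every address.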
Re: Restrict SSH to one IP on VPS with firewalld
Thanks...the rich rules guidance worked great for me.
In my opinion, rich rules are the right tool for the problem I was attempting to solve.
Thanks again.
Re: Restrict SSH to one IP on VPS with firewalld
I am pretty new to CentOS but the most logical way (at least to me) seemed to be to add your ip address (in my case 192.168.0.22 (static)) to the trusted zone and remove ssh from the public zone:
My thoughts were that you only add ports and services like http and https to 'public' and keep the risky stuff on 'trusted' tied to the (static) ip address of the computer you use for access. So if your ip is 192.168.0.22 you can access all services listed in trusted and if your ip is anything other than 192.168.0.22 then you can only access the restricted set of services in the public zone e.g. http and https. This seems incredibly simple compared to other solutions but worked great for my tests and keeps everything neat - isn't that the whole purpose of zones or have I completely misunderstood?
firewall-cmd --permanent --add-source=192.168.0.22 --zone=trusted
firewall-cmd --permanent --add-service=ssh --zone trusted
firewall-cmd --permanent --remove-service=ssh --zone=public
firewall-cmd --reload
Re: Restrict SSH to one IP on VPS with firewalld
I think I tried something similar to your idea, but I found out that I couldn't assign more than one zone to an interface...which is why I abandoned it.
Maybe I did something wrong, though.
Do you have more than 1 interface for your system?
Re: Restrict SSH to one IP on VPS with firewalld
Also, the best way to secure ssh is to turn off password authorization completely and just use key based logins. No key, no access. It doesn't cut down the log noise since they can still try but you do know for sure that they're not going to guess the password!
Re: Restrict SSH to one IP on VPS with firewalld
I have just one interface on my test server and also on my VPS.
I vaguely remember getting a conflict error when trying to assign an interface to the trusted zone on a previous attempt. I believe it checks the incoming interface on the default zone before checking the ip address of the source and routing the request to the appropriate zone - so there is no need to specify the interface on trusted (at least with a single interface).
I think that the convoluted solutions on the net have been passed from previous versions of CentOS and are not necessarily the best way to do it on this version as it uses a completely different system. CentOS 7 seems to have a much improved and more intuitive firewall control.
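To make the zone-selection behaviour described in this post concrete, here is an added Python model (not firewalld's code) of how firewalld chooses a zone for an inbound connection: a zone bound to the packet's source address is consulted before the zone bound to the arriving interface, and the default zone is the fallback. That ordering is why a second zone works on a single-interface host without binding the interface to it. The zone table mirrors the firewall-cmd sequence posted earlier in the thread (192.168.0.22 as a source of trusted, ssh removed from public); the documentation address 203.0.113.7 stands in for an arbitrary internet host, and the port table is constructed for the example.

```python
"""Model of firewalld zone selection on a single-interface host."""
import ipaddress

# Constructed zone state matching the thread's firewall-cmd sequence:
# 192.168.0.22 added as a source of 'trusted', ssh removed from 'public'.
# The real trusted zone has target ACCEPT, i.e. it admits every port.
ZONES = {
    "public": {"interfaces": {"eth0"}, "sources": set(),
               "services": {"http", "https"}, "target": "default"},
    "trusted": {"interfaces": set(), "sources": {"192.168.0.22/32"},
                "services": {"ssh"}, "target": "ACCEPT"},
}
DEFAULT_ZONE = "public"

# Constructed service-to-port table (the relevant subset of firewalld's service definitions).
SERVICE_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443)}


def zone_for_packet(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Source-bound zones first, then interface-bound zones, then the default zone."""
    addr = ipaddress.ip_address(src_ip)
    for name, z in zones.items():
        if any(addr in ipaddress.ip_network(s) for s in z["sources"]):
            return name
    for name, z in zones.items():
        if iface in z["interfaces"]:
            return name
    return default


def verdict(src_ip, iface, proto, dport, zones=ZONES):
    """Return (zone, 'accept'|'drop') for a new inbound connection.

    A zone whose target is ACCEPT admits everything; otherwise only the
    zone's enabled services are admitted and the rest is dropped.
    """
    name = zone_for_packet(src_ip, iface, zones)
    z = zones[name]
    if z["target"] == "ACCEPT":
        return name, "accept"
    for svc in z["services"]:
        if SERVICE_PORTS.get(svc) == (proto, dport):
            return name, "accept"
    return name, "drop"


if __name__ == "__main__":
    for ip, port in [("192.168.0.22", 22), ("203.0.113.7", 22), ("203.0.113.7", 443)]:
        print(ip, port, "->", verdict(ip, "eth0", "tcp", port))
```

One caveat the model makes visible: because the trusted zone's target is ACCEPT, adding a source to it exposes every listening port on the VPS to that address, not just ssh, so the `--add-service=ssh --zone=trusted` step is redundant. If the goal is to tie only ssh to the home address, a zone with the default target (for example one created with `firewall-cmd --permanent --new-zone=NAME`) carrying just the ssh service, or the rich rule from the first answer, is the tighter choice.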
Re: Restrict SSH to one IP on VPS with firewalld
@TrevorH
- Agreed.
Disabling root login over ssh and using a different account via sudo and su to administer the server will remove the noise in your logs - you need to fully test this account before disabling root or you will lock yourself out. Also don't use common predictable names like admin for such an account.