So I'm trying to figure out what is the best way to go with. I'm trying to secure a production server that will allow SSH from a public IP address. I was also going to go with fail2ban on the back-end. Just wanted to get some ideas from the community. One thing that I learned from "TrevorH" was that if I can get the user's public key that will prevent unauthorized users from connecting into the server.
e.g.
From: 1.2.3.4/26 connect via SSH only
From: 1.2.3.4/26 allow 8080/tcp only
From: 1.2.3.4/26 allow 8081/tcp only
From: 0.0.0.0/0 allow 9729/tcp "this is allow from anywhere"
I was thinking about making a rich rule.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="8080" protocol=tcp source address="1.2.3.4/26" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="8081" protocol=tcp source address="1.2.3.4/26" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port="9729" protocol=tcp source address="0.0.0.0/0" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" service name="sshd" source address="10.0.0.1/32" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" service name="sshd" source address="1.2.3.4/26" accept'
Allow some IP via ssh trought firewall-cmd reject all others.
Re: Allow some IP via ssh trought firewall-cmd reject all others.
The "firewalld way" is not rich rules, but to define two zones:
* Zone A allows access to ports ssh, 8080, 8081, and 9729. Traffic from 1.2.3.4/26 belongs to zone A
* Zone B allows access to port 9729. Traffic from interface belongs to zone B
* Zone A allows access to ports ssh, 8080, 8081, and 9729. Traffic from 1.2.3.4/26 belongs to zone A
* Zone B allows access to port 9729. Traffic from interface belongs to zone B
Re: Allow some IP via ssh trought firewall-cmd reject all others.
Thank you. I'll for the advice. I'll look into it a bit further.