perfsonar-user - Re: [perfsonar-user] Restricting SSH on RHEL 7

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Restricting SSH on RHEL 7


  • From: "Dan Pritts" <>
  • To: "Josh Zenker" <>
  • Cc:
  • Subject: Re: [perfsonar-user] Restricting SSH on RHEL 7
  • Date: Fri, 09 Oct 2020 12:55:20 -0400

A sleazy workaround would be to move sshd to its own TCP port, and then use your firewall rules on that port instead. One-line change in /etc/ssh/sshd_config. If you are running SELinux, you'll probably also need to modify ssh_port_t or some similar thing; do "semanage port --list" or maybe "semanage port list" to see what is defined.

I expect but am not sure that the "service name" is from a lookup to /etc/services, so whatever port you choose will have to be listed there with a unique name you can put into your rich rules.

A more elegant workaround, maybe, would be to use a yum plugin to fix it after each update. Also kind of a kludge, but a good technique to know about - not every piece of software has responsive packagers who might just fix it for you.

https://access.redhat.com/solutions/792813

Dan Pritts
ICPSR Computing & Network Services

On 9 Oct 2020, at 11:38, Josh Zenker wrote:

I'm running into an annoying problem on a perfSONAR server running RHEL 7. How can I configure firewalld to only accept SSH connections from a list of allowed networks? My configuration works until perfSONAR installs an update. I read the docs and took the suggestion of adding rich rules.

        rule family="ipv4" source address="172.16.0.0/12" service name="ssh" accept
        rule family="ipv4" source address="155.247.18.0/24" service name="ssh" accept
        rule family="ipv4" source address="155.247.164.0/22" service name="ssh" accept
        rule family="ipv4" source address="155.247.168.0/23" service name="ssh" accept

The trouble is, every time perfSONAR updates, it reinstates the following rule in the chain at a higher priority than my rich rules:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED

As a result, all SSH connections are allowed instead of limiting them to the source networks in my rich rules. I'm no firewalld expert so I could use your help. I'd be surprised if no one else has encountered this use case. What did you do?

Josh Zenker
Linux System Administrator
Temple University Network Services
Office: 215-204-1540 | Mobile: 267-507-5296
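As an added example (not part of Dan's or Josh's messages), here is one way to turn the "fix it after each update" suggestion into a script that yum-plugin-post-transaction-actions can run. It checks whether the blanket "ssh" service is enabled in the zone (that is what produces the unrestricted `tcp dpt:ssh` ACCEPT), removes it, re-adds Josh's four rich rules if any are missing, and reloads firewalld. Everything host-specific is an assumption: the zone name `public`, the install path `/usr/local/sbin/restrict-ssh.sh`, and the `package-glob:state:command` layout of the action file, which is how I recall the plugin's format and should be checked against the Red Hat article Dan linked.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply an SSH source allow-list after
# a package update has re-enabled the blanket "ssh" service in firewalld.
#
# Assumptions (hypothetical, adjust to your host):
#   - firewalld zone is "public" (override with ZONE=...)
#   - installed as /usr/local/sbin/restrict-ssh.sh
#   - triggered by yum-plugin-post-transaction-actions via a file such as
#     /etc/yum/post-actions/perfsonar-ssh.action containing one line:
#       perfsonar-*:update:/usr/local/sbin/restrict-ssh.sh --apply
#     (package glob : transaction state : command; verify against the Red Hat doc)

ZONE="${ZONE:-public}"
# The same networks used in the original rich rules.
ALLOWED_NETS="172.16.0.0/12 155.247.18.0/24 155.247.164.0/22 155.247.168.0/23"

# Print the rich rule for one source network, in the form firewall-cmd accepts.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# True (0) when the zone's service list ($1, output of
# `firewall-cmd --zone=$ZONE --list-services`) contains the blanket "ssh" service.
# Takes the list as an argument so it can be checked without a live firewalld.
ssh_service_enabled() {
    for svc in $1; do
        [ "$svc" = "ssh" ] && return 0
    done
    return 1
}

# True (0) when every allowed network already has a rich rule in $1
# (output of `firewall-cmd --zone=$ZONE --permanent --list-rich-rules`).
rich_rules_complete() {
    for net in $ALLOWED_NETS; do
        case "$1" in
            *"source address=\"$net\""*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Make the permanent config match the allow-list, then reload so runtime follows.
apply_fix() {
    services=$(firewall-cmd --zone="$ZONE" --permanent --list-services)
    if ssh_service_enabled "$services"; then
        firewall-cmd --zone="$ZONE" --permanent --remove-service=ssh
    fi
    current=$(firewall-cmd --zone="$ZONE" --permanent --list-rich-rules)
    for net in $ALLOWED_NETS; do
        case "$current" in
            *"source address=\"$net\""*) ;;
            *) firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$(rich_rule "$net")" ;;
        esac
    done
    firewall-cmd --reload
}

# Only touch the live firewall when asked explicitly; otherwise the functions
# above can be sourced and exercised offline.
if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```

Run it once by hand with `--apply` and confirm with `firewall-cmd --zone=public --list-all` that `services:` no longer contains `ssh` while the four rich rules are listed; after that the post-transaction action keeps it that way across updates. If you also take Dan's port-move suggestion, change the `service name="ssh"` part of the rich rule to `port port="NNNN" protocol="tcp"` and update the SELinux port label with `semanage port` before restarting sshd.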
