perfsonar-user - Re: [perfsonar-user] Restricting SSH on RHEL 7
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: "David J. Chaffin" <>
- To: Josh Zenker <>, Dan Pritts <>
- Cc: "" <>
- Subject: Re: [perfsonar-user] Restricting SSH on RHEL 7
- Date: Fri, 9 Oct 2020 18:01:56 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uark.edu; dmarc=pass action=none header.from=uark.edu; dkim=pass header.d=uark.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y1FBMMg69y+SnWd6gHh252UGRkZeKm+wpZN9MhPbP1k=; b=AgzWz1A4SMD5tfTL/Uub6Z0JTYl6o0O8eSIYWmyiNUoS327P234aQ4WBcwsbyZpjz/BSPAglJUbGbiXP8t6cWfFT2KcqSZBrkE/Yeb1q0n6kfeDBrQXRXPy6JNvjq3xK2uSU7EUHr7nlrsRTOHN425DJsWFI0Jdnl1ZsK4gXN9i6Ct6ejEWAselFmTYxsWimYVVfDC/4sONCI8EbV8NXWtJZ64iijSljJrxRtx6pSFc2FYC9wl5QirLuH8WMYUdaTnF2XNUDXxpbH/6mWOm0WSdh1PDA5mjxYbFixQDEro/Cdj4nhUPpp6iA1P8UbtlTwg6DbxkGBzfsu1dLfnALzQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dy/Oj+LmMotep7vcV3MoJ/qzSV3M/MchR+D1Zuzd1mV5okd8NnN5t9aVBsXDemGzPzNsAayJGvHo8g3QPAmeRBp2cn6ueJbFqM4YKurltY/P5m8O5mX90lPNo2vG/9nkUvg5JyDtHichaCFoPhzYu1r8S4QReXVkMpv7U9fzUUYKbjzCbV1VFyHcLfgHPlsYEwWSKgeEvG9o+/88eMp8AFM8ua7LAL3Lh3R3ydYb/fwQzC9l9xLBPCeq/e/Yzj78nsBWZeHHSShTMFtX2INqdyl2JOm7traAaNcJ+aDIIw6H6XjeNT0Qy5PPwzeBGuhZv/dYXgxSslsLPu1ZdRYZrA==
Sent: Friday, October 9, 2020 11:55 AM
To: Josh Zenker <>
Cc: <>
Subject: Re: [perfsonar-user] Restricting SSH on RHEL 7
A sleazy workaround would be to move sshd to its own TCP port, and then use your firewall rules on that port instead. One-line change in /etc/ssh/sshd_config. If you are running selinux, you'll probably also need to modify ssh_port_t or some similar thing ; do "semanage port --list" or maybe "semanage port list" to see what is defined.
I expect but am not sure that the "service name" is from a lookup to /etc/services, so whatever port you choose will have to be listed there with a unique name you can put into your rich rules.
A more elegant workaround, maybe, would be to use a yum plugin to fix it after each update. Also kind of a kludge, but a good technique to know about - not every piece of software has responsive packagers who might just fix it for you.
https://access.redhat.com/solutions/792813
Dan Pritts
ICPSR Computing & Network Services
On 9 Oct 2020, at 11:38, Josh Zenker wrote:
I'm running into an annoying problem on a perfSONAR server running RHEL 7. How can I configure firewalld to only accept SSH connections from a list of allowed networks? My configuration works until perfSONAR installs an update. I read the docs and took the suggestion of adding rich rules.
rule family="ipv4" source address="172.16.0.0/12" service name="ssh" acceptrule family="ipv4" source address="155.247.18.0/24" service name="ssh" acceptrule family="ipv4" source address="155.247.164.0/22" service name="ssh" acceptrule family="ipv4" source address="155.247.168.0/23" service name="ssh" accept
The trouble is, every time perfSONAR updates, it reinstates the following rule in the chain at a higher priority than my rich rules:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
As a result, all SSH connections are allowed instead of limiting them to the source networks in my rich rules. I'm no firewalld expert so I could use your help. I'd be surprised if no one else has encountered this use case. What did you do?
Josh Zenker
Linux System Administrator
Temple University Network Services
Office: 215-204-1540 | Mobile: 267-507-5296
--
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user
- [perfsonar-user] Restricting SSH on RHEL 7, Josh Zenker, 10/09/2020
- Re: [perfsonar-user] Restricting SSH on RHEL 7, Dan Pritts, 10/09/2020
- Re: [perfsonar-user] Restricting SSH on RHEL 7, David J. Chaffin, 10/09/2020
- Re: [perfsonar-user] Restricting SSH on RHEL 7, Dan Pritts, 10/09/2020
Archive powered by MHonArc 2.6.19.