perfsonar-user - Re: [perfsonar-user] Restricting SSH on RHEL 7

Subject: perfSONAR User Q&A and Other Discussion

  • From: "David J. Chaffin" <>
  • To: Josh Zenker <>, Dan Pritts <>
  • Subject: Re: [perfsonar-user] Restricting SSH on RHEL 7
  • Date: Fri, 9 Oct 2020 18:01:56 +0000

You could also use iptables-save to save the iptables config from firewalld to /etc/sysconfig/iptables, disable firewalld, add your firewall rules to the text file above the ssh rule instead of using GUIs and XML, and enable/start iptables.  Maybe do it on reboot so it would pick up actual firewall updates from perfSONAR.

Related: Aren't nftables and/or BPF supposed to be faster than iptables?  If so, are there plans to incorporate one of these into perfSONAR?

--
David Chaffin
UArk
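David's iptables-save approach, worked through as an added example (this is not code from the thread or from perfSONAR). It takes an iptables-save dump, finds every blanket tcp/22 ACCEPT in the filter table (the rule perfSONAR reinstates, as it appears in a dump), and inserts above it one ACCEPT per allowed network plus a REJECT for everyone else. The REJECT is the part that actually restricts anything: ACCEPT rules placed above a blanket ACCEPT change nothing for sources they do not name. The sample dump, the chain name IN_public_allow, the port list and the networks are constructed for the demo; the script handles the IPv4 dump only, so repeat it with ip6tables-save if sshd also listens on IPv6.

```shell
#!/bin/sh
# Added example for this thread (not perfSONAR's code): rewrite an
# iptables-save dump so tcp/22 is accepted only from chosen source networks.
#
# Usage: restrict_ssh_dump DUMPFILE CIDR [CIDR...] > /etc/sysconfig/iptables.new
#
# For every blanket tcp/22 ACCEPT in the filter table, insert immediately
# above it, in the same chain:
#   - one ACCEPT per allowed CIDR, and
#   - one REJECT for every other source.
# The blanket rule stays below; it can never match, because iptables stops at
# the first matching rule. Rules that already carry a source (-s) are left
# alone (firewalld rich rules end up as such lines), and a dump that was
# already rewritten is passed through unchanged.
restrict_ssh_dump() {
    dump=$1
    shift
    awk -v allowed="$*" '
        /^\*/ { table = substr($0, 2) }          # "*filter", "*nat", ...
        table == "filter" && /^-A / && /--dport 22( |$)/ && /-j ACCEPT/ \
            && !/ -s / && prev !~ /--dport 22 -j REJECT/ {
            chain = $2
            n = split(allowed, cidr, " ")
            for (i = 1; i <= n; i++)
                printf "-A %s -s %s -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT\n", chain, cidr[i]
            printf "-A %s -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset\n", chain
        }
        { prev = $0; print }
    ' "$dump"
}

# Constructed sample in the layout firewalld produces on RHEL 7 (not captured
# from a real host): the tcp/22 line is the one perfSONAR keeps reinstating.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on the constructed sample. On a real host you would instead run
#   iptables-save > /etc/sysconfig/iptables.orig
#   restrict_ssh_dump /etc/sysconfig/iptables.orig 172.16.0.0/12 ... > /etc/sysconfig/iptables
demo() {
    tmp=$(mktemp)
    sample_dump > "$tmp"
    restrict_ssh_dump "$tmp" 172.16.0.0/12 155.247.18.0/24
    rm -f "$tmp"
}
demo
```

After writing the new file, the switch David describes is `systemctl disable --now firewalld`, `yum install iptables-services`, `systemctl enable --now iptables`; iptables-restore applies the file top to bottom, which is why the placement above the blanket rule matters. Because the rewrite is idempotent, it can be re-run at boot (or after an update) against a fresh iptables-save dump without stacking duplicate rules.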

From: <> on behalf of Dan Pritts <>
Sent: Friday, October 9, 2020 11:55 AM
To: Josh Zenker <>
Cc: <>
Subject: Re: [perfsonar-user] Restricting SSH on RHEL 7
 

A sleazy workaround would be to move sshd to its own TCP port, and then use your firewall rules on that port instead. One-line change in /etc/ssh/sshd_config. If you are running SELinux, you'll probably also need to modify ssh_port_t or some similar thing; do "semanage port --list" or maybe "semanage port list" to see what is defined.

I expect but am not sure that the "service name" is from a lookup to /etc/services, so whatever port you choose will have to be listed there with a unique name you can put into your rich rules.

A more elegant workaround, maybe, would be to use a yum plugin to fix it after each update. Also kind of a kludge, but a good technique to know about - not every piece of software has responsive packagers who might just fix it for you.

https://access.redhat.com/solutions/792813

Dan Pritts
ICPSR Computing & Network Services

On 9 Oct 2020, at 11:38, Josh Zenker wrote:

I'm running into an annoying problem on a perfSONAR server running RHEL 7. How can I configure firewalld to only accept SSH connections from a list of allowed networks? My configuration works until perfSONAR installs an update. I read the docs and took the suggestion of adding rich rules.

        rule family="ipv4" source address="172.16.0.0/12" service name="ssh" accept
        rule family="ipv4" source address="155.247.18.0/24" service name="ssh" accept
        rule family="ipv4" source address="155.247.164.0/22" service name="ssh" accept
        rule family="ipv4" source address="155.247.168.0/23" service name="ssh" accept

The trouble is, every time perfSONAR updates, it reinstates the following rule in the chain at a higher priority than my rich rules:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED

As a result, all SSH connections are allowed instead of limiting them to the source networks in my rich rules. I'm no firewalld expert so I could use your help. I'd be surprised if no one else has encountered this use case. What did you do?

Josh Zenker
Linux System Administrator
Temple University Network Services
Office: 215-204-1540 | Mobile: 267-507-5296
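Dan's post-update hook and Josh's firewalld rich rules, combined as an added example (not code from the thread, from perfSONAR or from Red Hat). The script reconciles a firewalld zone after each package transaction: it removes the blanket ssh service from the zone, makes sure every allowed network has its accept rich rule, and reloads. One caveat a firewalld user should know before reaching for a catch-all rule: firewalld places rich-rule reject/drop actions in the zone's deny chain, which is evaluated before the allow chain, so a rich rule `service name="ssh" reject` would block SSH from the allowed networks too. Removing the service instead lets unlisted sources fall through to the zone's default target (REJECT for public). The zone name public, the script path /usr/local/sbin/restrict-ssh.sh, the action file name and the network list (taken from Josh's rules) are assumptions to adapt; the action-file line uses the `package-glob:state:command` format of yum-plugin-post-transaction-actions.

```shell
#!/bin/sh
# Added example (not perfSONAR's, not Red Hat's): re-apply an SSH source
# restriction in firewalld after a package update, for use from
# yum-plugin-post-transaction-actions. Zone, script path and network list
# are assumptions.
#
# Action file line, e.g. in /etc/yum/post-actions/perfsonar.action
# (plugin format "package-glob:state:command"):
#   perfsonar*:any:/usr/local/sbin/restrict-ssh.sh
#
# Why the blanket "ssh" service is removed rather than countered with a
# reject rich rule: firewalld evaluates the zone's deny chain before its
# allow chain, so a "service name=ssh reject" rich rule would also block the
# allowed networks. Without the service, unlisted sources hit the zone's
# default target (REJECT in public).

ZONE=${ZONE:-public}
ALLOWED=${ALLOWED:-"172.16.0.0/12 155.247.18.0/24 155.247.164.0/22 155.247.168.0/23"}

# Read a space-separated service list on stdin (what
# `firewall-cmd --list-services` prints) and succeed only if "ssh" is in it.
has_ssh_service() {
    tr ' ' '\n' | grep -qx ssh
}

# Print the rich rule that accepts SSH from one IPv4 network.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept\n' "$1"
}

# Reconcile the zone's permanent configuration, then reload. --reload replaces
# runtime state with the permanent config, so an ssh service that an update
# added at runtime only disappears as well.
restrict_ssh() {
    zone=$1
    shift
    changed=0
    if firewall-cmd --permanent --zone="$zone" --list-services | has_ssh_service; then
        firewall-cmd --permanent --zone="$zone" --remove-service=ssh
        changed=1
    fi
    for net in "$@"; do
        rule=$(ssh_rich_rule "$net")
        if ! firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
            firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then
        firewall-cmd --reload
    fi
}

# Touch the firewall only when run as the installed script; sourcing or
# running this file under another name just defines the functions.
case $0 in
    *restrict-ssh.sh) restrict_ssh "$ZONE" $ALLOWED ;;
esac
```

The script only edits the permanent configuration and reloads once, so running it after every transaction is cheap and leaves the rest of the zone (including whatever perfSONAR legitimately adds) untouched. Running it from the post-transaction hook also covers the case where an update re-adds the ssh service only at runtime, since the reload discards runtime-only changes.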




