Question about Whitelisting and Blacklisting

Mike_Rochefort
Posts: 215
Joined: 2016/03/16 02:34:19

Question about Whitelisting and Blacklisting

Post by Mike_Rochefort » 2017/05/13 00:01:32

At my university I'm going to be managing some servers that will be used as licensing servers, version control, and render nodes. As I want to restrict these to on campus access only, what would be the best course of action?

One of my biggest questions comes from the idea of whitelisting and blacklisting. In the few desktops I've been testing on I've had to repeatedly blacklist IPs that were attempting to SSH into the machines before completely disabling SSH. Will whitelisting the CIDR ranges that the campus is registered with blacklist all other IPs automatically, or is there a rule I need to add to blacklist all IPs on top of the whitelisted IPs?

Thanks in advance!
Solution Architect @RedHat | RHCE
Former SysAdmin @BlueSkyStudios and @Pixar
Feature animation and VFX enthusiast
--
Report CentOS Stream 8 bugs: https://da.gd/c8s-bugs
Report CentOS Stream 9 bugs: https://da.gd/c9s-bugs
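Added example, not code from the thread, answering the whitelist question for plain iptables on a CentOS 7 box: a list of ACCEPT rules for campus ranges restricts nothing on its own. Everything not matched by an ACCEPT rule falls through to the chain policy, so the "blacklist everything else" behaviour comes from setting `:INPUT DROP` (or a final catch-all DROP rule), not from the whitelist itself. The CIDRs and the rollback timer are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Whitelist SSH for campus ranges
# with a default-deny INPUT chain. The CIDRs below are placeholders, not the
# university's real allocations. IPv4 only: ip6tables needs its own ruleset
# (or at least the same DROP policy) or v6 is left wide open.

# campus_ruleset CIDR...: print an iptables-restore ruleset that accepts new
# SSH connections only from the given source ranges and drops all other input.
campus_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for cidr in "$@"; do
        # One ACCEPT per whitelisted range. No explicit deny rule is needed:
        # a packet matching none of these hits the INPUT policy (DROP).
        printf '%s\n' "-A INPUT -s $cidr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# apply_with_rollback SECONDS CIDR...: run as root. Save the live rules, load
# the new set, and restore the saved rules after SECONDS unless the operator
# kills the timer first. This is the guard against locking yourself out of a
# remote host with a ruleset that does not include your own source address.
apply_with_rollback() {
    secs="$1"; shift
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    campus_ruleset "$@" | iptables-restore || return 1
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    printf 'Applied. If a new SSH session still works, run: kill %s  (within %ss)\n' "$!" "$secs"
}

# Dry run: print the ruleset for two placeholder campus ranges.
campus_ruleset 10.0.0.0/8 172.16.0.0/12
```

To make this persistent on CentOS 7 without firewalld, stop and disable firewalld, install `iptables-services`, and write the output of `campus_ruleset` to `/etc/sysconfig/iptables`. Keep the LOG rule rate-limited as shown; an unlimited log of the scanning noise the original post describes will fill `/var/log/messages` quickly.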

Re: Question about Whitelisting and Blacklisting

Post by Mike_Rochefort » 2017/05/13 04:19:43

I now realize what a dumb question this was due to a misunderstanding with whitelists and blacklists.

As a broader question, do I need to worry about the work, home, etc. subsections of the firewall rules or will public work just fine?
Last edited by Mike_Rochefort on 2017/05/13 12:56:48, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Question about Whitelisting and Blacklisting

Post by TrevorH » 2017/05/13 09:38:40

Mostly the recommendation for securing ssh is to leave it open to as few IP addresses as possible but to disable password logins and require key-based access. That stops password brute-forcing bots in their tracks.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Re: Question about Whitelisting and Blacklisting

Post by Mike_Rochefort » 2017/05/13 13:08:06

Thank you for the response Trevor, always appreciate what you do!

For the IP limiting in ssh, I take it you mean something like this?

https://coderwall.com/p/yz-2_a/limit-ss ... ip-address


As for the key management, how would you go about doing that? I've only ever used keys for GitHub/GitLab, so managing them for access is something I've never done before.
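Added example, not code from the thread, covering the key-only advice in the reply above and the follow-up question about limiting SSH by address inside sshd itself. It audits an sshd_config for the settings TrevorH recommends and prints the lines to append. The sample config is constructed, and the account name and CIDRs are placeholders. One caveat on ordering: sshd honours the first occurrence of a keyword, so appended lines only take effect if the earlier ones are removed or commented out. On CentOS 7 (OpenSSH 7.4) there is no `Include` directive, so the main `/etc/ssh/sshd_config` has to be edited.

```shell
#!/bin/sh
# Added example, not from the forum thread: check an sshd_config for
# key-only authentication and print the hardened settings. The sample
# below is constructed; names and CIDRs are placeholders.

WEAK_CONFIG='# constructed sample: a CentOS 7 sshd_config with password logins left on
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
UsePAM yes'

# effective_value CONFIG KEYWORD: sshd uses the FIRST uncommented occurrence
# of a keyword and ignores later duplicates, so report that one. Match
# blocks are not modelled: keep global settings above any Match line.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG: print PASS/FAIL per check and return the failure count.
# A keyword that is absent is reported as "(default)" and fails, because
# relying on compiled-in defaults hides the policy from the next admin.
audit_sshd() {
    _cfg="$1"; _fails=0
    _check() {
        got=$(effective_value "$_cfg" "$1")
        [ -n "$got" ] || got="(default)"
        if [ "$got" = "$2" ]; then
            echo "PASS $1 = $got"
        else
            echo "FAIL $1 = $got (want $2)"
            _fails=$((_fails + 1))
        fi
    }
    _check PasswordAuthentication no
    # keyboard-interactive via PAM is still a password prompt, so close it too
    _check ChallengeResponseAuthentication no
    _check PubkeyAuthentication yes
    _check PermitRootLogin no
    return "$_fails"
}

# hardened_lines: settings to put in /etc/ssh/sshd_config (removing the old
# values first), then `sshd -t && systemctl reload sshd`. Verify from a
# second session before closing the one you are working in.
hardened_lines() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Optional second layer behind the firewall: named accounts, campus ranges only.
# Placeholder user and CIDRs; a typo here locks everyone out, so test it.
#AllowUsers renderadmin@10.0.0.0/8 renderadmin@172.16.0.0/12
EOF
}

echo "== constructed weak config =="
audit_sshd "$WEAK_CONFIG" || echo "$? check(s) failing"
echo "== hardened settings =="
audit_sshd "$(hardened_lines)"
```

For the key management part of the question: each admin generates a key pair on their own workstation with `ssh-keygen`, and only the public half goes into `~/.ssh/authorized_keys` on the server (directory mode 0700, file mode 0600; `ssh-copy-id` does this correctly while password logins are still enabled). Private keys never leave the workstation, and removing someone's access is deleting their line from `authorized_keys`.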

Re: Question about Whitelisting and Blacklisting

Post by TrevorH » 2017/05/13 15:12:11

I'd use iptables to restrict who can reach your machine. Pretty sure there is an article in the wiki about securing ssh.

Re: Question about Whitelisting and Blacklisting

Post by Mike_Rochefort » 2017/05/13 15:17:31

I've used firewalld to set up global rich rules in the past, as I thought it was the intended way forward for CentOS/RHEL. I thought you were saying to set up a second set of IPs specific to ssh on top of this.

Is there any advantage of iptables over firewalld, or is it just more common / user friendly? I'll take a look in the wiki for the SSH topic.

Re: Question about Whitelisting and Blacklisting

Post by TrevorH » 2017/05/13 16:22:57

Pretty sure firewalld is just a wrapper on top of iptables. Personally I'm not a fan but it probably has its use cases. The idea I think was to make iptables more user friendly, which it sort of does if you only want to do basic things. Unfortunately, if you want to do something more complicated than just the basics then firewalld rapidly becomes more complex than doing the same task manually with ordinary iptables rules.
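Added example, not code from the thread, showing the same "SSH only from campus" policy expressed in firewalld, since the thread never spells out how the two map onto each other. On CentOS 7 firewalld does drive iptables underneath: a zone with `--add-source` ranges corresponds to the `-s CIDR` ACCEPT rules, and making `drop` the default zone corresponds to an INPUT policy of DROP. It also answers the earlier question about the work/home/public zones: those presets differ only in which services they allow by default, and a packet is evaluated against whichever zone its source or interface lands in, so what matters is that everything not from campus lands in a zone that drops. Zone name and CIDRs are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Print the firewall-cmd sequence
# for "SSH only from campus ranges, drop everything else", with the iptables
# construct each step corresponds to. Review the output, then pipe it to sh
# as root. Zone name "campus" and the CIDRs are placeholders.

# firewalld_campus_commands CIDR...: emit the commands in a safe order (the
# campus zone exists and is loaded BEFORE the default zone becomes drop, so a
# remote admin on a campus address keeps their session).
firewalld_campus_commands() {
    cat <<'EOF'
# A zone allowing only the ssh service: equivalent to the per-source ACCEPT rules.
firewall-cmd --permanent --new-zone=campus
firewall-cmd --permanent --zone=campus --add-service=ssh
EOF
    for cidr in "$@"; do
        # Packets from these ranges are classified into "campus" (the -s CIDR match).
        echo "firewall-cmd --permanent --zone=campus --add-source=$cidr"
    done
    cat <<'EOF'
firewall-cmd --reload
# Default zone "drop": anything not matched by a source zone is dropped,
# the same role as ":INPUT DROP". Runtime and permanent in one step.
firewall-cmd --set-default-zone=drop
# Verify: campus should list the sources plus ssh; drop should hold the interfaces.
firewall-cmd --get-active-zones
firewall-cmd --zone=campus --list-all
# Rich-rule alternative (the style mentioned earlier in the thread), per range,
# with ssh then removed from the zone the interface sits in:
#   firewall-cmd --permanent --zone=public --remove-service=ssh
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'
EOF
}

firewalld_campus_commands 10.0.0.0/8 172.16.0.0/12
```

Either form ends up as the same iptables rules; the zone approach keeps the allowed ranges in one place, which is easier to review when the campus allocation changes than a rich rule per CIDR. As with the iptables version, none of this covers IPv6 unless the campus v6 prefixes are added as sources too.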
