Temporarily locking down server.
Posted: 2018/02/08 19:01:19
Hello,
For the time being, until I finish hardening my server, which is running CentOS 7 (7.4.1708 Core), I'd like to limit incoming access to the local area network only, except for a certain program or two (such as QBittorrent).
For the SSH server, I've modified /etc/ssh/sshd_config and changed the ListenAddress to the private IP address of my brbond1 interface, 192.168.2.16.
I then restarted sshd by running systemctl restart sshd
systemctl status sshd shows that it's listening on 192.168.2.16.
I run iptables -L and see:
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:51413 ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:51413 ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:<custom SSH port> ctstate NEW
Where <custom SSH port> is the SSH port I picked for the SSH server to run on. This should be okay though, right? Because even though the firewall is allowing traffic through on the SSH port, the SSH server isn't listening on it...
I've been using the firewall GUI in Gnome to configure the firewall, but I wonder if the iptables rules should be configured differently to state that it should only accept from the local area network right now...
How would I go about using that firewall GUI in Gnome to tell it I only want it to allow SSH connections from the local network? I see for Configuration: Permanent -> Services, there's a Destination tab, which states:
If you specify destination addresses, the service entry will be limited to the destination address and type. If both entries are empty, there is no limitation.
But that doesn't sound quite like what I'm looking for, unless I'm misunderstanding it. If I set an IPv4 destination address of 192.168.2.0/24 for the SSH server, will that change iptables so it's only listening on the local network for incoming traffic? Or would that prevent me from ssh'ing out to other servers on the public internet?
Thanks!
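The Destination tab on a firewalld service restricts which of the server's own addresses the service is reachable on; it does not restrict who may connect. Limiting SSH to the LAN is a source restriction, which firewalld expresses either by binding the LAN subnet to a zone (firewall-config: Zones -> Sources) or with a rich rule that names the source address. Either way only the INPUT side changes, so outbound ssh to public hosts is unaffected. The script below is an added example written for this page, not something from the original post: it builds the rich rule (and the equivalent raw iptables rule) for the 192.168.2.0/24 network from the post, prints the firewall-cmd commands needed to replace the existing open-to-anywhere port entry, and includes a small CIDR check so you can confirm which client addresses the rule would admit before applying it. The function names, the DO_APPLY switch and the SSH port argument are my own assumptions; the post's custom SSH port is not on the page, so it is passed in as a parameter.

```shell
#!/bin/sh
# Added example (not from the forum post). Assumptions: the LAN is 192.168.2.0/24,
# the custom SSH port is passed as an argument, and the open-to-anywhere entry
# currently lives in firewalld's "public" zone as a port (not a service).

# firewalld rich rule: accept TCP on the SSH port only from the given source CIDR.
lan_ssh_rich_rule() {
  # $1 = source CIDR, $2 = SSH TCP port
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# The same restriction as a raw iptables rule, for readers managing the table directly.
lan_ssh_iptables_rule() {
  printf 'iptables -A INPUT -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT' "$1" "$2"
}

# Convert a dotted-quad IPv4 address to an integer (pure POSIX sh arithmetic).
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return success (0) when address $1 falls inside CIDR $2, e.g. 192.168.2.16 in 192.168.2.0/24.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print (and with DO_APPLY=1 also run) the firewall-cmd commands that swap the
# open-to-anywhere port entry for the LAN-only rich rule. The broad port entry
# must be removed: a zone that still accepts the port from anywhere would make
# the narrower rich rule irrelevant. If the port was added as a service instead,
# use --remove-service=<name> in place of --remove-port.
apply_lan_only_ssh() {
  rule=$(lan_ssh_rich_rule "$1" "$2")
  for cmd in \
    "firewall-cmd --permanent --zone=public --remove-port=$2/tcp" \
    "firewall-cmd --permanent --zone=public --add-rich-rule='$rule'" \
    "firewall-cmd --reload"; do
    echo "$cmd"
    if [ "${DO_APPLY:-0}" = 1 ]; then eval "$cmd"; fi
  done
}

# Dry run for the network in the post; supply the real port in place of 2222 (placeholder).
if [ "${1:-}" = "--demo" ]; then
  apply_lan_only_ssh 192.168.2.0/24 2222
  in_cidr 192.168.2.16 192.168.2.0/24 && echo "192.168.2.16 would be accepted"
  in_cidr 203.0.113.5 192.168.2.0/24 || echo "203.0.113.5 would be dropped"
fi
```

Run it with --demo to see the commands without touching the firewall, then set DO_APPLY=1 once the printed rule matches what you expect. The removal step is deliberate: firewalld evaluates a zone's port and service entries alongside its rich rules, so an ACCEPT for the port from anywhere has to go before the source-limited rule actually narrows anything.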