Temporarily locking down server.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Temporarily locking down server.

Post by Spork Schivago » 2018/02/08 19:01:19

Hello,

For the time being, until I finish hardening my server, which is running CentOS 7 (7.4.1708 Core), I'd like to limit incoming access to the local area network only, except for a certain program or two (such as qBittorrent).

For the SSH server, I've modified /etc/ssh/sshd_config and changed the ListenAddress to the private IP address of my brbond1 interface, 192.168.2.16.

I then restarted sshd by running systemctl restart sshd

systemctl status sshd shows that it's listening on 192.168.2.16.

I run iptables -L and see:

    Chain IN_public_allow (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51413 ctstate NEW
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51413 ctstate NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<custom SSH port> ctstate NEW

Where <custom SSH port> is the SSH port I picked for the SSH server to run on. This should be okay though, right? Because even though the firewall is allowing traffic through on the SSH port, the SSH server isn't listening to it....

I've been using the firewall GUI in Gnome to configure the firewall, but I wonder if the iptables rules should be configured differently to state that it should only accept from the local area network right now...

How would I go about using that firewall GUI in Gnome to tell it I only want it to allow SSH connections from the local network? I see for Configuration: Permanent -> Services, there's a Destination tab, which states:

    If you specify destination addresses, the service entry will be limited to the destination address and type. If both entries are empty, there is no limitation.

But that doesn't sound quite what I'm looking for, unless I'm misunderstanding it. If I set an IPv4 destination address of 192.168.2.0/24 for the SSH server, will that change iptables so it's only listening on the local network for incoming traffic? Or would that prevent me from ssh'ing out to other servers on the public internet?

Thanks!
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Temporarily locking down server.

Post by TrevorH » 2018/02/08 19:06:46

If you change the port that sshd listens on then you probably also need to tell selinux that it's ok for it to bind to that port - use semanage port to do that. The ssh server will not start if it's denied access to the port.

Firewalld has nothing to do with what ports a daemon listens on. You may need to configure firewalld to allow the port to be accessed but it doesn't affect whether things can listen on the port.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Temporarily locking down server.

Post by Spork Schivago » 2018/02/08 19:12:32

TrevorH wrote:If you change the port that sshd listens on then you probably also need to tell selinux that it's ok for it to bind to that port - use semanage port to do that. The ssh server will not start if it's denied access to the port.

Firewalld has nothing to do with what ports a daemon listens on. You may need to configure firewalld to allow the port to be accessed but it doesn't affect whether things can listen on the port.
I should have provided more information. I have used semanage to tell selinux that it's okay for ssh to bind to that port.

The SSH server can start and I can successfully ssh into the machine from the local area network. Eventually, I want to provide SSH access to certain IPs from the outside world. I figured iptables would be the way to go for that. I'd like to open up multiple ports to certain IPs only, eventually.

So maybe I should change how I worded my question.

**EDIT: I want to know if there's a way, using the firewall GUI (firewall-config), to allow certain internal and / or external IP addresses access to certain ports through iptables. I know I can do this using iptables directly, but should I be using iptables directly or using the firewalld programs?

I understand that something will need to be bound to those ports and configured to listen for traffic on those ports and my gateway and switch will need to be properly configured as well. Assuming that is all taken care of though, how does one go about "white listing" certain IPs / network addresses through the firewall in CentOS? I'll head back to Google and use the search feature here to see if I can find an answer. Maybe I didn't search hard enough earlier.

Thank you.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Temporarily locking down server.

Post by TrevorH » 2018/02/08 21:02:53

If you used firewalld then you probably have to use rich rules - no idea how that's done as I think firewalld is a bloated pig. Using ordinary iptables rules is easy and you can do whatever you want with them.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Temporarily locking down server.

Post by Spork Schivago » 2018/02/08 21:09:38

Maybe something like this:

    firewall-cmd --permanent --zone=public --add-source=192.168.2.0/24   # White-list the whole local network
    firewall-cmd --permanent --zone=public --add-source=8.8.8.8/32       # White-list Google's Public DNS server

    firewall-cmd --permanent --zone=public --add-port=22/tcp        # Open port 22-TCP to the source addresses added above.
    firewall-cmd --permanent --zone=public --add-port=22/udp        # Open port 22-UDP to the source addresses added above.

I think that would allow me to white-list IP addresses, although I'd still like iptables -L to show the SSH server port only opened for certain IP addresses.

I guess it doesn't really matter that much, it'd just make me feel more comfortable. There are some IT people working here who are fairly new to Linux and I cannot babysit them 24/7, so I try to make them record anything they do on the server or their machines, but sometimes they forget or take "shortcuts" without realizing why the documents they're provided on how to set up or configure something don't list those "shortcuts".

**EDIT:
I've been reading about rich rules and came across something on serverfault.

I think the best route is to create a new zone, special for this server. Then I can use:

    firewall-cmd --new-zone=my_special_zone --permanent
    firewall-cmd --zone=my_special_zone --add-service=ssh --permanent
    firewall-cmd --zone=my_special_zone --add-source=192.168.2.4/32 --permanent     # white-list my CentOS workstation
    firewall-cmd --zone=my_special_zone --add-source=8.8.8.8/32 --permanent     # white-list Google's Public DNS Server
    firewall-cmd --reload

That would change the zone for all interfaces to my_special_zone, and allow incoming traffic for the ssh server, but only from those IP addresses, right? I'm reading the man pages for firewall-cmd, and various other firewall programs, but I think this restricts ALL traffic, not just for the SSH port, but any port, only to those two IP addresses, right? I cannot combine parameters so they only apply to the SSH service, can I? Something like:

    firewall-cmd --zone=my_special_zone --add-service=ssh --add-source=192.168.2.4/32 --add-source=8.8.8.8/32 --permanent
    firewall-cmd --reload

wouldn't be valid, would it?

There are certain services we want open to the world (Apache for example), but other ones we want closed to certain IP addresses (gitlab, for example). Maybe I'll have to use a rich rule.
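
A worked example, added here and not part of the thread, of the firewalld rich-rule form that does what the post above is asking about: allow the ssh service only from a list of sources, while leaving the zone's other services (Apache, qBittorrent) open to everyone. Binding a source to a zone with --add-source governs all traffic from that source, and --add-service plus --add-source on one command line does not tie the two together; a rich rule is the construct that pairs a source with a single service. Zone "public", service "ssh" and the two addresses are the values from the posts; the script only prints the firewall-cmd commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): build firewall-cmd rich rules that allow one
# service only from a source whitelist. Assumed values: zone "public", service "ssh",
# sources 192.168.2.4/32 and 8.8.8.8/32 (the addresses used in the posts above).
# The script only prints the commands; review them, then run them as root.
set -eu

# Cheap sanity check for an IPv4 CIDR (a.b.c.d/len). A typo here would otherwise be
# rejected by firewalld only at apply time, or worse, match more than intended.
is_ipv4_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# rich_rule SERVICE CIDR -> the firewalld rich-rule text accepting SERVICE from CIDR only.
rich_rule() {
  is_ipv4_cidr "$2" || { echo "rich_rule: bad IPv4 CIDR: $2" >&2; return 1; }
  printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$2" "$1"
}

# build_whitelist_cmds ZONE SERVICE CIDR... -> one firewall-cmd line per step.
# The zone's plain "service" entry accepts from anywhere, so it is removed first
# (guarded by --query-service so the step is a no-op if it was never enabled);
# otherwise the rich rules would be redundant and the whitelist would not bite.
build_whitelist_cmds() {
  zone=$1 service=$2; shift 2
  printf 'firewall-cmd --permanent --zone=%s --query-service=%s >/dev/null && ' "$zone" "$service"
  printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$service"
  for src in "$@"; do
    rule=$(rich_rule "$service" "$src") || return 1
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
  done
  # --permanent changes are inert until reloaded; after the reload the per-source
  # ACCEPT rules are visible in iptables -L, which is what the first post wanted to see.
  echo 'firewall-cmd --reload'
}

build_whitelist_cmds public ssh 192.168.2.4/32 8.8.8.8/32
```

If sshd is on a non-default port, the firewalld "ssh" service definition still means port 22; replace `service name="ssh"` in the rule with `port port="<n>" protocol="tcp"`, where <n> is the custom port, or edit the service definition. Rich rules and zone rules only govern new inbound connections, so outgoing ssh from this machine is unaffected either way.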

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Temporarily locking down server.

Post by Spork Schivago » 2018/02/08 21:38:42

TrevorH wrote:If you used firewalld then you probably have to use rich rules - no idea how that's done as I think firewalld is a bloated pig. Using ordinary iptables rules is easy and you can do whatever you want with them.
I would prefer to use just iptables. But I figured firewalld was the "CentOS way". I will just use iptables and disable firewalld then, that should make things much easier.

Thank you TrevorH.
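
TrevorH's advice above is to skip firewalld and write iptables rules directly. The following is an added example, not from the thread, of what such a ruleset looks like for the policy described in these posts: SSH accepted only from whitelisted sources, Apache and qBittorrent open to everyone, everything else refused. It emits iptables-restore format, which is what the iptables-services package loads from /etc/sysconfig/iptables on CentOS 7, so the file can be syntax-checked with iptables-restore --test before it is installed. SSH port 2222 is a placeholder because the thread does not give the real custom port; 192.168.2.0/24 and 8.8.8.8/32 are the sources from the earlier post, 80/443 stand for the Apache service mentioned, and 51413/tcp+udp is the qBittorrent port seen in the iptables -L output.

```shell
#!/bin/sh
# Added example (not from the thread): a plain-iptables ruleset for the policy
# discussed above, printed in iptables-restore format. Assumed values: SSH on 2222
# (the real custom port is not given), whitelist 192.168.2.0/24 and 8.8.8.8/32,
# Apache on 80/443 and qBittorrent on 51413 open to everyone.
set -eu

is_ipv4_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# build_ruleset SSH_PORT CIDR... -> ruleset on stdout (iptables-restore ignores # lines)
build_ruleset() {
  ssh_port=$1; shift
  case $ssh_port in
    ''|*[!0-9]*) echo "build_ruleset: bad port: $ssh_port" >&2; return 1 ;;
  esac
  for cidr in "$@"; do
    is_ipv4_cidr "$cidr" || { echo "build_ruleset: bad IPv4 CIDR: $cidr" >&2; return 1; }
  done
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows first; everything below only sees NEW connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# Services open to the world (Apache, qBittorrent).
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
EOF
  # SSH: one ACCEPT per whitelisted source and no unrestricted rule, so iptables -L
  # shows the port open only for those addresses; the DROP policy catches the rest.
  for cidr in "$@"; do
    printf '%s -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' '-A INPUT -p tcp' "$cidr" "$ssh_port"
  done
  cat <<'EOF'
# Reject rather than silently drop, so misconfigured internal clients fail fast.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# To test and install as root (from a console, or with a second session already open):
#   build_ruleset 2222 192.168.2.0/24 8.8.8.8/32 > /root/iptables.rules
#   iptables-restore --test < /root/iptables.rules
#   systemctl disable --now firewalld && yum install -y iptables-services
#   cp /root/iptables.rules /etc/sysconfig/iptables && systemctl enable --now iptables
#   iptables -S INPUT
build_ruleset 2222 192.168.2.0/24 8.8.8.8/32
```

Keep an already-established SSH session open while switching: the ESTABLISHED,RELATED rule is matched before anything else, so that session survives a mistaken whitelist and lets you back out. OUTPUT stays ACCEPT, so ssh from this server to other hosts is unaffected, which answers the first post's worry about outbound connections.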
