The Firewall daemon is a great improvement over iptables.
But here, I'm going to sum up what I feel ought to be part of its makeup.
Yesterday, I configured a system and started/enabled the Firewall daemon. Having configured and whitelisted services and usual/custom ports on all the servers under our control, I completely forgot that the machine I was dealing with wasn't part of that process.
Assumption... bad. Real bad when you are dealing with machines.
And then, with 3 terminals open, I absent-mindedly and without thinking ran systemctl reboot. Voilà, accessing the machine became impossible. By the way, SELinux is disabled.
That got me thinking.
Now, I know I'm way over my head on this, but I know that those of you whom we look up to can assess whether what I'm going to say makes sense or not.
If it makes sense, please consider adding this as a feature to firewalld.
If it doesn't, please point out the errors in my thinking.
Isn't there a way to make the Firewall daemon look up authorized keys?
If the local machine wishing to access the remote machine has valid keys, allow it access so he or she can correct whatever mistake was made.
To take stolen machines into consideration,
if such a local machine fails to properly authenticate on the remote machine after 7 attempts, lock it up as usual.
Regarding my unenviable situation, apart from booting this system into Rescue Mode to see if it can be salvaged in any way, I may have to rebuild this machine from scratch because of this carelessness.
I would be more than glad to drink from the fountain of those who are Masters in this craft. Please offer me your wisdom.
Thank you!!!
Is There No Way To Make Firewalld More User-Friendly?
I am a Student.
Re: Is There No Way To Make Firewalld More User-Friendly?
CentOS does not make changes.
You need to make your suggestions to RHEL.
Re: Is There No Way To Make Firewalld More User-Friendly?
The openssh daemon already validates openssh keys. Firewalld manages iptables rules and to validate a key it would have to allow the connection, examine the key and only then would it know enough to add a new iptables rule to block the connection. Not impossible but things like fail2ban already do this sort of thing. Better to configure openssh to only accept keys and refuse passwords and then it already does what you want it to do.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
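The reply above makes two points a practitioner can turn into a pre-reboot check: firewalld cannot authenticate anyone, so the SSH port has to be open in the configuration that survives a reboot (the permanent one, not the runtime one), and sshd itself should be the thing that refuses everything but keys. The script below is an added example written for this page; it is not code from the thread, from firewalld or from OpenSSH. It assumes the usual output of `firewall-cmd --permanent --zone=ZONE --list-services` and `--list-ports` (space-separated service names, `port/proto` pairs) and the OpenSSH defaults of PubkeyAuthentication yes and PasswordAuthentication yes when a keyword is absent; the function names are mine. The parsing functions take the command output as a string so they can be exercised on a host without firewalld; `preflight` wires them to the live commands.

```shell
#!/bin/sh
# Added example: refuse to reboot a remote box unless the firewalld
# *permanent* configuration still admits SSH and sshd is key-only.
# Not from the thread; function names and sample inputs are constructed.

# services_admit_ssh "LIST": LIST is the output of
#   firewall-cmd --permanent --zone=ZONE --list-services
# Returns 0 if the predefined "ssh" service (port 22/tcp) is in it.
services_admit_ssh() {
    for svc in $1; do
        [ "$svc" = "ssh" ] && return 0
    done
    return 1
}

# ports_admit PORT "LIST": LIST is the output of
#   firewall-cmd --permanent --zone=ZONE --list-ports   e.g. "2222/tcp 8080/tcp"
# Returns 0 if PORT/tcp is opened explicitly (needed for a non-22 sshd port;
# the "ssh" service does not cover custom ports).
ports_admit() {
    for p in $2; do
        [ "$p" = "$1/tcp" ] && return 0
    done
    return 1
}

# sshd_keys_only FILE: 0 if the last (effective) global values in an
# sshd_config are PubkeyAuthentication yes and PasswordAuthentication no.
# Comment lines do not match because "#Keyword" is not "keyword".
# Assumption: Match blocks are ignored; on a live host prefer `sshd -T`.
sshd_keys_only() {
    pub=$(awk 'tolower($1)=="pubkeyauthentication"{v=tolower($2)}
               END{print (v==""?"yes":v)}' "$1")
    pw=$(awk 'tolower($1)=="passwordauthentication"{v=tolower($2)}
              END{print (v==""?"yes":v)}' "$1")
    [ "$pub" = "yes" ] && [ "$pw" = "no" ]
}

# preflight [ZONE] [SSH_PORT]: run the checks against the live host.
# Reads the permanent configuration because runtime-only changes
# (firewall-cmd without --permanent) are gone after systemctl reboot.
# Returns 1 if rebooting would lock you out, 2 if firewall-cmd failed.
preflight() {
    zone=${1:-public}
    port=${2:-22}
    svcs=$(firewall-cmd --permanent --zone="$zone" --list-services) || return 2
    ports=$(firewall-cmd --permanent --zone="$zone" --list-ports) || return 2
    if [ "$port" = 22 ]; then
        services_admit_ssh "$svcs" || ports_admit 22 "$ports" || {
            echo "permanent config for zone $zone does not admit ssh; do not reboot" >&2
            return 1
        }
    else
        ports_admit "$port" "$ports" || {
            echo "permanent config for zone $zone does not open $port/tcp; do not reboot" >&2
            return 1
        }
    fi
    if sshd_keys_only /etc/ssh/sshd_config; then
        echo "sshd is key-only"
    else
        echo "warning: sshd still accepts passwords (set PasswordAuthentication no)" >&2
    fi
    echo "ok: zone $zone admits ssh on $port/tcp after reboot"
}

# Typical use on the host you are about to reboot (custom port 2222):
#   preflight public 2222 && systemctl reboot
```

If the runtime rule set is the one you actually want to keep, `firewall-cmd --runtime-to-permanent` copies it before the check; running `preflight` afterwards confirms the copy worked. A lockout of the kind described in the thread is still recoverable from the console or rescue mode, but the point of the check is to never need that.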