Date: Mon, 2 Jan 2017 01:24:49 -0800
On 2017-01-01 14:24, David Sommerseth wrote:
> On 01/01/17 01:28, jdow wrote:
>>
>> Obviously I really do NOT want firewalld to run. This is, apparently,
>> usually done using "systemctl mask firewalld". Unfortunately this leaves
>> divots all over the logs about systemctl not being able to bring up
>> /dev/null er firewalld. That seems "unfriendly" to say the least. (And
>> it seems there is no "friendly" way to undo the "systemctl mask"
>> command, at least for firewalld.)
>
> # yum erase firewalld
> # yum install iptables-services
Did the second half. The first half had a large collection of dependencies that
would be removed as well, little things like "anaconda-core". Erm, that might
not be a good thing. I'm not interested in throwing the system into the dark
ages. I just want to use some iptables features that firewalld doesn't seem
to be able to approach. Its GUI doesn't even seem to have a way to turn SOME
logging on while leaving most logging off. That's rude. (I find I am even eschewing
the iptables-services tools. I'm using the dhclient script capability to reset
the firewall when a new address is assigned. The actual firewall design right
now closely resembles that produced by firewalld. It was useful as a template
for retuning the firewall's features.)
This little stanza is one I've been using since my first iptables setup:
# $IPT: path to the iptables binary (e.g. /sbin/iptables)
# Rule 1: a further SYN from a source seen within the last 90 s is logged ...
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn \
    -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 \
    -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
# Rule 2: ... and rejected with a TCP reset (--rcheck does not touch the list).
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn \
    -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 \
    -j REJECT --reject-with tcp-reset
# Rule 3: first SYN in the window: record the source and fall through.
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn \
    -m recent --name ssh_attack --set
A given site cannot feed a SYN packet to the ssh port more often than once every
90 seconds. It makes password guessing rather time consuming. Firewalld
documentation was not clear on how I'd add that into its firewall via the GUI,
especially if it is conditional on a tiny configuration file in /etc to disable
all ingress ports or open them up, and how to open them up. Open when traveling.
Close when home.
But remove Anaconda? EEEEK!
{o.o}
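To make the behaviour of those three rules concrete, here is an added Python model (not jdow's script, and not code from the iptables or firewalld projects) that walks one SYN at a time through the LOG, REJECT and --set rules with the same 90-second window; the addresses and arrival times are constructed, and the hitcount parameter generalises the stanza to "N SYNs per window".

```python
"""Model of the three '-m recent' rules above, run over a constructed list of SYNs."""
from collections import defaultdict

LOG_PREFIX = "SSH2 REJECT: "  # --log-prefix from the rules above


class RecentList:
    """One '--name ssh_attack' table: source address -> timestamps recorded by --set."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount H: match when the source is listed and at
        # least H of its timestamps fall within the last S seconds. The list is not
        # modified (unlike --update), so a rejected SYN does not extend the window.
        if src not in self.stamps:
            return False
        return sum(1 for t in self.stamps[src] if now - t <= seconds) >= hitcount

    def set(self, src, now):
        # --set: add the source, or add a fresh timestamp to its existing entry.
        self.stamps[src].append(now)


def in_public_deny(table, src, now, log, seconds=90, hitcount=1):
    """Walk the three rules for one SYN to the ssh port: 'REJECT' or 'PASS' (fall through)."""
    if table.rcheck(src, now, seconds, hitcount):
        log.append(f"{LOG_PREFIX}SRC={src} t={now}")  # rule 1: LOG, non-terminating
        return "REJECT"                                # rule 2: REJECT tcp-reset, terminating
    table.set(src, now)                                # rule 3: reached only if 1/2 did not match
    return "PASS"


def simulate(events, seconds=90, hitcount=1):
    """events: (time_in_seconds, source) pairs; returns (verdicts, log lines)."""
    table, log, verdicts = RecentList(), [], []
    for now, src in events:
        verdicts.append(in_public_deny(table, src, now, log, seconds, hitcount))
    return verdicts, log


# Constructed arrivals: one guesser (10.0.0.5) retrying, one unrelated host (10.0.0.9).
SYNS = [(0, "10.0.0.5"), (30, "10.0.0.5"), (30, "10.0.0.9"), (60, "10.0.0.5"),
        (100, "10.0.0.5"), (150, "10.0.0.5"), (200, "10.0.0.5")]

if __name__ == "__main__":
    verdicts, log = simulate(SYNS)
    for (now, src), verdict in zip(SYNS, verdicts):
        print(f"t={now:3d} {src}: {verdict}")  # 10.0.0.5 passes at t=0, 100, 200 only
```

Because the --set rule sits after REJECT, a rejected retry never refreshes the entry, so the 90 s are counted from the last accepted SYN rather than the last attempt; a legitimate user who reconnects within that window gets the same reset.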