SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 2 Jan 2017 01:24:49 -0800
On 2017-01-01 14:24, David Sommerseth wrote:
> On 01/01/17 01:28, jdow wrote:
>>
>> Obviously I really do NOT want firewalld to run. This is, apparently,
>> usually done using "systemctl mask firewalld". Unfortunately this leaves
>> divots all over the logs about systemctl not being able to bring up
>> /dev/null er firewalld. That seems "unfriendly" to say the least. (And
>> it seems there is no "friendly" way to undo the "systemctl mask"
>> command, at least for firewalld.)
>
> # yum erase firewalld
> # yum install iptables-services

Did the second half. The first half had a large collection of dependencies that 
would be removed as well, little things like "anaconda-core". Erm, that might 
not be a good thing. I'm not interested in throwing the system into the dark 
ages. I just want to use some iptables features that firewalld doesn't seem 
to be able to approach. Its GUI doesn't even seem to have a way to turn SOME 
logging on while leaving most logging off. That's rude. (I find I am even eschewing 
the iptables-services tools. I'm using the dhclient script capability to reset 
the firewall when a new address is assigned. The actual firewall design right 
now closely resembles that produced by firewalld. It was useful as a template 
for retuning the firewall's features.)

This little stanza is one I've been using since my first iptables setup:
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack \
     --rcheck --seconds 90 --hitcount 1 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack \
     --rcheck --seconds 90 --hitcount 1 -j REJECT --reject-with tcp-reset
$IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --set

A given site cannot feed a SYN packet to the ssh port more often than once every 
90 seconds. It makes password guessing rather time consuming. Firewalld 
documentation was not clear on how I'd add that into its firewall via the GUI, 
especially if it is conditional on a tiny configuration file in /etc to disable 
all ingress ports or open them up, and how to open them up. Open when traveling. 
Close when home.

But remove Anaconda? EEEEK!

{o.o}
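The three-rule ssh_attack stanza above relies on how the xt_recent match (-m recent) records and checks per-source timestamps. The following is an added model of that behaviour, not code from the thread: it walks the rules in order for a constructed sequence of SSH SYN arrivals (source addresses and times are made up) and shows why a guesser only gets one SYN through per 90 s window, and that a legitimate user reconnecting within 90 s is also rejected.

```python
"""Model of the ssh_attack stanza: xt_recent --rcheck/--seconds/--hitcount and --set."""
from collections import defaultdict, deque

WINDOW = 90      # --seconds 90
HITCOUNT = 1     # --hitcount 1
LIST_TOT = 20    # stamps kept per address (xt_recent ip_pkt_list_tot default)


class RecentList:
    """One xt_recent list, i.e. what /proc/net/xt_recent/ssh_attack would track."""

    def __init__(self):
        self.stamps = defaultdict(deque)  # source address -> recorded SYN times

    def rcheck(self, src, now):
        # --rcheck: match when at least HITCOUNT recorded stamps are no older
        # than WINDOW seconds (the kernel comparison is inclusive).
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= WINDOW)
        return hits >= HITCOUNT

    def set(self, src, now):
        # --set: create the entry or add another stamp; oldest stamps drop off.
        q = self.stamps[src]
        q.append(now)
        while len(q) > LIST_TOT:
            q.popleft()


def in_public_deny(lst, src, now):
    """Apply the stanza to one inbound TCP SYN to port 22 from `src`.
    Returns (verdict, logged): 'REJECT' (tcp-reset sent) or 'CONTINUE'
    (packet falls through to the rest of the chain, e.g. IN_public_allow)."""
    if lst.rcheck(src, now):      # rule 1: -j LOG 'SSH2 REJECT: ' (non-terminating)
        return "REJECT", True     # rule 2: same match, -j REJECT --reject-with tcp-reset
    lst.set(src, now)             # rule 3: only SYNs that were NOT rejected are recorded,
    return "CONTINUE", False      # so retries inside the window do not extend it


def simulate(events):
    """events: constructed (time_seconds, src) SYN arrivals in time order."""
    lst = RecentList()
    return [(now, src) + in_public_deny(lst, src, now) for now, src in events]


# Constructed traffic: a guesser retrying every 30 s and an ordinary user (RFC 5737 addresses).
GUESSER, USER = "203.0.113.5", "198.51.100.7"
EVENTS = [(0, GUESSER), (5, USER), (30, GUESSER), (40, USER), (60, GUESSER),
          (95, GUESSER), (100, GUESSER), (200, USER)]

if __name__ == "__main__":
    for now, src, verdict, logged in simulate(EVENTS):
        print(f"t={now:3d}s {src:14} {verdict:8} {'(logged)' if logged else ''}")
```

Replacing --rcheck with --update in the first two rules would refresh the timestamp on every rejected retry and turn the fixed 90 s window into a sliding lockout.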
