Ssh – Firewalld not blocking SSH requests

Tags: firewalld, ssh

I have the following configuration on CentOS 7.7.
I am looking to allow only a limited set of IPs and block the rest.
Going the rich rule way on the public zone sounded simple. I removed the ssh service and added the required IP using a rich rule. It seems to have started working fine; most of the spam SSH stopped. But when I restart the server, for a brief period IPs outside of the allowed list are able to reach the server. I restarted the server multiple times and could see the pattern repeated. The blocked IPs are able to reach the server for a period of around 2-3 minutes after reboot, and then it stops.

[root@ABC ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

[root@ABC ~]# firewall-cmd --get-default-zone
public

[root@ABC ~]# firewall-cmd --get-active-zones
(Nothing)

[root@ABC ~]# firewall-cmd --list-all-zones 
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="1.2.3.4" service name="ssh" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

How are the blocked IPs able to reach the server with firewalld running?

Best Answer

Your firewall doesn't look properly configured. I would add a new zone called trusted. Then add service ssh and the source IPs that need to access the server on SSH. Then in the zone public add all your services that need to be public and add the interface eth0 to that zone. I believe this is the proper way to configure a zone based firewall.
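The zone layout the answer describes, as an added example that is not code from the question or the answer: a source-based zone carrying only the ssh service and the allowed addresses, with eth0 bound to public and ssh removed there. The zone name sshadmin, the variables and the FW override are assumptions; 1.2.3.4 is the address from the question's rich rule, and a separate name is used because the built-in trusted zone in the listing above has target ACCEPT, which would admit every service from those sources rather than ssh alone.

```shell
#!/bin/sh
# Added example: source-based SSH allow-list with firewalld (not code from the page).
# Assumptions: zone name "sshadmin", interface eth0, and the allowed address 1.2.3.4
# taken from the question's rich rule. Set FW=echo to print the commands instead
# of applying them.
FW="${FW:-firewall-cmd}"
ADMIN_ZONE="${ADMIN_ZONE:-sshadmin}"
ADMIN_IPS="${ADMIN_IPS:-1.2.3.4}"
IFACE="${IFACE:-eth0}"

configure_ssh_allowlist() {
    # 1. A zone keyed on source addresses: firewalld matches source-bound zones
    #    before interface-bound ones, so only these addresses are offered ssh.
    "$FW" --permanent --new-zone="$ADMIN_ZONE"
    "$FW" --permanent --zone="$ADMIN_ZONE" --add-service=ssh
    for ip in $ADMIN_IPS; do
        "$FW" --permanent --zone="$ADMIN_ZONE" --add-source="$ip"
    done
    # 2. The interface zone: every other packet arriving on eth0 lands here.
    #    ssh is deliberately absent, so unlisted sources get the zone's default reject.
    "$FW" --permanent --zone=public --remove-service=ssh
    "$FW" --permanent --zone=public --change-interface="$IFACE"
    # 3. Load the permanent configuration into the running firewall.
    "$FW" --reload
}

# Check: once eth0 and the sources are bound, --get-active-zones must list both
# zones (the question's output showed none, i.e. nothing was bound to any zone).
verify_bindings() {
    "$FW" --get-active-zones
}

if [ "${APPLY:-0}" = 1 ]; then
    configure_ssh_allowlist
    verify_bindings
fi
```

Run with APPLY=1 as root to apply, or FW=echo APPLY=1 to preview the exact firewall-cmd invocations first.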
