Securing SSH using Firewalld on RHEL8 or CentOS8 Replacing TCP_Wrappers

As the Red Hat knowledge base article “Replacing TCP Wrappers in RHEL 8” (https://access.redhat.com/solutions/3906701) states:
The TCP Wrappers package has been deprecated in RHEL 7 and therefore it will not be available in RHEL 8 or later RHEL releases.

The files “/etc/hosts.allow” and “/etc/hosts.deny” do not exist on a RHEL 8 or CentOS 8 system, and creating them has no effect.

As a reminder, this is how you would allow SSH only from these sources (e.g. 192.168.20.100/32, 192.168.20.101/32 and 192.168.15.16/29) and deny everything else with TCP Wrappers:

Sample Config: (/etc/hosts.allow)

[root@freelinuxserver ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See ‘man 5 hosts_options’ and ‘man 5 hosts_access’
# for information on rule syntax.
# See ‘man tcpd’ for information on tcp_wrappers
#
sshd: 192.168.20.100 192.168.20.101 
sshd: 192.168.15.16/29

Sample Config: (/etc/hosts.deny)
[root@freelinuxserver ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a ‘deny’ option instead.
#
# See ‘man 5 hosts_options’ and ‘man 5 hosts_access’
# for information on rule syntax.
# See ‘man tcpd’ for information on tcp_wrappers
#
sshd: ALL except localhost

Solution: There are a few ways to filter incoming traffic by source address; one of them is firewalld, specifically its zones.

  1. Verify that the “firewalld” package is installed; if not, install it.

yum list installed firewalld

Sample Output:
[root@freelinuxserver~]# yum list installed firewalld
Installed Packages
firewalld.noarch 0.8.2-2.el8 @anaconda

1.1 If it is not installed, install the package:

Install firewalld:

yum install -y firewalld

Enable the firewall for starting at boot:

systemctl enable firewalld

Restart the service

systemctl restart firewalld

 

2. Use the following commands to verify the default configuration and zones.

  • List the default zone

firewall-cmd --get-default-zone

Sample Output:
[root@freelinuxserver ~]# firewall-cmd --get-default-zone
public

  • List information for all zones

firewall-cmd --list-all-zones

Sample output: (other zones omitted; only the “public” zone is shown). Notice that ssh is among the allowed services and that sources is blank, meaning connections from any source address are accepted.

[root@freelinuxserver~]# firewall-cmd --list-all-zones

public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

  • List the services allowed in a zone (here the work zone):

firewall-cmd --zone=work --list-services

Sample output:
[root@freelinuxserver ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ssh

3. Remove the SSH service from the default zone (public). Use the --permanent option so the change persists across reboots; a --permanent change is written to the saved configuration and only takes effect when the firewall is reloaded in step 5.

firewall-cmd --permanent --remove-service=ssh

Sample Output:
[root@freelinuxserver ~]# firewall-cmd --permanent --remove-service=ssh
success

Verify using the “firewall-cmd --list-all-zones” command.

Sample Output: (notice that ssh is no longer listed under services)
[root@freelinuxserver~]# firewall-cmd --list-all-zones

public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

 

4. Create the zone, then add the allowed source IPs and the SSH service to it.

firewall-cmd --permanent --new-zone=SSHZONE
firewall-cmd --permanent --zone=SSHZONE --add-source=[I.P.]
firewall-cmd --permanent --zone=SSHZONE --add-service=ssh

Sample output:
[root@freelinuxserver ~]# firewall-cmd --permanent --new-zone=SSHZONE
success
[root@freelinuxserver ~]# firewall-cmd --permanent --zone=SSHZONE --add-source=192.168.20.100/32
success
[root@freelinuxserver ~]# firewall-cmd --permanent --zone=SSHZONE --add-source=192.168.20.101/32
success
[root@freelinuxserver ~]# firewall-cmd --permanent --zone=SSHZONE --add-source=192.168.15.16/29
success
[root@freelinuxserver ~]# firewall-cmd --permanent --zone=SSHZONE --add-service=ssh

5. Reload the firewall so the permanent changes take effect and the new zone becomes active.

firewall-cmd --reload

Sample Output:
[root@freelinuxserver~]# firewall-cmd --reload
success

6. Verify using the “firewall-cmd --list-all-zones” command.

[root@freelinuxserver~]# firewall-cmd --list-all-zones
SSHZONE (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 192.168.20.100/32 192.168.20.101/32 192.168.15.16/29
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

7. Test the rule: connect over SSH from one of the allowed IPs and from an IP that is not allowed.

Optional: you can also use this command to check that the firewall is running:

systemctl status firewalld.service
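The whole procedure above (steps 3 to 6), together with the hosts.allow sample at the top of the post, as one added shell script. This is example code written for this page, not code from the post or from the firewalld project. It assumes firewalld is installed, that the default zone is "public", and that the zone name SSHZONE and the three addresses are the ones the post uses; the helper names (hosts_allow_sources, apply_rules, zone_field, verify_lockdown) are this example's own. It converts the sshd lines of a hosts.allow-style list into --add-source values (bare addresses become /32, wildcards such as ALL or "192.168." prefixes are reported rather than silently dropped), applies all changes with --permanent and a single --reload so ssh is never removed from the default zone before SSHZONE exists, and parses the --list-all-zones output to confirm the end state. Run it from the console, or from a session that comes from one of the allowed addresses.

```shell
#!/bin/sh
# Added example (not from the original post): builds the SSHZONE allow-list
# from a hosts.allow-style sshd rule list, applies steps 3-6 of the post, and
# checks the resulting zone listing. Assumptions: firewalld installed, default
# zone "public"; helper names are this example's own.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set to "echo" for a dry run
SSH_ZONE="${SSH_ZONE:-SSHZONE}"
DEFAULT_ZONE="${DEFAULT_ZONE:-public}"

# Constructed hosts.allow fragment: the post's two sshd rules.
HOSTS_ALLOW_SAMPLE='# comments and blank lines are ignored
sshd: 192.168.20.100 192.168.20.101
sshd: 192.168.15.16/29'

# Print each client of every "sshd:" rule read on stdin, one per line. Bare
# IPv4 addresses get /32 (the form the post feeds to --add-source); ALL,
# "192.168." prefixes or hostnames have no firewalld source form: report them.
hosts_allow_sources() {
    awk -F: '/^[ \t]*#/ || NF == 0 { next }
             $1 ~ /^[ \t]*sshd[ \t]*$/ {
                 n = split($2, c, /[ \t]+/)
                 for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
             }' |
    while read -r client; do
        case "$client" in
            */*)      printf '%s\n' "$client" ;;
            *.|.*)    echo "no CIDR form for pattern '$client', add it by hand" >&2 ;;
            [0-9]*.*) printf '%s/32\n' "$client" ;;
            *)        echo "no firewalld equivalent for '$client', add it by hand" >&2 ;;
        esac
    done
}

ALLOWED_SOURCES="${ALLOWED_SOURCES:-$(printf '%s\n' "$HOSTS_ALLOW_SAMPLE" | hosts_allow_sources)}"

# Steps 3-5. Every change is --permanent and one --reload applies them all,
# so ssh is never removed from the default zone before SSHZONE is active.
apply_rules() {
    "$FIREWALL_CMD" --permanent --zone="$DEFAULT_ZONE" --remove-service=ssh
    if ! "$FIREWALL_CMD" --permanent --get-zones | tr ' ' '\n' | grep -qx "$SSH_ZONE"; then
        "$FIREWALL_CMD" --permanent --new-zone="$SSH_ZONE"
    fi
    for src in $ALLOWED_SOURCES; do
        "$FIREWALL_CMD" --permanent --zone="$SSH_ZONE" --add-source="$src"
    done
    "$FIREWALL_CMD" --permanent --zone="$SSH_ZONE" --add-service=ssh
    "$FIREWALL_CMD" --reload
}

# Step 6 helper: print one field of one zone from "firewall-cmd --list-all-zones"
# output on stdin. Zone headers ("public (active)") have no colon; fields are
# "key: value" lines (indented in real output, flush left in the post).
zone_field() {
    awk -v zone="$1" -v field="$2" '
        NF == 0 { next }
        $0 !~ /:/ { inzone = ($1 == zone); next }
        inzone {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, field ":") == 1) {
                sub(/^[^:]*:[ \t]*/, "", line); print line; exit
            }
        }'
}

# Succeeds only if the listing on stdin shows ssh gone from the default zone,
# present in SSHZONE, and every allowed source bound to SSHZONE.
verify_lockdown() {
    listing=$(cat)
    [ -n "$ALLOWED_SOURCES" ] || return 1
    default_services=$(printf '%s\n' "$listing" | zone_field "$DEFAULT_ZONE" services)
    ssh_services=$(printf '%s\n' "$listing" | zone_field "$SSH_ZONE" services)
    ssh_sources=$(printf '%s\n' "$listing" | zone_field "$SSH_ZONE" sources)
    case " $default_services " in *" ssh "*) return 1 ;; esac
    case " $ssh_services " in *" ssh "*) ;; *) return 1 ;; esac
    for src in $ALLOWED_SOURCES; do
        case " $ssh_sources " in *" $src "*) ;; *) return 1 ;; esac
    done
}

# Constructed listing of the end state the post shows in step 6 (abridged).
EXPECTED_LISTING='SSHZONE (active)
  sources: 192.168.20.100/32 192.168.20.101/32 192.168.15.16/29
  services: ssh

public (active)
  sources:
  services: dhcpv6-client'

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) FIREWALL_CMD=echo; apply_rules ;;
    verify)  "$FIREWALL_CMD" --list-all-zones | verify_lockdown && echo "verified: ssh only from allowed sources" ;;
esac
```

Usage: `sh ssh-zone.sh dry-run` prints the firewall-cmd lines it would run, `sh ssh-zone.sh apply` runs them as root, and `sh ssh-zone.sh verify` reads the live listing and exits non-zero if ssh is still offered in the public zone or any expected source is missing from SSHZONE. The verification parses the runtime listing, which is why a single reload at the end of apply_rules is the right point to check: before the reload, the --permanent changes are not visible there yet.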

About the author

Free Linux
