Managing Linux firewall – ufw and firewall-cmd

 centos, debian, linux, server  No Responses »
Dec 172015
 

Come Back Later

These are just examples to pick your imagination, please do refrain from blindly coping and pasting as you can cut yourself off 😀

UFW quick setup (Debian/Ubuntu)

 

aptitude install ufw
ufw allow 22/tcp
ufw allow from 124.111.0.0/16 to any port 22
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow proto tcp from IP.ADD.Here to any port 3306
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow from 10.10.1.0/24
# allow traffic on interface
ufw allow in on em3

ufw enable
ufw status
ufw status numbered
ufw delete 10
# ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. 
# ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.
ufw limit ssh
ufw logging off #once it working stop flooding logs!

# ufw on KVM server, edit /etc/ufw/sysctl.conf
# and make sure we don't filter packets to our libvirt guests
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

firewall-cmd quick setup (RedHat/CentOS 7)

firewall-cmd --get-services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# punch a hole for CIFS
firewall-cmd --permanent --add-service=samba

firewall-cmd --permanent --add-port 5989/tcp
firewall-cmd --list-all-zones
firewall-cmd --list-ports

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --remove-service=dhcpv6-client

firewall-cmd --zone=trusted --add-source=10.100.1.18 --permanent
firewall-cmd --reload

Some say firewalld is too complicated for most server type of use, who am I to judge? Alegedly firewalld also requires Network Manager so if Network Manager is disabled then we need to go back. If you want to replace firewalld with good ol’ iptables:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

no kex alg

 linux  7 Responses »
Sep 142015
 

If you run ancient operating system with an old version of SSH client then you are going to hit this “No Kex Alg” problem soon.

have u tried

For example Solaris 9

$ ssh -Vxx
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

So what a hell is it? What’s causing it? Well, modern operating system like Debian Jessie are packaged with OpenSSH 6.7 or newer  – and Openssh 6.7 disables a number of ciphers, as per changelog http://www.openssh.com/txt/release-6.7  As Russel rightly pointed out in comments section below ‘”kex” is “key exchange”.x

So it’s time to upgrade your client! However, if for some bizarre reasons those pesky sysadmins are refusing to upgrade client software then that leaves you with two options:

  • if you have physical access to client simply spill coffee or some other beverage on it (alright, just joking)
  • or edit /etc/ssh/sshd_config on the server, append the following line and restart sshd daemon
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Now your old client should be able to connect to server plus you have successfully created security vulnerability on your machine. How exciting!

If you’re still dying to know what mechanisms your system supports run:

ssh -Q cipher
ssh -Q mac
ssh -Q kex

I know more about ssh ciphers, macs, kex now that I ever wanted to know.

 Older Entries  Newer Entries