Fedora 20 - How do I use firewalld to only allow ssh from a range?

Question

I have been seeing a lot of brute force attempts on a fedora box. How do I use firewalld to block all ssh traffic outside of a given range? I'm looking for something like the iptables:

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

To handle ssh brute force there is also [fail2ban](http://www.fail2ban.org/). — hlovdal, Feb 16 '16 at 19:51

score 2 · Accepted Answer · answered Jul 28 '14 at 15:24

2

Also just as an alternative to Iptables. You can control the ssh access as followed

Edit your /etc/ssh/sshd_config

AllowUsers admin@192.169.1.100 admin@192.168.1.200 testadmin

--OR--

AllowUsers *@192.168.1.100 *@192.168.1.200

Restart sshd services.

answered Jul 28 '14 at 15:24

Chakri

1,070
6
8

Ha! I forgot you could do this. Thanks for the reminder. This is working for me for now. – satori7 Jul 28 '14 at 16:04

score 1 · Answer 2 · answered Jul 28 '14 at 15:19

1

You should be able to do this via the rich language interface of firewalld :

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100/25" service name="ssh" reject'

This is just written by what I found and had in memory, not tested. But it might be a starting point for you to play.

answered Jul 28 '14 at 15:19

liquidat

510
4
3

1

You want to reject the traffic? – Michael Hampton Jul 28 '14 at 15:30
I was able to use this before to block the offending IP, but about 10 minutes later they started again from another IP. I chased them around like this for a while. – satori7 Jul 28 '14 at 16:00

Fedora 20 - How do I use firewalld to only allow ssh from a range?

2 Answers2