Secure server with Firewalld

-
Recently we have issue reported by development team that there one of the backend cache server went to production without firewall. Although server was not expose to internet but it can be accessible from every IP in intranet.

We decided to use firewalld for this. Main problem was once we start service it stop all access other than ssh which can be impact service accessing to our server. Also we can't run firewall-cmd command to apply rule before staring service.

Fortunately firewalld provide option to apply rules by updating config xml files.  Its makes our task easy.  Steps to be perform task
  1. Generate xml rules in test machine.
  2. Copy xml rules file in target host
  3.  update rules in XML file then start service.


## Login to any test VM
$ ssh  

## Verify there is no custom added rule exist
$ cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
## start firewalld service
$ systemctl restart firewalld
## Add rules to allow mysql port 3301
$ firewall-cmd --zone=public --add-rich-rule "rule family="ipv4" source address="192.168.1.2" port port=3301 protocol=tcp accept"
$ firewall-cmd --runtime-to-permanent

## Verify if rules added
cat /etc/firewalld/zones/public.xml

## Copy rules to target host
$ scp /etc/firewalld/zones/public.xml root@192.168.1.1:/etc/firewalld/zones/public.xml

# Login to targer host
$ ssh root@192.168.1.1
# Verify XML file
$ /etc/firewalld/zones/public.xml
# start service
$ systemctl start firewalld

Comments

Post a Comment

Popular posts from this blog

Mysql to CSV

-
Yesterday we have requirement to send report to our senior in excel format by retrieving data from database . Since there are only 10 rows so we can also manually create excel. But like other programmers, I am also very lazy, so that we create this script to export values from Mysql in csv format. mysql -u mysqlusername -p mysqlpass databsename -B -e "select * from \` tabalename \`;" | sed 's/\t/","/g;s/^/"/;s/$/"/;s/\n//g' > mysql_exported_table.csv After that we fount that there are many other programming methods to perform this task.
Read more

Setup K8s cluster via kubeadm

-
Kubernetes is an open source software tool for managing containerised workloads. It enables development teams to automate the deployment, scaling and management of applications. The kubeadm tool helps bootstrap a minimum viable Kubernetes cluster that conforms to best practices. This guide will walk you through how to install Kubernetes on Ubuntu 16.04. Prerequisites 3 Linux servers running Ubuntu 16.04 Access to a user account on each system with sudo or root privileges The apt package manager, included by default Command-line/terminal window (Ctrl-Alt-T) Steps to Install Kubernetes on Ubuntu Setup repository Get the Docker gpg key: $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - Add the Docker repository: $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" Get the Kubernetes gpg key: $ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - Add the...
Read more