
Enable SSH Server firewalld Firewall Exception

An XCCDF Rule

Description

If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access.

To configure firewalld to allow ssh access, run the following command(s):

firewall-cmd --permanent --add-service=ssh

Then run the following command to load the newly created rule(s):

firewall-cmd --reload

Warning

The remediation for this rule uses the firewall-cmd and nmcli tools. Therefore, it will only be executed if the firewalld and NetworkManager services are running. Otherwise, the remediation will be aborted and an informative message will be shown in the remediation report. These services will not be started, in order to preserve any intentional change in network components related to the firewall and network interfaces.

Warning

This rule also checks whether the SSH port was modified by the administrator in the firewalld service definitions and whether it reflects the expected port number. Although this is checked, fixing a custom ssh.xml file placed by the administrator in /etc/firewalld/services is not in the scope of the remediation, since there is no reliable way to automatically change that file. If the default SSH port is modified, it is the administrator's responsibility to ensure the firewalld customizations at the service port level are properly configured.
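The check described above, as an added example that is not part of the SSG rule content: it reads the port sshd is configured to listen on, picks the administrator's custom ssh.xml if one exists (otherwise the distribution default), and verifies that the service definition actually opens that port. File paths are passed as arguments and the sample files are constructed inline so the check runs offline.

```shell
#!/bin/sh
# Added example (not SSG code): compare sshd's listening port with the port
# declared in the firewalld "ssh" service definition that is in effect.

# Port sshd listens on: last uncommented "Port" line in sshd_config, else 22.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${p:-22}"
}

# Ports declared in a firewalld service file, e.g. <port protocol="tcp" port="22"/>.
service_ports() {
    [ -f "$1" ] || return 1
    sed -n 's/.*<port[^>]*port="\([0-9]\{1,\}\)".*/\1/p' "$1"
}

# Returns 0 when the effective service definition (custom file if present,
# otherwise the default one) lists sshd's port, 1 otherwise.
check_ssh_service_port() {
    sshd_cfg=$1; custom=$2; default=$3
    want=$(sshd_port "$sshd_cfg")
    if [ -f "$custom" ]; then def=$custom; else def=$default; fi
    service_ports "$def" | grep -qx "$want"
}

# Constructed sample files standing in for /etc/ssh/sshd_config,
# /usr/lib/firewalld/services/ssh.xml and /etc/firewalld/services/ssh.xml.
make_samples() {
    d=$(mktemp -d)
    printf 'Port 2222\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '<service><port protocol="tcp" port="22"/></service>\n' > "$d/ssh-default.xml"
    printf '<service><port protocol="tcp" port="2222"/></service>\n' > "$d/ssh-custom.xml"
    printf '%s\n' "$d"
}

dir=$(make_samples)
if check_ssh_service_port "$dir/sshd_config" "$dir/ssh-custom.xml" "$dir/ssh-default.xml"; then
    echo "firewalld ssh service opens sshd port $(sshd_port "$dir/sshd_config")"
else
    echo "MISMATCH: firewalld ssh service does not open sshd's port" >&2
fi
```

On a real host, call check_ssh_service_port with /etc/ssh/sshd_config, /etc/firewalld/services/ssh.xml and /usr/lib/firewalld/services/ssh.xml; a mismatch means the remediation's --add-service=ssh will open the wrong port.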

Rationale

If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port.

ID
xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
Severity
Medium



Remediation - Ansible

- name: XCCDF Value firewalld_sshd_zone # promote to variable
  set_fact:
    firewalld_sshd_zone: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_firewalld_sshd_zone" use="legacy"/>
  tags:
    - always


Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    yum install -y "firewalld"
fi