From Fedora Project Wiki
(bad section of service file)
(ipv6)
Line 8: Line 8:
# Create a new drop-in service file in <code>/etc/systemd/system/sshd.service.d/filter.conf</code> with the following content: <code><nowiki>\n
# Create a new drop-in service file in <code>/etc/systemd/system/sshd.service.d/filter.conf</code> with the following content: <code><nowiki>\n
[Service]\n
[Service]\n
IPAddressDeny=127.0.0.1
IPAddressDeny=localhost
</nowiki></code>
</nowiki></code>
# Reload the systemd configuration: <code>systemctl daemon-reload</code>
# Reload the systemd configuration: <code>systemctl daemon-reload</code>
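Review bot: the drop-in content in this step still embeds literal \n sequences inside the nowiki span (after the opening tag and after [Service]), and the wiki prints them verbatim, so the rendered step reads "\n [Service]\n IPAddressDeny=localhost" on one line and anyone copying it gets an invalid unit file. Put the two lines of the file in a preformatted block instead. On the changed line, it would also help to state in the step that IPAddressDeny=localhost covers both the IPv4 and the IPv6 loopback addresses, since that is the point of the "ipv6" revision and ssh localhost may resolve to ::1.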

Revision as of 13:55, 22 March 2018

Description

Verify that the OpenSSH server can be restricted by the systemd eBPF IP address filter.

Setup

Make sure OpenSSH packages (client and server) are installed.

rpm -q openssh-server openssh-clients

How to test

  1. Create a new directory for drop-in service files for OpenSSH server: mkdir /etc/systemd/system/sshd.service.d/
  2. Create a new drop-in service file in /etc/systemd/system/sshd.service.d/filter.conf with the following content:

         [Service]
         IPAddressDeny=localhost

  3. Reload the systemd configuration: systemctl daemon-reload
  4. Restart the openssh service: systemctl restart sshd
  5. Attempt to connect to localhost using ssh: ssh localhost
  6. Remove the drop-in service file: rm -rf /etc/systemd/system/sshd.service.d/
  7. Reload the systemd configuration: systemctl daemon-reload
  8. Restart the openssh service: systemctl restart sshd
  9. Verify that you can connect successfully now: ssh localhost

Expected Results

The following must be true to consider this a successful test run.

  1. Step #5 should reject the connection.
  2. Step #9 should connect successfully again (either a password prompt appears or you are let in by public key authentication).

Optional

If you see any issues, check the logs in the journal and make sure the services are running.
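
The procedure and expected results above, written as a script. This is an added example, not part of the original test case: it assumes root privileges, and it substitutes ssh-keyscan (from openssh-clients) for the interactive ssh localhost so that no credentials are needed. The function names and the --run switch are this example's own.

```shell
#!/bin/sh
# Added example: automates steps 1-9 of the test case. Run as root with --run.
DROPIN_DIR=/etc/systemd/system/sshd.service.d

# Steps 1-2: create the drop-in directory ($1) and write filter.conf into it.
write_dropin() {
    mkdir -p "$1" &&
    printf '[Service]\nIPAddressDeny=localhost\n' > "$1/filter.conf"
}

# Succeed if an SSH server on host $1 (port $2, default 22) returns a host key
# within 5 seconds. ssh-keyscan stands in for "ssh localhost" in steps 5 and 9
# (assumption of this example): it shows reachability without logging in.
sshd_reachable() {
    [ -n "$(ssh-keyscan -T 5 -p "${2:-22}" "$1" 2>/dev/null)" ]
}

# Steps 3-4 and 7-8: reload unit files, restart sshd, give it a moment.
apply_units() {
    systemctl daemon-reload && systemctl restart sshd && sleep 1
}

# Returns 0 if both expected results hold, 1 if either fails, 2 on setup error.
run_test() {
    rc=0
    write_dropin "$DROPIN_DIR" && apply_units || return 2
    if sshd_reachable localhost; then
        echo "FAIL: step 5 connected although IPAddressDeny=localhost is set"
        rc=1
    else
        echo "PASS: step 5 rejected the connection"
    fi
    # Step 6 removes the whole drop-in directory, as the test case does.
    # Cleanup runs even after a failure so sshd is not left filtered.
    rm -rf "$DROPIN_DIR" && apply_units || return 2
    if sshd_reachable localhost; then
        echo "PASS: step 9 connected"
    else
        echo "FAIL: step 9 still rejected after removing the drop-in"
        rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    run_test
fi
```

Without --run the script only defines the functions, so it can be sourced and the checks called one at a time.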