Saw this while investigating RHEL 6 security benchmarks, etc.
Andrew Gilmore (1): Fixed typo in example iptables network/netmask pair for limiting ssh port to trusted networks.
RHEL6/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
Signed-off-by: Andrew Gilmore agilmore2@gmail.com --- RHEL6/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index 4370eb8..93427ac 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml @@ -369,7 +369,7 @@ Edit the files <tt>etc/sysconfig/iptables</tt> and <tt>/etc/sysconfig/ip6tables< (if IPv6 is in use). In each file, locate the line: <pre>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</pre> and replace it with: -<pre>-A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre> +<pre>-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre> </description> <rationale> Restricting SSH access to only trusted network segments reduces exposure of the SSH
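Review bot: the `+` line's `netwk/mask` now matches the form iptables expects for `-s` (address and prefix joined with no space), so the fix is correct as far as it goes; two things in the surrounding unchanged context of this hunk could be fixed in the same one-line change or a follow-up. The opening `<tt>etc/sysconfig/iptables</tt>` is missing its leading slash (compare `/etc/sysconfig/ip6tables` right after it), and the replacement rule drops the `-m tcp` match that the "locate the line" rule carries (`-m state --state NEW -m tcp -p tcp --dport 22`), so a reader doing a literal replace ends up with a rule that differs from the original in more than the `-s netwk/mask` restriction the text describes.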
On 9/28/12 1:21 PM, Andrew Gilmore wrote:
-<pre>-A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre> +<pre>-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre>
Thanks for the catch! Ack
Please push (or indicate you need someone to do so for you).
scap-security-guide@lists.fedorahosted.org