TudorRaduta
Community Manager

Friday Superboss: The "Panic Room" Lockdown

Cut all connections. Keep one lifeline.

Happy Friday! Today’s Superboss challenge is about Defensive Architecture.

We’ve all run --add-service=http. That’s easy. But today, we are simulating an active breach.

You need to lock down the server so that NO ONE can talk to it, except you. And you have to do it without knowing which physical interface you are using.

The Scenario: The "Panic Room"

Your web server is under a massive attack. You need to cut off all access immediately to stop the bleeding, but you must keep an SSH line open for yourself to fix the damage.

The Requirements:

  1. The Black Hole: The default behavior for any packet arriving at any interface must be to DROP it silently. No ICMP unreachable, just silence.
  2. The Lifeline: Your specific Management Station IP (192.168.10.55) must be allowed full SSH access.
  3. The Trick: You cannot assign the interface eth0 to a "trusted" zone because the attack traffic is coming in on eth0 too. You must separate your traffic based on Source IP, not Interface.

The Map:

You are using the hidden power of Firewalld: Zone Dispatch Order. Firewalld checks requests in this order:

  1. Source Zone: (Does the incoming IP match a zone?) <-- This is your key!
  2. Interface Zone: (Does the incoming interface match a zone?)
  3. Default Zone: (If nothing else matches.)

Your Architect Challenge:

To build this Panic Room, you need 4 commands. Be careful—if you run step 4 before step 3, you disconnect yourself!

Step 1: The VIP Zone

Create a new zone named admin_rescue.

Step 2: The Invite

How do you add ONLY the source IP 192.168.10.55/32 to this new zone? (This tells Firewalld: "If you see this IP, send it here, regardless of the interface").

Step 3: The Service

Add the ssh service to the admin_rescue zone.

Step 4: The Lockdown (The Dangerous Part)

Now that your IP is safe in its own custom zone, how do you set the Global Default Zone to drop, instantly cutting off everyone else?

This is how you survive a siege. Let's see your firewall configs!
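An added pre-flight guard for Step 4 (example code, not part of this thread or of firewalld itself): it reads the runtime listing of the rescue zone and refuses `--set-default-zone=drop` until the source IP and the ssh service are both active, which is exactly the step-ordering mistake the warning above describes. The two zone listings are constructed samples, and `lifeline_ok` and `panic_room_lockdown` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: a guard for "Step 4: The Lockdown".
# It reads the *runtime* state of the rescue zone (what firewalld enforces
# right now, which is what matters the instant the default zone flips to
# drop) and only runs --set-default-zone=drop once the lifeline is active.
# Assumes firewalld's firewall-cmd; the "  sources:" / "  services:" lines
# are its standard --list-all layout.

ADMIN_IP="192.168.10.55/32"
RESCUE_ZONE="admin_rescue"

# lifeline_ok LISTING ADMIN_IP
# LISTING is the text of `firewall-cmd --zone=$RESCUE_ZONE --list-all`.
# Succeeds (exit 0) only if ADMIN_IP appears under "sources:" AND ssh under
# "services:"; taking the text as an argument lets it be checked offline.
lifeline_ok() {
    sources=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*sources:[[:space:]]*//p')
    services=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    have_src=no; have_ssh=no
    for item in $sources;  do [ "$item" = "$2" ]  && have_src=yes; done
    for item in $services; do [ "$item" = "ssh" ] && have_ssh=yes; done
    [ "$have_src$have_ssh" = "yesyes" ]
}

# panic_room_lockdown: Step 4, refused unless Steps 2 and 3 are live.
panic_room_lockdown() {
    listing=$(firewall-cmd --zone="$RESCUE_ZONE" --list-all) || return 1
    if lifeline_ok "$listing" "$ADMIN_IP"; then
        firewall-cmd --set-default-zone=drop
    else
        echo "refusing lockdown: $ADMIN_IP with ssh is not active in $RESCUE_ZONE" >&2
        return 1
    fi
}

# Constructed sample listings (not captured from a real host) showing the two
# states the guard must tell apart.
READY_LISTING='admin_rescue (active)
  target: default
  sources: 192.168.10.55/32
  services: ssh'
# Step 2 applied, Step 3 not yet: locking down here would cut the lifeline.
HALF_BUILT_LISTING='admin_rescue (active)
  target: default
  sources: 192.168.10.55/32
  services:'

# Only touch the live firewall when explicitly asked: ./panic_room.sh --apply
if [ "${1:-}" = "--apply" ]; then panic_room_lockdown; fi
```

The guard deliberately checks the runtime state without `--permanent`, because `--set-default-zone` takes effect immediately while a zone that was only changed with `--permanent` and never reloaded is not yet enforced.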

2 Replies
Architect_005
Mission Specialist

Hi
Please find the details.

Step 1: The VIP Zone

Create a new zone named admin_rescue.
# sudo firewall-cmd --permanent --new-zone=admin_rescue
# sudo firewall-cmd --reload

Step 2: The Invite

How do you add ONLY the source IP 192.168.10.55/32 to this new zone? (This tells Firewalld: "If you see this IP, send it here, regardless of the interface").

# sudo firewall-cmd --permanent --zone=admin_rescue --add-source=192.168.10.55/32

Step 3: The Service
Add the ssh service to the admin_rescue zone.

# sudo firewall-cmd --permanent --zone=admin_rescue --add-service=ssh
# sudo firewall-cmd --reload

Step 4: The Lockdown (The Dangerous Part)
Now that your IP is safe in its own custom zone, how do you set the Global Default Zone to drop, instantly cutting off everyone else?

# sudo firewall-cmd --set-default-zone=drop

Trevor
Commander

Well Tudor, you gave us the instructions on the steps to bake the cake,
so here's my ingredients:

Step 1:

$ sudo firewall-cmd --permanent --new-zone=admin_rescue
$ sudo firewall-cmd --reload    # the new zone must exist in the runtime config before Step 2 refers to it

Step 2:

$ sudo firewall-cmd --permanent --zone=admin_rescue --add-source=192.168.10.55/32

Step 3:

$ sudo firewall-cmd --permanent --zone=admin_rescue --add-service=ssh    # ssh, not http: the lifeline is the SSH session
$ sudo firewall-cmd --reload    # activate the source and service before the lockdown

Step 4:

$ sudo firewall-cmd --set-default-zone=drop    # applies to runtime and permanent config, hence --permanent on Steps 2 and 3


Based on the manpage for the firewall-cmd command, along with the steps that you provided, this is how I would accomplish the task.

Trevor "Red Hat Evangelist" Chandler