From 329edaee8716569407eeb4f11768791403af31f9 Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Mon, 28 Jan 2019 14:09:18 +0200
Subject: [PATCH] roles/common: Rate limit SSH connections in firewalld

I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.

See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
---
 roles/common/templates/public.xml.j2 | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/public.xml.j2 b/roles/common/templates/public.xml.j2
index 192d253..ba24232 100644
--- a/roles/common/templates/public.xml.j2
+++ b/roles/common/templates/public.xml.j2
@@ -7,14 +7,24 @@
     <rule family="ipv4">
         <source address="0.0.0.0/0"/>
         <port protocol="tcp" port="22"/>
-        <accept/>
+        <log prefix="ssh fw limit 5/m " level="warning">
+            <limit value="5/m"/>
+        </log>
+        <accept>
+            <limit value="5/m"/>
+        </accept>
     </rule>
 
     {# ipv6 ssh rules #}
     <rule family="ipv6">
         <source address="::/0"/>
         <port protocol="tcp" port="22"/>
-        <accept/>
+        <log prefix="ssh fw limit 5/m " level="warning">
+            <limit value="5/m"/>
+        </log>
+        <accept>
+            <limit value="5/m"/>
+        </accept>
     </rule>
 
     {# web rules #}