From Fedora Project Wiki
Description
Verify that the OpenSSH server can be restricted by the systemd eBPF-based IP address filter.
Setup
Make sure OpenSSH packages (client and server) are installed.
rpm -q openssh-server openssh-clients
How to test
- Create a new directory for drop-in service files for OpenSSH server:
mkdir /etc/systemd/system/sshd.service.d/
- Create a new drop-in service file in
/etc/systemd/system/sshd.service.d/filter.conf
with the following content:
[Service]
IPAddressDeny=localhost
- Reload the systemd configuration:
systemctl daemon-reload
- Restart the openssh service:
systemctl restart sshd
- Attempt to connect to localhost using ssh:
ssh localhost
- Remove the drop-in service file:
rm -rf /etc/systemd/system/sshd.service.d/
- Reload the systemd configuration:
systemctl daemon-reload
- Restart the openssh service:
systemctl restart sshd
- Verify that you can connect successfully now:
ssh localhost
Expected Results
The following must be true to consider this a successful test run.
- Step #5 should reject the connection.
- Step #9 should connect successfully again (there is either a password prompt or you are allowed in by public key authentication).
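Steps 5 and 9 can be scripted so that a filtered connection is told apart from a login that merely failed authentication. The functions below are an added example, not part of the wiki test case. The names classify_ssh and probe_sshd and the grouping of OpenSSH client messages into "blocked" and "reachable" are assumptions, since the page does not say which error the filter produces.

```shell
#!/bin/sh
# Added example: non-interactive version of "ssh localhost" for steps 5 and 9.

# classify_ssh EXIT_CODE STDERR_TEXT
# Prints one of:
#   reachable  sshd answered (login worked, or it got as far as refusing it)
#   blocked    no SSH session with sshd could be established
#   unknown    some other client-side failure (for example name resolution)
classify_ssh() {
    rc=$1
    err=$2
    # ssh exits 255 on its own errors; any other status is the remote command's.
    if [ "$rc" -ne 255 ]; then
        echo reachable
        return
    fi
    case $err in
        *"Permission denied"*|*"Host key verification failed"*)
            # sshd sent its host key or an auth refusal: the network path is open
            echo reachable ;;
        *"Connection timed out"*|*"Connection refused"*|*"Connection reset"*|*"Connection closed"*)
            # assumption: these are the forms a dropped or rejected connection takes
            echo blocked ;;
        *)
            echo unknown ;;
    esac
}

# probe_sshd [HOST]
# Makes one attempt with no password prompt and a short timeout, keeps only
# the client's stderr, and classifies the outcome.
probe_sshd() {
    host=${1:-localhost}
    err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$host" true 2>&1 >/dev/null) \
        && rc=0 || rc=$?
    classify_ssh "$rc" "$err"
}
```

Run probe_sshd after step 4 and expect "blocked"; run it again after step 8 and expect "reachable", which covers both the password-prompt and the public-key case from the expected results.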
Optional
If you see any issues, investigate the logs in the journal and make sure the services are running.