Cockpit lockdown

Hello Folks,

I’ve got a question regarding the bundled software package that comes with Fedora Server called Cockpit.
It has been very useful to me, but I want to lock down access to it to only the local network. Right now the server is running on an internet facing server, and I don’t feel comfortable having port 9090 open for all to see.
How do I go about doing this?

Hello.
Do you have more than one network interface? I mean, an IP address exposed to the internet, and the other one exposed to the local network?

Sadly I only have 1 interface.

No problem.
If nobody with better knowledge of Cockpit replies, you could use a firewall rule or an SSH tunnel.

Using a firewall rule.
(This is only an example, maybe there are better ways).
Get the zone related to your interface.

$ firewall-cmd --get-active-zones
   FedoraServer
      interfaces: ens3

Then remove the cockpit service (that was allowed from all).

$ sudo firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit

Then add a rich rule (port 9090 is denied by default, but allowed from your network).

$ sudo firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="your.local.network/netmask" port protocol="tcp" port="9090" accept'

Reload the firewall

$ sudo firewall-cmd --reload

Using an SSH tunnel
Alternatively, you could find a way to bind Cockpit only to localhost (so that it listens only on localhost) by following this guide: https://cockpit-project.org/guide/133/listen.html, or by removing the allow rule in the firewall (as seen above):

$ sudo firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit

Then, from your machine connect to the server using something like this:
ssh -L 9090:localhost:9090 username@your.server

Then, open your browser and connect to https://localhost:9090/

2 Likes
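A check for the firewall steps in the answer above, added here as an example and not part of the original posts: it reads `firewall-cmd --zone=FedoraServer --list-all` output and reports whether port 9090 is still open to everyone. The function name `cockpit_exposure`, the sample outputs and the network 192.168.1.0/24 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies Cockpit exposure from the
# output of `firewall-cmd --zone=ZONE --list-all` given on stdin.
# Prints: open (any source), restricted (source-limited rich rule), or closed.
# Limits: port ranges and forward-port rules are not evaluated.
cockpit_exposure() {
    awk '
        # cockpit listed as a zone service, or 9090/tcp as a zone port: open to all
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "cockpit")  wide = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == "9090/tcp") wide = 1 }
        # rich rule accepting 9090 or the cockpit service
        /^[ \t]*rule / && (/port="9090"/ || /service name="cockpit"/) && / accept/ {
            if ($0 ~ /source address="/) restricted = 1
            else wide = 1
        }
        END {
            if (wide) print "open"
            else if (restricted) print "restricted"
            else print "closed"
        }
    '
}

# Constructed sample: zone before the change (cockpit service allowed from all).
BEFORE='FedoraServer (active)
  interfaces: ens3
  services: cockpit dhcpv6-client ssh
  ports:
  rich rules:'

# Constructed sample: zone after --remove-service, --add-rich-rule and --reload.
AFTER='FedoraServer (active)
  interfaces: ens3
  services: dhcpv6-client ssh
  ports:
  rich rules:
    rule family="ipv4" source address="192.168.1.0/24" port port="9090" protocol="tcp" accept'

printf '%s\n' "$BEFORE" | cockpit_exposure
printf '%s\n' "$AFTER"  | cockpit_exposure

# On the server itself:
#   sudo firewall-cmd --zone=FedoraServer --list-all | cockpit_exposure
```

Without `--permanent`, `--list-all` shows the runtime configuration, so a result of `open` after editing the permanent rules means the reload has not been done yet.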

This is exactly what I was looking for, Thanks! Case closed!

2 Likes

If you think that the answer solves your issue, please mark it as “Solution”. 🙂

2 Likes