From f5337fc7dc757769eeee66aafc7fc60667e19bc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torbj=C3=B6rn=20L=C3=B6nnemark?= <tobbez@ryara.net>
Date: Mon, 1 Jul 2024 15:39:01 +0200
Subject: [PATCH] CVE-2024-6387 ("regreSSHion"): Block ssh from outside lysator
 on system server

---
 manifests/system.pp | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/manifests/system.pp b/manifests/system.pp
index fa8bce6..cf02efb 100644
--- a/manifests/system.pp
+++ b/manifests/system.pp
@@ -41,6 +41,27 @@ class analysator::system::nat {
     }
   }
 
+  # CVE-2024-6387 ("regreSSHion")
+  # https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+  firewall { '000 block ssh outside lysator (v4)':
+    chain => 'INPUT',
+    dport => '22',
+    source => '! 130.236.254.0/24',
+    proto => 'tcp',
+    action => 'reject',
+  }
+
+  # CVE-2024-6387 ("regreSSHion")
+  # https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+  firewall { '000 block ssh outside lysator (v6)':
+    chain => 'INPUT',
+    dport => '22',
+    source => '! 2001:6b0:17:f0a0::/64',
+    proto => 'tcp',
+    action => 'reject',
+    provider => 'ip6tables',
+  }
+
   firewall { '200 forward internal':
     chain    => 'FORWARD',
     iniface  => $analysator::system::internal_iface,
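Review bot: The two new `reject` rules are a stop-gap for CVE-2024-6387, but neither comment records that they are temporary or what condition allows their removal, so they are likely to outlive the upgrade they are standing in for; I would extend the comment on both rules to something like `# Temporary mitigation: remove once sshd on this host runs a fixed OpenSSH release (9.8p1 or a distro-backported fix).` The rules also match only `dport => '22'` on the `INPUT` chain, so they do not cover an sshd listening on another port, nor any SSH traffic this NAT host forwards to internal machines via `FORWARD` (the `200 forward internal` rule below suggests forwarding is in use) — whether either applies here is not visible in the hunk, so it is worth confirming and, if relevant, adding matching `FORWARD` rules. Finally, the Qualys advisory linked in the comment notes that setting `LoginGraceTime 0` in sshd_config closes the race on unpatched hosts at the cost of a DoS exposure; if the package update is delayed, that is a complementary, source-independent mitigation to consider. The enclosing class `analysator::system::nat` starts before and continues past this hunk.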
-- 
GitLab