Cockpit lockdown

Hello Folks,

I’ve got a question regarding the bundeled software package that comes with Fedora Server called Cockpit.
It has been very usefull to me, but I want to lock down access to it to only the local network. Right now the server is running on an internet facing server, and I don’t feel comfortable having port 9090 open for all to see.
How do I go about doing this?

Do you have more than one network interface? I mean, an IP address exposed to the internet, and the other one exposed to the local network?

Sadly I only have 1 interface.

No problem.
If nobody whit better knowledge of Cockpit, you could use a firewall rule, or an SSH tunnel.

Using a firewall rule.
(This is only an example, maybe there are better ways).
Get the zone related to your interface.

$ firewall-cmd --get-active-zones
      interfaces: ens3

Then remove the cockpit service (that was allow from all).

$ sudo firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit

Then add a rich rule (port 9090 denied by default, but allow from your network)

$ sudo firewall-cmd --permanent --zone=FedoraServer --add-rich-rule=' \
    rule family="ipv4" \
    source address="" \
    port protocol="tcp" port="9090" accept' 

Reload the firewall

$ sudo firewall-cmd --reload

Using an SSH tunnel
In alternative, you could find the way to bind cockpit only on localhost (to listen only on localhost), by following this guide, or by removing the allow rule in the firewall (as seen above): $ sudo firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit

Then, from your machine connect to the server using something like this:
ssh -L 9090:localhost:9090 username@your.server

Then, open your browser and connect to https://localhost:9090/


This is exactly what I was looking for, Thanks! Case closed!


