| 1 |
On Wednesday 31 January 2007 20:56, Albert Hopkins wrote: |
| 2 |
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote: |
| 3 |
> > List members - |
| 4 |
> > |
| 5 |
> > I have a small home server that I have connected to the internet |
| 6 |
> > through a linksys router and cable modem. The linksys router is |
| 7 |
> > currently forwarding all ssh traffic to my gentoo box. What I would |
| 8 |
> > like to do is set up iptables to only allow ssh logins from a small |
| 9 |
> > number of internet hosts, and to reject and log all other ssh |
| 10 |
> > attempts. Can someone please help me out with this. All of the |
| 11 |
> > tutorials and documentation that I have found are setting up a fully |
| 12 |
> > functioning firewall / NAT / proxy, and I think that is a little |
| 13 |
> > overkill for my needs.s |
| 14 |
> |
| 15 |
> If you don't want the whole iptables suite you might want to consider |
| 16 |
> good ole hosts.allow/hosts.deny as an alternative. They work fine with |
| 17 |
> sshd if you have tcpwrappers enabled. |
| 18 |
|
| 19 |
It depends how secure you want your set up to be. I always suggest to disable |
| 20 |
passwd authentication and enable public key authentication, after you copy & |
| 21 |
paste each client's public key in the file ~/.ssh/authorized_keys. Any |
| 22 |
passwd cracking attacks will simply fail. I would also suggest that you move |
| 23 |
your sshd port from 22 to a higher number. All/most of these bots scanning |
| 24 |
port 22 will now leave you alone. Finally, you can set up additional layers |
| 25 |
like allow/deny users, MAC addresses, etc. While you're at it, don't forget |
| 26 |
disabling root logins. |
| 27 |
|
| 28 |
If you want to introduce diverse protection then iptables (and as previously |
| 29 |
suggested hosts.allow/hosts.deny) is an option. In your iptables script (or |
| 30 |
saved set of iptables rules) add something like: |
| 31 |
|
| 32 |
iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d |
| 33 |
<server_LAN_ip_address> -j ACCEPT |
| 34 |
|
| 35 |
Of course, I suggest that you change port 22 in the line above to a higher |
| 36 |
number 'free' port. Your final catch-all rule at the bottom of your iptables |
| 37 |
will drop any packets (on any port) from hosts other than the clients you |
| 38 |
specified in my line above. |
| 39 |
|
| 40 |
Finally, you can repeat this in your router's firewall rules, assuming that |
| 41 |
you can specify WAN ip addresses (I know that you can in my hardware router, |
| 42 |
but don't know in yours). |
| 43 |
|
| 44 |
If any one manages to break in to the server through such a sshd setup, then |
| 45 |
they bl**dy well deserve it! |
| 46 |
|
| 47 |
HTH. |
| 48 |
-- |
| 49 |
Regards, |
| 50 |
Mick |
Archives