On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem. The linksys router is
> > currently forwarding all ssh traffic to my gentoo box. What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts. Can someone please help me out with this? All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative. They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your setup to be. I always suggest disabling
passwd authentication and enabling public key authentication, after you copy &
paste each client's public key into the file ~/.ssh/authorized_keys. Any
passwd cracking attacks will simply fail. I would also suggest that you move
your sshd port from 22 to a higher number. All/most of these bots scanning
port 22 will now leave you alone. Finally, you can set up additional layers
like allow/deny users, MAC addresses, etc. While you're at it, don't forget
to disable root logins.

If you want to introduce diverse protection then iptables (and as previously
suggested hosts.allow/hosts.deny) is an option. In your iptables script (or
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d <server_LAN_ip_address> -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher
number 'free' port. Your final catch-all rule at the bottom of your iptables
will drop any packets (on any port) from hosts other than the clients you
specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that
you can specify WAN IP addresses (I know that you can in my hardware router,
but don't know in yours).

If anyone manages to break into the server through such an sshd setup, then
they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick
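The allow-list plus log-and-reject arrangement that the original question asks for and the reply sketches, written out as a small script. This is an added example, not code from either poster; the interface name, port and the two client addresses are constructed placeholders, and the rate limit on the LOG rule is an addition so that a port scan cannot flood syslog.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore fragment
# that accepts SSH only from a short allow-list, then logs (rate limited)
# and rejects every other connection attempt to the SSH port.
# Assumptions: WAN-facing interface is eth0; port and client addresses
# below are constructed sample values (RFC 5737 documentation ranges).

SSH_PORT=2222            # the reply above suggests moving off port 22
WAN_IF=eth0              # interface facing the Linksys router
ALLOWED_CLIENTS="203.0.113.10 198.51.100.7"   # constructed allow-list

# ssh_rules PORT IFACE "IP1 IP2 ..."  -> iptables-restore text on stdout.
# Only appends to INPUT; chain policies and other rules are left alone
# when loaded with 'iptables-restore -n' (--noflush).
ssh_rules() {
    port=$1; iface=$2; clients=$3
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in $clients; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -s $ip --dport $port -j ACCEPT"
    done
    # Log at most 5 lines per minute so a scanner cannot fill the disk,
    # then reject with a TCP reset so the client fails fast.
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"SSH-REJECT: \""
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    printf '%s\n' 'COMMIT'
}

# Review the generated rules, then load them as root with:
#   ssh_rules "$SSH_PORT" "$WAN_IF" "$ALLOWED_CLIENTS" | iptables-restore -n
ssh_rules "$SSH_PORT" "$WAN_IF" "$ALLOWED_CLIENTS"
```

Rejected attempts then show up in the kernel log with the "SSH-REJECT:" prefix, which is what the original question asked to record.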