LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Old 01-20-2010, 01:12 PM   #1
seryi
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 1
I blocked SSH 22 port with IPtables


Hi,
I got a server with CentOS today, and someone told me to block access to port 22 for all IPs except mine.

So I did
Code:
iptables -A INPUT -p tcp -s my_ip --dport 22 -j ACCEPT
and after that
iptables -A INPUT -p tcp --dport 22 -j REJECT
After that I tried from another IP and I could still connect.
I checked the iptables status and then stopped it
Code:
service iptables stop
and wrote again
Code:
iptables -A INPUT -p tcp --dport 22 -j REJECT
After this the server kicked me out, and now I can't connect any more =/


Is there anything I can do about this, or do I have to contact support to fix it for me?

thx
 
Old 01-20-2010, 04:15 PM   #2
sunnydrake
Member
 
Registered: Jul 2009
Location: Kiev,Ukraine
Distribution: Ubuntu,Slax,RedHat
Posts: 288
Blog Entries: 1

Rep: Reputation: 41
If you don't have another service running that can remotely reboot the PC or start this service, or access via a physical terminal, then unfortunately no.
 
Old 01-20-2010, 05:23 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Next time set up an at(1) job before implementing ruleset changes so that if you lock yourself out the rules will be automatically flushed in a couple minutes.

Read here and here.
 
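Two things in this thread go together: the rule ordering in post #1 (with `-A` the new rules are appended behind whatever the distribution already put in INPUT, so an earlier rule can still let everyone in, and once the chain is empty a lone REJECT locks the admin out too) and anomie's at(1) safety net in post #3. The script below is an added example, not code from the thread or from any distribution: it snapshots the live ruleset, queues an `iptables-restore` of that snapshot with at(1) before touching anything, inserts the SSH allow-list at the head of INPUT in a safe order, and tells you how to disarm the timer once a fresh login works. The address 203.0.113.10 and the 5-minute window are constructed sample values, and `DRY_RUN=1` makes every privileged command print instead of execute so the logic can be rehearsed without root.

```shell
#!/bin/sh
# Added example (not from the thread): apply an SSH allow-list with iptables
# behind an at(1) rollback timer, so a mistake undoes itself.
# DRY_RUN=1 makes every privileged command print instead of execute.
# The admin address and the 5-minute window are constructed sample values.

run() {
    # Route every privileged command through here so the script can be
    # rehearsed without root or a real firewall.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Save the live ruleset; the rollback restores exactly this file.
snapshot_rules() {
    snap=$(mktemp /tmp/iptables-snapshot.XXXXXX)
    if [ "${DRY_RUN:-0}" != "1" ]; then
        iptables-save > "$snap"
    fi
    echo "$snap"
}

# Queue the rollback BEFORE touching any rule. Prints the at job number
# (or the would-be command in dry-run mode) so it can be cancelled later.
schedule_rollback() {
    minutes=$1; snap=$2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "at now + $minutes minutes: iptables-restore < $snap"
        return 0
    fi
    # at(1) reports "job N at <date>" on stderr; keep only N.
    printf 'iptables-restore < %s\n' "$snap" \
        | at now + "$minutes" minutes 2>&1 | awk '/^job / { print $2 }'
}

# Insert (-I) at the head of INPUT rather than append (-A): an appended rule
# sits behind whatever is already in the chain, which is why an earlier
# "accept ssh" rule can silently win. Positions 1-3 keep the order:
# established traffic, the admin's address, then everyone else.
ssh_allowlist_rules() {
    admin_ip=$1
    run iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT 2 -p tcp -s "$admin_ip" --dport 22 -j ACCEPT
    run iptables -I INPUT 3 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
}

# Full procedure: snapshot, arm the timer, change rules, verify, disarm.
apply_ssh_allowlist() {
    admin_ip=$1; window=${2:-5}
    snap=$(snapshot_rules)
    job=$(schedule_rollback "$window" "$snap")
    ssh_allowlist_rules "$admin_ip"
    echo "Rules applied. Rollback job: $job"
    echo "Test a NEW ssh login from $admin_ip within $window minutes, then run:"
    echo "  atrm $job && rm -f $snap"
}

# Usage: DRY_RUN=1 sh safe-ssh-allowlist.sh --apply 203.0.113.10
case "${1:-}" in
    --apply) apply_ssh_allowlist "$2" "${3:-5}" ;;
esac
```

The ESTABLISHED,RELATED rule at position 1 is what keeps the session you are typing in alive while the rest changes; the verification step must be a new login from a second terminal, because the existing session proves nothing about the new rules. If the new login fails, do nothing: the at job restores the snapshot when the window expires.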
Old 01-20-2010, 06:02 PM   #4
seryi
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Original Poster
Rep: Reputation: 1
OK, thanks.
I already contacted support. I need to set up a VNC server at least next time, to be able to log in somehow.
 
Old 01-22-2010, 12:10 AM   #5
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Quote:
Originally Posted by anomie
Next time set up an at(1) job before implementing ruleset changes so that if you lock yourself out the rules will be automatically flushed in a couple minutes.
Check out iptables-apply (in iptables sources). This is its stated job. Not sure how well it works because I've not tested it.
 
1 members found this post helpful.
Old 01-22-2010, 01:37 AM   #6
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: Mepis; Maemo; openSUSE
Posts: 384
Blog Entries: 74

Rep: Reputation: 81
For an easier solution to the same problem, I'd amend sshd_config to allow specific users & IPs by amending AllowUsers. For example, I only allow one specific user any access, and myself from the LAN only (e.g. rich@192.168.1.*). Then install fail2ban to cut down on the regular attack attempts.

Not quite as elegant, but effective and easier nonetheless.
 
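To see what an AllowUsers line like the one in post #6 actually lets through, here is an added example (not code from the thread, and not sshd's own implementation): a small shell emulation of the AllowUsers matching rules, where a bare USER pattern matches from any host and a USER@HOST pattern requires both parts to match, with `*` and `?` wildcards. The user names, addresses and pattern list are constructed sample values; the emulation covers only the wildcard form of the host part, not the CIDR form sshd also accepts.

```shell
#!/bin/sh
# Added example (not from the thread): emulate how sshd evaluates an
# AllowUsers list so an allow-list can be sanity-checked before it is
# installed. Hypothetical helper, not sshd's own code. It covers USER and
# USER@HOST patterns with * and ? wildcards; CIDR host patterns are not
# emulated. All names and addresses below are constructed samples.

# Pattern lists contain '*', so turn off pathname expansion for the whole
# script; case-pattern matching is unaffected by this.
set -f

# allow_users_match "PATTERNS" USER SOURCE -> exit 0 if the login would be
# accepted by AllowUsers, 1 if it would be refused.
allow_users_match() {
    patterns=$1; user=$2; src=$3
    for pat in $patterns; do
        case "$pat" in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;   # user AND host must match
            *)   upat=$pat;       hpat='*' ;;         # bare user: any host
        esac
        # Unquoted case patterns give sshd-style * and ? globbing.
        case "$user" in
            $upat) ;;
            *) continue ;;
        esac
        case "$src" in
            $hpat) return 0 ;;
        esac
    done
    return 1
}

# Render the directive for sshd_config from the same pattern list.
render_allow_users() {
    echo "AllowUsers $*"
}

# Run a set of attempted logins ("user source" pairs) through the list
# and print one verdict per attempt.
check_allow_list() {
    patterns=$1; shift
    for attempt in "$@"; do
        u=${attempt%% *}; s=${attempt#* }
        if allow_users_match "$patterns" "$u" "$s"; then
            echo "ALLOW  $u from $s"
        else
            echo "REFUSE $u from $s"
        fi
    done
}

# Usage: sh allowusers-check.sh 'rich@192.168.1.* deploy' \
#            'rich 192.168.1.20' 'rich 203.0.113.5' 'root 192.168.1.20'
if [ $# -ge 2 ]; then
    render_allow_users $1
    check_allow_list "$@"
fi
```

Two practical notes that follow from the emulation: `rich@192.168.1.*` refuses rich from any address outside that range, and a user who matches no pattern at all is refused from everywhere, so the admin's own entry has to be on the line before it goes live. As anomie says in post #7, an sshd_config change does not drop the session you edit from, so check the file with `sshd -t`, restart, and confirm a new login from a second terminal before closing the first one.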
Old 01-27-2010, 11:37 AM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Duly noted about iptables-apply. I will give it a run sometime.

The nice thing about using an AllowUsers (or AllowGroups) pattern, or using tcp wrappers, or using pam_access is that changes to their rulesets will not kick you out immediately -- unlike iptables. So, you can make a change, leave your ssh session open, and then try to ssh in from a different terminal to confirm that you didn't accidentally lock yourself out.

All three of these options will result in lots of log noise from crackers, though. Using iptables (and dropping their connection request before it ever reaches sshd) spares you from that noise.
 
Old 02-02-2010, 08:43 PM   #8
sunnydrake
Member
 
Registered: Jul 2009
Location: Kiev,Ukraine
Distribution: Ubuntu,Slax,RedHat
Posts: 288
Blog Entries: 1

Rep: Reputation: 41
The most effective way in my case to shake off SSH attackers proved to be changing the default SSH port. Also, you can keep a different copy of the SSH service on another port in case of emergency.
 
All times are GMT -5. The time now is 08:21 AM.