LinuxQuestions.org - Linux - Networking
I can't help but think that there is an easy way to do this.
I want to limit ssh (*and vnc*) connections to those originating from my isp only. I would like the packets from other sources to be dropped.
Did I miss something in the config files? Is there a simple iptables rule for this? Or is there something simple I can put in hosts.allow?
thanks
rog
well you need to just identify what those potential networks are then. once you have those subnets, e.g. 217.120.34.0/24 then that subnet just becomes a parameter to the -s option in iptables.
hosts.allow seems to be doing the trick for SSH. The major problem was people trying to log on using dictionaries. Now they get connection refused and go on to the next box. Maybe it's time to look into TightVNC?
the next box? how many do you have? there are certainly plenty of ways to guard against dictionary attacks. say if you have 10 logon failures within 5 minutes, block connections from that source address for 1 hour etc... all simple iptables rules really, if you check the iptables howto.
Also in general I'd advise against using hosts.allow (tcpwrappers) as the front line of security. Whilst it's very useful and should be used where possible, having a more generic iptables firewall sitting in front of that, stopping most sources from ever even being allowed to open a connection to the server, is generally preferable.
And I'm really not sure how tightvnc will help you here... I'd be much much more comfortable exposing ssh to the net than vnc...
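As an added example (not posted in this thread), here is what the two suggestions above look like as concrete iptables rules: the ISP subnet goes to `-s`, and the "10 attempts in 5 minutes, block for an hour" policy is built with the `recent` match. The subnet 217.120.34.0/24 is the placeholder from the reply above, and the list names `sshcount` and `sshban` are my own; the script only prints the rules unless you set `DRYRUN=0`.

```shell
#!/bin/sh
# Added example: restrict SSH to one source subnet and throttle repeated
# connection attempts. Defaults to printing the rules (DRYRUN=1) so it is
# safe to run as an ordinary user; set DRYRUN=0 to apply them as root.
DRYRUN=${DRYRUN:-1}

ipt() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the SSH rules for one allowed subnet. Rule order matters: each
# packet is matched against the rules top to bottom.
ssh_rules() {
    subnet=$1
    # Traffic on connections this box already accepted is let through.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Anything not from the ISP's subnet is silently dropped.
    ipt -A INPUT -p tcp --dport 22 ! -s "$subnet" -j DROP
    # Sources put on the "sshban" list within the last hour stay blocked.
    ipt -A INPUT -p tcp --dport 22 -m recent --name sshban --rcheck --seconds 3600 -j DROP
    # Record every new SSH connection attempt per source address.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshcount --set
    # 10 or more new connections from one address within 5 minutes: ban it.
    # Note this counts connection attempts, not failed logins; the kernel
    # cannot see the login result, so attempts are the usable proxy.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshcount --rcheck --seconds 300 --hitcount 10 -m recent --name sshban --set -j DROP
    # Everything else from the subnet may open a new SSH connection.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

ssh_rules 217.120.34.0/24
```

Check `/proc/net/xt_recent/sshban` after applying to see which addresses are currently banned.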
Agreed, iptables can and WILL do a lot, when I get around to it.
But the only one wanting to connect to this particular box should be on my isp, so it seemed like that would be a quick and easy way to ignore the rest if I could just specify ignore all but myisp.net, which hosts.allow does.
vnc however doesn't use tcpwrappers, so I'll have to get down and dirty with that one or force vnc to go through ssh.
Well, I'd certainly recommend an ssh tunnel for that, because if nothing else there is only a single service (ssh) being exposed to the internet. So you can enable whatever insecure services you wish, and as long as you only connect via an ssh tunnel you'll be just as secure as if they weren't running.