Linux - Security
I have a server with DNS and mail, I want to make sure that only I can access the machine with ssh. How do I drop every attempt to access ssh except mine (192.168.100.158).
Have tried, tested and searched for an answer but can't find it.
I'm running Fedora and this is a copy of iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
You could use the ! (not) in your rules. So get rid of the following two lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
And replace them with
iptables -A INPUT ! -s 192.168.100.158 -p tcp --dport 22 -j DROP
Essentially, any IP address that is NOT 192.168.100.158 isn't allowed to connect to port 22.
By the way, your original set of rules probably didn't work because they were in the wrong order. The packet hit the rule to drop all new traffic heading for port 22 and was dropped. It never saw the rule to accept from your IP address. Remember, iptables executes the rules in order and stops once it has a rule that matches the packet.
I didn't get the firewall solution to work, but I got the tcp wrapper to work when I changed the deny to sshd: ALL (I didn't want to close for smtp and dns).
You know Krister, that really isn't much of a firewall. If I'm reading it correctly, the ONLY things that don't get through are packets heading to port 22 and anything matching the --icmp-host-prohibited rule. It is a much better idea to DROP everything and then open only the ports you need.
Well, the biggest weakness in your original firewall is that the defaults are set to ACCEPT. Set them to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now that everything is locked down, start allowing the stuff you want. For starters, allow loopback
iptables -A INPUT -i lo -j ACCEPT
Then allow specific ports to be open
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Decorate these rules with any limitations you need, such as -s flags
Also allow ESTABLISHED and RELATED packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then on your output chain, you can allow NEW as well as ESTABLISHED and RELATED
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
You are going to want to add some logging rules so you can see what things are being dropped.
Please note that this is a very simple firewall. You certainly need to do some more reading in the security forum and get a good understanding of what else may be useful to have. You are also going to want to install an IDS like Snort and a file monitor like Aide or Tripwire.
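The two points made in this thread, that iptables stops at the first matching rule and that a default-DROP policy with explicit ACCEPTs is the safer layout, are easy to see with a small simulator. The block below is an added example written for this page, not code from any poster. It models only the match options the posted rules use (-i, -s and ! -s, -p, --dport, -m state) and runs three versions of the posted RH-Firewall-1-INPUT chain (the original order, the two port-22 rules swapped, and the single "! -s ... DROP" rule placed at the same position) plus the default-DROP layout described above. The interface eth1 and the address 10.0.0.5 are constructed; the ICMP, ESP and AH rules from the posted chain are omitted because they do not affect TCP port 22.

```python
"""Added example, not from the thread: a minimal first-match simulator for
the iptables rules discussed above. It models only the match options the
posted rules use (-i, -s / ! -s, -p, --dport, -m state) and the
"stop at the first matching rule, else apply the chain policy" behaviour."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp"
    dport: Optional[int]
    state: str                      # conntrack state: NEW, ESTABLISHED, RELATED
    iface: str = "eth1"             # constructed second interface (assumption)


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or REJECT
    iface: Optional[str] = None     # -i
    src: Optional[str] = None       # -s
    negate_src: bool = False        # "! -s": match when the source is NOT src
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    states: Optional[Set[str]] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and (p.src == self.src) == self.negate_src:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """iptables semantics: the first matching rule decides; nothing matched -> policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


SSH_DROP_ALL = Rule("DROP", proto="tcp", dport=22, states={"NEW"})
SSH_ACCEPT_ADMIN = Rule("ACCEPT", src="192.168.100.158", proto="tcp", dport=22, states={"NEW"})
SSH_DROP_OTHERS = Rule("DROP", src="192.168.100.158", negate_src=True, proto="tcp", dport=22)


def posted_chain(ssh_rules: List[Rule]) -> List[Rule]:
    """RH-Firewall-1-INPUT as posted (ICMP/ESP/AH rules omitted), with the
    port-22 rules replaced by the given list at the same position."""
    return [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", iface="eth0"),   # note: accepts everything arriving on eth0
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", proto="tcp", dport=53, states={"NEW"}),
        *ssh_rules,
        Rule("ACCEPT", proto="tcp", dport=25, states={"NEW"}),
        Rule("REJECT"),
    ]


# The default-DROP layout from the post above: policy DROP, open only what is needed.
DEFAULT_DROP_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    SSH_ACCEPT_ADMIN,                               # port 22 limited with -s
    Rule("ACCEPT", proto="tcp", dport=53),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
]


def run_scenarios() -> Dict[str, str]:
    """Constructed packets run through each chain variant; returns name -> verdict."""
    admin_syn = Packet("192.168.100.158", "tcp", 22, "NEW")
    other_syn = Packet("10.0.0.5", "tcp", 22, "NEW")           # constructed outsider
    other_syn_eth0 = Packet("10.0.0.5", "tcp", 22, "NEW", iface="eth0")
    web_syn = Packet("10.0.0.5", "tcp", 80, "NEW")
    reply = Packet("10.0.0.5", "tcp", 40123, "ESTABLISHED")
    as_posted = posted_chain([SSH_DROP_ALL, SSH_ACCEPT_ADMIN])
    reordered = posted_chain([SSH_ACCEPT_ADMIN, SSH_DROP_ALL])
    negate_only = posted_chain([SSH_DROP_OTHERS])
    return {
        "posted/admin": verdict(as_posted, "ACCEPT", admin_syn),          # DROP
        "posted/other": verdict(as_posted, "ACCEPT", other_syn),          # DROP
        "posted/other-eth0": verdict(as_posted, "ACCEPT", other_syn_eth0),  # ACCEPT
        "reordered/admin": verdict(reordered, "ACCEPT", admin_syn),       # ACCEPT
        "reordered/other": verdict(reordered, "ACCEPT", other_syn),       # DROP
        "negate-only/admin": verdict(negate_only, "ACCEPT", admin_syn),   # REJECT
        "negate-only/other": verdict(negate_only, "ACCEPT", other_syn),   # DROP
        "default-drop/admin": verdict(DEFAULT_DROP_CHAIN, "DROP", admin_syn),  # ACCEPT
        "default-drop/other": verdict(DEFAULT_DROP_CHAIN, "DROP", other_syn),  # DROP
        "default-drop/web": verdict(DEFAULT_DROP_CHAIN, "DROP", web_syn),      # DROP
        "default-drop/reply": verdict(DEFAULT_DROP_CHAIN, "DROP", reply),      # ACCEPT
    }


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:20s} -> {v}")
```

Three things fall out of the run. With the rules in the posted order, the admin's SYN hits the "DROP all port 22" rule before its ACCEPT is reached; swapping the two rules fixes that. A single "! -s ... DROP" rule in that position drops outsiders but leaves the admin's SYN to fall through to the chain's final REJECT, which matches the report below that the firewall suggestion did not work; it needs the admin ACCEPT rule in front of it. And the "-i eth0 -j ACCEPT" rule near the top of the posted chain accepts every packet arriving on eth0 before the port-22 rules are consulted at all, which is the strongest argument for the default-DROP layout, where nothing is reachable unless a rule explicitly opens it.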
Hangdog - I'm an extreme novice when it comes to security but I'm trying to read up on it and I definitely appreciate your clear descriptive comments on this topic. I know I have a long way to go and a lot of reading still to do, but posts such as yours definitely are a huge assist. Thanks -- J.W.
Thanks for the compliment J.W. Of course, people like unSpawn, chort and Capt. Caveman have forgotten more about security than I'll ever know so don't take my musings as anything more than another newbie trying to learn......
Thanks for your help, I will try it as soon as possible. As I said in the beginning, I am a beginner with iptables; I have a better understanding now than before. But I have no idea what IDS, Snort, Aide or Tripwire is. Do you know where I could get some information so I don't fly in the dark?
One of the best starting points is unSpawn's sticky thread at the top of the forum. The amount of information he's collected there is amazing.
But just to define a few terms for you
Snort is an Intrusion Detection System (IDS). Basically it monitors your network interface for traffic that looks like an attack. It won't stop the attack, but it can warn you and (hopefully) preserve a record of what happened in case a hacker got through.
Both Aide and Tripwire are programs that monitor file integrity. If I understand them correctly, they take a "snapshot" of the files on your disk and then can use that snapshot at later times to see if any of the files have been altered. Again, if the worst happens, these programs could tell you what files were changed.
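The "snapshot, then compare later" idea behind Aide and Tripwire is small enough to show in full. The block below is an added example written for this page, not code from either project or from any poster: it records size, permission bits and a SHA-256 digest for every regular file under a directory, stores that baseline as JSON, and later reports added, removed and changed files. The directory tree and its contents are constructed for the demo (the hosts.deny line is the one mentioned earlier in the thread); real tools also record owner, timestamps, inode numbers and extended attributes, and keep the baseline somewhere an intruder cannot rewrite it.

```python
"""Added example, not from the thread: the core of a file-integrity checker
(Aide/Tripwire style) in miniature. Baseline a tree, then diff it later."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]   # (size, permission bits as octal text, sha256 hex)


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk root and record one entry per regular file, keyed by relative path."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            baseline[rel] = (st.st_size, oct(stat.S_IMODE(st.st_mode)), h.hexdigest())
    return baseline


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences the way an integrity checker reports them."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, Entry], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh)


def load_baseline(path: str) -> Dict[str, Entry]:
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, then alter it three ways."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        write("etc/hosts.deny", b"sshd: ALL\n")            # the tcp-wrapper line from the thread
        write("etc/motd", b"authorised users only\n")
        write("bin/sshd", b"original sshd binary\n")       # stand-in for a binary

        db = os.path.join(dbdir, "baseline.json")          # kept outside the tree being checked
        save_baseline(snapshot(root), db)

        # Later: one same-size content change (size alone would miss it),
        # one deletion and one new file.
        write("bin/sshd", b"tampered sshd binary\n")
        os.remove(os.path.join(root, "etc", "motd"))
        write("lib/unknown.so", b"\x7fELF constructed sample\n")

        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is written to a separate directory so the checker does not report its own database as a new file; in practice it also has to be protected from whoever might alter the files it covers, otherwise a modified file and a regenerated baseline look identical to a clean run.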