LinuxQuestions.org
Old 03-24-2004, 08:47 AM   #1
krilen
Member
 
IPtables: close ssh for all except one IP


Hi.

I am a beginner at iptables.

I have a server with DNS and mail, and I want to make sure that only I can access the machine with ssh. How do I drop every attempt to access ssh except mine (192.168.100.158)?

I have tried, tested and searched for an answer but can't find it.

I'm running Fedora and this is a copy of my iptables configuration:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thank you in advance

Regards
Krister

 
Old 03-24-2004, 09:15 AM   #2
dominant
Member
 
Use tcp wrapper to do the job.
in your /etc/hosts.allow add

sshd: ALL@yourIP
 
Old 03-24-2004, 09:49 AM   #3
krilen
Member
 
Original Poster
Hi.

It didn't work.

I removed the DROP line and -s 192.168.100.158 in the ACCEPT line.

I even rebooted the machine, I can still log in to it from another IP. Have I forgotten something else?

Regards
Krister
 
Old 03-24-2004, 10:06 AM   #4
dominant
Member
 
hosts.allow
sshd: ALL@YourIP

hosts.deny
#http-rman : ALL EXCEPT LOCAL
ALL : ALL


Check it again
 
Old 03-24-2004, 10:10 AM   #5
Hangdog42
LQ Veteran
 
You could use the ! (not) in your rules. So get rid of the following two lines:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT


And replace them with

iptables -A INPUT ! -s 192.168.100.158 -p tcp --dport 22 -j DROP


Essentially, any IP address that is NOT 192.168.100.158 isn't allowed to connect to port 22.

By the way, your original set of rules probably didn't work because they were in the wrong order. The packet hit the rule to drop all new traffic heading for port 22 and was dropped. It never saw the rule to accept from your IP address. Remember, iptables executes the rules in order and stops once it has a rule that matches the packet.

 
Old 03-25-2004, 05:24 AM   #6
krilen
Member
 
Original Poster
Hi.

Thank you both for your help.

I didn't get the firewall solution to work, but I got the tcp wrapper to work when I changed the deny to sshd: ALL (I didn't want to close for smtp and dns).

Regards
Krister
 
Old 03-25-2004, 07:50 AM   #7
dominant
Member
 
put in your hosts.allow

sendmail : ALL
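The lookup order that posts #2, #4, #6 and #7 rely on (hosts.allow is consulted first, then hosts.deny, and a pair that matches neither is allowed) as an added example, not code from the thread: a small Python model of the hosts_access(5) decision, run against the file contents dominant and krilen posted. The function names (`hosts_access`, `results`), the second client address 10.0.0.7, and the net/mask and trailing-dot pattern forms are my additions; ident lookups for `user@host` patterns are not modelled, so the user part is honoured only when it is ALL.

```python
# Added example, not from the thread: a model of the lookup that tcpd /
# libwrap performs against /etc/hosts.allow and /etc/hosts.deny. It only
# reproduces the documented order (allow file, then deny file, then allow)
# and the pattern forms used in this thread plus net/mask and prefix forms.
# Assumptions: clients are plain IPv4 addresses, and ident lookups for
# user@host patterns are not modelled (the user part must be ALL).
import ipaddress
import re

_SEP = re.compile(r"[\s,]+")          # tcpd separates list items by blanks or commas


def _parse(text):
    """Yield (daemon_tokens, client_tokens) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access line: {raw!r}")
        yield _SEP.split(fields[0]), _SEP.split(fields[1])   # shell_command options ignored


def _daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_match(pattern, ip):
    if "@" in pattern:                      # user@host form, as in "ALL@192.168.100.158"
        user, pattern = pattern.split("@", 1)
        if user != "ALL":
            return False                    # would need an ident lookup; not modelled
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # n.n.n.n/m.m.m.m network form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # "192.168.100." matches the whole /24 by prefix
        return ip.startswith(pattern)
    return ip == pattern


def _list_match(tokens, item, match):
    """'a EXCEPT b' matches when something in a matches and b (recursively) does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_match(tokens[:i], item, match) and not _list_match(tokens[i + 1:], item, match)
    return any(match(tok, item) for tok in tokens)


def _file_match(text, daemon, ip):
    return any(_list_match(d, daemon, _daemon_match) and _list_match(c, ip, _client_match)
               for d, c in _parse(text))


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """True when the connection is permitted. First match in hosts.allow
    grants, otherwise first match in hosts.deny refuses, otherwise grant."""
    if _file_match(allow_text, daemon, client_ip):
        return True
    if _file_match(deny_text, daemon, client_ip):
        return False
    return True


# Constructed file contents, copied from the posts in this thread.
ALLOW_POST4 = "sshd: ALL@192.168.100.158\n"
DENY_POST4 = "#http-rman : ALL EXCEPT LOCAL\nALL : ALL\n"
DENY_POST6 = "sshd: ALL\n"                                  # what krilen settled on
ALLOW_POST7 = ALLOW_POST4 + "sendmail : ALL\n"              # dominant's fix for mail

ME, OTHER = "192.168.100.158", "10.0.0.7"                   # OTHER is a constructed address


def results():
    """Outcome of each configuration discussed, for the two client addresses."""
    return {
        "post4/ssh-from-me": hosts_access(ALLOW_POST4, DENY_POST4, "sshd", ME),             # True
        "post4/ssh-from-other": hosts_access(ALLOW_POST4, DENY_POST4, "sshd", OTHER),       # False
        "post4/smtp-from-other": hosts_access(ALLOW_POST4, DENY_POST4, "sendmail", OTHER),  # False: ALL : ALL
        "post6/smtp-from-other": hosts_access(ALLOW_POST4, DENY_POST6, "sendmail", OTHER),  # True: no match anywhere
        "post6/ssh-from-other": hosts_access(ALLOW_POST4, DENY_POST6, "sshd", OTHER),       # False
        "post7/smtp-from-other": hosts_access(ALLOW_POST7, DENY_POST4, "sendmail", OTHER),  # True
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name:24s} {'allow' if ok else 'deny'}")
```

Only a daemon that is linked against libwrap (OpenSSH's sshd is) or started through tcpd ever performs this lookup. named is not, so neither version of hosts.deny ever affected DNS, and iptables remains the only control for such services.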
 
Old 03-25-2004, 08:24 AM   #8
Hangdog42
LQ Veteran
 
You know Krister, that really isn't much of a firewall. If I'm reading it correctly, the ONLY things that don't get through are packets heading to port 22 and anything matching the --icmp-host-prohibited rule. It is a much better idea to DROP everything and then open only the ports you need.

Just my
 
Old 03-26-2004, 10:26 AM   #9
krilen
Member
 
Original Poster
Hi Hangdog42,

What should I add to iptables to drop all packets except for ports 22, 25, 53 and samba? I know that I should have one rule after the other, but which ones?

My iptables rules look like this now:

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -s 192.168.100.158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


Got the firewall working after I removed the "crape" that the system automatically added.

/Krister
 
Old 03-26-2004, 11:16 AM   #10
Hangdog42
LQ Veteran
 
Well, the biggest weakness in your original firewall is that the defaults are set to ACCEPT. Set them to DROP

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Now that everything is locked down, start allowing the stuff you want. For starters, allow loopback

iptables -A INPUT -i lo -j ACCEPT

Then allow specific ports to be open

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Decorate these rules with any limitations you need, such as -s flags

Also allow ESTABLISHED and RELATED packets

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Then on your output chain, you can allow NEW as well as ESTABLISHED and RELATED

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You are going to want to add some logging rules so you can see what things are being dropped.

Please note that this is a very simple firewall. You certainly need to do some more reading in the security forum and get a good understanding of what else may be useful to have. You are also going to want to install an IDS like Snort and a file monitor like Aide or Tripwire.
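The rule walking that posts #5, #9 and #10 depend on, as an added example that is not code from the thread: a Python first-match model of an iptables chain (first matching rule wins; the chain policy applies when nothing matches), loaded with the rule lists posted above. It is a model, not iptables, and covers only the matches the posts use (-i, -p, --dport, -s, ! -s, -m state). The names `Packet`, `Rule`, `verdict` and `scenarios`, the second client address 10.0.0.7, and the udp/53 rule in the default-DROP list are my additions; the icmp, esp and ah rules from the posts are left out because they never touch port 22.

```python
# Added example, not from the thread: a first-match model of how iptables
# walks a chain (first matching rule wins, chain policy if none matches),
# covering only the matches the posts use: -i, -p, --dport, -s, ! -s and
# -m state. Rule lists below are transcribed from the posts (icmp/esp/ah
# rules left out as irrelevant to port 22); packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                  # "tcp" or "udp"
    dport: int
    state: str                  # conntrack state: NEW / ESTABLISHED / RELATED
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT, DROP or REJECT
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    src: Optional[str] = None          # -s address or CIDR
    src_negated: bool = False          # ! -s (older spelling: -s ! addr)
    state: frozenset = frozenset()     # -m state --state ...
    iface: Optional[str] = None        # -i

    def matches(self, pkt):
        if self.iface and pkt.iface != self.iface:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.state and pkt.state not in self.state:
            return False
        if self.src:
            in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
            if in_net == self.src_negated:     # "!" inverts the address test
                return False
        return True


def verdict(rules, policy, pkt):
    """(target, index) of the first matching rule, or (policy, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.target, i
    return policy, None


NEW, EST = frozenset({"NEW"}), frozenset({"ESTABLISHED", "RELATED"})
ME = "192.168.100.158"

# Post #1's RH-Firewall-1-INPUT chain, in the order posted.
ORIGINAL = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0"),                     # distro-added: accepts all of eth0
    Rule("ACCEPT", state=EST),
    Rule("ACCEPT", proto="tcp", dport=53, state=NEW),
    Rule("DROP", proto="tcp", dport=22, state=NEW),   # shadows the ACCEPT below
    Rule("ACCEPT", proto="tcp", dport=22, state=NEW, src=ME),
    Rule("ACCEPT", proto="tcp", dport=25, state=NEW),
    Rule("REJECT"),
]
# The same chain once the eth0 catch-all is gone (post #9 removed it).
ORDERED_WRONG = [r for r in ORIGINAL if r.iface != "eth0"]
# Post #5's single negated rule in place of the DROP/ACCEPT pair.
NEGATED_ONLY = [r for r in ORDERED_WRONG if r.dport != 22]
NEGATED_ONLY.insert(3, Rule("DROP", proto="tcp", dport=22, src=ME, src_negated=True))
# Post #9: the ACCEPT for port 22 carries the -s restriction itself.
REVISED = [
    Rule("ACCEPT", iface="lo"), Rule("ACCEPT", state=EST),
    Rule("ACCEPT", proto="tcp", dport=22, src=ME),
    Rule("ACCEPT", proto="tcp", dport=53), Rule("ACCEPT", proto="tcp", dport=25),
    Rule("REJECT"),
]
# Post #10's shape: policy DROP, so no catch-all rule is needed.
DEFAULT_DROP = [
    Rule("ACCEPT", iface="lo"), Rule("ACCEPT", state=EST),
    Rule("ACCEPT", proto="tcp", dport=22, src=ME, state=NEW),
    Rule("ACCEPT", proto="tcp", dport=25, state=NEW),
    Rule("ACCEPT", proto="tcp", dport=53, state=NEW),
    Rule("ACCEPT", proto="udp", dport=53, state=NEW),  # assumption: DNS also needs UDP 53
]

SSH_FROM_ME = Packet(ME, "tcp", 22, "NEW")
SSH_FROM_OTHER = Packet("10.0.0.7", "tcp", 22, "NEW")      # constructed client address
HTTP_FROM_OTHER = Packet("10.0.0.7", "tcp", 80, "NEW")


def scenarios():
    """One verdict per turn of the thread: (target, index of the matching rule)."""
    return {
        # post #3 "I can still log in from another IP": rule 1 accepts all of eth0
        "original/ssh-from-other": verdict(ORIGINAL, "ACCEPT", SSH_FROM_OTHER),
        # post #5's point: without the catch-all, the DROP (rule 3) is hit first
        "ordered-wrong/ssh-from-me": verdict(ORDERED_WRONG, "ACCEPT", SSH_FROM_ME),
        # post #5's rule on its own drops others, but nothing accepts ME any more
        "negated-only/ssh-from-other": verdict(NEGATED_ONLY, "ACCEPT", SSH_FROM_OTHER),
        "negated-only/ssh-from-me": verdict(NEGATED_ONLY, "ACCEPT", SSH_FROM_ME),
        # post #9: restricted ACCEPT, everything else reaches the final REJECT
        "revised/ssh-from-me": verdict(REVISED, "ACCEPT", SSH_FROM_ME),
        "revised/ssh-from-other": verdict(REVISED, "ACCEPT", SSH_FROM_OTHER),
        # post #10: the DROP policy catches whatever no rule accepts
        "default-drop/ssh-from-me": verdict(DEFAULT_DROP, "DROP", SSH_FROM_ME),
        "default-drop/http-from-other": verdict(DEFAULT_DROP, "DROP", HTTP_FROM_OTHER),
    }
```

Two things the model makes visible that the thread only hints at: the distro-added `-i eth0 -j ACCEPT` rule sits above every port rule in post #1, so neither the DROP nor the ACCEPT for port 22 was ever reached, which is why post #3 could still log in from another address; and the single negated DROP from post #5 needs an ACCEPT for port 22 somewhere below it in a chain that ends in REJECT or has a DROP policy, or the permitted address is locked out too.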
 
Old 03-26-2004, 02:05 PM   #11
J.W.
LQ Veteran
 
Hangdog - I'm an extreme novice when it comes to security but I'm trying to read up on it and I definitely appreciate your clear descriptive comments on this topic. I know I have a long way to go and a lot of reading still to do, but posts such as yours definitely are a huge assist. Thanks -- J.W.
 
Old 03-26-2004, 02:25 PM   #12
Hangdog42
LQ Veteran
 
Thanks for the compliment J.W. Of course, people like unSpawn, chort and Capt. Caveman have forgotten more about security than I'll ever know so don't take my musings as anything more than another newbie trying to learn......
 
Old 03-26-2004, 02:37 PM   #13
krilen
Member
 
Original Poster
Hi Hangdog42,

Thanks for your help, I will try it as soon as possible. As I said in the beginning, I am a beginner with iptables, but I have a better understanding now than before. But I have no idea what IDS, Snort, Aide or Tripwire are. Do you know where I could get some information so I don't fly in the dark?

And once more, thanks for your help.

Regards
Krister
 
Old 03-26-2004, 06:07 PM   #14
Hangdog42
LQ Veteran
 
One of the best starting points is unSpawn's sticky thread at the top of the forum. The amount of information he's collected there is amazing.

But just to define a few terms for you

Snort is an Intrusion Detection System (IDS). Basically it monitors your network interface for traffic that looks like an attack. It won't stop the attack, but it can warn you and (hopefully) preserve a record of what happened in case a hacker got through.

Both Aide and Tripwire are programs that monitor file integrity. If I understand them correctly, they take a "snapshot" of the files on your disk and then can use that snapshot at later times to see if any of the files have been altered. Again, if the worst happens, these programs could tell you what files were changed.
 
  

