Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*
Can I do that? Can you give me an example of how this can be done?
I've not set any firewall rules manually yet, and only 5 or 6 ports are listening for my services. Does it cause a problem to leave other ports accessible? Or if no service listens on a port, is that port still accessible? Should I close them? And how?
Thanks.
SSH is too insecure. It allows access, and terminal-level control.
However, if you want this, there's scripting, where you can easily enter the IP in the script and define the IP range directly, also within that very script.
Quote:
I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*
Can I do that? Can you give me an example of how this can be done?
You can use iptables to deny IPs outside of a given range, like:
Code:
iptables -A INPUT -p TCP --dport 22 -m iprange ! --src-range 100.15.25.1-100.15.25.254 -j DROP
Quote:
I've not set any firewall rules manually yet, and only 5 or 6 ports are listening for my services. Does it cause a problem to leave other ports accessible? Or if no service listens on a port, is that port still accessible? Should I close them? And how?
A port is only open if something is listening on it. There's nothing wrong per se with only making sure you don't have any unwanted ports open, but using a firewall to make sure is a good idea. A firewall lets you set up access restrictions (such as the iptables example above) and it can protect you from certain configuration mistakes.
Well, without seeing your iptables (and I don't suggest posting them here), it's hard to say. You should have a DROP policy or declare a final DROP rule after you open the ports you want.
I'm not really sure what you want to do: allow your list to ssh in or ssh out, as the rules are different in each case. Are you protecting or limiting an internal net behind your machine?
If it is a single machine then I'd assume you are interested in allowing only a certain group of sources in. And assuming you already have a few set up, then inserting a specific rule BEFORE all your other rules would be effective. (iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT) does it. But then you might want to put a general DROP just after it. You could do that by inserting the general DROP rule first and then inserting the specific ACCEPT. -I (insert) without a rule number just inserts it at the front of the chain, so inserting DROP first and then ACCEPT sets them up in the correct order at the front of the chain.
I think it is bad policy to assume that nothing is listening on a port and generally give explicit DROP rules.
You can look at what is set up by issuing the iptables list command like this as sudo or root. I use sudo.
Code:
$ sudo /sbin/iptables -L -v -n --line-numbers
This gives the rule numbers by chain.
What happens if you block all ports and then enter these:
Code:
iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -s 59.45.123.57 -j ACCEPT
Do I allow both the first IP range and the second IP, or does the second one overwrite the first one?
Also I have a web server, and I just realized that my server got attacked over SSH by brute force. I moved SSH to another port, but I want to close all ports except 80, 21 etc... But if a port with nothing listening doesn't cause any security risk, I don't need to do it. I just want it for security and attack-blocking reasons.
When you say you block all ports first and then ACCEPT, I am assuming you meant DROP all and then ACCEPT. That will not work, as once they are dropped, the ACCEPT rule will never see them, as processing stops on a packet that is dropped. And yes, you can have as many ACCEPT rules as you need. Once a packet is accepted, processing on that packet depends on what is listening on that socket (port). The rules are processed in order and processing is determined by the -j target.
Another early rule should be iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT to accept established connections.
Just ACCEPT the ports you want first and finish up with a DROP rule. This one is general: iptables -A INPUT -j DROP
Be sure to list the rules to see if they execute in the order you desired. You may need to flush existing rules before you set up the table.
Dave
Last edited by david1941; 05-21-2009 at 03:30 PM.
Reason: correct spelling
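Putting the advice in this thread together (ESTABLISHED,RELATED accepted first, one ACCEPT per allowed SSH source, the catch-all DROP appended last, then a listing with --line-numbers), here is an added example script that is not from the thread or any of its posters. It assumes an IPT variable naming the iptables binary and defaults to a dry run that only prints the commands, so the order can be checked without root; SSH_SOURCES, SSH_PORT, valid_ipv4_source, ssh_ruleset and list_rules are my own names, and the allow-list reuses the thread's example addresses.

```sh
#!/bin/sh
# Added example (not from the thread): an ordered INPUT ruleset for
# restricting SSH to a few sources. IPT defaults to a dry run that
# prints each iptables command instead of applying it.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"
# Constructed allow-list using the thread's example sources.
SSH_SOURCES="${SSH_SOURCES:-100.15.25.0/24 59.45.123.57}"

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32).
# Returns 0 when valid, 1 otherwise, so a typo (or a shell-style
# "100.15.25.*") is never handed to iptables.
valid_ipv4_source() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject empty, leading/trailing/doubled dots and anything that is
    # not a digit or dot before splitting, so no glob character reaches set.
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the INPUT rules in evaluation order. -A appends, so the order
# here is the order packets are checked: loopback and established
# traffic first, then each SSH source, then the catch-all DROP last.
# A DROP placed earlier would stop processing before any later ACCEPT.
ssh_ruleset() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for src in $SSH_SOURCES; do
        valid_ipv4_source "$src" || { echo "skipping invalid source: $src" >&2; continue; }
        $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$src" -j ACCEPT
    done
    $IPT -A INPUT -j DROP
}

# Show the resulting chain with rule numbers, as the thread suggests.
list_rules() {
    $IPT -L INPUT -v -n --line-numbers
}
```

Run it as-is to review the commands, then with `IPT=/sbin/iptables` as root to apply them; the flush at the top is the "flush existing rules" step, and the final DROP means anything not explicitly accepted above it (web and FTP included) is dropped, so add their ACCEPT rules before it.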
Another thing you might want to consider is running fail2ban, which scans your logs for failed logons and dynamically updates your firewall to ban the offending ip address. It works not only for SSH, but a variety of other services.
I use it because a few of the branch offices I work out of have dynamically assigned ip addresses, which opens up a quite large ip range that is able to SSH in.
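As an added illustration of what fail2ban automates (this is not fail2ban's code and not from the thread): a small POSIX shell filter that counts sshd "Failed password" lines per source address over a constructed auth.log excerpt and emits a DROP rule for every address at or above a threshold. The sample log lines and the IPT, failed_logins_by_ip, ban_candidates and ban_rules names are my own; the addresses come from documentation ranges plus the thread's 100.15.25.* example. The ban uses -I so it lands ahead of any SSH ACCEPT rules, since evaluation stops at the first match.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal stand-in for the
# fail2ban idea. IPT defaults to a dry run that prints the commands.
IPT="${IPT:-echo iptables}"

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 03:14:07 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 10 03:14:09 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51023 ssh2
Jan 10 03:14:12 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Jan 10 03:14:15 web1 sshd[2205]: Accepted publickey for dave from 100.15.25.17 port 40112 ssh2
Jan 10 03:14:20 web1 sshd[2207]: Failed password for dave from 100.15.25.17 port 40113 ssh2
Jan 10 03:14:31 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.4 port 33011 ssh2
Jan 10 03:14:33 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.4 port 33012 ssh2
Jan 10 03:14:35 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.4 port 33013 ssh2
Jan 10 03:14:40 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.4 port 33014 ssh2
EOF
)

# Read sshd log lines on stdin; print "count ip", most failures first.
# Only lines that are both from sshd and a password failure are counted.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# $1 = threshold; print each address whose failure count reaches it.
ban_candidates() {
    failed_logins_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Turn the candidates into firewall rules. -I (insert at the top of
# INPUT) matters: a ban appended after the SSH ACCEPT rules would never
# be reached, because processing stops at the first matching rule.
ban_rules() {
    ban_candidates "$1" | while read -r ip; do
        $IPT -I INPUT -s "$ip" -p tcp --dport 22 -j DROP
    done
}

# Dry run over the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

Against a real log the call is `ban_rules 5 < /var/log/auth.log` with `IPT=/sbin/iptables`. Two things fail2ban adds that this sketch does not: it unbans after a configurable time, and it keeps an ignore list so an office range like the one mentioned above is never banned for a single typo.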