LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-21-2009, 02:40 PM   #1
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Rep: Reputation: 16
Some Firewall Helps


Hello;

I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*

Can I do that? Can you give me an example of how this can be done?

I've not set any firewall rules manually yet, and only 5 or 6 ports are listening from my services. Does it cause a problem to leave other ports accessible? Or if no service listens on a port, is that port still accessible? Should I close them? And how?

Thanks.
 
Old 05-21-2009, 02:49 PM   #2
cloud9repo
Member
 
Registered: Oct 2008
Location: Middle TN
Posts: 134

Rep: Reputation: 19
Quote:
Originally Posted by Seregwethrin
Hello;

I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*

Can I do that? Can you give me an example of how this can be done?

I've not set any firewall rules manually yet, and only 5 or 6 ports are listening from my services. Does it cause a problem to leave other ports accessible? Or if no service listens on a port, is that port still accessible? Should I close them? And how?

Thanks.
SSH is too insecure. It allows access, and terminal-level control.
However, if you want this, there's scripting, where you can easily enter the IP in the script and define the IP range directly, also within that very script.

That's what I would go with.
 
Old 05-21-2009, 03:06 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Seregwethrin
Hello;

I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*

Can I do that? Can you give me an example of how this can be done?
You can use iptables to deny IPs outside of a given range, like:
Code:
iptables -A INPUT -p TCP --dport 22 -m iprange ! --src-range 100.15.25.1-100.15.25.254 -j DROP
Quote:
I've not set any firewall rules manually yet, and only 5 or 6 ports are listening from my services. Does it cause a problem to leave other ports accessible? Or if no service listens on a port, is that port still accessible? Should I close them? And how?
A port is only open if something is listening on it. There's nothing wrong per se with only making sure you don't have any unwanted ports open, but using a firewall to make sure is a good idea. A firewall lets you set up access restrictions (such as the iptables example above) and it can protect you from certain configuration mistakes.

Last edited by win32sux; 05-21-2009 at 03:07 PM.
 
Old 05-21-2009, 03:06 PM   #4
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
SSH is fairly secure as it requires a login and you can control the logins by keys or passwords. For input, I'd suggest this:
Code:
iptables -I INPUT -p tcp --dport 22 -j DROP -m comment --comment "All other ssh"
iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT -m comment --comment "Our open ssh"
These inserts put it at the front of your iptables. To control output you need a different code set; see man iptables.

Dave

Last edited by david1941; 05-21-2009 at 03:14 PM. Reason: correct code
 
Old 05-21-2009, 03:37 PM   #5
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
So closing ports which are not listening is not necessary?

I wanted this to prevent attacks. I thought that if a blocked port gets attacked it may use less CPU.

Whatever, thanks for the solutions
 
Old 05-21-2009, 04:04 PM   #6
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
Well, without seeing your iptables (and I don't suggest posting them here), it's hard to say. You should have a DROP policy or declare a final DROP rule after you open the ports you want.
I'm not really sure what you want to do: allow your list to ssh in or ssh out, as the rules are different in each case. Are you protecting or limiting an internal net behind your machine?

If it is a single machine then I'd assume you are interested in allowing only a certain group of sources in. And assuming you already have a few set up, then inserting a specific rule BEFORE all your other rules would be effective. (iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT) does it. But then you might want to put a general DROP just after it. You could do that by inserting the general DROP rule first and then inserting the specific ACCEPT. -I (insert) without a rule number just inserts it at the front of the chain, so inserting DROP first and then ACCEPT sets them up in the correct order at the front of the chain.

I think it is bad policy to assume that nothing is listening on a port and generally give explicit DROP rules.

You can look at what is set up by issuing the iptables list command like this, as sudo or root. I use sudo.
Code:
$ sudo /sbin/iptables -L -v -n --line-numbers
This gives the rule numbers by chain.


Dave
 
Old 05-21-2009, 04:10 PM   #7
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
What happens if you block all ports and after that enter these:
Code:
iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -s 59.45.123.57 -j ACCEPT

Do I allow both the first IP range and the second IP, or does the second one overwrite the first one?


Also, I have a web server and I just realized that my server got attacked via SSH by brute force. I moved SSH to another port, but I want to close all ports except 80, 21, etc. But if a non-listening port doesn't cause any security risk, I don't need to do it. I just want it for security and attack-blocking reasons.
 
Old 05-21-2009, 04:29 PM   #8
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
When you say you block all ports first and then ACCEPT, I am assuming you meant DROP all and then ACCEPT. That will not work, as once they are DROPped the ACCEPT rule will never see them, as processing stops on a packet that is dropped. And yes, you can have as many ACCEPT rules as you need. Once a packet is accepted, processing on that packet depends on what is listening on that socket (port). The rules are processed in order and processing is determined by the -j target.

Another early rule should be the following, to accept established connections:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Just ACCEPT the ports you want first and finish up with a DROP rule. This one is general:
Code:
iptables -A INPUT -j DROP

Be sure to list the rules to see if they execute in the order you desired. You may need to flush existing rules before you set up the table.


Dave

Last edited by david1941; 05-21-2009 at 04:30 PM. Reason: correct spelling
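The ordering behaviour discussed in posts #6 through #8 (rules are walked top to bottom, -I lands at the front of the chain while -A goes at the end, a packet that hits a DROP never reaches a later ACCEPT, and several ACCEPT rules coexist) is easy to get wrong without seeing it run. The Python below is an added model of an INPUT chain written for this page; it is not code from the thread and it is not iptables itself. It builds three chains: a general DROP appended before an ACCEPT, the -I ordering from post #6, and the ACCEPT-then-final-DROP layout from post #8, and runs constructed packets through each. The address ranges are the ones from the thread; the 203.0.113.0/24 "outside" addresses are constructed, and the Packet, Rule and Chain names are this example's own.

```python
"""Model of iptables INPUT-chain evaluation: first match wins, -I vs -A, chain policy."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Packet:
    """A constructed inbound packet as the INPUT chain would see it."""
    src: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    """One INPUT rule; a None field means that match is unrestricted, as on the command line."""
    target: str                                   # -j ACCEPT / DROP
    proto: Optional[str] = None                   # -p tcp
    dport: Optional[int] = None                   # --dport 22
    src: Optional[ipaddress.IPv4Network] = None   # -s 100.15.25.0/24 (source, not -d)
    states: Optional[Set[str]] = None             # -m state --state ESTABLISHED,RELATED
    comment: str = ""                             # -m comment --comment "..."

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


class Chain:
    """An iptables chain: an ordered rule list plus a default policy."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I CHAIN [rulenum]: no number means the front of the chain."""
        self.rules.insert(rulenum - 1, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A CHAIN: goes after every existing rule."""
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """Walk the chain top to bottom; the first matching terminating target wins."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy      # nothing matched: the chain policy decides

    def listing(self) -> List[str]:
        """Roughly what 'iptables -L INPUT -n --line-numbers' shows: one line per rule."""
        return [f"{n} {r.target} {r.proto or 'all'} dport={r.dport or '*'} "
                f"src={r.src or '0.0.0.0/0'} {r.comment}".rstrip()
                for n, r in enumerate(self.rules, 1)]


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def appended_drop_then_accept() -> Chain:
    """-A a general DROP, then -A the ACCEPT: the ACCEPT sits below the DROP and
    is never reached, which is the failure post #8 warns about."""
    chain = Chain()
    chain.append(Rule("DROP", comment="blocks everything"))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, src=net("100.15.25.0/24")))
    return chain


def inserted_drop_then_accepts() -> Chain:
    """-I the ssh DROP first, then -I each ACCEPT: every -I lands at the front,
    so both ACCEPTs end up above the DROP (the ordering from post #6)."""
    chain = Chain()
    chain.insert(Rule("DROP", proto="tcp", dport=22, comment="All other ssh"))
    chain.insert(Rule("ACCEPT", proto="tcp", dport=22, src=net("100.15.25.0/24")))
    chain.insert(Rule("ACCEPT", proto="tcp", dport=22, src=net("59.45.123.57/32")))
    return chain


def accept_first_then_final_drop() -> Chain:
    """The post #8 layout, built with -A in the order typed: established traffic,
    then the allowed services, then a catch-all DROP at the end."""
    chain = Chain()
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, src=net("100.15.25.0/24")))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, src=net("59.45.123.57/32")))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("DROP"))
    return chain


# Constructed sample packets; 203.0.113.0/24 is documentation space, used here as "outside".
SSH_IN_RANGE = Packet("100.15.25.77", dport=22)
SSH_SINGLE_HOST = Packet("59.45.123.57", dport=22)
SSH_OUTSIDE = Packet("203.0.113.9", dport=22)
HTTP_OUTSIDE = Packet("203.0.113.9", dport=80)
MYSQL_OUTSIDE = Packet("203.0.113.9", dport=3306)
REPLY_OUTSIDE = Packet("203.0.113.9", dport=51234, state="ESTABLISHED")

if __name__ == "__main__":
    for build in (appended_drop_then_accept, inserted_drop_then_accepts,
                  accept_first_then_final_drop):
        chain = build()
        print(build.__name__)
        print("\n".join("  " + line for line in chain.listing()))
        for pkt in (SSH_IN_RANGE, SSH_SINGLE_HOST, SSH_OUTSIDE, HTTP_OUTSIDE, MYSQL_OUTSIDE):
            print(f"  {pkt.src}:{pkt.dport} -> {chain.verdict(pkt)}")
```

Running it shows the first chain dropping even the allowed range, the second chain accepting both SSH sources while leaving port 80 to the chain policy, and the third chain dropping everything that is not explicitly opened or part of an established connection. On a real box the equivalent check is the one the thread recommends: list the chain with line numbers and confirm the ACCEPT rules sit above the DROP.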
 
Old 05-22-2009, 12:08 AM   #9
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Thanks David, things are clearer now.
 
Old 05-24-2009, 08:35 AM   #10
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Hi again;

I used
Code:
# iptables -I INPUT -s <IP> -j DROP
After that, when I write
Code:
# iptables -L -n
everything is perfect.

But after restarting iptables service, iptables -L -n returns empty lists for rules.

Do I need to do something more?
 
Old 05-24-2009, 09:04 AM   #11
Seregwethrin
Member
 
Registered: Feb 2008
Posts: 112

Original Poster
Rep: Reputation: 16
Solved. My /etc/init.d/iptables script supports the "save" command, so I'm able to use "service iptables save", and this solved the problem.
 
Old 05-24-2009, 12:15 PM   #12
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,235

Rep: Reputation: 132
You can even edit the iptables file straight away; it is located in /etc/sysconfig/iptables.
 
Old 05-26-2009, 08:51 PM   #13
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
In relation to the OP post #1, you can also use /etc/hosts.allow, instead of or in addition to iptables.
 
Old 05-31-2009, 12:53 PM   #14
emgee3
LQ Newbie
 
Registered: May 2009
Posts: 14

Rep: Reputation: 1
Another thing you might want to consider is running fail2ban, which scans your logs for failed logons and dynamically updates your firewall to ban the offending IP address. It works not only for SSH, but for a variety of other services.

I use it because a few of the branch offices I work out of have dynamically assigned IP addresses, which opens up quite a large IP range that is able to SSH in.
 
  


Tags
ports, ssh

