Linux - Newbie
Since I cannot control the access to port 22 via a web interface, I have to permanently leave it open so I can connect via SSH. I am trying to restrict access to that port so that it can only be accessed from my computer.
My IP is dynamic because the ISP changes whenever a new broadband connection is made so I thought I could use the ISP name as an extra safeguard.
What do you mean by an ISP name? How can your ISP change every time??? Your IP might change... but your ISP? BT? Sky? O2? PlusNET?
iptables doesn't use DNS entries as it requires an external piece of information to make its call on whether the line matches. This can be disastrous from the extra latency a reverse DNS lookup would add.
You can obtain lists of ISP client subnets to restrict it so that only an IP from a certain ISP can get in, but that's pretty shitty really, and there are many, many better solutions, like authenticating with a preshared key which you keep on the client PC or on a memory stick.
Also, systems like fail2ban will automatically block any client IP which appears to be trying to break into the system by brute force and the like.
ok.
I have 2 lines in my iptables file which restrict users to 8 login attempts per minute via SSH. That should be enough to stop brute force attacks. The port is left open though...
?
Since I cannot control the access to port 22 via a web interface, I have to permanently leave it open so I can connect via SSH.
With all due respect, please do not confuse using something wizard-like or anything like a web-based server management panel with having the required knowledge. I acknowledge it makes for a steep learning curve with half of the time spent reading documents, but it would be way better to learn how to admin a server properly from the command line before using a panel, because then you know what it can do (and cause) and how to fix fsck-ups properly. Did you read your distribution's basic documentation? A generic tutorial like Rute?
Quote:
Originally Posted by qwertyjjj
I am trying to restrict access to that port so that it can only be accessed from my computer. My IP is dynamic because the ISP changes whenever a new broadband connection is made so I thought I could use the ISP name as an extra safeguard.
Multiple things to do here. Make sure you:
0) use an unprivileged user account to log in with over SSH (never root),
1) use SSH's public key authentication instead of a password,
2) set up your unprivileged user account to perform admin tasks using Sudo (or add it to the wheel group, though Sudo is preferred),
3) disallow root login in /etc/ssh/sshd_config,
4) optionally allow your unprivileged user account to use SSH (see "AllowUsers" and "AllowGroups" directives in 'man sshd_config'),
5) set up iptables rules to allow SSH traffic from and to your ISP's IP range (might be a class B looking like "88.99.0.0/16") and
6) set up fail2ban.
Code:
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
This ruleset tells iptables to drop any new SSH connections (regardless of the source IP/range) when it meets certain conditions. While this would exempt your hypothetical ISP IP range "88.99.0.0/16" from subjecting it to the -m recent:
Code:
-A INPUT -i eth0 -p tcp --dport 22 ! -s 88.99.0.0/16 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 ! -s 88.99.0.0/16 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
it leaves the machine vulnerable from your hypothetical ISP IP range "88.99.0.0/16". But because you implement multiple layers of security this mitigates the risk.
Quote:
Originally Posted by qwertyjjj
Code:
-A INPUT -d IP.IP.IP.IP -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
This rule tells iptables to allow any new SSH connections if it matches the destination IP. You don't need destination matches unless you have to make certain traffic doesn't cross over between different interfaces.
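Whether those two "-m recent" rules drop everything or only the eighth connection in a minute is easiest to see by running a model of them. The Python below is an added example, not code from the thread: it keeps a per-source list of timestamps the way the kernel's xt_recent match does (the --set rule records every new connection and never drops; the --update rule drops when at least --hitcount stamps fall inside --seconds, and records another stamp on a match), and takes an optional network that models the "! -s 88.99.0.0/16" exemption. The traffic, the addresses 203.0.113.7, 88.99.12.34 and 198.51.100.5, and the 20-entry list size (assumed to be the kernel's default ip_pkt_list_tot) are constructed for the demonstration; --rttl is not modelled.

```python
"""Model of the thread's two "-m recent" SSH rules (added example, not from the thread):

    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 \
        --hitcount 8 --rttl --name SSH -j DROP

Every event fed in is one NEW TCP connection (timestamp in seconds, source IP).
Whatever the second rule does not DROP is treated as reaching an ACCEPT rule.
--rttl (packet TTL must equal the stored entry's TTL) is not modelled.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

SECONDS = 60      # --seconds
HITCOUNT = 8      # --hitcount
LIST_TOT = 20     # stamps kept per source; assumed kernel default for ip_pkt_list_tot


class RecentTable:
    """Per-source list of recent timestamps, as xt_recent keeps them under --name SSH."""

    def __init__(self, list_tot=LIST_TOT):
        # deque(maxlen=...) discards the oldest stamp when the list is full, like the kernel
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, src, now):
        """--set: record a stamp for the source (the rule has no target, so it never drops)."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds S --hitcount N: match when the source already has at least N
        stamps within the last S seconds. On a match a fresh stamp is recorded as well,
        which is what keeps a persistent attacker blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for stamp in self.stamps[src] if now - stamp <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_filter(events, exempt=None, seconds=SECONDS, hitcount=HITCOUNT):
    """Run (t, src) NEW-connection events through the two rules in order.

    exempt models the '! -s 88.99.0.0/16' variant: sources inside that network skip
    both recent rules, so they are never counted and never dropped.
    Returns [(t, src, 'ACCEPT'|'DROP'), ...] in input order."""
    table = RecentTable()
    net = ip_network(exempt) if exempt else None
    verdicts = []
    for t, src in events:
        if net is not None and ip_address(src) in net:
            verdicts.append((t, src, "ACCEPT"))
            continue
        table.set(src, t)                                    # rule 1
        dropped = table.update(src, t, seconds, hitcount)    # rule 2, -j DROP on match
        verdicts.append((t, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


def verdicts_by_source(verdicts):
    """Collapse the rows into {src: [verdict, ...]} in time order."""
    by_src = defaultdict(list)
    for _, src, verdict in verdicts:
        by_src[src].append(verdict)
    return dict(by_src)


# Constructed sample traffic (not captured from anything): seconds, source IP.
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.7") for t in range(12)]         # attacker: 12 connections in 12 s ...
    + [(100, "203.0.113.7"), (101, "203.0.113.7")]  # ... then two more after a quiet spell
    + [(t, "88.99.12.34") for t in range(9)]        # admin from the hypothetical ISP range
    + [(5, "198.51.100.5"), (20, "198.51.100.5"), (40, "198.51.100.5")]  # ordinary user
)

if __name__ == "__main__":
    for label, exempt in (("no exemption", None), ("! -s 88.99.0.0/16", "88.99.0.0/16")):
        print(f"--- {label} ---")
        for src, vs in verdicts_by_source(ssh_filter(SAMPLE_EVENTS, exempt)).items():
            print(f"{src:14} {vs.count('ACCEPT')} ACCEPT, {vs.count('DROP')} DROP: "
                  f"{' '.join(v[0] for v in vs)}")
```

Two things the run makes visible. The tally is per source and sliding: 203.0.113.7 is accepted seven times, dropped from its eighth connection onward, and only accepted again after a quiet minute, while the admin address from 88.99.0.0/16 is dropped just like the attacker unless the exemption is in place. And what is counted is new TCP connections, not login attempts: every accepted connection still gets sshd's MaxAuthTries (6 by default) password attempts before it is closed, so an attacker can try a few dozen passwords a minute under this rule alone, which is why the key-only and fail2ban advice in the reply above carries more weight than the hit count.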
I have 2 IP addresses for my server.
1 I use for all the public stuff, squid, apache, etc.
The other I use for SSH and admin only.
Hence the exact IP destination on that IP only.
Does the ruleset drop all new SSH connections or only limit them to 8 per minute? Any brute force attacker wouldn't bother if they could only attempt a login 8 times per minute?
However, I will have a look at fail2ban but I was worried about some users forgetting their proxy password and being permanently banned.
Thanks for clarifying. That teaches me to not forget to ask for that kind of information before anything else.
Quote:
Originally Posted by qwertyjjj
Does the ruleset drop all new SSH connections or only limit them to 8 per minute?
It tallies new connections per IP address and drops them if they reach the "--hitcount 8" threshold.
Quote:
Originally Posted by qwertyjjj
Any brute force attacker wouldn't bother if they could only attempt a login 8 times per minute?
Best not base measures to take on assumptions.
Quote:
Originally Posted by qwertyjjj
I will have a look at fail2ban but I was worried about some users forgetting their proxy password and being permanently banned.
Something is either on or off, and as such computing makes things easy: a condition exists or it doesn't, it either works or it doesn't. Wrt knowledge likewise: you have it or you don't. Luckily reading the fail2ban documentation will fix that.
Quote:
Originally Posted by qwertyjjj
Is the /16 the range?
If you mean notation, yes, you can use "n.n.0.0/16"-type of notation in iptables.
So, how would you write the range of IP addresses?
For example 85.xx.xx.00 to 85.xx.xx.999
Someone told me on another post that the /32, ie part after the slash, was for 32 bit computers, etc.
No, it's a 32-bit value, as in four bytes, meaning the IPv4 address length. Saying 85.86.00.00/16 leaves 0.0.255.255 configurable and so occupies 85.86.00.00 to 85.86.255.255: see http://en.wikipedia.org/wiki/IPv4_subnetting_reference and the CIDR page for a way better explanation ;-p
So, how would you write the range of IP addresses?
For example 85.xx.xx.00 to 85.xx.xx.999
Someone told me on another post that the /32, ie part after the slash, was for 32 bit computers, etc.
No, I said that /32 identified the machine itself, i.e. one single machine, as it defines a network with only a single IP address in it.
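The question of how to write a range such as 85.xx.xx.xx to 85.xx.xx.xx in the slash notation the two replies describe, worked through with Python's standard ipaddress module as an added example (not code from the thread). The addresses are illustrative and follow the thread's 85.x.x.x examples; the rule-building function only produces rule text in the page's iptables syntax (using the newer conntrack match in place of -m state) and does not run iptables.

```python
"""CIDR notation and address ranges with the ipaddress module (added example, not from the thread).

The number after the slash is the prefix length: how many of the 32 bits of an IPv4
address are fixed. /16 fixes the first two bytes (65,536 addresses), /32 fixes all of
them (a single host). A range that does not start and end on such a boundary needs
several blocks, which summarize_address_range computes.
"""
from ipaddress import ip_address, ip_network, summarize_address_range


def cidr_bounds(cidr):
    """(first address, last address, number of addresses) covered by a CIDR block."""
    net = ip_network(cidr, strict=False)   # strict=False: accept e.g. 85.86.1.1/16 and mask it
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last inclusive, in ascending order."""
    return [str(net) for net in summarize_address_range(ip_address(first), ip_address(last))]


def ssh_allow_rules(first, last, dport=22):
    """One iptables rule per block accepting NEW SSH connections from the range.
    Rule text only; nothing here talks to iptables."""
    return [
        f"-A INPUT -p tcp --dport {dport} -s {cidr} -m conntrack --ctstate NEW -j ACCEPT"
        for cidr in range_to_cidrs(first, last)
    ]


def in_block(ip, cidr):
    """True when ip falls inside the block, i.e. a packet from it would match '-s cidr'."""
    return ip_address(ip) in ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Illustrative addresses following the thread's 85.x.x.x examples (not real allocations).
    for cidr in ("85.86.0.0/16", "85.86.100.5/32", "85.0.0.0/8"):
        first, last, count = cidr_bounds(cidr)
        print(f"{cidr:18} = {first} .. {last}  ({count} addresses)")
    # An aligned range collapses to one block; an unaligned one needs several.
    print(range_to_cidrs("85.86.100.0", "85.86.103.255"))
    print(range_to_cidrs("85.86.100.5", "85.86.100.20"))
    for rule in ssh_allow_rules("85.86.100.5", "85.86.100.20"):
        print(rule)
    print(in_block("85.86.200.1", "85.86.0.0/16"), in_block("85.87.0.1", "85.86.0.0/16"))
```

A wildcard like 85.x.x.x amounts to 85.0.0.0/8, which is 16,777,216 addresses; an ISP's customer allocation is normally far smaller, and unless its boundaries are aligned to a power of two it becomes several -s rules, one per block, as the unaligned 85.86.100.5 to 85.86.100.20 example shows.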