Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Suppose I have to harden a server that got compromised via a brute force attack (SSH). What command would I use to block all access to SSH and only allow connections from the IP address 1.2.3.4 to that port?
You could use your packet filter for that. Which distro, including version, do you have? What you ask is easy but the method varies from distro to distro.
Or you could modify the SSH daemon's configuration to block everything except that one address. Then reload the configuration. See the "Match" and "MaxAuthTries" directives.
You're posting a lot of questions that don't show any details, nor any effort on your part to solve them. Putting "how to allow ssh from only one address in linux" into Google pulls up a lot of results.
Read the "Question Guidelines" link. We're happy to help with specific questions/problems, but please don't ask us to do research for you.
Forgive me. It's not homework. I am actually trying to find the answer. If I find any solution I will share it with the members.
Really? Because you were given a solution in post #2, and a search-term in post #3, and EITHER can provide you the solution. However, you are not showing any effort into putting these things into practice, but rather keep posting. Again, we aren't here to do your research for you, do your homework for you, or hand you things.
Posting something like "I found this at <link>, and have put these things in my ssh config file as so. However, things aren't working, does anyone have ideas?" is an example of a good question.
Posting "I need to do this; how do I do it?" isn't. It shows you've done/tried NOTHING, and want people to do it for you.
In our sshd_config, we can add AllowUsers *@1.2.3.4
We should forbid password logins, and use keys only.
We should modify the policy on the firewall that sits in front of this host so that only 1.2.3.4 is allowed in.
If we use iptables, we can do something like iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT. For firewalld, there's probably already an ssh service defined we can add.
We should forbid root from logging in.
We should make sure we're only using Protocol 2 in sshd_config.
We can change the default port to something other than 22, although it's not going to do much other than reduce the amount of login attempts we see in our logs.
Does it make sense?
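As an added example that is not part of the thread, here is a small audit script that checks an sshd_config against the items in the post above: password logins off, root login off, AllowUsers limited to 1.2.3.4, no SSH-1, and a lowered MaxAuthTries (the directive the earlier reply pointed at). It assumes OpenSSH directive syntax; the MaxAuthTries bound, the sample configs and the function names are my own choices, and overrides inside Match blocks are only flagged, not evaluated.

```python
import re

ALLOWED_SOURCE = "1.2.3.4"   # the single address the thread wants to allow

def parse_global(config_text):
    """Map lowercased directive -> value for the global section only.
    sshd keeps the first occurrence of a directive and ignores later ones;
    everything after the first 'Match' line is conditional, so stop there
    and leave a marker so the caller can report it."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            settings["match"] = True
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text, allowed_source=ALLOWED_SOURCE):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_global(config_text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":   # default is yes
        findings.append("PasswordAuthentication is not 'no' (keys only)")
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    patterns = s.get("allowusers", "").split()
    if not patterns or any(p.rpartition("@")[2] != allowed_source for p in patterns):
        findings.append(f"AllowUsers does not restrict every user to @{allowed_source}")
    if "1" in s.get("protocol", "2").split(","):   # directive removed in OpenSSH >= 7.4
        findings.append("Protocol allows SSH-1")
    if int(s.get("maxauthtries", "6")) >= 6:       # 6 is the default; bound is my choice
        findings.append("MaxAuthTries not lowered below the default of 6")
    if s.get("match"):
        findings.append("Match block(s) present: their overrides are not audited here")
    return findings

# Constructed sample configs: a typical out-of-the-box file and a hardened one.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n" \
       "Match User backup\n    PasswordAuthentication yes\n"
HARDENED = "Port 22\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\n" \
           "MaxAuthTries 3\nAllowUsers *@1.2.3.4 admin@1.2.3.4\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```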
No. Because there is zero need for iptables to do anything mentioned above. From root access, disallow/allow access from a particular address, or change the port: ALL of those things are done within sshd_config. Your DMZ firewall rules are separate from whatever machine is running SSH (hopefully), so allowing access there needs to be done with whatever rules/software you're running on it.