LinuxQuestions.org
Old 06-24-2018, 10:47 AM   #1
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Rep: Reputation: Disabled
How to Block All Access to SSH


Suppose I have to harden a server that got compromised via a brute force attack (SSH). What command would I use to block all access to SSH and only allow connections from the IP address 1.2.3.4 to that port ?
 
Old 06-24-2018, 10:54 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567
You could use your packet filter for that. Which distro, including version, do you have? What you ask is easy but the method varies from distro to distro.

Or you could modify the SSH daemon's configuration to block everything except that one address. Then reload the configuration. See the "Match" and "MaxAuthtries" directives.
 
Old 06-24-2018, 10:55 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,713

Rep: Reputation: 5090
Quote:
Originally Posted by LEON71 View Post
Suppose I have to harden a server that got compromised via a brute force attack (SSH). What command would I use to block all access to SSH and only allow connections from the IP address 1.2.3.4 to that port ?
You're posting a lot of questions that don't show any details, nor any effort on your part to solve them. Putting "how to allow ssh from only one address in linux" into Google pulls up a lot of results.

Read the "Question Guidelines" link. We're happy to help with specific questions/problems, but please don't ask us to do research for you.
 
Old 06-24-2018, 10:55 AM   #4
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
You're posting a lot of questions that don't show any details, nor any effort on your part to solve them. Putting "how to allow ssh from only one address in linux" into Google pulls up a lot of results.

Read the "Question Guidelines" link. We're happy to help with specific questions/problems, but please don't ask us to do research for you.
Sorry about that. My bad
 
Old 06-24-2018, 11:02 AM   #5
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
You could use your packet filter for that. Which distro, including version, do you have? What you ask is easy but the method varies from distro to distro.

Or you could modify the SSH daemon's configuration to block everything except that one address. Then reload the configuration. See the "Match" and "MaxAuthtries" directives.
I am using Fedora 27 Workstation
 
Old 06-24-2018, 11:15 AM   #6
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567
Quote:
Originally Posted by LEON71 View Post
I am using Fedora 27 Workstation
Thanks. Then the filtering would be controlled by firewalld which is a little overly complex but usable.
 
Old 06-24-2018, 11:31 AM   #7
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 1,998

Rep: Reputation: 626
Homework, again?
Please try to do your own work.
 
Old 06-24-2018, 11:34 AM   #8
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey View Post
Homework, again?
Please try to do your own work.
Forgive me. It's not homework. I am actually trying to find the answer. If I find any solution I will share it with the members.

Thanks
 
Old 06-24-2018, 11:43 AM   #9
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 1,998

Rep: Reputation: 626
Ok. See post #2. Turbocapitalist already gave you the answer.
 
Old 06-24-2018, 11:44 AM   #10
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 257
Blog Entries: 1

Rep: Reputation: 122
Here's another hint. Try doing a
Quote:
man hosts_access

Last edited by Honest Abe; 06-24-2018 at 11:50 AM. Reason: a=another
 
Old 06-24-2018, 12:40 PM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,713

Rep: Reputation: 5090
Quote:
Originally Posted by LEON71 View Post
Forgive me. It's not homework. I am actually trying to find the answer. If I find any solution I will share it with the members.
Really? Because you were given a solution in post #2, and a search-term in post #3, and EITHER can provide you the solution. However, you are not showing any effort into putting these things into practice, but rather keep posting. Again, we aren't here to do your research for you, do your homework for you, or hand you things.

Posting something like "I found this at <link>, and have put these things in my ssh config file as so. However, things aren't working, does anyone have ideas?" is an example of a good question.

Posting "I need to do this; how do I do it?" isn't. It shows you've done/tried NOTHING, and want people to do it for you.
 
Old 06-24-2018, 06:59 PM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 9,923
Blog Entries: 7

Rep: Reputation: 2442
Quote:
Originally Posted by LEON71 View Post
Sorry about that. My bad
...and yet they keep on doing it...
 
1 members found this post helpful.
Old 06-24-2018, 07:03 PM   #13
LEON71
Member
 
Registered: May 2018
Location: Canada
Distribution: Fedora 28 Workstation Edition
Posts: 45

Original Poster
Rep: Reputation: Disabled
How about this solution :

In our sshd_config, we can add AllowUsers *@1.2.3.4
we should forbid password logins, and use keys only
we should modify the policy on the firewall that sits in front of this host so that only 1.2.3.4 is allowed in

If we use iptables, we can do something like iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT. For firewalld, there's probably already an ssh service defined we can add.
we should forbid root from logging in
we should make sure we're only using Protocol 2 in sshd_config
we can change the default port to something other than 22, although it's not going to do much other than reduce the amount of login attempts we see in our logs.


Does it make sense ?
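
Added example, not part of the original posts: a Python check of an sshd_config against the sshd items listed in post #13 (AllowUsers pinned to 1.2.3.4, no password logins, no root login). The function names and both sample configs are constructed for illustration; the check reads only global settings and relies on sshd keeping the first value it sees for a keyword.

```python
# Added example: audit sshd_config text against the checklist in post #13.
# Assumptions: global section only (stops at the first Match), no Include.
ALLOWED_SOURCE = "1.2.3.4"  # address used in the thread

# Constructed samples, not taken from any real host.
WEAK = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
AllowUsers alice bob
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers *@1.2.3.4
"""

def global_settings(text):
    """Return {keyword: [args]} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break
        if key == "allowusers":
            settings.setdefault(key, []).extend(args)  # repeated lines add up
        else:
            settings.setdefault(key, args)  # sshd keeps the first value
    return settings

def audit(text, source=ALLOWED_SOURCE):
    """Return a list of findings; an empty list means the checklist passes."""
    s = global_settings(text)
    findings = []
    if s.get("permitrootlogin", ["prohibit-password"])[0].lower() != "no":
        findings.append("root login not forbidden")
    if s.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("password logins allowed")
    if "allowusers" not in s:
        findings.append("no AllowUsers restriction")
    for pattern in s.get("allowusers", []):
        _, at, host = pattern.rpartition("@")
        if not at or host != source:
            findings.append(f"AllowUsers pattern not pinned to {source}: {pattern}")
    return findings
```

A commented-out or missing directive is scored against sshd's default, and a later `PermitRootLogin no` does not override an earlier `PermitRootLogin yes`.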
 
Old 06-25-2018, 08:34 AM   #14
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 20,713

Rep: Reputation: 5090
Quote:
Originally Posted by LEON71 View Post
How about this solution :

In our sshd_config, we can add AllowUsers *@1.2.3.4
we should forbid password logins, and use keys only
we should modify the policy on the firewall that sits in front of this host so that only 1.2.3.4 is allowed in

If we use iptables, we can do something like iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT. For firewalld, there's probably already an ssh service defined we can add.
we should forbid root from logging in
we should make sure we're only using Protocol 2 in sshd_config
we can change the default port to something other than 22, although it's not going to do much other than reduce the amount of login attempts we see in our logs.


Does it make sense ?
No. Because there is zero need for IPtables to do anything mentioned above. From root access, disallow/allow access from a particular address, or change the port. ALL of those things are done within sshd_config. Your DMZ firewall rules are separate from whatever machine is running SSH (hopefully), so allowing access there needs to be done with whatever rules/software you're running on it.
 
Old 06-25-2018, 05:27 PM   #15
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,344
Blog Entries: 36

Rep: Reputation: Disabled
for comparison:
https://help.ubuntu.com/community/SS...dvancedOpenSSH
https://help.ubuntu.com/community/StricterDefaults

All access to ssh?
Don't run openssh-server
 
  

