Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 03-09-2007, 04:57 AM
Member; Registered: Aug 2003; Location: Bulgaria; Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu; Posts: 210
iptables allow / deny ??!!??
Hey all..
I have a simple quest.
How can I deny access via ssh to everybody except me...
I mean nobody else will be able to connect via ssh except from IP xx.xx.xx.xx and/or xx.xx.xx.xx
#2, 03-09-2007, 05:39 AM
Senior Member; Registered: Mar 2006; Posts: 1,896
It would be a good idea if you did some general review of how iptables/netfilter work (with HOWTOs or something) to get a general feel for this and to make sure you have tailored things to your needs, but to block all but one IP address (assuming ssh is listening on port 22), you can
Code:
iptables -A INPUT -s ! xx.xx.xx.xx -p tcp --dport 22 -j DROP
or to allow multiple addresses:
Code:
iptables -A INPUT -s xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s yy.yy.yy.yy -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s zz.zz.zz.zz -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
If you have other firewall rules to merge with, or if you want to do state tracking and/or logging you might want to do something slightly different.
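An added example (not code from any of the posters): the allow-list-then-drop ruleset from this post as a small POSIX sh script, with the state tracking and rate-limited logging mentioned at the end, emitted in an order that cannot lock the admin out. The sample addresses and the IPT dry-run variable are assumptions of the example.

```shell
#!/bin/sh
# Build the "ACCEPT the listed sources, then DROP everyone else" SSH ruleset.
# IPT defaults to "echo iptables" (dry run) so the rules can be reviewed first;
# run as root with IPT=iptables to apply them. Note that -A appends, so any
# earlier rule in INPUT still takes precedence over these.
IPT="${IPT:-echo iptables}"

# Accept only dotted-quad IPv4 addresses with an optional /prefix length.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# ssh_allowlist "ADDR [ADDR...]" [PORT]
# Order matters: established traffic first, then one ACCEPT per allowed
# source, then a logged DROP for everything else. Returns 1 on a bad address
# without emitting any rule, so a typo never produces a half-applied set.
ssh_allowlist() {
    allowed="$1"; port="${2:-22}"
    for a in $allowed; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    # Packets of sessions already accepted must keep flowing.
    $IPT -A INPUT -p tcp --dport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for a in $allowed; do
        $IPT -A INPUT -p tcp --dport "$port" -s "$a" -m state --state NEW -j ACCEPT
    done
    # Log the rest, rate-limited so a scan cannot flood syslog, then drop it.
    $IPT -A INPUT -p tcp --dport "$port" -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
    $IPT -A INPUT -p tcp --dport "$port" -j DROP
}

# Constructed sample run (two allowed management hosts, default port 22).
ssh_allowlist "192.0.2.10 198.51.100.7"
```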
#3, 03-09-2007, 05:57 AM
Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417
Use /etc/hosts.allow and hosts.deny to specify this at application level, or just use a firewall to block those ports before it gets anywhere near ssh. You've given a slightly confusing explanation there though, as "me" and "nobody" imply a user name, but an IP is obviously unrelated to a username.
#4, 03-09-2007, 05:59 AM
Member; Registered: Nov 2003; Location: The Colony, TX; Distribution: Slackware, Debian Etch, FreeBSD, MicroSh*t free.; Posts: 209
OR....
You could put this in /etc/hosts.deny
Code:
#
# /etc/hosts.deny
#
ALL: ALL: DENY
# End of file
Then add something like this to /etc/hosts.allow
Code:
#
# /etc/hosts.allow
#
sshd:xxx.xxx.xxx.xxx
# End of file
Where xxx.xxx.xxx.xxx is the IP address of the computer you want allowed in.
#5, 03-21-2007, 03:36 AM
Member (Original Poster); Registered: Aug 2003; Location: Bulgaria; Distribution: OpenSuse 10.3, Debian 4.0r3 "Etch", FreeBSD 7.1, Ubuntu; Posts: 210
Thank you ALL it worked perfectly
God Bless You
#6, 03-21-2007, 04:25 AM
Member; Registered: Dec 2005; Location: India; Distribution: Ubuntu Feisty Fawn; Posts: 107
Glad it's working for you. Just FYI, to make use of TCP Wrappers for any daemon, the daemon needs to be compiled with the library libwrap.so, if it is not already. Otherwise /etc/hosts.allow and /etc/hosts.deny won't work. You can check whether the daemon is compiled with libwrap.so.0 using the command ldd.
Quote:
root@southcarolina [~]# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00468000)
libpam.so.0 => /lib/libpam.so.0 (0x004b1000)
libdl.so.2 => /lib/libdl.so.2 (0x0038d000)
libaudit.so.0 => /lib/libaudit.so.0 (0x006f9000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cc2000)
libutil.so.1 => /lib/libutil.so.1 (0x00111000)
libz.so.1 => /usr/lib/libz.so.1 (0x00115000)
libnsl.so.1 => /lib/libnsl.so.1 (0x008af000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f87000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00667000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0081d000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00222000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00bd2000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00344000)
libresolv.so.2 => /lib/libresolv.so.2 (0x007d4000)
libc.so.6 => /lib/tls/libc.so.6 (0x00514000)
/lib/ld-linux.so.2 (0x004f2000)
Do correct me if I'm wrong. Thanks.
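An added example (not code from posts #4 or #6) that ties the two together: a POSIX sh helper that checks an ldd listing for libwrap, then writes the deny-all hosts.deny and an sshd-only hosts.allow for several addresses at once. The target directory argument and the sample addresses are assumptions of the example; point it at /etc as root to apply.

```shell
#!/bin/sh
# TCP Wrappers helper: verify the daemon is linked against libwrap, then write
# a deny-everything hosts.deny and an allow-listed hosts.allow for sshd.

# linked_against_libwrap BINARY: true if ldd lists libwrap.so for the binary.
linked_against_libwrap() {
    ldd "$1" 2>/dev/null | listing_has_libwrap
}

# Same check on an ldd listing read from stdin (e.g. saved output from a host
# you cannot run ldd on right now). ldd indents each library with whitespace.
listing_has_libwrap() {
    grep -q '^[[:space:]]*libwrap\.so'
}

# write_wrapper_files DIR "ADDR [ADDR...]"
# hosts.allow is consulted before hosts.deny, so the sshd line wins for the
# listed addresses and "ALL: ALL" in hosts.deny catches everything else.
# (The ": DENY" suffix in post #4 is a hosts_options form; plain "ALL: ALL"
# means the same thing in hosts.deny and works without hosts_options support.)
write_wrapper_files() {
    dir="$1"; allowed="$2"
    # TCP Wrappers separates several clients with commas.
    list=$(echo "$allowed" | tr -s ' ' | sed 's/ /, /g')
    printf '#\n# /etc/hosts.deny\n#\nALL: ALL\n# End of file\n' > "$dir/hosts.deny"
    printf '#\n# /etc/hosts.allow\n#\nsshd: %s\n# End of file\n' "$list" > "$dir/hosts.allow"
}

# Constructed sample run into a scratch directory; use DIR=/etc as root to apply.
DIR="${DIR:-$(mktemp -d)}"
write_wrapper_files "$DIR" "192.0.2.10 198.51.100.7"
cat "$DIR/hosts.allow"
```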
#7, 03-21-2007, 04:42 AM
LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733
If you are the only user allowed to log into ssh, another layer of security is to use the "AllowUsers" entry in /etc/ssh/sshd_config. Also disable root logins.