iptables allow / deny ??!!??

skate · 03-09-2007, 03:57 AM

Hey all..

I have a simple quest.

How can I deny the access via ssh to everybody except me...

I mean nobody else will be able to connect via ssh except ip: xx.xx.xx.xx and/or xx.xx.xx.xx

blackhole54 · 03-09-2007, 04:39 AM

It would be a good idea if you did some general review of how iptables/netfilter work (with HOWTOs or something) to get a general feel for this and to make sure you have tailored things to your needs, but to block all but one IP address (assuming ssh is listening on port 22), you can

iptables -A INPUT -s ! xx.xx.xx.xx -p tcp --dport 22 -j DROP

or to allow multiple addresses:

iptables -A INPUT -s xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s yy.yy.yy.yy -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s zz.zz.zz.zz -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

If you have other firewall rules to merge with, or if you want to do state tracking and/or logging you might want to do something slightly different.

acid_kewpie · 03-09-2007, 04:57 AM

use /etc/hosts.allow and hosts.deny to specify this at aplication level, or just use a firewall to block those ports before it gets anywhere near ssh. you've given a slightly confusing explanation there though, as "me" and "nobody" imply a user name, but an ip is obviosuly unrelated to a username

timdsmith · 03-09-2007, 04:59 AM

OR....
You could put this in /etc/hosts.deny

Code:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

Then add something like this to /etc/hosts.allow

Code:

#
# /etc/hosts.allow
#
sshd:xxx.xxx.xxx.xxx

# End of file

Where xxx.xxx.xxx.xxx is the ip address of the computer you want allowed in.

skate · 03-21-2007, 02:36 AM

Thank you ALL

it worked perfectly

God Bless You

digen · 03-21-2007, 03:25 AM

Glad it's working for you. Just FYI, for making use of Tcp wrappers for any daemon, the daemon needs to be compiled with the library libwrap.so if not already. Or else /etc/hosts.allow and /etc/hosts.deny won't work. You may check whether the daemon is compiled with libwrap.so.0 using the command ldd.

Quote:

root@southcarolina [~]# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00468000)
libpam.so.0 => /lib/libpam.so.0 (0x004b1000)
libdl.so.2 => /lib/libdl.so.2 (0x0038d000)
libaudit.so.0 => /lib/libaudit.so.0 (0x006f9000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cc2000)
libutil.so.1 => /lib/libutil.so.1 (0x00111000)
libz.so.1 => /usr/lib/libz.so.1 (0x00115000)
libnsl.so.1 => /lib/libnsl.so.1 (0x008af000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f87000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00667000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0081d000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00222000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00bd2000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00344000)
libresolv.so.2 => /lib/libresolv.so.2 (0x007d4000)
libc.so.6 => /lib/tls/libc.so.6 (0x00514000)
/lib/ld-linux.so.2 (0x004f2000)

Do correct me if I'm wrong. Thanks.

jschiwal · 03-21-2007, 03:42 AM

If you are the only user allowed to log into ssh, another layer of security is to use the "AllowUsers" entry in /etc/ssh/sshd_config. Also disable root logins.