Quote:
Originally Posted by FedoraPete
I have an Ubuntu 17.04 VM server (hosted in Azure) running OpenVPN. The server has a public ip address and a private ip address (10.1.x.x).
sshd has been put behind the VPN by doing the following:
/etc/ssh/sshd_config
ListenAddress <private ip address of server, e.g. 10.1.x.x>
(no other ip addresses are specified)
Restarted the sshd service
netstat shows sshd is only listening on the private ip address.
I can now ssh to the server through the VPN using the private ip address. All is good so far.
The main issue:
I can also ssh to the server via its public ip address without using the VPN. This is obviously undesirable. How can I prevent ssh being accessed publicly? ListenAddress has been set up correctly, so I'm confused.
Also a few questions:
Question 1
For the ssh ListenAddress, should I be using the server's private ip address (10.1.x.x) or the tunnel gateway ip address (10.8.x.x)?
I.e. are the comms via the gateway IP encrypted and the comms via the server IP not encrypted? Or are comms via either IP encrypted?
Question 2
Currently my Azure and Ubuntu server firewall rules (which are the same) are:
Allow UDP/1194
Allow TCP/22
Is this correct? I'm trying to close anything that is not needed.
Can I remove the Azure and Ubuntu TCP port 22 rules since I'm going in via the VPN?
PS: Thank you to everyone who helped me get this far with OpenVPN and SSH on the other thread. I still have a lot to learn.
You want your ssh daemon listening on the VPN private gateway address. So if OpenVPN uses 10.8.0.1 as its gateway address, then sshd needs to listen there. Your firewall should block all access to SSH, unless a client is connecting from the 10.8.0.0/24 subnet (or whatever ip addressing you chose to use). I assume you set up some sort of DNS service on the server that runs OpenVPN. This should also only be accessible from your VPN subnet after connecting to it.
A TCP connect scan of your server:
Code:
nmap -sT x.x.x.x -p 1-65535
should not report any open ports or closed port services.
As I recall, your goal was to assure that ssh (and any other network service you install) is only accessible via the VPN network for security purposes. Your firewall and listening services should reflect that model.
UFW should be more specific than just allowing everything to port 22. You need it blocking anything outside of the VPN network towards SSH. The only service that should be accessible is OpenVPN. I would also suggest having OpenVPN listening on a higher, non-standard port for obscurity.
Do not confuse the private and public IP addresses your server is given by your web host with the private gateway ip address of OpenVPN. This is likely why you are still able to connect to your SSH service even when not connected to OpenVPN.
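The reply above boils down to two checks and one rule set: sshd must bind only to the OpenVPN gateway address, nothing else on the box should be listening on the cloud-provider address, and UFW should expose only the OpenVPN port to the world while admitting SSH solely from the VPN subnet. The script below is an added example written for this thread, not code posted by either participant. It assumes the constructed values 10.8.0.1 for the VPN gateway, 10.8.0.0/24 for the VPN subnet, 10.1.0.4 for the Azure private NIC and UDP/1194 for OpenVPN; the sshd_config snippets and the `ss -ltnp` sample are constructed inputs so that it runs offline. The UFW commands use the real `ufw` CLI syntax but are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: audit sshd's bind addresses against the OpenVPN gateway and
# emit the UFW rules that confine SSH to the VPN subnet.
# Constructed/assumed values for this example (adjust to your server):
VPN_GW="10.8.0.1"        # OpenVPN tunnel gateway (assumed)
VPN_NET="10.8.0.0/24"    # OpenVPN client subnet (assumed)
OVPN_PORT="1194"         # OpenVPN port, UDP (assumed)

# Print every active ListenAddress in an sshd_config file; commented lines are ignored.
sshd_listen_addresses() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Succeed only when at least one ListenAddress is set and all of them equal the VPN gateway.
# No ListenAddress at all means sshd binds 0.0.0.0 (every interface), which is a failure here.
sshd_listen_ok() {
    awk -v gw="$VPN_GW" '
        tolower($1) == "listenaddress" { n++; if ($2 != gw) bad++ }
        END { exit !(n > 0 && bad == 0) }' "$1"
}

# Read `ss -ltnp` output on stdin and print sshd listeners bound anywhere but the VPN gateway.
# This is the condition the original poster hit: sshd reachable on the provider's NIC address.
stray_sshd_listeners() {
    awk -v gw="$VPN_GW" '/sshd/ { split($4, a, ":"); if (a[1] != gw) print $4 }'
}

# UFW rule set: deny everything inbound by default, allow only OpenVPN from anywhere,
# and allow SSH only from hosts already inside the VPN subnet. Printed, not applied.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow ${OVPN_PORT}/udp
ufw allow from ${VPN_NET} to any port 22 proto tcp
ufw enable
EOF
}

# Constructed sample inputs.
BAD_CFG=$(mktemp)   # the poster's setup: bound to the Azure private NIC, not the tunnel
printf 'Port 22\nListenAddress 10.1.0.4\n' > "$BAD_CFG"
GOOD_CFG=$(mktemp)  # the fix: bound to the OpenVPN gateway only
printf 'Port 22\n# ListenAddress 0.0.0.0\nListenAddress 10.8.0.1\n' > "$GOOD_CFG"
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    10.1.0.4:22      0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    10.8.0.1:22      0.0.0.0:*         users:(("sshd",pid=812,fd=4))'

# Demo run against the constructed inputs.
if sshd_listen_ok "$BAD_CFG"; then echo "bad cfg: unexpectedly ok"; else echo "bad cfg: sshd not confined to $VPN_GW"; fi
if sshd_listen_ok "$GOOD_CFG"; then echo "good cfg: sshd confined to $VPN_GW"; fi
echo "sshd listeners outside the VPN gateway:"
printf '%s\n' "$SAMPLE_SS" | stray_sshd_listeners
echo "UFW rules to apply:"
ufw_rules
```

On a real server, replace the constructed sample with `ss -ltnp | stray_sshd_listeners` after restarting sshd; an empty result means the daemon is only reachable through the tunnel, and the nmap connect scan from the reply should then show only the OpenVPN port responding. Restricting the firewall to the VPN subnet still matters even with ListenAddress correct, since it covers any other service you install later.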