Old 11-07-2007, 10:41 AM   #1
Madone_SL_5.5
Member
 
Registered: Oct 2006
Location: Ogden, Utah
Distribution: Fedora 10
Posts: 66

Restrict ssh attempts with iptables


I am using Fedora 6 for my web server. I frequently use Putty to connect to my server via ssh from home. My server also receives thousands of failed attempts from others to connect per week. I guess I have a good password or something, but there is no need to allow this to continue.

So my question: Is there a way to drop all attempts on port 22 except those from my IP address range? All my home computers use DHCP, but always have an address beginning with 138.190.208.something. So I would like to only allow a corresponding range of IP addresses, and drop the rest. I do need to keep accepting all connections to port 80, of course.

This is what my iptables list looks like now:

Quote:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             server.mydomain.com  tcp spt:ssh
ACCEPT     tcp  --  anywhere             server.mydomain.com  tcp spt:http
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Suggestions? Thanks.
 
Old 11-07-2007, 11:32 AM   #2
sin
LQ Newbie
 
Registered: Jun 2005
Location: UK
Distribution: Slackware
Posts: 28

You could try something along the lines of:

iptables -A INPUT -p tcp --dport 22 -s ! 192.168.0.1/24 -j DROP

Of course, you'll most likely have to change the subnet.
 
Old 11-07-2007, 12:13 PM   #3
JSkywalker
Member
 
Registered: Aug 2007
Distribution: openSUSE
Posts: 102

or you could change

Code:
ACCEPT tcp -- anywhere server.mydomain.com tcp spt:ssh
to

Code:
ACCEPT tcp -- 138.190.208.something server.mydomain.com tcp spt:ssh

Last edited by JSkywalker; 11-07-2007 at 12:28 PM.
 
Old 11-07-2007, 03:22 PM   #4
Madone_SL_5.5
Member
 
Registered: Oct 2006
Location: Ogden, Utah
Distribution: Fedora 10
Posts: 66

Original Poster
Excellent

Thanks for the replies. Those are good ideas. I don't have a ton of experience yet, so ideas like that don't always come to me on my own.

What would be the notation for all IP addresses starting with 138.190.xxx.xxx? I live on a university campus, and I have found that the last two sets of numbers in my IP address are the only ones that vary for me under DHCP. I have seen notation such as xxx.xxx.xxx.xxx/24 used before to denote an IP range, but I don't know what it means.
 
Old 11-07-2007, 06:13 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Madone_SL_5.5
Thanks for the replies. Those are good ideas. I don't have a ton of experience yet, so ideas like that don't always come to me on my own.

What would be the notation for all IP addresses starting with 138.190.xxx.xxx? I live on a university campus, and I have found that the last two sets of numbers in my IP address are the only ones that vary for me under DHCP. I have seen notation such as xxx.xxx.xxx.xxx/24 used before to denote an IP range, but I don't know what it means.
That's called CIDR notation. Read this link to understand how it works. If you don't want to worry about making subnet calculations, you can specify the ranges you want the rule to apply to in this manner:
Code:
iptables -A INPUT -p TCP --dport 22 -m iprange ! --src-range 138.190.0.1-138.190.255.255 -j DROP
The equivalent CIDR notation way for this range would be:
Code:
iptables -A INPUT -p TCP --dport 22 -s ! 138.190.0.0/16 -j DROP

Last edited by win32sux; 11-07-2007 at 07:35 PM. Reason: Fixed typo.
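The following is an added worked example, not code from this thread or from any poster: it uses Python's standard `ipaddress` module to show what a /24 or /16 prefix actually covers, to model the decision the suggested INPUT rule makes for a given source address and port (port 22 accepted only from inside the prefix, port 80 accepted from anywhere, as the original post requires), and to check whether the `-m iprange` form and the CIDR form given above cover the same addresses. The prefix `138.190.0.0/16` is taken from the thread; the sample source addresses in the `__main__` block are constructed for the example.

```python
"""Worked CIDR example for the SSH allow-list discussed in this thread.

Added illustration only; not code posted in the thread. It models the
effect of an iptables rule that drops port 22 unless the source falls
inside an allowed prefix, so the reader can see which sources a /24 or
a /16 admits, and it compares the iprange and CIDR forms of the range.
"""
import ipaddress


def describe(cidr):
    """Return (first address, last address, netmask, address count)
    for a CIDR prefix such as 138.190.208.0/24.

    strict=False lets a host address with a prefix length (as iptables
    itself accepts, e.g. 192.168.0.1/24) be normalised to its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.network_address), str(net.broadcast_address),
            str(net.netmask), net.num_addresses)


def ssh_rule_decision(src, dport, allowed="138.190.0.0/16"):
    """Model the INPUT rule 'drop tcp dport 22 unless source in allowed'.

    Port 22 from inside the prefix -> ACCEPT, from outside -> DROP.
    Any other port (e.g. 80 for the web server) -> ACCEPT, because the
    rule only matches --dport 22 and the thread's other rules accept
    HTTP from anywhere.  The default prefix is the /16 from post #5."""
    if dport != 22:
        return "ACCEPT"
    in_range = ipaddress.ip_address(src) in ipaddress.ip_network(allowed, strict=False)
    return "ACCEPT" if in_range else "DROP"


def range_as_cidrs(first, last):
    """Summarise an inclusive address range (what -m iprange --src-range
    matches) into the smallest list of CIDR blocks covering it."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    # A /24 covers 256 addresses, a /16 covers 65536.
    print(describe("138.190.208.0/24"))
    print(describe("138.190.0.0/16"))

    # Constructed sample sources: two inside 138.190.0.0/16, one outside.
    for src in ("138.190.208.17", "138.190.3.200", "203.0.113.9"):
        print(src, "ssh:", ssh_rule_decision(src, 22),
              "http:", ssh_rule_decision(src, 80))

    # The iprange form starting at .0.1 omits the network address
    # 138.190.0.0, so it is not a single /16; starting at .0.0 it is.
    print(range_as_cidrs("138.190.0.1", "138.190.255.255"))
    print(range_as_cidrs("138.190.0.0", "138.190.255.255"))
```

One thing the last two lines make visible: a range written as `138.190.0.1-138.190.255.255` is one address short of `138.190.0.0/16` (it leaves out the network address `138.190.0.0`), so the two rules above differ for exactly that one source. In practice no host uses the network address, so the difference is harmless, but it is why a subnet calculator and `-m iprange` do not always give a single prefix for a hand-written range.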
 
Old 11-09-2007, 04:05 PM   #6
JSkywalker
Member
 
Registered: Aug 2007
Distribution: openSUSE
Posts: 102

I think you need some form of IP subnet calculator for that.
see: http://www.subnet-calculator.com/

Or google for it.
 