Hello;

I want to allow SSH to be used only for some IPs but I want them to add like 100.15.25.*

Can I do that? Can you give me an example of how this can be done?

I've not set any firewall rules yet by manually and only 5 or 6 ports are listening from by services. Does it cause a problem to leave other ports accessible? Or If no services listen a port, does that port still accessible? Should I close them? And how?

Thanks.

SSH is too insecure. It allows access, and terminal level control.
However, if you want this. There´s scripting. Where you can easily enter the IP in the script, and define the ip range directly, also; within that very script.

That´s what I would go with.

You can use iptables to deny IPs outside of a given range, like:A port is only open if something is listening on it. There's nothing wrong per se with only making sure you don't have any unwanted ports open, but using a firewall to make sure is a good idea. A firewall lets you set up access restrictions (such as the iptables example above) and it can protect you from certain configuration mistakes.

SSH is fairly secure as it requires a login and you can control the logins by keys or passwords. For input, I'd suggest this:
These inserts put it at the front of your iptables. To control output you need a different code set. see man iptables

Dave

So closing ports which are not listening is not necessary?

I wanted this to prevent attacks. I thought if a blocked port gets an attack it may use less CPU.

Whatever, thanks for the solutions

Well, without seeing your iptables (and I don't suggest posting them here), it's hard to say. You should have a DROP policy or declare a final DROP rule after you open the ports you want.
I'm not really sure what you want do do: allow your list to ssh in or ssh out as the rules are different in each case. Are you protecting or limiting an internal net behind your machine?

If it is a single machine then I'd assume you are interested in allowing only a certain group of sources in. And assuming you already have a few set up, then inserting a specific rule BEFORE all your other rules would be effective. (iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT) does it. But then you might want to put a general DROP just after it. You could do that by inserting the general DROP rule first and then insert the specific ACCEPT. -I (insert) without a rule number just inserts it at the front of the chain, so inserting DROP first and then ACCEPT sets then up in the correct order at the front of the chain.

I think it is bad policy to assume that nothing is listening on a port and generally give explicit DROP rules.

You can look at what is set up by issuing the iptables list command like this as sudo or root. I use a sudo. $ sudo /sbin/iptables -L -v -n --line-numbers
This gives the rule numbers by chain.


Dave

What happens if you block all ports and after enter those:
iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -s 59.45.123.57 -j ACCEPT

Do I allow the first IP range and second IP both, or the second one rewrite the first one?


Also I have a web server and I just realized that my server got attacked from SSH by brute force. I moved SSH port to another port but I want to close all ports except 80, 21 etc... But if a non-listened port doesn't cause any security risk, I don't need to do it. Just want it for the security and attack blocking reasons.

When you say you block all ports first and then ACCEPT, I am assuming you meant DROP all and then ACCEPT. That will not work as once they are DROPed, the ACCEPT rule will never see them as processing stops on a packet that is dropped. And yes you can have as many ACCEPT rules as you need. Once a packet is accepted, processing on that packet depends on what is listening on that socket (port). The rules are processed in order and processing is determined by the -j target.

Another early rule should be iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT to accept established connections.

Just ACCEPT the ports you want first and finish up with a DROP rule. This one is general: iptables -A INPUT -j DROP

Be sure to list the rules to see it they execute in the order you desired. You may need to flush existing rules before you set up the table.


Dave

Thanks david the things are more clear now

Hi again;

I used
After that when I write
Everything perfect.

But after restarting iptables service, iptables -L -n returns empty lists for rules.

Do I need to do something more?

Solved. My /etc/init.d/iptables script supports "save" command so I'm able to use "service iptables save" and this solved the problem

Even you can stright away edit the iptables file, it has located in /etc/sysconfig/iptables

In relation to the OP post #1, you can also use /etc/hosts.allow, instead of or in addition to iptables.

Another thing you might want to consider is running fail2ban, which scans your logs for failed logons and dynamically updates your firewall to ban the offending ip address. It works not only for SSH, but a variety of other services.

I use it because a few of the branch offices I work out of have dynamically assigned ip addresses, which opens up a quite large ip range that is able to SSH in.