> On Sep 8, 2019, at 8:46 PM, Michael Knill <michael.kn...@ipcsolutions.com.au>
> wrote:
>
> Hi Group
>
> I am seeing lots of hacking attempts on my systems as they have found my non
> standard SSH port. Although there is no issue as I have SSH Key access only,
> I'm sick of the long list of addresses in the Adaptive Ban list and I'm
> thinking I should be adding another line of defence in my security anyway.
> As such, along with implementing Geoblocking Netset files (next release), I
> also want to use a Jump box for management. This server would connect to each
> system via Wireguard VPN allowing management also when in a failover
> condition through NAT e.g. 4G backup, firewall managed by others.
>
> With this architecture in mind, I was wondering how I would go about
> restricting access to a single port only from this Wireguard VPN tunnel to
> the local interface e.g. wg0 address. I think it is completely open currently.
>
> Is it easy to do?
>
> Regards
> Michael Knill
If SSH access can only occur within a WireGuard tunnel, no port filtering is
required since access is secured by WireGuard.
As such, only allow remote user access to the management VPN via a WireGuard
tunnel.
But, if you want to filter SSH from wg0 to the local device by source IP
address, try

Firewall Rules:
Action: [ Deny LAN->Local ]

keeping in mind that the wg0 interface is treated as an isolated LAN subnet
from any other LAN subnet.
Lonnie
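For readers who want to see the "SSH only via the tunnel" restriction spelled out as packet-filter rules, here is an added example that is not from the thread and not AstLinux's own firewall configuration: plain iptables rules that accept new SSH connections only on wg0 from the jump box, plus a check that counts rules which would accept SSH anywhere else. The interface name, jump-box address and port are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread, not AstLinux's rc.conf mechanism):
# admit new SSH connections only over wg0 from the jump box, drop the rest,
# and check a rule set for anything that opens SSH off-tunnel.
WG_IF="wg0"
JUMP_WG_IP="10.10.10.2"   # constructed: jump box's WireGuard address
SSH_PORT="2222"           # constructed stand-in for the non-standard port

# Emit the INPUT rules in the order they must be applied. $1 is the command
# used to apply them: "iptables" on the box, "echo" for a dry run.
ssh_wg_only_rules() {
  ipt="$1"
  # Existing sessions keep working (including the one you are typing in).
  "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # New SSH connections only over the tunnel, and only from the jump box.
  "$ipt" -A INPUT -i "$WG_IF" -s "$JUMP_WG_IP" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  # Anything else aimed at the SSH port is rate-limited into the log, then dropped,
  # so scans remain visible without growing a ban list.
  "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "ssh-outside-wg0: "
  "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Read rules in `iptables -S` form on stdin and print how many of them ACCEPT
# new connections to the SSH port without being bound to wg0. Feed it
# `iptables -S INPUT` on the box to answer "is it completely open?".
count_ssh_accepts_outside_wg() {
  grep -- "--dport $SSH_PORT" | grep -- '-j ACCEPT' | grep -- 'NEW' \
    | grep -v -- "-i $WG_IF" | wc -l | tr -d ' '
}

# Dry run: show the rules, then verify none of them opens SSH off-tunnel.
ssh_wg_only_rules echo
leaks=$(ssh_wg_only_rules echo | count_ssh_accepts_outside_wg)
echo "SSH accept rules not bound to $WG_IF: $leaks"
```

Rule order matters: an earlier blanket ACCEPT for the LAN would make the DROP unreachable, which is exactly what the count function is meant to catch when run against the live rule set.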
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.