On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem.  The linksys router is
> > currently forwarding all ssh traffic to my gentoo box.  What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts.  Can someone please help me out with this.  All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative.  They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your setup to be.  I always suggest to disable 
passwd authentication and enable public key authentication, after you copy & 
paste each client's public key in the file ~/.ssh/authorized_keys.  Any 
passwd cracking attacks will simply fail.  I would also suggest that you move 
your sshd port from 22 to a higher number.  All/most of these bots scanning 
port 22 will now leave you alone.  Finally, you can set up additional layers 
like allow/deny users, MAC addresses, etc.  While you're at it, don't forget 
disabling root logins.

If you want to introduce diverse protection then iptables (and as previously 
suggested hosts.allow/hosts.deny) is an option.  In your iptables script (or 
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d <server_LAN_ip_address> -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher 
number 'free' port.  Your final catch-all rule at the bottom of your iptables 
will drop any packets (on any port) from hosts other than the clients you 
specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that 
you can specify WAN ip addresses (I know that you can in my hardware router, 
but don't know in yours).

If anyone manages to break into the server through such a sshd setup, then 
they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick
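An added example, not part of the thread: a POSIX shell script that emits the iptables whitelist Mick describes for a list of trusted clients, followed by the rate-limited LOG and REJECT rules for every other connection to the ssh port (the logging the original question asked for), plus a helper that reports which of the recommended sshd_config directives a given file does not set. The interface, LAN address, port and client addresses are constructed placeholders; by default the rules are only printed, and IPT=iptables applies them for real.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two helpers:
#   ssh_rules               emits the per-client ACCEPT rules plus a LOG/REJECT
#                           pair for every other connection to the ssh port
#   sshd_hardening_missing  reports recommended sshd_config lines that are absent
# By default the rules are only printed; run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# ssh_rules IFACE SERVER_LAN_IP PORT CLIENT_IP...
ssh_rules() {
    iface=$1; server=$2; port=$3; shift 3
    # One ACCEPT per trusted client, the same shape as the rule in the reply.
    for client in "$@"; do
        $IPT -A INPUT -i "$iface" -p tcp -s "$client" -d "$server" \
             -m tcp --dport "$port" -j ACCEPT
    done
    # Anything else reaching the ssh port: log it (rate-limited so a scan
    # cannot flood the kernel log) and then reject it.
    $IPT -A INPUT -i "$iface" -p tcp -d "$server" -m tcp --dport "$port" \
         -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "SSH-DENIED: " --log-level 4
    $IPT -A INPUT -i "$iface" -p tcp -d "$server" -m tcp --dport "$port" \
         -j REJECT --reject-with tcp-reset
}

# sshd_hardening_missing FILE
# Print each recommended directive (key authentication only, no root logins)
# that FILE does not set explicitly; exit status 1 if anything is missing.
sshd_hardening_missing() {
    missing=0
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "PermitRootLogin no"; do
        key=${want% *}; val=${want#* }
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]+$val([[:space:]]|\$)" "$1"; then
            echo "$want"; missing=1
        fi
    done
    return $missing
}

# Demo with constructed addresses (RFC 5737 documentation ranges) and port 2222.
ssh_rules eth0 192.168.1.10 2222 203.0.113.5 198.51.100.7
```

The REJECT rule sends a TCP reset; swap it for `-j DROP` if you prefer the silent catch-all behaviour described in the reply.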
