public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPtables question
Date: Wed, 31 Jan 2007 23:25:38 +0000	[thread overview]
Message-ID: <200701312325.49328.michaelkintzios@gmail.com> (raw)
In-Reply-To: <1170276978.31556.3.camel@blackwidow.nbk>

On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem.  The linksys router is
> > currently forwarding all ssh traffic to my gentoo box.  What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts.  Can someone please help me out with this.  All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative.  They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your setup to be.  I always suggest disabling 
passwd authentication and enabling public key authentication, after you copy & 
paste each client's public key into the file ~/.ssh/authorized_keys.  Any 
passwd cracking attacks will simply fail.  I would also suggest that you move 
your sshd port from 22 to a higher number.  All/most of these bots scanning 
port 22 will now leave you alone.  Finally, you can set up additional layers 
like allow/deny users, MAC addresses, etc.  While you're at it, don't forget 
to disable root logins.

If you want to introduce diverse protection, then iptables (and, as previously 
suggested, hosts.allow/hosts.deny) is an option.  In your iptables script (or 
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 \
    -d <server_LAN_ip_address> -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a 
higher-numbered free port.  Your final catch-all rule at the bottom of your 
iptables rules will drop any packets (on any port) from hosts other than the 
clients you specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that 
you can specify WAN ip addresses (I know that you can in my hardware router, 
but don't know in yours).

If any one manages to break in to the server through such a sshd setup, then 
they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick
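
As an added example (not part of Mick's message, nor any Gentoo project code), the following POSIX shell script prints the iptables rules and the sshd_config fragment that implement the advice above: one ACCEPT per trusted client on the moved ssh port, a rate-limited LOG and a REJECT for every other connection attempt to that port, and a DROP policy as the catch-all.  The interface eth0, the port 2222, the server LAN address 192.168.1.10, the two client addresses (taken from the RFC 5737 documentation ranges) and the user name jcolby are assumptions for illustration; replace them with your own.  The script only prints the rules so it can be reviewed first; run it as root with the argument "apply" to load them.

```shell
#!/bin/sh
# Added example, not from the original list post.  Generates the iptables
# rules and sshd_config lines for an allow-listed, key-only sshd.
# All addresses, the interface, the port and the user name are assumptions.

IFACE="eth0"                                  # assumed WAN-facing interface
SSH_PORT="2222"                               # assumed non-default sshd port
SERVER_IP="192.168.1.10"                      # assumed LAN address of the server
ALLOWED_CLIENTS="203.0.113.5 198.51.100.0/24" # constructed client addresses
LOG_PREFIX="SSH-REJECT: "

# Print one ACCEPT per allowed client, then a rate-limited LOG rule and a
# REJECT for everything else that reaches the ssh port.  The LOG rule must
# come before the REJECT: LOG is a non-terminating target, so the packet
# continues to the next rule after being logged.
ssh_rules() {
    port="$1"; shift
    for client in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp -s %s -m tcp --dport %s -d %s -j ACCEPT\n' \
            "$IFACE" "$client" "$port" "$SERVER_IP"
    done
    # At most 5 log lines a minute (burst 10) so a port scan cannot fill the disk.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s" --log-level 4\n' \
        "$IFACE" "$port" "$LOG_PREFIX"
    # tcp-reset tells the client immediately instead of leaving it to time out.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$IFACE" "$port"
}

# The complete INPUT chain: flush, DROP policy as the catch-all, loopback,
# replies to connections the server opened, then the ssh rules.
firewall_script() {
    printf 'iptables -F INPUT\n'
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # $ALLOWED_CLIENTS is deliberately unquoted so it splits into one argument per client.
    ssh_rules "$SSH_PORT" $ALLOWED_CLIENTS
}

# sshd_config lines for the moved port, key-only logins and no root login.
# ChallengeResponseAuthentication is switched off too, otherwise PAM can still
# offer a password prompt via keyboard-interactive even with
# PasswordAuthentication no.  The user name is a placeholder.
sshd_hardening() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers jcolby
EOF
}

# Number of iptables commands generated; handy for a sanity check.
rule_count() { firewall_script | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    firewall_script | sh
else
    firewall_script
    printf '\n# --- sshd_config fragment ---\n'
    sshd_hardening
fi
```

Two things to check before relying on it: the router's port forward has to be changed along with the sshd port (forward external 22, or the new port, to 2222 on the server), and the -d match works only because the router rewrites the destination to the server's LAN address while leaving the client's WAN source address intact, which is what the -s match keys on.  Keep an existing session open while applying the rules so a typo does not lock you out.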

Thread overview: 17+ messages
2007-01-31 20:36 [gentoo-user] IPtables question James Colby
2007-01-31 20:56 ` Albert Hopkins
2007-01-31 23:25   ` Mick [this message]
2007-02-01  3:58 ` Norberto Bensa
2007-02-02  8:45 ` Pawel Kraszewski
2007-02-02  9:54   ` Hans-Werner Hilse
2007-02-02 11:01     ` Pawel Kraszewski
  -- strict thread matches above, loose matches on Subject: below --
2011-12-16 15:17 [gentoo-user] iptables question Tanstaafl
2011-12-17 16:34 ` Hari Purnama
2011-12-17 17:25   ` Tanstaafl
2006-03-28 13:38 Hiren Dave
2006-03-28 14:06 ` Boyd Stephen Smith Jr.
2006-03-28 14:35 ` Uwe Thiem
2006-03-29  2:24 ` JimD
2006-01-20 19:49 Dmitry S. Makovey
2006-01-20 20:49 ` Trenton Adams
2006-01-20 22:21   ` Dmitry S. Makovey