From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPtables question
Date: Wed, 31 Jan 2007 23:25:38 +0000
User-Agent: KMail/1.9.5
References: <c001995e0701311236g51b7c4cdubcd71e51b1ddd3a3@mail.gmail.com> <1170276978.31556.3.camel@blackwidow.nbk>
In-Reply-To: <1170276978.31556.3.camel@blackwidow.nbk>
Message-Id: <200701312325.49328.michaelkintzios@gmail.com>


On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem.  The linksys router is
> > currently forwarding all ssh traffic to my gentoo box.  What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts.  Can someone please help me out with this.  All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative.  They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your setup to be.  I always suggest disabling
passwd authentication and enabling public key authentication, after you copy &
paste each client's public key into the file ~/.ssh/authorized_keys.  Any
passwd cracking attacks will simply fail.  I would also suggest that you move
your sshd port from 22 to a higher number.  All/most of these bots scanning
port 22 will now leave you alone.  Finally, you can set up additional layers
like allow/deny users, MAC addresses, etc.  While you're at it, don't forget
to disable root logins.

If you want to introduce diverse protection then iptables (and, as previously
suggested, hosts.allow/hosts.deny) is an option.  In your iptables script (or
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d <server_LAN_ip_address> -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a
higher-numbered 'free' port.  Your final catch-all rule at the bottom of your
iptables will drop any packets (on any port) from hosts other than the clients
you specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that
you can specify WAN ip addresses (I know that you can in my hardware router,
but don't know in yours).

If anyone manages to break into the server through such an sshd setup, then
they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list
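The single ACCEPT rule Mick gives, carried through to a complete ruleset that
does what James asked for (SSH accepted only from a short allow-list, every
other SSH attempt logged and rejected, everything else dropped) together with
the sshd_config lines Mick recommends.  This is an added example and not code
from the original thread.  It assumes a WAN-facing interface eth0, sshd moved
to port 2222, two client addresses from the RFC 5737 documentation ranges
(203.0.113.10 and 198.51.100.0/24) and a user name "james" for AllowUsers; all
of these are placeholders chosen for the example.  The script only prints the
two fragments so they can be reviewed before being loaded with
iptables-restore; it also refuses a malformed client address, since an empty
or bad -s argument would otherwise turn the per-client ACCEPT into an
accept-from-anywhere rule.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Generates an
# iptables-restore ruleset that accepts SSH only from an allow-list, logs
# and rejects every other SSH attempt, drops all other unsolicited input,
# and prints the matching sshd_config fragment.  Interface, port, client
# addresses and user name are hypothetical placeholders; the addresses are
# from the RFC 5737 documentation ranges and were constructed for this example.

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    echo "$addr"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$prefix" | grep -Eq '^[0-9]{1,2}$'                  || return 1
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $addr; do
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Print an iptables-restore ruleset for the filter table.
# usage: ssh_ruleset <wan_iface> <ssh_port> <client_cidr>...
ssh_ruleset() {
    iface=$1
    port=$2
    shift 2
    [ $# -gt 0 ] || { echo "ssh_ruleset: no clients given" >&2; return 1; }
    # Validate every client before emitting anything, so a typo aborts the
    # whole ruleset instead of producing a half-written one.
    for client in "$@"; do
        valid_cidr "$client" || { echo "ssh_ruleset: bad address '$client'" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One ACCEPT per allowed client, the same shape as the rule in the post.
    for client in "$@"; do
        echo "-A INPUT -i $iface -p tcp -s $client --dport $port -j ACCEPT"
    done
    # Everything else aimed at sshd: log (rate-limited so a scanner cannot
    # fill the disk) and then reject.  The DROP policy covers all other ports.
    cat <<EOF
-A INPUT -i $iface -p tcp --dport $port -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ssh-denied: " --log-level 4
-A INPUT -i $iface -p tcp --dport $port -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# sshd_config fragment: key-only auth, no root login, same non-default port.
# usage: sshd_hardening <ssh_port> <allowed_user>
sshd_hardening() {
    cat <<EOF
Port $1
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $2
EOF
}

# Run directly: print both fragments for review.  On the server you would
# feed the first to iptables-restore and merge the second into sshd_config;
# neither is done here.
ssh_ruleset eth0 2222 203.0.113.10 198.51.100.0/24
sshd_hardening 2222 james
```

Because the INPUT policy is DROP, the ESTABLISHED,RELATED rule is what keeps
your current session alive once the ruleset is loaded; load it from one SSH
session and confirm a second session still connects before closing the first.
The limit on the LOG rule is a deliberate choice: without it a scanner on the
new port can write a log line per SYN.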