From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPtables question
Date: Wed, 31 Jan 2007 23:25:38 +0000

On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem. The linksys router is
> > currently forwarding all ssh traffic to my gentoo box. What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts. Can someone please help me out with this. All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative. They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your setup to be. I always suggest to disable passwd authentication and enable public key authentication, after you copy & paste each client's public key into the file ~/.ssh/authorized_keys. Any passwd cracking attacks will simply fail. I would also suggest that you move your sshd port from 22 to a higher number. All/most of these bots scanning port 22 will now leave you alone. Finally, you can set up additional layers like allow/deny users, MAC addresses, etc. While you're at it, don't forget to disable root logins.

If you want to introduce diverse protection then iptables (and, as previously suggested, hosts.allow/hosts.deny) is an option. In your iptables script (or saved set of iptables rules) add something like:

  iptables -A INPUT -i eth0 -p tcp -s <client_ip> -m tcp --dport 22 -d <server_ip> -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher number 'free' port. Your final catch-all rule at the bottom of your iptables will drop any packets (on any port) from hosts other than the clients you specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that you can specify WAN ip addresses (I know that you can in my hardware router, but don't know in yours).

If anyone manages to break into the server through such an sshd setup, then they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick
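The following script is an added example and not part of the thread or any poster's reply. It turns the two pieces of advice above into something reviewable: a function that prints the per-client ACCEPT rules plus a rate-limited LOG and DROP for every other attempt on the ssh port (what James asked for: allow a few hosts, log and reject the rest), and a function that checks an sshd_config for the settings Mick recommends (no password authentication, public-key authentication on, no root logins). The function names `sshd_rules` and `check_sshd_config`, the interface `eth0`, port `2222` and the addresses from the documentation ranges are this example's own assumptions. It never touches the live firewall; it only prints the iptables commands so you can paste them into your own rules script after reading them.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints iptables rules and checks an
# sshd_config; it does not modify the running firewall or sshd.

# Emit iptables commands that accept new ssh connections only from the listed
# hosts, then log (rate-limited so a scan cannot flood the log) and drop all
# other traffic to that port.
# usage: sshd_rules <port> <interface> <client_ip> [client_ip...]
sshd_rules() {
    port=$1
    iface=$2
    shift 2
    for host in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp -s $host -m tcp --dport $port -j ACCEPT"
    done
    # Everything else on the ssh port: log at most 5 lines/min, then drop.
    echo "iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"ssh-denied: \""
    echo "iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -j DROP"
}

# Return 0 if the given sshd_config sets the three hardening options the reply
# recommends, 1 otherwise. Commented-out lines are ignored; if a keyword appears
# more than once, sshd honours the first, but this check is deliberately strict
# and reports the last so a stray later line is still flagged.
# usage: check_sshd_config <path>
check_sshd_config() {
    cfg=$1
    status=0
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" "PermitRootLogin no"; do
        key=${want% *}
        val=${want#* }
        got=$(grep -i "^[[:space:]]*$key[[:space:]]" "$cfg" | awk '{print tolower($2)}' | tail -n 1)
        if [ "$got" != "$val" ]; then
            echo "WARN: $key is '${got:-unset}', want '$val'"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed sshd_config (the values are made up for the example).
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample, not a real server's config
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
EOF
    check_sshd_config "$tmp" || echo "sshd_config needs hardening"
    rm -f "$tmp"
    # Two allowed clients from the documentation address ranges (constructed).
    sshd_rules 2222 eth0 203.0.113.10 198.51.100.7
}

demo
```

Run it with `sh script.sh`; the WARN lines show which sshd options still need changing, and the printed iptables commands can be reviewed and then added to your rules script. Keep the usual rule accepting ESTABLISHED traffic ahead of these, and note that the DROP here only covers the ssh port; Mick's catch-all at the bottom of the chain still decides what happens on every other port.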