Full Version: How do you limit SSH to specific IP subnets?
The Planet Forums > Operating Systems > BSD > BSD HOWTOs
Clark
Question in the title.
I'm running FBSD version 5.21
tam
You could try, and this is just a suggestion, a firewall rule.

Now this depends on your setup of course but something like this in your iptables file (mine is /etc/sysconfig/iptables)

-A RH-Firewall-1-INPUT -p tcp --dport 22 -s 192.168.0.2 -j ACCEPT

As you can see I am running a version of redhat/fedora but there will be existing rules there so you should be able to adapt that to your particular firewall.

That rule basically says to only allow/accept connections to port 22 (the default port for ssh) from the source ip address of 192.168.0.2.

Restart iptables with /etc/init.d/iptables restart and you should be cooking.

The other really good security measure you can use, if not already, is to turn off password authentication and to use the key system. Have a look at

http://www.g-loaded.eu/2005/11/10/ssh-with-keys/
and
http://sial.org/howto/openssh/publickey-auth/

Good luck

Thomas Inglis
James Jhurani
QUOTE (tam @ Feb 17 2007, 01:23 PM)
Yikes, save yourself the trouble and use hosts.allow and hosts.deny.

By the way, he's using FreeBSD. It does not have iptables, it has ipfw. The syntax is completely different.
klaude
hosts.(allow|deny) is the easiest way to do it. Keep in mind though that limiting sshd to a certain IP range is a dangerous idea and should only be done under ideal circumstances. The scenario I throw out is that you get the call that your server is down, but you're on vacation or you're at your grandma's house. That makes it pretty tough to log in and fix things. I wouldn't limit SSH access. If you do it though, remember to allow access so we can get to your system from our office netblocks. That way you don't void your SLA and we can fix things if problems arise.
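As an added example (not code from the thread), a POSIX sh script that turns one list of allowed IPv4 subnets into both the hosts.allow stanza James and klaude recommend and the ipfw equivalent, and checks a client address against that list first so the lockout klaude describes is caught before the rules go live. It assumes sshd is built with tcp_wrappers support, as FreeBSD's base sshd was; the subnets and SUPPORT_NET are constructed placeholders, not real address ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: build the hosts.allow and ipfw rules
# described above from one list of IPv4 subnets, and check a client address
# against it before installing. Subnets are constructed; SUPPORT_NET is a placeholder.
ALLOWED_NETS="192.168.0.0/24 10.20.0.0/16"
SUPPORT_NET="203.0.113.0/24"
# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Prefix length -> mask as an integer (relies on 64-bit shell arithmetic).
mask_int() {
    echo $(( 4294967295 ^ ((1 << (32 - $1)) - 1) ))
}
# Prefix length -> dotted-quad mask, the IPv4 form hosts_access(5) expects.
prefix_to_mask() {
    m=$(mask_int "$1")
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}
# Print 1 if the address falls inside any allowed subnet, else 0.
ip_allowed() {
    ip=$(ip_to_int "$1")
    for net in $ALLOWED_NETS $SUPPORT_NET; do
        mask=$(mask_int "${net#*/}")
        if [ $(( ip & mask )) -eq $(( $(ip_to_int "${net%/*}") & mask )) ]; then
            echo 1; return 0
        fi
    done
    echo 0
}
# /etc/hosts.allow stanza: tcp_wrappers uses the first matching line, so put
# these above FreeBSD's default "ALL : ALL : allow" entry.
hosts_allow_stanza() {
    list=""
    for net in $ALLOWED_NETS $SUPPORT_NET; do
        list="$list ${net%/*}/$(prefix_to_mask "${net#*/}")"
    done
    printf 'sshd :%s : allow\nsshd : ALL : deny\n' "$list"
}
# Same policy as ipfw rules; the allows must precede the final deny.
ipfw_rules() {
    for net in $ALLOWED_NETS $SUPPORT_NET; do
        printf 'ipfw add allow tcp from %s to me 22 in setup\n' "$net"
    done
    printf 'ipfw add deny tcp from any to me 22 in setup\n'
}
```

Run `ip_allowed` against the address you will be connecting from (and the support netblock) before copying the stanza into place; a 0 means the rules would lock that client out.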
markcausa
Yep, they're right. Just drop the IP into the config files, if you really want to do this.

I personally see a disadvantage because when I'm on the road and I need to SSH in, I'll be screwed. And like Kevin (above) said, support will also be blocked.

And what happens if your home/office IP is dynamic and changes every 30 mins or so?
alex042
A better idea would probably be to just change the SSH port to something else.