marceloNYC

Limit linux server SSH connections from outside

Dear experts,

I found out that our mail server can be accessed from outside via ssh.

It does not know what is from outside and inside basically. A huge problem for me.

I need an idea on how to stop its outside access and keep only from LAN.

I take it I need to begin iptables work. Anything else?

The Server is in a DMZ.

Thank you!
ncomper

Afternoon,
A good article is available here:

http://askubuntu.com/questions/115940/how-can-i-setup-ssh-so-that-it-is-restricted-to-my-local-network

This shows you the iptables rules and also has information on setting up access with keys rather than having password-protected accounts.
Jan Bacher
Specifically, which distribution and which version?

You should also be running fail2ban with ssh connections.
marceloNYC (ASKER)

more /etc/*-release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
SOLUTION
1ly4me
(solution text not available outside Experts Exchange membership)
ASKER CERTIFIED SOLUTION
(solution text not available outside Experts Exchange membership)
Some samples will be great.

Thank you!
That's no problem.

I need to know your input chain (you'll get that from an "iptables --list -n").

In CentOS land, it would look like this:

iptables -I INPUT 5 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

This will insert this rule at line 5 of your iptables rules, allowing the 192.168.1.0/24 subnet to ssh to the server on any interface.

Either only allow ssh by IP/subnet or install fail2ban.  I do both and both work well.

The important data point with these rules is that either iptables isn't running or you have the usual allow all to ssh.  So just inserting this rule without considering further rules could be problematic.
I like CentOS more but here they are all Debian and want nothing else... :(
I guess what I'm saying is that the default input chain is called "INPUT".

If you do an "iptables --list -n", we can get the accurate chain name.
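The two points made in the replies above, that the SSH rule should only admit the LAN subnet and that inserting it blindly below an existing "accept SSH from anywhere" rule achieves nothing, can be combined into a small script. This is an added example, not code from the thread or from any of the posters. It assumes the chain is called INPUT, the LAN is 192.168.1.0/24, sshd listens on tcp/22, and the commands run as root; the sample chain listing is constructed to look like a default CentOS INPUT chain and is not taken from the asker's server. With DRY_RUN=1 the iptables commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the thread): restrict SSH to the LAN with iptables and
# check the existing INPUT chain before inserting the rule, as the thread advises.
# Assumptions (constructed for this example): LAN is 192.168.1.0/24, sshd is on
# tcp/22, the chain name is INPUT, and rules are applied as root. With DRY_RUN=1
# the iptables commands are printed instead of executed.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  # Print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Given the output of "iptables -L INPUT -n --line-numbers", print the rule
# number of the first ACCEPT for tcp/$SSH_PORT from any source (0.0.0.0/0).
# Prints nothing when no such rule exists. A LAN-only rule inserted below
# that number never matches, because the open rule accepts the packet first.
open_ssh_rule_num() {
  printf '%s\n' "$1" | awk -v port="$SSH_PORT" '
    $2 == "ACCEPT" && $3 == "tcp" && $5 == "0.0.0.0/0" &&
    $0 ~ ("dpt:" port "( |$)") { print $1; exit }'
}

# Apply the LAN-only policy: accept SSH from the LAN, then drop SSH from
# everywhere else. Appending (-A) keeps existing rules in place, so any
# "accept SSH from anywhere" rule must be removed first (see above).
apply_lan_only_ssh() {
  run iptables -A INPUT -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Constructed sample listing in the shape of a default CentOS INPUT chain:
# rule 4 accepts SSH from anywhere, so "-I INPUT 5 ..." would land below it.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
)

# Report whether a listing still has an unrestricted SSH accept (returns 1 and
# names the rule number so it can be deleted with "iptables -D INPUT <num>")
# or whether it is safe to append the LAN-only rules (returns 0).
assess_listing() {
  num=$(open_ssh_rule_num "$1")
  if [ -n "$num" ]; then
    echo "rule $num accepts tcp/$SSH_PORT from any source; delete it before adding the LAN rule"
    return 1
  fi
  echo "no unrestricted tcp/$SSH_PORT accept found; safe to append the LAN-only rules"
  return 0
}

# Stand-alone usage: "sh restrict_ssh.sh demo" assesses the constructed sample,
# then prints the rules that would be applied (dry run, nothing is changed).
if [ "${1:-}" = "demo" ]; then
  assess_listing "$SAMPLE_LISTING" || true
  DRY_RUN=1
  apply_lan_only_ssh
fi
```

On the real server, feed `assess_listing` the output of `iptables -L INPUT -n --line-numbers` (the command the reply above asks for) and only run `apply_lan_only_ssh` once it reports no unrestricted accept; keep an existing session open while testing, since a wrong LAN_NET locks you out of the DMZ host.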