marceloNYC
asked on
Limit linux server SSH connections from outside
Dear experts,
I found out that our mail server can be accessed from outside via SSH.
Basically, it does not know what is from outside and what is from inside. A huge problem for me.
I need an idea on how to stop its outside access and keep only access from the LAN.
I take it I need to begin iptables work. Anything else?
The Server is in a DMZ.
Thank you!
Specifically, which distribution and which version?
You should also be running fail2ban for SSH connections.
ASKER
more /etc/*-release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Some samples would be great.
Thank you!
That's no problem.
I need to know your INPUT chain (you'll get that from an "iptables --list -n").
In CentOS land, it would look like this:
iptables -I INPUT 5 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
This will insert the rule at line 5 of your iptables rules, allowing the subnet 192.168.1.0/24 to SSH to the server on any interface.
Either only allow SSH by IP/subnet or install fail2ban. I do both, and both work well.
The important data point with these rules is that either iptables isn't running or you have the usual allow-all to SSH. So just inserting this rule without considering the other rules could be problematic.
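The reply above warns that an "allow all to ssh" rule already in the chain would shadow a LAN-only rule inserted after it. The following is an added example, not code posted in this thread: it emits a self-contained rule set that restricts port 22 to the LAN regardless of the chain's default policy (it appends its own DROP instead of relying on an insert position like "-I INPUT 5"), and it checks a copy of "iptables -S INPUT" output for the shadowing rule before anything is applied. The LAN subnet 192.168.1.0/24, the chain name INPUT and the availability of the conntrack match are assumptions; the two sample chains are constructed for illustration, not captured from the asker's server.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the LAN is
# 192.168.1.0/24 (override with LAN_CIDR=...) and that SSH arrives on the
# INPUT chain; the emitted commands are meant to be run as root on the
# server only after `iptables -S INPUT` has been reviewed.
set -e

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Emit the rule set that restricts SSH to the LAN. -A appends, so the
# rules land at the end of INPUT in the printed order; the explicit DROP
# on port 22 makes the result independent of the chain's default policy.
ssh_lan_rules() {
    cidr="$1"
    printf '%s\n' \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -s $cidr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Given the text of `iptables -S INPUT`, succeed (exit 0) if some rule
# already accepts port 22 from any source, i.e. has no -s restriction.
# Such a rule matches first, so a LAN-only rule appended later would
# never be reached; it has to be deleted before the new rules go in.
has_open_ssh_rule() {
    printf '%s\n' "$1" \
        | grep -- '--dport 22 ' \
        | grep -- '-j ACCEPT' \
        | grep -qv -- ' -s '
}

# Constructed sample chains (not captured from a real host): the first is
# the "usual allow all to ssh", the second is already LAN-restricted.
OPEN_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

LAN_ONLY_INPUT='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

# Demonstrate the check on the constructed open chain, then print the
# commands that would lock SSH down to the LAN.
if has_open_ssh_rule "$OPEN_INPUT"; then
    echo "existing chain already accepts SSH from anywhere; delete that rule first" >&2
fi
echo "# rules to apply for LAN $LAN_CIDR:"
ssh_lan_rules "$LAN_CIDR"
```

On a live host, feed the real chain to the check with has_open_ssh_rule "$(iptables -S INPUT)" before running the emitted commands, and keep the current session open while testing from a second one. Because the server sits in a DMZ, the host firewall is the only thing that tells "outside" from "inside" here, so the rules must be persisted across reboots (on Debian, for example, with the iptables-persistent package); fail2ban remains useful as a second layer for whatever the LAN side can still reach.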
ASKER
I like CentOS more but here they are all Debian and want nothing else... :(
I guess what I'm saying is that the default input chain is called "INPUT".
If you do an "iptables --list -n", we can get the accurate chain name.
A good article is available here:
http://askubuntu.com/questions/115940/how-can-i-setup-ssh-so-that-it-is-restricted-to-my-local-network
This shows you the iptables rules and also has information on setting up access with keys rather than password-protected accounts.