Linode Forum
https://forum.linode.com/

SSH to only allow logins from specific IPs and block all oth
https://forum.linode.com/viewtopic.php?f=19&t=11227
Page 1 of 1

Author:  vchaudha [ Mon Aug 11, 2014 10:51 pm ]
Post subject:  SSH to only allow logins from specific IPs and block all oth

This is the second time I am posting on the Linode forum, and my first experience was really great. Thank you to all who respond, in advance!

We use a Linode with Ubuntu 12.04. I went through the basics to install RSA encryption for SSH logins, and set up fail2ban, but I am not sure how to do the following. I want to only allow specific IP addresses (or ranges of IP addresses) to be able to SSH. In other words, I want to turn away ALL others from SSH. This way, I will be able to SSH from my office, and from home, and so will 1 other administrator. And block everybody else.

With my rudimentary unix sysadm knowledge - really, so rudimentary - I don't know how to configure fail2ban to enforce such a ban. Is this a normal thing to do, or is there a different way to achieve what I want - make it really restrictive for the world to access our servers, but allow a handful of known administrators only?

Any advice appreciated!
Thanks,
Vik

Author:  Ox- [ Tue Aug 12, 2014 12:37 am ]
Post subject:  Re: SSH to only allow logins from specific IPs and block all

This is the job of your firewall, not fail2ban. fail2ban just watches your kernel logs for probes on your SSH and then sends commands to the firewall to start blocking those IP addresses.

If you want to whitelist specific IP addresses then you have no need for fail2ban... because all (non-whitelisted) IP addresses will already be blocked by the firewall.

On Ubuntu the easiest firewall choice for admins with rudimentary knowledge is Uncomplicated Firewall or "ufw". The guide I linked there will give you a few quick lines you can use to set up ufw, but in particular what you are interested in is example 6:
Code:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22


... where you replace 192.168.0.2 with an ip address you want to whitelist.

The Linode Iptables Guide also has an example of whitelisting IP addresses for SSH, but uses iptables directly instead of a beginner-friendly syntax like ufw.
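
The allowlist approach from the post above, carried through to a complete rule set as an added example (not part of any post in this thread): the script validates each source address and prints the ufw commands for review instead of running them. The function names, the sample addresses and the open web ports 80 and 443 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for a ufw SSH allowlist.
# Sample addresses are constructed documentation values (RFC 5737).

# Succeed only for a strict dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() (
    addr=$1
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) exit 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || exit 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        # Reject leading zeros: some parsers read them as octal.
        case $octet in 0?*) exit 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the rule set: deny inbound by default, SSH only from the given sources,
# web ports (an assumption about this server) open to everyone.
# Prints nothing if the list is empty or any entry is malformed, so a typo
# cannot yield a partial rule set that locks the administrators out.
ssh_allowlist_rules() (
    [ $# -gt 0 ] || { echo "no SSH sources given" >&2; exit 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "rejected source: $src" >&2; exit 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for src in "$@"; do
        echo "ufw allow proto tcp from $src to any port 22"
    done
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    # Enable last, after the SSH allow rules exist.
    echo "ufw enable"
)

# Review the output, then run the printed commands with sudo.
ssh_allowlist_rules 203.0.113.10 198.51.100.0/24
```

With the default inbound policy set to deny, any source that is not listed never reaches sshd on port 22.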

Author:  jebblue [ Tue Aug 12, 2014 12:44 pm ]
Post subject:  Re: SSH to only allow logins from specific IPs and block all

For ssh I use AllowUsers lines in /etc/ssh/sshd_config.

Author:  vchaudha [ Tue Aug 12, 2014 1:21 pm ]
Post subject:  Re: SSH to only allow logins from specific IPs and block all

Ox - I will read up on UFW, thanks for the information. I thought fail2ban was a firewall, but I guess I didn't read the Linode article properly (https://www.linode.com/docs/security/se ... our-server). I presume I can configure UFW to only block SSH traffic, but it will let all users through to my web server (of course, I don't mind blocking bots from my web server).

Jebblue - That sounds like a very good thing for me to try. I appreciate the new solution!

You guys are great for helping, thank you!

All times are UTC-04:00