Linode Forum
https://forum.linode.com/

firehol issues
https://forum.linode.com/viewtopic.php?f=19&t=3620

Author:  poetics5 [ Thu Oct 23, 2008 4:23 pm ]
Post subject:  firehol issues

Hi, I'm securing my Linodes using firehol; the only problem is that for some reason the rules being set up block my SSH port. I have an SSH definition in the file:

server_ssh_ports="tcp/99999"
client_ssh_ports="99999"

That's not the real port, but you get the idea.

Here are the rules for eth0:

#web
interface eth0 public src not "${UNROUTABLE_IPS}"


protection strong
client all accept
server ICMP accept
server ping accept
server http accept
server https accept
server ssh accept
server mysql accept dst "private.ip.address"


Whenever I attempt to log in via SSH, here is what I see in the console:

''IN-public':'IN=eth0 OUT= MAC=MAC_ADDRESS* SRC=MY_REMOTE_IP* DST=SLICE_IP* LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=SSH_PORT* WINDOW=8192 RES=0x00 SYN URGP=0

Anyone have any idea why this is being blocked?
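An added example, not from the original post or from firehol: a small parser for lines in the shape of the netfilter log output quoted above. It splits the log prefix (firehol logs the chain name, here IN-public) from the KEY=VALUE fields and counts inbound TCP SYNs per destination port, so that connection attempts to the SSH port, and the addresses making them, stand out in a console full of drops. The sample lines are constructed; the addresses, MAC and IDs are made up, and port 2222 stands in for the thread's placeholder 99999, which is not a valid TCP port.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the netfilter log output quoted
# above (addresses, MAC and IDs are made up; 2222 stands in for the thread's
# placeholder SSH port 99999, which is not a valid TCP port).
SAMPLE_LOG = """\
'IN-public':IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0
'IN-public':IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16995 DF PROTO=TCP SPT=51439 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0
'IN-public':IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
'IN-public':IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=40001 DPT=53 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return (prefix, fields, flags) for one netfilter log line, or None.

    Everything before the first 'IN=' is the log prefix (firehol uses the
    chain name, e.g. IN-public); the rest is KEY=VALUE pairs plus bare
    flags such as DF and SYN."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    prefix = line[:idx].strip().strip("':")
    body = line[idx:]
    fields = dict(FIELD_RE.findall(body))
    flags = [tok for tok in body.split() if "=" not in tok]
    return prefix, fields, flags


def blocked_syns(log_text, ssh_port):
    """Count logged inbound TCP SYNs per destination port and, for the SSH
    port, per source address. Returns (per_port, ssh_sources) Counters."""
    per_port = Counter()
    ssh_sources = Counter()
    for line in log_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        _prefix, f, flags = parsed
        # keep only new inbound TCP connection attempts (OUT= is empty on input)
        if f.get("PROTO") != "TCP" or "SYN" not in flags or f.get("OUT"):
            continue
        dpt = int(f["DPT"])
        per_port[dpt] += 1
        if dpt == ssh_port:
            ssh_sources[f["SRC"]] += 1
    return per_port, ssh_sources


if __name__ == "__main__":
    ports, sources = blocked_syns(SAMPLE_LOG, ssh_port=2222)
    for port, n in ports.most_common():
        print(f"port {port}: {n} logged SYN(s)")
    for src, n in sources.most_common():
        print(f"SSH port hit from {src}: {n} time(s)")
```

Run against a real firehol log, a steady count of SYNs on the SSH port from your own address is the signature of the rule problem in this thread (the packets reach the box and are logged, so the firewall, not the network, is dropping them); the same count from many unfamiliar addresses is what hybinet's src restriction later in the thread is meant to cut off.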

Author:  poetics5 [ Thu Oct 23, 2008 6:56 pm ]
Post subject: 

Found the answer:

Although the firehol documentation says to set up new servers the above way, this is what actually worked for me:

Code:
server custom ssh tcp/99999 default accept 



Also I've done a quick guide for getting basic security in place:

http://gregsidberry.com/2008/10/22/building-something-scalable-security/

Author:  Bedevere [ Fri Dec 26, 2008 7:26 pm ]
Post subject: 

poetics5 wrote:
Code:
server custom ssh tcp/99999 default accept 



When you added the custom line, did you remove the regular "server ssh accept" line?

Also, in the ssh config, you just change the port from 22 to whatever you wanted? Is it advisable to try both ports before committing? I am asking because that is exactly what I wanted to try by putting "port = 25 99999" (not the real port), and I am not getting a connection after restarting on the high port, but 22 still works. Maybe I need a colon between the ports? I should look that up.

Author:  poetics5 [ Sat Dec 27, 2008 5:25 am ]
Post subject: 

You have to edit your ssh config to use the port as well, then restart ssh.

Author:  hybinet [ Sat Dec 27, 2008 12:21 pm ]
Post subject: 

I'm not sure if you can make SSH bind to two ports at the same time. Anyway, the whole point of binding SSH to a custom port is to gain some measure of security by obscurity, so you aren't going to get real benefits if SSH is still listening on port 22.

Bedevere: the reason you're still connecting on 22 is because you have the regular "server ssh accept" line in your firehol conf. Remove that and you'll only be able to connect through the custom port. (Provided, of course, that your SSH configuration is adjusted accordingly.)

It's also a good idea to limit incoming SSH connections to a certain IP range, unless you're giving out shell accounts to random people. This can be done by adding an "src" clause to the appropriate line in your Firehol conf. For example,

Code:
server custom ssh tcp/99999 default accept src 123.123.123.123


I have a static IP at home, so this directive kicks out everyone except my home computer. If your IP changes from time to time, it might be better to use a broader IP range such as 123.123.0.0/16. This way, nobody in China will be able to connect to your box through SSH, let alone hack it through SSH, even if they happened to know which port to connect to.

If you lock yourself out, or you need emergency access from an IP address not listed in your Firehol conf, you can always go into Lish to fix it!

Author:  Bedevere [ Sat Dec 27, 2008 11:39 pm ]
Post subject: 

Yes I was editing the ssh config...sorry if I wasn't clear on that.

OK, I will remove the regular SSH. I actually tried naming the custom one SSH1, but that's not clean. And yeah, when I messed it up I used the ajax console.

I already did the src as well. Good move there.

Author:  Internat [ Sun Dec 28, 2008 3:11 am ]
Post subject: 

You can make ssh listen on one or more ports/IPs.
I have this as my config in sshd_config so that I can connect in on 443 from some places.
Code:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress <second ip here>:443
ListenAddress 0.0.0.0



Basically that says use port 22, and listen on all interfaces (0.0.0.0) for connections, AND listen on <second ip>:443.

Let me know if you have any questions.
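An added example, not from Internat's post or from OpenSSH, that works out which address:port pairs an sshd_config will bind from its Port and ListenAddress lines, using the semantics documented for sshd: a Port line names one port and may be repeated; a ListenAddress without a port is bound on every Port given, one with a port only on that port; with no ListenAddress at all every Port is bound on 0.0.0.0 and ::. It also rejects Bedevere's "port = 25 99999" form, since each Port directive takes a single value. The sample configs are constructed, with 192.0.2.5 standing in for the "<second ip here>" placeholder above.

```python
import re


class SshdConfigError(ValueError):
    """Raised for a Port line sshd would not accept."""


# Constructed configs (not from the post). The first mirrors the shape of
# Internat's sshd_config with 192.0.2.5 in place of "<second ip here>".
TWO_ADDRESS_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.0.2.5:443
ListenAddress 0.0.0.0
"""

TWO_PORT_CONFIG = """\
Port 22
Port 2222
"""

BAD_CONFIG = "Port = 25 2222\n"   # two values on one Port line


def _split_listen(value):
    """Split a ListenAddress value into (address, port_or_None)."""
    if value.startswith("["):                     # [ipv6]:port or [ipv6]
        host, _, rest = value[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                     # host:port or ipv4:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                            # bare host, ipv4 or ipv6


def parse_listen_spec(config_text):
    """Return the sorted list of (address, port) pairs sshd would bind."""
    ports = []
    listens = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            if len(value.split()) != 1 or not value.isdigit() \
                    or not 1 <= int(value) <= 65535:
                raise SshdConfigError(
                    f"Port takes exactly one port number per line, got: {raw!r}")
            ports.append(int(value))
        elif key == "listenaddress":
            listens.append(_split_listen(value))
    if not ports:
        ports = [22]                              # sshd's default
    if not listens:
        listens = [("0.0.0.0", None), ("::", None)]   # all local addresses
    bound = set()
    for addr, port in listens:
        for p in ([port] if port is not None else ports):
            bound.add((addr, p))
    return sorted(bound)


if __name__ == "__main__":
    for name, cfg in [("two addresses", TWO_ADDRESS_CONFIG),
                      ("two ports", TWO_PORT_CONFIG)]:
        print(name, "->", parse_listen_spec(cfg))
    try:
        parse_listen_spec(BAD_CONFIG)
    except SshdConfigError as e:
        print("rejected:", e)
```

So the way to get both 22 and a second port, as Bedevere wanted, is two Port lines, not two values on one line; in older OpenSSH releases a port-less ListenAddress only picks up the Port lines that precede it, so keep Port first as in Internat's config. Whatever this reports as bound still has to be matched by a firehol rule for each port, which is the other half of the problem in this thread.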
