Linode Forum
Linode Community Forums
 Post subject: Multiple IP addresses
PostPosted: Wed Jan 26, 2011 11:48 am 
Junior Member

Joined: Sat Sep 18, 2010 7:49 pm
Posts: 24
I read this http://library.linode.com/networking/configuring-static-ip-interfaces/ and set up two IP addresses on my Linode.
But now what? Is it possible to set up firewall rules based on incoming IP address?

Is it possible to dedicate a service to an IP, so if you port scanned one IP only certain ports would appear open?


 Post subject:
PostPosted: Wed Jan 26, 2011 12:05 pm 
Senior Member

Joined: Tue Mar 17, 2009 5:11 am
Posts: 129
Location: UK
Yes, you can set a service to run on a particular IP: Apache, MySQL and SSH all spring to mind. Check their config files to set which IP they listen on.

As you mention firewall, you could do port-forwarding from one IP address to another, but I'd personally configure the service to run on a certain IP address instead, as mentioned above.


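Once each daemon has been bound to its own address (sshd_config `ListenAddress`, Apache `Listen 98.76.54.32:80`, MySQL `bind-address`), the check a practitioner wants is that nothing is still listening on the wildcard address, because a wildcard socket answers on every IP regardless of which one you intended. The script below is an added example, not from this thread or from Linode; it parses `ss -ltnp` style output (a constructed sample is embedded, using the thread's placeholder IPs) and reports every socket bound to `0.0.0.0`, `[::]` or `*`.

```shell
#!/bin/sh
# Added example: audit listening sockets for wildcard binds.
# The sample below is constructed in the format of `ss -ltnp`; on a real
# host replace it with the live output:  ss -ltnp | wildcard_listeners
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    98.76.54.32:80      0.0.0.0:*         users:(("apache2",pid=901,fd=4))
LISTEN 0      511    98.76.54.32:443     0.0.0.0:*         users:(("apache2",pid=901,fd=6))
LISTEN 0      70     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=733,fd=21))'

# wildcard_listeners: read ss -ltnp lines on stdin and print "port process"
# for every socket whose local address is a wildcard (0.0.0.0, [::] or *).
# Sockets bound to a specific IP, including 127.0.0.1, are not reported.
wildcard_listeners() {
    awk 'NR > 1 {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # strip ":port" from the end; works for 1.2.3.4:22, [::]:22 and *:22
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*") {
            proc = "?"
            # process name sits inside users:(("name",pid=...))
            if (match($0, /\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            }
            print port, proc
        }
    }'
}

# wildcard_count: number of wildcard listeners in the embedded sample.
wildcard_count() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone run: in the sample only sshd (IPv4 and IPv6) is still on the
# wildcard address, which is exactly what a ListenAddress line would fix.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

The apache2 and mysqld rows are deliberately bound correctly so the script shows the difference: a bind to a specific address is silent, a wildcard bind is reported. Run it again after restarting a reconfigured daemon until the output is empty.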
 Post subject:
PostPosted: Thu Jan 27, 2011 4:33 am 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
Yes, iptables supports IP-specific firewall rules. It's possible some frontends don't, but most do.

As for your application question, most do support binding to specific IPs. Check the configuration documentation. Some software doesn't have that feature, of course, in which case it would probably be easiest to let it listen on whatever it wants to but firewall off the other IPs, knowing that the service would be accessible on the other IP if something happened to your firewall.

Why do you care about running different services on different IPs, though?

_________________
Matt Nordhoff (aka Peng on IRC)


 Post subject:
PostPosted: Wed Feb 16, 2011 4:00 pm 
Junior Member

Joined: Sat Sep 18, 2010 7:49 pm
Posts: 24
The reason I am interested in this is because having a webserver opens you up to a ton of break in attempts daily. It would be great if I could have a special IP that only appeared to have a webserver running, and another IP for everything else such as ssh, etc.

Does anybody know if it can be done with UFW, or a good document on how to do it with iptables? I am missing some of the search vocabulary to locate the document myself.


PostPosted: Wed Feb 16, 2011 4:09 pm 
Junior Member

Joined: Thu Apr 23, 2009 2:32 am
Posts: 41
Website: http://www.linode.com/
Being on the Internet opens a server up to compromise attempts. Botnets routinely perform service scans against very large IP ranges, which costs the controllers nothing (since they aren't paying for the resources anyhow). If you're concerned about such attempts, you may wish to investigate using SSH keys and disabling password access, or using something like DenyHosts or fail2ban.


 Post subject:
PostPosted: Wed Feb 16, 2011 5:29 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
1, 2, or 20 IPs, it's still the SAME box.

Don't waste public IPs on something as useless as "security thru obscurity".


 Post subject:
PostPosted: Wed Feb 16, 2011 11:06 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
vonskippy wrote:
1, 2, or 20 IPs, it's still the SAME box.

Don't waste public IPs on something as useless as "security thru obscurity".


While I do agree that by itself, splitting services like this is a "security thru obscurity" argument, it does have a certain merit if used as described above.

Assume my box has 2 IPs. I set up my web server on one IP and set up DNS to point all my domains at that IP. Then I limit my SSH server to only listen on the other IP. The SSH server is still locked down to only allow key-based auth, not allow root login, etc. etc.

With a setup like that, you are just as vulnerable to the random IP sweeping, but your vulnerability to those sweeps, since your ssh is key only, and you keep your web server up to date, is pretty close to zero.

The benefit to splitting the services is that Mr. Angry Hacker, having been offended by your inflammatory blog posts, has almost zero chance at discovering your second IP, cutting in half the number of services he can attempt to exploit as a method of harming your box.


 Post subject:
PostPosted: Wed Feb 16, 2011 11:36 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Or you could just ensure you have a static IP and use iptables to block SSH connections from all but that IP.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


 Post subject:
PostPosted: Wed Feb 16, 2011 11:47 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Except I admin my server from my house, and from my netbook or phone on the go.


 Post subject:
PostPosted: Thu Feb 17, 2011 12:21 am 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Drop all external SSH access and use a VPN. Let's see the mean old hacker bypass that.


 Post subject:
PostPosted: Thu Feb 17, 2011 10:26 am 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
I have a separate Linode for remote access. It allows SSH access on port 443 (to bypass firewalls) with port tunneling directed to a local instance of Squid. All my servers have SSH bound to the private 192 address and the firewall blocks access that isn't from my remote access server. Then I tell PuTTY to use a proxy and SSH to the private address. I remove the extra service from the public IP and can still access my server from anywhere.


 Post subject:
PostPosted: Thu Feb 17, 2011 8:46 pm 
Senior Member

Joined: Wed Jul 21, 2010 8:04 pm
Posts: 119
Forgive me if I'm wrong, but if you're using key-based authentication, aren't the chances of someone hacking into your Linode via SSH extremely low?


 Post subject:
PostPosted: Thu Feb 17, 2011 8:52 pm 
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
jzimmerlin wrote:
Forgive me if I'm wrong, but if you're using key-based authentication, aren't the chances of someone hacking into your Linode via SSH extremely low?


+1

I'd be a lot more worried about the bad guys hacking a webserver than a decently-configured sshd. Wasting a second IP for this is silly at best.


 Post subject:
PostPosted: Thu Feb 17, 2011 9:20 pm 
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
dmwilliams wrote:
Does anybody know if it can be done with UFW, or a good document on how to do it with iptables? I am missing some of the search vocabulary to locate the document myself.

It's always a good idea to configure your services so that they only listen on the IP address they're supposed to listen on in the first place, rather than having them listen on all IPs and using a firewall to block them.

If you want to use Ubuntu's UFW (which is one of the easiest firewall tools out there), just apt-get install it and run the following commands:
Code:
sudo ufw allow from any to 12.34.56.78 port 22
sudo ufw allow from any to 98.76.54.32 port 80
sudo ufw allow from any to 98.76.54.32 port 443
sudo ufw default deny
sudo ufw enable

The first line allows SSH on 12.34.56.78. The next two lines allow HTTP and HTTPS on 98.76.54.32. The fourth line disallows everything else, and the fifth line activates the firewall. Change to fit your needs. If you accidentally lock yourself out, go to Lish and try again.


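The UFW commands above express the policy at a high level; the equivalent written directly for iptables makes the per-destination-IP matching visible, and it can also fold in the earlier suggestion of restricting SSH to a known admin source address. The script below is an added example, not from this thread, from Linode, or from any of the posters. It uses the thread's placeholder addresses (12.34.56.78 for admin/SSH, 98.76.54.32 for web) plus a constructed admin source address 203.0.113.5, and it only prints an `iptables-restore` ruleset to stdout for review; it never touches the running firewall.

```shell
#!/bin/sh
# Added example: build an iptables-restore(8) ruleset that accepts SSH only
# on the admin IP (optionally only from one admin source) and HTTP/HTTPS
# only on the web IP, with a default DROP policy and rate-limited logging.
# Addresses: 12.34.56.78 and 98.76.54.32 are the thread's placeholders;
# 203.0.113.5 is a constructed RFC 5737 documentation address.
ADMIN_IP=12.34.56.78
WEB_IP=98.76.54.32
ADMIN_SRC=203.0.113.5

# split_rules ADMIN_IP WEB_IP [ADMIN_SRC]
# Prints the filter table. With ADMIN_SRC, SSH is accepted only from that
# source (the static-IP approach); without it, SSH is accepted from any
# source but still only on ADMIN_IP. Lines starting with # are ignored by
# iptables-restore, so the comments can stay in the saved file.
split_rules() {
    admin_ip=$1
    web_ip=$2
    admin_src=${3:-}
    ssh_src=""
    if [ -n "$admin_src" ]; then
        ssh_src="-s $admin_src "
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep ping working so the host can be monitored
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH: only on the admin address (and only from ADMIN_SRC when given)
-A INPUT -d $admin_ip ${ssh_src}-p tcp --dport 22 -j ACCEPT
# Web: only on the web address; SSH on this address is dropped by policy
-A INPUT -d $web_ip -p tcp --dport 80 -j ACCEPT
-A INPUT -d $web_ip -p tcp --dport 443 -j ACCEPT
# Log a sample of what the default policy drops, for brute-force monitoring
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Stand-alone run: print the ruleset for review. To apply on the host:
#   split_rules 12.34.56.78 98.76.54.32 203.0.113.5 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
# Do this from Lish (as the post above advises) so a mistake cannot lock you out.
split_rules "$ADMIN_IP" "$WEB_IP" "$ADMIN_SRC"
```

Two design points worth noting: the `-d` match is what gives each IP its own apparent port set, and the final LOG rule with `-m limit` is what lets you measure the "number of SSH brute force attempts" mentioned later in the thread without flooding the log. As the earlier reply cautions, if sshd itself still listens on all addresses, this ruleset is the only thing keeping port 22 closed on the web IP, so bind the daemon as well rather than relying on the firewall alone.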
 Post subject:
PostPosted: Sun Feb 20, 2011 1:11 am 
Junior Member

Joined: Sat Sep 18, 2010 7:49 pm
Posts: 24
I am not using public/private key authentication; I must just use regular passwords.
I host a Subversion server via svn+ssh://
and it is very difficult to configure the Subversion clients to use the keys.

Right now I am filtering IP addresses.
And I just got the multiple IP address thing working by binding IP addresses within the config of each service. It works pretty well.

It's really cool; now somebody can't ping my domain and look at the IP address, then try and tamper with my SSH because they don't like my website. I'll be monitoring the number of SSH brute force attempts and see how much less it is than before.

