Linode Forum https://forum.linode.com/

Limit SSH based on certain State? https://forum.linode.com/viewtopic.php?f=19&t=8212
Page 1 of 2 |
Author: aot2002 [ Wed Dec 21, 2011 10:30 am ]
Post subject: Limit SSH based on certain State?

I would like to limit based on a certain state (example: NY) for a whitelist of allowed SSH IPs. Anyone know where to get the IP range list? Recent attacks today alone are:

root (58.254.143.204): 2 Time(s)
root (113.105.189.42): 1 Time(s)
root (118.97.50.11): 1 Time(s)
root (190.2.7.178): 1 Time(s)
root (204.191.10.18): 1 Time(s)
root (211.144.82.
root (221.204.253.107): 1 Time(s)
root (58.241.109.134): 1 Time(s)
root (62.161.44.45): 1 Time(s)
root (78.107.40.168): 1 Time(s)
root (91.189.70.228): 1 Time(s)
root (93.84.116.216): 1 Time(s)
root (chrisign2.nine.ch): 1 Time(s)
root (d199-74-179-112.clv.wideopenwest.com): 1 Time(s)
root (gw.pn.ac.th): 1 Time(s)
root (mail.avasi.hu): 1 Time(s)
root (mail.bairesac.com): 1 Time(s)
root (mail.ring.hu): 1 Time(s)
root (park-klinik-blankenese.de): 1 Time(s)
root (s15297823.onlinehome-server.info): 1 Time(s)
root (servidor.bebminas.com.br): 1 Time(s)
root (srv-l102.esp.mediateam.fi): 1 Time(s)
root (static.206.130.40.188.clients.your-server.de): 1 Time(s)
root (tg10.internetdsl.tpnet.pl): 1 Time(s)
root (virtual8-west.izoox.net): 1 Time(s)
root (vs53.ilongo.at): 1 Time(s)
root (zux221-015-140.adsl.green.ch): 1 Time(s)
unknown (58.241.109.134): 1 Time(s)
|
Author: Guspaz [ Wed Dec 21, 2011 11:38 am ]

Using fine-grained geolocation-based limiting just to keep your log file cleaner is a really bad idea. Such things are a natural part of being on the internet.
|
Author: aot2002 [ Wed Dec 21, 2011 1:23 pm ]

Logins over SSH will only ever come from one state. It's not to keep the log clean; it's to protect my server, since I never travel but have a dynamic IP at home.
|
Author: vonskippy [ Wed Dec 21, 2011 2:22 pm ]

Spring the extra $4/month with your ISP and get a static IP.
-or-
iptables to allow whatever IP range your DHCP pool is (even a /16 will be smaller than allowing all IPs from NY).
-or-
Set up/use OpenVPN and block all non-local SSH access.
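The "allow only my ISP's DHCP pool" approach from the post above, as an added example (not code from the thread or from Linode): it parses a logwatch-style failed-login summary in the shape of the one in the first post, checks each source against an allowlist of CIDRs, and emits the iptables rules that would enforce that allowlist on port 22. The allowlist networks 203.0.113.0/24 and 198.51.100.0/22 are documentation ranges standing in for a real ISP pool, and the sample lines are a trimmed copy of the excerpt above; both are assumptions of this example.

```python
"""Added example: evaluate an SSH source-address allowlist against a
logwatch-style failed-login summary, and emit matching iptables rules.

Assumptions (not from the thread): the allowlist below stands in for the
poster's ISP DHCP pool; SAMPLE_SUMMARY is a trimmed copy of the excerpt
posted in the thread, used only as constructed test input.
"""
import ipaddress
import re

# Constructed sample in the shape of the logwatch excerpt. Entries that
# logwatch reverse-resolved to a hostname carry no address and cannot be
# checked against a CIDR allowlist offline.
SAMPLE_SUMMARY = """\
root (58.254.143.204): 2 Time(s)
root (113.105.189.42): 1 Time(s)
root (204.191.10.18): 1 Time(s)
root (chrisign2.nine.ch): 1 Time(s)
unknown (58.241.109.134): 1 Time(s)
root (58.241.109.134): 1 Time(s)
"""

LINE_RE = re.compile(r"^(\S+) \((.+?)\): (\d+) Time\(s\)$")


def parse_summary(text):
    """Return (user, source, attempts) for every well-formed summary line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3))))
    return entries


def as_address(source):
    """IPv4/IPv6 literal -> ip_address; a hostname -> None."""
    try:
        return ipaddress.ip_address(source)
    except ValueError:
        return None


def classify(entries, allowlist):
    """Count attempts that the allowlist would pass, drop, or cannot judge.

    strict=True rejects a network with host bits set (e.g. 203.0.113.1/24),
    which is the usual typo when someone hand-writes a pool range.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in allowlist]
    result = {"allowed": 0, "dropped": 0, "unresolved": 0}
    for _user, source, attempts in entries:
        addr = as_address(source)
        if addr is None:
            result["unresolved"] += attempts
        elif any(addr in net for net in nets):
            result["allowed"] += attempts
        else:
            result["dropped"] += attempts
    return result


def iptables_rules(allowlist, port=22):
    """Rules for an INPUT chain that already ACCEPTs ESTABLISHED traffic:
    one ACCEPT per allowed network, then DROP for every other source."""
    rules = [f"-A INPUT -p tcp --dport {port} -s {n} -j ACCEPT" for n in allowlist]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    pool = ["203.0.113.0/24", "198.51.100.0/22"]  # assumed ISP pool
    entries = parse_summary(SAMPLE_SUMMARY)
    print(classify(entries, pool))
    print("\n".join(iptables_rules(pool)))
```

The rules are meant to be reviewed and then loaded with `iptables-restore`, with the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule ahead of them; the DROP is unconditional, so test from the allowed range before closing the existing session.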
|
Author: aot2002 [ Wed Dec 21, 2011 2:27 pm ]

vonskippy wrote:
Spring the extra $4/month with your ISP and get a static IP.
iptables to allow whatever IP range your DHCP pool is (even a /16 will be smaller than allowing all IPs from NY).
Set up/use OpenVPN and block all non-local SSH access.

Thanks, but it's an extra 100 dollars for my ISP, since they consider it business type, not residential. I'll figure it out. Thanks again.
|
Author: Guspaz [ Wed Dec 21, 2011 3:40 pm ]

aot2002 wrote:
Logins over SSH will only ever come from one state. It's not to keep the log clean; it's to protect my server, since I never travel but have a dynamic IP at home.

Right, except it doesn't offer you any worthwhile protection (which is why people will say the type of restriction you're asking for is just to keep the logfiles clean), and the simple fact is that it can't be done perfectly, and you can't even do it imperfectly for free.

IPs and ISPs change, so you can't rely on a static database (or you'll find yourself locked out one day). That means you're going to have to pay for a service. The problem is that even these services are not perfectly accurate, and there are many cases where it's impossible for the service to geolocate an IP correctly. For example, any ISP that spans more than one state and has any dynamic IP allocation zone that includes more than one state. In my case, my ISP's PoP is the next province over, so any geolocation service will tell you I'm in Toronto, when I'm actually in Montreal. A rather big difference.

If you want to properly restrict your server so that only you can log in, and that nobody else could ever guess your password, the correct approach is to use SSH keys, not geolocation. Then, only your specific computer will be able to connect.
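The "use SSH keys" advice above only holds if sshd actually refuses passwords, and a common mistake is to append `PasswordAuthentication no` to a file that already says `yes` higher up: sshd uses the first value it reads for a keyword, so the appended line is ignored. The following is an added example (not code from the thread or from OpenSSH) that audits an sshd_config for the settings that make key-only login real. The two configuration texts are constructed, the policy table is this example's own choice, and the treatment of `Match` blocks (parsing simply stops at the first one) is a simplification, not how sshd resolves them.

```python
"""Added example: audit sshd_config for key-only login.

Assumptions (not from the thread): WEAK and HARDENED are constructed
configs; REQUIRED is this example's policy; DEFAULTS are the values
sshd uses when a keyword is absent (OpenSSH 7.x-era defaults).
sshd applies the FIRST value it reads for a keyword, so the audit
records first occurrences, not last.  Lines after the first `Match`
are conditional and are skipped here (simplification).
"""

WEAK = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later in the belief that it takes effect; it does not:
PasswordAuthentication no
"""

HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

# keyword (lower-case) -> acceptable values
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}

# value sshd assumes when the keyword is absent (assumed OpenSSH 7.x defaults)
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def effective_settings(text):
    """Map keyword -> first value seen, case-insensitive keyword.

    Full-line '#' comments and blank lines are skipped; 'Key value' and
    'Key=value' are both accepted, as sshd_config allows.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional; out of scope here
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # first occurrence wins, like sshd
    return seen


def audit(text):
    """Return [(keyword, effective_value)] for every policy violation."""
    effective = effective_settings(text)
    failures = []
    for key, acceptable in REQUIRED.items():
        value = effective.get(key, DEFAULTS[key]).lower()
        if value not in acceptable:
            failures.append((key, value))
    return failures


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you test a fresh key-based login; `sshd -t` checks syntax but will not tell you that a later `no` is being shadowed by an earlier `yes`.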
|
Author: aot2002 [ Wed Dec 21, 2011 3:54 pm ]

What about blocking certain country IP ranges?
|
Author: vonskippy [ Wed Dec 21, 2011 4:05 pm ]

One more time: what about blocking everything but your ISP's DHCP pool range? Do you have any idea how fragmented the IPv4 space is? There isn't a single or simple handful of IPs to block any given geo space. But better yet, set up OpenVPN, limit your SSH to local (i.e. traffic through your VPN connection) and block everything else. Problem solved.
|
Author: aot2002 [ Wed Dec 21, 2011 4:10 pm ]

vonskippy wrote:
One more time: what about blocking everything but your ISP's DHCP pool range? Do you have any idea how fragmented the IPv4 space is? There isn't a single or simple handful of IPs to block any given geo space. But better yet, set up OpenVPN, limit your SSH to local (i.e. traffic through your VPN connection) and block everything else. Problem solved.

I cannot use VPN requirements because of contractual issues with a client. Blocking everything but my ISP will affect my clients; I was just thinking to isolate based on USA. If it's not worth doing, no biggie, just wanted to confirm.
|
Author: db3l [ Wed Dec 21, 2011 5:42 pm ]

aot2002 wrote:
I cannot use VPN requirements because of contractual issues with a client.

If they're all your direct clients, couldn't you grant them their own VPN keys as part of any deliverable? I suppose there could be a platform issue, but OpenVPN connections are possible from all the major platforms. Though if you're building something for a client to then have their own clients, I can see where the final service needs to be generally accessible.

Quote:
Blocking everything but my ISP will affect my clients; I was just thinking to isolate based on USA. If it's not worth doing, no biggie, just wanted to confirm.

I agree with the others that it's probably not worth the effort as opposed to more traditional security measures, especially given the hassle it will be to try to keep it up to date and the general imprecision of any geo-location data in the first place, or connections coming through proxies that have no geographic relation to the original location. Though at least at the country level the geo-data itself may be a bit more stable/accurate.

If you want a rough feel, take a peek at https://www.maxmind.com/app/geolitecountry which is a freely available geo-IP database aggregated to the country level. There's also a free version down to the city level, though both free versions are less accurate than the paid versions. But at the country level that's not much difference (estimated 99.5% vs. 99.8%). Looks like there are 22545 individual network blocks to cover US assignments. (Though note the caveat about AOL users in the free country data.)

That's too much for direct entry into iptables, though there's also a geoip iptables add-on that can reference the data (http://xtables-addons.sourceforge.net/geoip.php). The MaxMind resources page (https://www.maxmind.com/app/geoip_resources) has other wrappers and integrations.

-- David
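For the "22545 blocks is too much for direct entry into iptables" problem above, the post points at the xtables-addons geoip match; the alternative shown here, as an added example that is not from the thread, MaxMind or xtables-addons, is to load the country's blocks into an ipset hash:net and match on that set with a single iptables rule. It assumes the legacy GeoLite Country CSV layout ("startIP","endIP","startInt","endInt","CC","Name"); the rows below are constructed, not real MaxMind data, and the set name geo_us is arbitrary. Because the CSV gives inclusive start-end ranges that are not necessarily CIDR-aligned, each row can expand to several blocks, which is handled with the standard library's summarize_address_range.

```python
"""Added example: country-level allowlist for SSH via ipset instead of
thousands of individual iptables rules.

Assumptions (not from the thread): input rows follow the legacy GeoLite
Country CSV layout; SAMPLE_CSV is constructed, not real MaxMind data;
the set name is arbitrary.
"""
import csv
import io
import ipaddress

# Constructed rows in the assumed layout:
# "startIP","endIP","startInt","endInt","CC","Name"
SAMPLE_CSV = '''\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"3.0.0.0","3.255.255.255","50331648","67108863","US","United States"
"8.8.8.0","8.8.9.127","134744064","134744447","US","United States"
"9.0.0.0","9.0.0.15","150994944","150994959","CA","Canada"
'''


def country_networks(csv_text, cc):
    """Rows for ISO code `cc` -> minimal, sorted list of CIDR blocks.

    Ranges are inclusive start..end and need not be CIDR-aligned, so one
    row may become several blocks; collapse_addresses merges adjacent ones.
    """
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or row[4] != cc:
            continue
        start = ipaddress.ip_address(row[0])
        end = ipaddress.ip_address(row[1])
        nets.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore(name, nets):
    """Text for `ipset restore`: create the set, then one add per block."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def ipset_rules(name, port=22):
    """Two iptables rules replace one rule per block: match the set, else DROP."""
    return [
        f"-A INPUT -p tcp --dport {port} -m set --match-set {name} src -j ACCEPT",
        f"-A INPUT -p tcp --dport {port} -j DROP",
    ]


def in_country(ip, nets):
    """Offline check: would this source be accepted by the generated set?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    us = country_networks(SAMPLE_CSV, "US")
    print(ipset_restore("geo_us", us), end="")
    print("\n".join(ipset_rules("geo_us")))
```

Load the generated text with `ipset -exist restore < geo_us.ipset` and regenerate it whenever the CSV is refreshed; the iptables rule references the set by name, so updating the set does not require touching the firewall rules. The caveats in the post still apply: a proxy or a multi-state ISP pool will be placed wherever the database says, and anyone whose address the database misattributes is locked out.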
|
Author: Guspaz [ Wed Dec 21, 2011 5:46 pm ]

Well, are you trying to protect SSH, or everything else? If just SSH, use key-based auth, problem solved. If everything else, country-based IP blocking is much simpler and generally more accurate than narrower stuff, but it's still not perfect.

I seem to recall some sort of DNS-based geolocation service that worked on a country level, but I can't remember the details. IIRC it was something like you looked up 1.2.3.4.us.foo.com and the NXDOMAIN would let you know if it was in the US or not. I don't remember anymore, unfortunately.
|
Author: aot2002 [ Wed Dec 21, 2011 5:59 pm ]

Guspaz wrote:
Well, are you trying to protect SSH, or everything else? If just SSH, use key-based auth, problem solved. If everything else, country-based IP blocking is much simpler and generally more accurate than narrower stuff, but it's still not perfect.
I seem to recall some sort of DNS-based geolocation service that worked on a country level, but I can't remember the details. IIRC it was something like you looked up 1.2.3.4.us.foo.com and the NXDOMAIN would let you know if it was in the US or not. I don't remember anymore, unfortunately.

Thanks
|
Author: aot2002 [ Wed Dec 21, 2011 8:02 pm ]

For anyone looking for the lists of IPs: http://www.okean.com/sinokorea.txt and http://mark.koli.ch/2008/11/giving-up-o ... dress.html
|
Author: vonskippy [ Wed Dec 21, 2011 8:19 pm ]

Those are only China and Korea. For a full list, use: http://www.countryipblocks.net/country- ... ge-format/
|
Author: aot2002 [ Wed Dec 21, 2011 8:32 pm ]

Perfect, thank you.
|
All times are UTC-04:00