Linode Community Forums
PostPosted: Tue Mar 26, 2013 8:13 am 
Senior Member

Joined: Tue Aug 14, 2012 5:55 pm
Posts: 82
I am not an expert in Linux security, but would it be good practice to allow only IPs from my country to have SSH and SFTP access?

If so, how can I achieve something like this?


PostPosted: Tue Mar 26, 2013 8:38 am 
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
It's definitely better than nothing, though the best would be to just allow your own IP. You can do this with iptables, or you can use CSF Firewall, which also has some extra features.


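The "just allow your own IP" approach from this post, as an added example (not code from the poster or from Linode): the script below turns an allowlist of addresses or CIDRs into an iptables-restore fragment that sends new SSH/SFTP connections through a dedicated chain, accepts the listed sources and logs and drops everything else. The allowlist, chain name and log prefix are assumptions for the example. It generates text rather than calling iptables, so the result can be reviewed before it is loaded; the point the thread makes about Lish applies here too, since a mistake in the allowlist locks you out of SSH and the console is the way back in.

```python
"""Generate an iptables-restore ruleset that admits SSH/SFTP only from an
allowlist of source addresses.  Added example for this thread; it is not
code from any poster or from Linode.  It only produces the ruleset text, so
it can be reviewed (and diffed) before iptables-restore applies it."""
import ipaddress

SSH_PORT = 22  # SFTP is a subsystem of sshd, so the same port covers both

# Constructed allowlist: documentation ranges, not anyone's real address.
SAMPLE_ALLOWLIST = """\
# home connection (single address)
203.0.113.5
# office NAT range
198.51.100.0/24
"""


def parse_allowlist(text):
    """Return the IPv4 networks listed in `text`, one address or CIDR per line.

    '#' comments and blank lines are ignored.  Anything that does not parse
    raises ValueError instead of being skipped: with a DROP at the end of the
    chain, a silently dropped typo is a lockout, not a warning.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError("line %d: %r is not an address or CIDR" % (lineno, line)) from exc
        if net.version != 4:
            raise ValueError("line %d: only IPv4 sources are handled here" % lineno)
        nets.append(net)
    return nets


def build_rules(nets, port=SSH_PORT, chain="SSH_ALLOW"):
    """Return filter-table text for iptables-restore.

    New connections to `port` are diverted to a dedicated chain that accepts
    the allowlisted sources, logs everything else, and drops it.  Only NEW
    connections are gated, so with the usual INPUT policy of ACCEPT nothing
    else on the host changes.
    """
    if not nets:
        raise ValueError("refusing to build a ruleset with no allowed sources")
    lines = [
        "*filter",
        ":%s - [0:0]" % chain,
        "-A INPUT -p tcp --dport %d -m conntrack --ctstate NEW -j %s" % (port, chain),
    ]
    for net in nets:
        lines.append("-A %s -s %s -j ACCEPT" % (chain, net.with_prefixlen))
    lines.append('-A %s -j LOG --log-prefix "ssh-denied: "' % chain)
    lines.append("-A %s -j DROP" % chain)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rules(parse_allowlist(SAMPLE_ALLOWLIST)), end="")
```

Save the output to a file, read it over, and load it with iptables-restore on a host that has no other rules, or merge the chain into your existing ruleset. The chain is only reached for new connections, so sessions already open (including the one you are editing from) keep working until they are closed, which is the moment to test from a second connection before trusting the change.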
PostPosted: Tue Mar 26, 2013 8:53 am 
Senior Member

Joined: Tue Aug 14, 2012 5:55 pm
Posts: 82
Nuvini wrote:
It's definitely better than nothing, though the best would be to just allow your own IP. You can do this with iptables, or you can use CSF Firewall, which also has some extra features.


Yes, but that won't work for dynamic IPs.


PostPosted: Tue Mar 26, 2013 9:26 am 
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
This isn't the recommended way to do things. If you have a dynamic IP address, just disable password authentication and use key-based authentication. If for some reason you absolutely need password authentication, use a strong password and limit the ability of people to try to brute-force your system by installing something like Fail2Ban.

- http://library.linode.com/security/ssh-keys
- http://library.linode.com/security/fail2ban

Going back to your original inquiry, there isn't a reliable way to do this, unfortunately. You could potentially get it down to blocks operated by your country's RIR. In theory these should all be delegated out, and I don't personally see them changing much. But you should have a script that runs periodically to make sure you have the right exceptions in your firewall. You could even go a level lower and only add firewall exceptions for your ISP, but they may get a few more blocks of IP addresses moving forward, so you'll need a script to check this. And if you are not connecting via your ISP, you would need to use Lish to add a one-time exception.

I'd recommend the first option... it's served me well so far.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


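The "blocks operated by your country's RIR, refreshed by a periodic script" idea from Tim's post, as an added example that is not code from him, from Linode, or from any RIR. Each RIR publishes a delegated statistics file (the APNIC one is delegated-apnic-latest; the file name and the set name `ssh_country` below are assumptions for the example) whose record lines are `registry|cc|type|start|value|date|status`. The script extracts one country's records, turns them into properly aligned CIDR blocks, and emits `ipset restore` input that rebuilds the set atomically, so a cron run never leaves a window where the set is empty. The sample input is constructed from documentation prefixes, not real allocations.

```python
"""Extract one country's address blocks from an RIR delegated file and turn
them into an ipset that an iptables rule can match on.

Added example for this thread; not code from any poster, from Linode, or
from any RIR.  The input is the RIR statistics file, for example
delegated-apnic-latest, whose record lines look like
    registry|cc|type|start|value|date|status
For ipv4 records `value` is an address count (not always a power of two,
so one record may need several aligned CIDR blocks); for ipv6 records
`value` is already a prefix length."""
import ipaddress

# Constructed sample in the delegated-file format.  The ranges are the
# RFC 5737 / RFC 3849 documentation prefixes, not real allocations.
SAMPLE_DELEGATED = """\
2|apnic|20130326|5|19830101|20130325|+1000
apnic|*|ipv4|*|3|summary
apnic|AU|ipv4|203.0.113.0|256|20110811|allocated
apnic|AU|ipv4|198.51.100.0|1536|20110811|assigned
apnic|JP|ipv4|192.0.2.0|256|20110811|allocated
apnic|AU|ipv6|2001:db8::|32|20110811|allocated
apnic|AU|asn|64496|1|20110811|allocated
"""


def country_prefixes(text, cc, families=("ipv4", "ipv6")):
    """Return CIDR strings for every record of `cc` whose type is in `families`."""
    prefixes = []
    for raw in text.splitlines():
        fields = raw.strip().split("|")
        # The version header, summary lines and comments have another shape.
        if (len(fields) < 7 or fields[0].startswith("#")
                or fields[2] not in ("ipv4", "ipv6", "asn")):
            continue
        _registry, country, kind, start, value = fields[:5]
        if country.upper() != cc.upper() or kind not in families:
            continue
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            # Splits e.g. 1536 addresses into an aligned /22 plus a /23.
            prefixes.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
        else:
            prefixes.append(str(ipaddress.IPv6Network("%s/%s" % (start, value))))
    return prefixes


def ipset_restore(setname, prefixes):
    """Return `ipset restore` input that rebuilds `setname` atomically.

    Entries go into a scratch set that is then swapped in, so a periodic
    refresh never leaves a window with an empty (deny-everything) set.
    IPv4 only (hash:net family inet); an IPv6 set needs family inet6.
    """
    scratch = setname + "_new"
    lines = [
        "create %s hash:net family inet -exist" % setname,
        "create %s hash:net family inet -exist" % scratch,
        "flush %s" % scratch,
    ]
    lines += ["add %s %s" % (scratch, p) for p in prefixes]
    lines += ["swap %s %s" % (scratch, setname), "destroy %s" % scratch]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4 = country_prefixes(SAMPLE_DELEGATED, "AU", families=("ipv4",))
    print(ipset_restore("ssh_country", v4), end="")
```

Feed the output to `ipset restore` from cron after downloading a fresh delegated file, and gate SSH on the set with a rule such as `-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m set ! --match-set ssh_country src -j DROP`. As the post says, keep a way in through Lish for the day you connect from somewhere outside those blocks.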
PostPosted: Tue Mar 26, 2013 9:44 am 
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
The iptables geoip module allows blocking by country. See http://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering. I don't think this works with the standard Linode kernel, so you may need to set up your own with pvgrub.

Just because you can block by country doesn't make it a good idea. Disable all password authentication and use key-pair authentication, and you are already as secure as it gets. You can add fail2ban, connection rate limiting in iptables, or move SSH to a non-standard port, but these techniques don't gain you any real security improvements. They will reduce the size of your log files, though.


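Both this post and Tim's come down to "disable password authentication and use keys". As an added example (not code from either poster, from Linode, or from OpenSSH), here is a checker that audits the global section of an sshd_config for exactly that. It applies sshd_config's own parsing rules: keywords are case-insensitive, the first value for a keyword wins, and everything after a `Match` line is conditional, so Match blocks are reported rather than evaluated. The defaults it assumes for absent keywords are the current upstream OpenSSH ones (older releases defaulted PermitRootLogin to yes), and the two sample configs are constructed. The one check people tend to miss is that `PasswordAuthentication no` alone is not enough when ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) and UsePAM are both on, because PAM then prompts for the same password over keyboard-interactive.

```python
"""Audit the global section of an sshd_config for the settings that decide
whether password guessing is possible at all.

Added example for this thread; not code from any poster, from Linode, or
from OpenSSH.  It follows sshd_config's own rules: keywords are
case-insensitive, the FIRST value for a keyword wins, and everything after
a Match line applies only to matching connections, so Match blocks are
reported rather than evaluated."""
import re

# Values sshd uses when a keyword is absent.  Assumed to be the current
# upstream OpenSSH defaults; older releases defaulted PermitRootLogin to
# yes, and most distributions ship UsePAM yes in their config file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # ChallengeResponseAuthentication is its older alias
    "permitrootlogin": "prohibit-password",
    "usepam": "no",
}
AUDITED = ("passwordauthentication", "pubkeyauthentication",
           "kbdinteractiveauthentication", "challengeresponseauthentication",
           "permitrootlogin", "usepam")

# Constructed samples: a typical "passwords and root allowed" file and a
# keys-only file with a per-user exception.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User deploy
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global options, keywords touched inside Match blocks)."""
    options, match_keys = {}, set()
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            match_keys.add(key)
        else:
            options.setdefault(key, value)  # first occurrence wins
    return options, match_keys


def audit(text):
    """Return a list of findings; an empty list means keys-only login."""
    options, match_keys = parse_sshd_config(text)

    def get(key):
        # KbdInteractiveAuthentication and ChallengeResponseAuthentication
        # name the same setting; honour whichever one was written.
        if key == "kbdinteractiveauthentication" and key not in options:
            if "challengeresponseauthentication" in options:
                return options["challengeresponseauthentication"].lower()
        return options.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': plain password logins are accepted")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-based login will not work")
    if get("kbdinteractiveauthentication") == "yes" and get("usepam") == "yes":
        findings.append("keyboard-interactive with UsePAM still prompts for the account "
                        "password; set ChallengeResponseAuthentication no")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is the obvious guessing target; "
                        "use no or prohibit-password")
    overridden = sorted(k for k in match_keys if k in AUDITED)
    if overridden:
        findings.append("overridden in a Match block, check those conditions: "
                        + ", ".join(overridden))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit(cfg) or ["no findings"]:
            print("  - " + finding)
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while you test a fresh login with a key; `sshd -t` still needs to be run separately, since this script checks policy, not syntax.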