Re: hardening SSH

Michael Klinosky wrote:
Rick:
If you only want to allow incoming ssh sessions from that address
block, use iptables and insert a rule:
-A INPUT -p tcp -m tcp -s 200.100.0.0/16 --syn --dport 22 -j ACCEPT
and make sure the last rule is something like:
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
to drop any other connection attempts other than the ones allowed above
it.

How does this differ from the hosts.allow & hosts.deny method?

Not by a whole lot looking at the end result. It's perfectly possible to use the hosts.* files. I personally feel safer with iptables knowing it works for every program on the computer, while the hosts.* files only work for programs which are tcpwrappers aware (iptables works with the kernel's tcp stack and can control connections at a low level, while the deny.* controls are implemented within each program/daemon).

Justin:
If you would be able to tell us which ISP you have, you may be able to
narrow down the address range even more.

I know about whois.org - so I tried it. I had to delve a bit to get the
detailed info, but found the range. There is a CIDR - is that what I
want? It's narrowed down to /21.


Yes. CIDR stands for Classless Interdomain Routing. It allows for network masks to go beyond the original Class A, B, C, etc. addresses. By using CIDR, it is possible to use the internet address space more efficiently, and waste fewer addresses when different networks are needed. With 5 bits borrowed from the Class B address, there's a possibility of 32 (2**5) different address ranges which you could be part of. Each network can only have 2048 hosts (down from a Class B's 65536), an impressive 96.875% reduction.

I've constructed a listing of the different address ranges which are possible in your situation. All you need to do is dial up the client, get its current IP address, and find which range it falls in. Then in the iptables (or hosts.allow) line below the table, replace the network address with the one you selected from the list (e.g. 200.100.48.0 if your IP is 200.100.51.192):

200.100.0.0-200.100.7.255      |  200.100.128.0-200.100.131.255
200.100.8.0-200.100.15.255     |  200.100.132.0-200.100.143.255
200.100.16.0-200.100.23.255    |  200.100.144.0-200.100.151.255
200.100.24.0-200.100.31.255    |  200.100.152.0-200.100.159.255
200.100.32.0-200.100.39.255    |  200.100.160.0-200.100.167.255
200.100.40.0-200.100.47.255    |  200.100.168.0-200.100.175.255
200.100.48.0-200.100.55.255    |  200.100.176.0-200.100.183.255
200.100.56.0-200.100.63.255    |  200.100.184.0-200.100.191.255
200.100.64.0-200.100.71.255    |  200.100.192.0-200.100.199.255
200.100.72.0-200.100.79.255    |  200.100.200.0-200.100.207.255
200.100.80.0-200.100.87.255    |  200.100.208.0-200.100.215.255
200.100.88.0-200.100.95.255    |  200.100.216.0-200.100.223.255
200.100.96.0-200.100.103.255   |  200.100.224.0-200.100.231.255
200.100.104.0-200.100.111.255  |  200.100.232.0-200.100.239.255
200.100.112.0-200.100.119.255  |  200.100.240.0-200.100.247.255
200.100.120.0-200.100.127.255  |  200.100.248.0-200.100.255.255

iptables -A INPUT -p tcp --dport 22 -s 200.100.0.0/21 -j ACCEPT (with a drop policy)

sshd: 200.100.0.0/255.255.248.0      (hosts.allow)
sshd: ALL                            (hosts.deny)

Justin W
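The "find which /21 your address falls in" step above, done as a calculation rather than by reading the table, as an added example that is not code from Justin's or Michael's messages. It takes the dial-up address and a prefix length, prints the block it belongs to, regenerates the table of /21 blocks inside 200.100.0.0/16, and emits the iptables and hosts.allow/hosts.deny lines. The function names are this example's own, and the ESTABLISHED,RELATED accept line is my addition (not from the thread): with an INPUT policy of DROP, a rule that accepts only SYN packets would otherwise drop the rest of each allowed connection.

```sh
#!/bin/sh
# Added example (not from the thread): compute the CIDR block containing a
# dotted-quad address and print the matching firewall / tcp_wrappers lines.
# 200.100.0.0/16 and the /21 are the thread's numbers; everything else here
# (function names, the ESTABLISHED,RELATED rule) is this example's own.

ip_to_int() {                       # 200.100.51.192 -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr . ' ')   # split octets into $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_int() {                        # prefix length -> netmask as an integer
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

net_of() {                          # net_of IP PREFIX -> network address of IP's block
    int_to_ip $(( $(ip_to_int "$1") & $(mask_int "$2") ))
}

bcast_of() {                        # bcast_of IP PREFIX -> last address of IP's block
    m=$(mask_int "$2")
    int_to_ip $(( ($(ip_to_int "$1") & m) | (~m & 4294967295) ))
}

list_subnets() {                    # list_subnets NET PARENT CHILD -> "first-last" per child block
    base=$(( $(ip_to_int "$1") & $(mask_int "$2") ))
    size=$(( 1 << (32 - $3) ))      # addresses per child block (2048 for a /21)
    count=$(( 1 << ($3 - $2) ))     # number of child blocks (32 for /21s in a /16)
    i=0
    while [ "$i" -lt "$count" ]; do
        first=$(( base + i * size ))
        echo "$(int_to_ip "$first")-$(int_to_ip $(( first + size - 1 )))"
        i=$(( i + 1 ))
    done
}

emit_rules() {                      # emit_rules IP PREFIX -> iptables + hosts.allow/deny lines
    net=$(net_of "$1" "$2")
    mask=$(int_to_ip "$(mask_int "$2")")
    cat <<EOF
# iptables, INPUT policy DROP. The ESTABLISHED,RELATED line is needed so the
# SYN-only ACCEPT below does not strand the rest of an allowed connection.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -s $net/$2 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j DROP
# /etc/hosts.allow
sshd: $net/$mask
# /etc/hosts.deny
sshd: ALL
EOF
}

# Usage: paste in the client's current dial-up address (constructed sample).
emit_rules 200.100.51.192 21
```

Run it with the address the client currently has; the block it prints (200.100.48.0/21 for 200.100.51.192) is the one to put in the rule, and `list_subnets 200.100.0.0 16 21` reproduces the 32-entry table above so you can sanity-check the result against it.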

