linux-admin.vger.kernel.org archive mirror
* SSH allow only from selected IPs
@ 2004-08-14 10:34 Kev
  2004-08-14 10:54 ` James Turnbull
  0 siblings, 1 reply; 15+ messages in thread
From: Kev @ 2004-08-14 10:34 UTC (permalink / raw)
  To: linux-admin, linux-config

hi,

I have a Red Hat Enterprise Linux 3 box. How can I configure the SSH daemon
to only allow SSH connections from selected IPs?

I have 3 IP ranges that I need to allow. How can I do this?

thanks a lot
Kev


------- 
Web Hosting at a cheap price, starting at $1 per month with your own domain, .COM, .NET, .LK, .ORG etc..
PHP, CGI, Perl, MySQL, Cpanel 9, POP3, POP3s, SMTP, IMAP, FTP,
http://www.orbitsl.net


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: SSH allow only from selected IPs
  2004-08-14 10:34 Kev
@ 2004-08-14 10:54 ` James Turnbull
  2004-08-14 11:18   ` Re[2]: " Kev
  0 siblings, 1 reply; 15+ messages in thread
From: James Turnbull @ 2004-08-14 10:54 UTC (permalink / raw)
  To: Kev; +Cc: linux-admin, linux-config


Kev wrote:

>hi,
>
>I have a Red Hat Enterprise Linux 3 box. How can I configure the SSH daemon
>to only allow SSH connections from selected IPs?
>
>I have 3 IP ranges that I need to allow. How can I do this?
>
>thanks a lot
>Kev
Use your firewall rules.  Something like:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT

Where 192.168.0.0/24 is the range you are allowing.

Regards

James





* Re: SSH allow only from selected IPs
  2004-08-14 11:18   ` Re[2]: " Kev
@ 2004-08-14 11:42     ` James Turnbull
  2004-08-14 11:46     ` James Turnbull
  1 sibling, 0 replies; 15+ messages in thread
From: James Turnbull @ 2004-08-14 11:42 UTC (permalink / raw)
  To: Kev; +Cc: linux-admin, linux-config


Kev wrote:

>>Use your firewall rules.  Something like:
>>
>>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>>
>>Where 192.168.0.0/24 is the range you are allowing.
>
>Is there any way I can do this with the SSH config?
>
>Can I use the iptables rules for 2-3 IP ranges?

Have a read of:
http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html#45775

For the firewall rules, yes, you can do more than one subnet:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 10.0.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 10.0.0.0/24 --sport 22 -j ACCEPT

etc etc

Regards

James




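The rule sets James gives in his two replies above only ACCEPT the listed ranges: unless the INPUT chain's policy is already DROP, every other source still reaches sshd, and the OUTPUT rule is only needed when the OUTPUT policy is DROP, since the ESTABLISHED state already covers replies. What follows is an added example, not code from the thread: a small POSIX shell helper that turns a list of ranges into a complete, reviewable rule set with an explicit drop at the end. The chain name SSH_IN and the three ranges in the usage lines are my own placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): print a complete iptables rule set
# that admits SSH only from the given IPv4 CIDR ranges and drops the rest.
# Nothing is applied here; review the output, then pipe it to sh as root.
# Assumptions: the state match (ipt_state / conntrack) is available, as it
# is on RHEL 3, and the chain name SSH_IN is free for our use.

# is_cidr A.B.C.D/N -> 0 if the argument is a well-formed IPv4 CIDR range
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    oldifs=$IFS; IFS=.
    for o in $ip; do
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# ssh_allow_rules CIDR... -> prints the iptables commands; returns 1 on a
# malformed range so that a typo cannot silently become "allow nothing".
ssh_allow_rules() {
    [ $# -gt 0 ] || { echo "usage: ssh_allow_rules CIDR..." >&2; return 1; }
    for r in "$@"; do
        is_cidr "$r" || { echo "bad CIDR range: $r" >&2; return 1; }
    done
    # a dedicated chain keeps the SSH policy readable and safe to reload
    echo "iptables -N SSH_IN 2>/dev/null || iptables -F SSH_IN"
    # replies and related packets first, so existing sessions keep working
    echo "iptables -A SSH_IN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # one ACCEPT per allowed range, matching only new connections
    for r in "$@"; do
        echo "iptables -A SSH_IN -p tcp -m state --state NEW -s $r -j ACCEPT"
    done
    # everything else: rate-limited log, then DROP in the kernel, so sshd
    # never sees the connection
    echo "iptables -A SSH_IN -m limit --limit 5/min -j LOG --log-prefix 'ssh-denied: '"
    echo "iptables -A SSH_IN -j DROP"
    # hook port 22 into the chain; delete any old hook first so that
    # re-running the script does not stack duplicate jumps
    echo "iptables -D INPUT -p tcp --dport 22 -j SSH_IN 2>/dev/null"
    echo "iptables -I INPUT 1 -p tcp --dport 22 -j SSH_IN"
}

# Usage (three assumed placeholder ranges); inspect first, then apply:
#   ssh_allow_rules 192.168.0.0/24 10.0.0.0/24 172.16.0.0/16
#   ssh_allow_rules 192.168.0.0/24 10.0.0.0/24 172.16.0.0/16 | sh
```

Apply it from the console or with a timed rollback (save the current rules with iptables-save and schedule an iptables-restore of that file with at(1)), so a typo in the list does not lock you out; afterwards inspect the chain with `iptables -L SSH_IN -n -v` and, on Red Hat, persist it with `service iptables save`.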

* Re: SSH allow only from selected IPs
  2004-08-14 11:18   ` Re[2]: " Kev
  2004-08-14 11:42     ` James Turnbull
@ 2004-08-14 11:46     ` James Turnbull
  1 sibling, 0 replies; 15+ messages in thread
From: James Turnbull @ 2004-08-14 11:46 UTC (permalink / raw)
  To: Kev; +Cc: linux-admin, linux-config


Kev wrote:

Sorry:  http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html

Regards

James



* Re: Re[2]: SSH allow only from selected IPs
@ 2004-08-14 11:52 luke
  2004-08-15 12:58 ` James Turnbull
  0 siblings, 1 reply; 15+ messages in thread
From: luke @ 2004-08-14 11:52 UTC (permalink / raw)
  To: linux-admin

One very effective way that I have found to do this is to use the
'hosts.allow' file located at /etc/hosts.allow

OpenSSH uses this to restrict or allow access to the server from IP,
host names, etc. Keep in mind that using this method can restrict
access to the server using ANY method. To restrict only SSH you must
then also ALLOW all other system methods.

For instance, to block access to the server from any IP except
216.12.214.217, but allow all IPs to access the server using ftp,
use this syntax:

-------------------------------

ALL : 216.12.214.217 : ALLOW

vsftpd : ALL

ALL : ALL : DENY

--------------------------------

basically, this says, allow 216.12.214.217 access of any kind. Allow
anyone to access using VSFTP. Deny all others.

One other important note: hosts.allow only blocks or allows access
to system services such as SSH, FTP, HTTPD, etc. This will not
restrict access to a non-standard service such as a game server or
chat software running on port 10000.

Luke


>>>I have a Red Hat Enterprise Linux 3 box. How can I configure the SSH
>>>daemon to only allow SSH connections from selected IPs?
>>>
>>>I have 3 IP ranges that I need to allow. How can I do this?
>>>
>>>thanks a lot
>>>Kev
>>
>>Use your firewall rules.  Something like:
>>
>>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>>
>>Where 192.168.0.0/24 is the range you are allowing.
>
> Is there any way I can do this with the SSH config?
>
> Can I use the iptables rules for 2-3 IP ranges?
>




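Luke's rule set above, driven through an added toy evaluator (my own code, not libwrap) so that the effect of a given hosts.allow ordering can be checked before it is relied on; the real tool for this is tcpdmatch(8), e.g. `tcpdmatch sshd 216.12.214.217`. Two caveats a reader should have alongside the post: OpenSSH only consults hosts.allow when built against libwrap (the Red Hat builds of the time were; upstream removed libwrap support in OpenSSH 6.7), and the check runs inside sshd after the TCP connection has been accepted, so each refused attempt still costs a process where a firewall drop costs none. The daemon field is matched against the process name, here `sshd`.

```shell
#!/bin/sh
# Added example (not from the thread): a toy evaluator for the hosts.allow
# semantics luke describes, so the rule order can be tested in isolation.
# It is NOT libwrap; the real check is tcpdmatch(8).
# Supported subset: daemon and client fields are space-separated lists of
# ALL, an exact IPv4 address, or a trailing-dot network prefix such as
# 216.12.214. ; the third field may be ALLOW or DENY.  Hostnames, netmask
# forms, EXCEPT and shell commands are not handled.

# Constructed rule set, copied from the post above (hosts.allow order).
RULES='ALL : 216.12.214.217 : ALLOW
vsftpd : ALL
ALL : ALL : DENY'

# field_matches "PATTERN LIST" VALUE -> 0 if any pattern matches the value
field_matches() {
    val=$2
    for pat in $1; do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$val" in "$pat"*) return 0 ;; esac ;;  # network prefix
            *)   [ "$pat" = "$val" ] && return 0 ;;
        esac
    done
    return 1
}

# wrap_decide RULES DAEMON CLIENT_IP -> prints allow or deny.
# As in hosts_access(5): the first matching line wins, and a matching line
# without a DENY option grants access.  This toy has no hosts.deny, so a
# client that matches nothing falls through to allow, which is also what
# libwrap does when neither file matches.
wrap_decide() {
    rules=$1 daemon=$2 client=$3
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        d=$(printf '%s\n' "$line" | cut -d: -f1)
        c=$(printf '%s\n' "$line" | cut -d: -f2)
        o=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d ' ')
        if field_matches "$d" "$daemon" && field_matches "$c" "$client"; then
            if [ "$o" = DENY ]; then echo deny; else echo allow; fi
            return 0
        fi
    done <<EOF
$rules
EOF
    echo allow
}

# Usage:
#   wrap_decide "$RULES" sshd 10.1.1.1     -> deny
#   wrap_decide "$RULES" vsftpd 10.1.1.1   -> allow
```

The last point the evaluator makes is the one most often got wrong in practice: without the closing `ALL : ALL : DENY` line (or an equivalent entry in hosts.deny), an address that matches no rule is admitted, and a DENY line placed above an ALLOW line shadows it.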

* Re: SSH allow only from selected IPs
  2004-08-14 11:52 Re[2]: SSH allow only from selected IPs luke
@ 2004-08-15 12:58 ` James Turnbull
  2004-08-15 13:54   ` Re[2]: " Kev
  2004-08-15 14:59   ` luke
  0 siblings, 2 replies; 15+ messages in thread
From: James Turnbull @ 2004-08-15 12:58 UTC (permalink / raw)
  To: luke; +Cc: linux-admin


luke@techfreak.org wrote:

>One very effective way that I have found to do this is to use the
>'hosts.allow' file located at /etc/hosts.allow
>
>  
>
hosts.allow is NOT secure.  You can easily spoof the IP addresses 
contained within it.  You should not use it.

Regards

James




* Re[2]: SSH allow only from selected IPs
  2004-08-15 12:58 ` James Turnbull
@ 2004-08-15 13:54   ` Kev
  2004-08-15 14:59   ` luke
  1 sibling, 0 replies; 15+ messages in thread
From: Kev @ 2004-08-15 13:54 UTC (permalink / raw)
  To: linux-admin


>hosts.allow is NOT secure.  You can easily spoof the IP addresses 
>contained within it.  You should not use it.
>

Yeah, I'm using iptables and it's working fine.





* Re: SSH allow only from selected IPs
  2004-08-15 12:58 ` James Turnbull
  2004-08-15 13:54   ` Re[2]: " Kev
@ 2004-08-15 14:59   ` luke
  2004-08-16 11:23     ` James Turnbull
  1 sibling, 1 reply; 15+ messages in thread
From: luke @ 2004-08-15 14:59 UTC (permalink / raw)
  To: linux-admin

I'm definitely not a firewall expert, but isn't it also possible to
get around ipchains using IP spoofing? From what I know ipchains is only
protected against spoofing by using source address verification.

Or am I way off?

Luke



> luke@techfreak.org wrote:
>
>>One very effective way that I have found to do this is to use the
>>'hosts.allow' file located at /etc/hosts.allow
>
> hosts.allow is NOT secure.  You can easily spoof the IP addresses
> contained within it.  You should not use it.
>
> Regards
>
> James





* Re: SSH allow only from selected IPs
  2004-08-15 14:59   ` luke
@ 2004-08-16 11:23     ` James Turnbull
  2004-08-16 13:37       ` Re[2]: " Kev
  0 siblings, 1 reply; 15+ messages in thread
From: James Turnbull @ 2004-08-16 11:23 UTC (permalink / raw)
  To: luke; +Cc: linux-admin


luke@techfreak.org wrote:

>I'm definitely not a firewall expert, but isn't it also possible to
>get around
>IPchains using IP spoofing? From what I know ipchains is only
>protected against spoofing by using source address verification.
>
>Or am I way off?
>
>Luke
>  
>
A little off. :)  Yes, you can spoof iptables, but not nearly as easily as
hosts.allow can be spoofed.  hosts.allow's verification procedures are
considerably less sophisticated than those of iptables.

Regards

James

P.S. Generally Ipchains has been replaced by Iptables. 



* Re[2]: SSH allow only from selected IPs
  2004-08-16 11:23     ` James Turnbull
@ 2004-08-16 13:37       ` Kev
  2004-08-16 16:30         ` VPN question Tony Gogoi
  2004-08-18 10:46         ` SSH allow only from selected IPs Stephen Samuel
  0 siblings, 2 replies; 15+ messages in thread
From: Kev @ 2004-08-16 13:37 UTC (permalink / raw)
  To: linux-admin

>
>>I'm definitely not a firewall expert, but isn't it also possible to
>>get around
>>IPchains using IP spoofing? From what I know ipchains is only
>>protected against spoofing by using source address verification.
>>
>>Or am I way off?
>>
>>Luke
>>  
>>
>A little off. :)  Yes, you can spoof iptables, but not nearly as easily as
>hosts.allow can be spoofed.  hosts.allow's verification procedures are
>considerably less sophisticated than those of iptables.
>
>Regards
>
>James
>
>P.S. Generally Ipchains has been replaced by Iptables. 


I did both: I blocked IPs with iptables and I also configured the SSH daemon
to only allow connections from given IPs.

My server was down like 2-3 times a week due to a DDoS attack or someone
running an attack on my SSH; now the server seems to be running fine.

Oh yeah, and I also blocked all ICMP communication and only allowed it from
my IP :)





* VPN question
  2004-08-16 13:37       ` Re[2]: " Kev
@ 2004-08-16 16:30         ` Tony Gogoi
  2004-08-16 17:29           ` Adam Lang
  2004-08-18 10:46         ` SSH allow only from selected IPs Stephen Samuel
  1 sibling, 1 reply; 15+ messages in thread
From: Tony Gogoi @ 2004-08-16 16:30 UTC (permalink / raw)
  To: linux-admin


Hello,

Right now when we use the VPN each of our computers needs a unique
external IP address to communicate with the server.

To overcome the problem of having a few external IP addresses,
I was wondering if there's any software that would map all clients'
external IP addresses to one unique IP address and communicate with the
server through another software that would "decrypt" the unique IP address
into individual ones.

Regards,
Tony Gogoi


* Re: VPN question
  2004-08-16 16:30         ` VPN question Tony Gogoi
@ 2004-08-16 17:29           ` Adam Lang
  2004-08-16 18:50             ` Tony Gogoi
  0 siblings, 1 reply; 15+ messages in thread
From: Adam Lang @ 2004-08-16 17:29 UTC (permalink / raw)
  To: linux-admin

Obvious first question is: why is it a problem?


* Re: VPN question
  2004-08-16 17:29           ` Adam Lang
@ 2004-08-16 18:50             ` Tony Gogoi
  2004-08-16 18:59               ` Adam Lang
  0 siblings, 1 reply; 15+ messages in thread
From: Tony Gogoi @ 2004-08-16 18:50 UTC (permalink / raw)
  To: Adam Lang; +Cc: linux-admin


Hi Adam,

I'm not too familiar with VPNs.

But our PCs sit on a LAN behind a firewall.  A few PCs are VPN clients.
Right now we have configured our firewall to map VPN clients on the
private LAN to static external IP addresses. The rest of the PCs on the
LAN are mapped to a single IP address. We are running out of external IP
addresses. Was wondering if there was a way out instead of having to buy
more IP addresses.

So, I was wondering if there's a set up that could make our PCs connect
to some sort of VPN server at our end which would act as a gateway to the
actual server located far away.

Regards,
Tony




Tony Gogoi


* Re: VPN question
  2004-08-16 18:50             ` Tony Gogoi
@ 2004-08-16 18:59               ` Adam Lang
  0 siblings, 0 replies; 15+ messages in thread
From: Adam Lang @ 2004-08-16 18:59 UTC (permalink / raw)
  Cc: linux-admin

Ok, so you are clients connecting to a VPN server.  That whole scenario you
were speaking of is called NAT (private IP addresses are mapped to a single
public IP address; the router/firewall keeps track of the connections).

That is not the problem though.  The issue is that some encryption
technologies do not allow the connections to be NATed because your data
packets are "mangled" to achieve this, and the encryption protocol requires
packets to be unmodified so as to verify integrity.

You have two options.  The first option is to get the people hosting the VPN
server to change what they are doing into something more NAT friendly (but
loses a level of security) or work with them to set up a VPN server in your
network that builds a connection with their VPN server.  Then, you set up
info on your routing tables to route over it.  This way, you have a single
VPN connection, and all your clients send data over it.




* Re: SSH allow only from selected IPs
  2004-08-16 13:37       ` Re[2]: " Kev
  2004-08-16 16:30         ` VPN question Tony Gogoi
@ 2004-08-18 10:46         ` Stephen Samuel
  1 sibling, 0 replies; 15+ messages in thread
From: Stephen Samuel @ 2004-08-18 10:46 UTC (permalink / raw)
  To: Kev, linux-admin

Blocking using iptables is easily the most efficient if you're dealing
with a DDOS situation.  It blocks at the kernel, so the opening packet
is never accepted and sshd is never called.  Any other solution is
likely to require an open connection and a process to deal with things.

I actually can't find a way to get sshd to only allow certain hosts
by IP address.  AllowHosts used to work, but seems to be missing from
the most recent sshd_config format.

Kev wrote:

> I did both: I blocked IPs with iptables and I also configured the SSH daemon
> to only allow connections from given IPs.
> 
> My server was down like 2-3 times a week due to a DDoS attack or someone
> running an attack on my SSH; now the server seems to be running fine.
> 
> Oh yeah, and I also blocked all ICMP communication and only allowed it from
> my IP :)

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.

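Kev asked earlier whether the daemon itself can do this, and Stephen says above that he could not find a way. As an added example, not from the thread, here is how it is done in sshd_config on OpenSSH releases newer than the 3.x shipped with RHEL 3 (current sshd_config(5) documents both forms used). The three ranges are assumed placeholders. Treat this as a second layer behind the firewall rule, not a replacement: a client outside the list still completes the TCP handshake and key exchange and is refused only at the authentication step, which is exactly the per-connection cost Stephen describes.

```sshd_config
# Added example: limit logins to three assumed ranges inside sshd itself.

# AllowUsers takes user@host patterns; in current OpenSSH the host part
# may be a CIDR range.  Once any AllowUsers line is present, every login
# that matches no entry is refused, so list every range you need.
AllowUsers *@192.168.0.0/24 *@10.0.0.0/24 *@172.16.0.0/16

# Older releases (the 3.x on RHEL 3 included) match the host part only as
# a wildcard pattern, so a /24 is written with a trailing *:
#AllowUsers *@192.168.0.* *@10.0.0.*

# Belt and braces on current OpenSSH: for any source outside the ranges,
# switch off every authentication method, so a stray AllowUsers entry
# cannot reopen the door.  Match Address with ! negation needs a current
# release; older ones spell the last line ChallengeResponseAuthentication.
# Match must be the final section of the file: everything after it
# belongs to the block.
Match Address *,!192.168.0.0/24,!10.0.0.0/24,!172.16.0.0/16
    PasswordAuthentication no
    PubkeyAuthentication no
    KbdInteractiveAuthentication no
```

Check the file with `sshd -t` before restarting, and confirm what an outside client would be offered with `sshd -T -C addr=203.0.113.5,user=kev,host=example` (the -T and -C options are themselves current-OpenSSH features; the address is a documentation-range placeholder). Keep an existing session open across the restart so that a typo in the list cannot lock you out.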
