I have 20 Linux servers hosted in the cloud. I installed CSF on all of them. I want SSH to be accessible specifically on our office Internet IP so that it won't be accessible somewhere else. Is this possible? If it is, how do I set it on my CSF conf?
Thanks
SSH : Allow only specific public IP
- Junior Member
- Posts: 5
- Joined: 01 Aug 2017, 14:27
- Junior Member
- Posts: 18
- Joined: 24 Jan 2016, 20:22
Re: SSH : Allow only specific public IP
Wouldn't using something like iptables be a better solution instead of using CSF to accomplish your task?
Maybe I'm misunderstanding your question here.
Do the 20 Linux servers reside on the same network? For example, the 192.168.1.0 network? If so, you could configure the SSH server to listen only on the local area network's interface. So, if your office has the following private IPv4 address, 192.168.1.2, in /etc/sshd_config, you'd have something like:
Code:
ListenAddress 192.168.1.2
Now, if you only want to allow connections from those 20 Linux servers to that office server, you could use iptables and do something like this:
Code:
# -I inserts each ACCEPT rule at the top of the INPUT chain
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -s 192.168.1.3 -j ACCEPT
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -s 192.168.1.4 -j ACCEPT
...
# -A appends the REJECT rule at the end of the INPUT chain
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j REJECT
You'd replace 22 with whatever port your SSH server is running on. And we'd replace 192.168.1.3, 192.168.1.4, etc. with the IP address of each of the Linux servers.
I believe you can create an executable file called csfpost.sh in the /etc/csf directory and add those commands.
With the code I just posted, it would allow traffic ONLY from 192.168.1.3 and 192.168.1.4, on port 22 (the default SSH port), and then it would reject connections from anyone else. You can use public or private IP addresses with that.
Once you create the file with the 20 IP addresses, then you'd want to chmod +x /etc/csf/csfpost.sh and run csf -ra to restart csf.
If I'm misunderstanding something, please let me know and I'll see if I can help more.
Thanks!
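An added example (not part of the original posts, and not CSF's own code): a generator for the commands the reply above suggests placing in /etc/csf/csfpost.sh. It goes beyond the posted rules by collecting them in a dedicated chain, so the final REJECT is reached regardless of what else is already in INPUT, and it refuses an empty or malformed allowlist. The chain name SSH_ALLOW and the address 203.0.113.10 (standing in for the office public IP) are assumptions.

```sh
#!/bin/sh
# Added example: print the iptables commands for /etc/csf/csfpost.sh.
# Nothing is applied here; review the output before installing it.
IPT=/usr/sbin/iptables   # path used in the thread
SSH_PORT=22
CHAIN=SSH_ALLOW          # assumed chain name, not a CSF built-in

# Succeed only for a plain dotted-quad IPv4 address (each octet 0-255).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print rules that accept SSH from the listed sources and reject all others.
build_ssh_rules() {
    # An empty allowlist would lock every administrator out.
    [ $# -gt 0 ] || { echo "no allowed source given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "invalid address: $src" >&2; return 1; }
    done
    # Create the chain, or empty it if a previous run left it behind.
    echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    for src in "$@"; do
        echo "$IPT -A $CHAIN -s $src -j ACCEPT"
    done
    # Rules are matched in order, so the catch-all goes last in the chain.
    echo "$IPT -A $CHAIN -j REJECT"
    # Hook at the top of INPUT so it is evaluated before existing rules.
    echo "$IPT -I INPUT -p tcp --dport $SSH_PORT -j $CHAIN"
}

# Constructed sample: 203.0.113.10 stands in for the office public IP;
# the 192.168.1.x addresses are the ones used in the reply.
build_ssh_rules 203.0.113.10 192.168.1.3 192.168.1.4
```

The printed lines can be appended to /etc/csf/csfpost.sh, which is then made executable and loaded with csf -ra as the reply describes.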
- Junior Member
- Posts: 5
- Joined: 01 Aug 2017, 14:27
Re: SSH : Allow only specific public IP
Let me elaborate it a little.
It's like this: those servers are web servers that have ssh, http, https, mysql. Normally, you can do ssh anywhere using its public IP. My objective is that I don't want it to be accessible anywhere; I want it only to be accessible inside office Internet IP, not entirely from any ISP. Can I only allow our office public and block everybody else for SSH service?
Re: SSH : Allow only specific public IP
Use tcp_wrappers.
- Junior Member
- Posts: 5
- Joined: 01 Aug 2017, 14:27
Re: SSH : Allow only specific public IP
I'm not familiar. Can you give me a sample config for it please?
Thanks
Re: SSH : Allow only specific public IP
https://www.akadia.com/services/ssh_tcp_wrapper.html
If you're using WHM/cPanel then additional ports will need to be enabled for access. Additionally your data center/cloud provider may require specific IPs to be included in the hosts.allow file for monitoring/access purposes.
Wrappers gives you the additional security of denying everything that isn't specifically allowed.
- Junior Member
- Posts: 5
- Joined: 01 Aug 2017, 14:27
Re: SSH : Allow only specific public IP
What I really want to happen is to block all and only allow specific ports and internet to allow access that specific port. Is this possible with CSF?
- Junior Member
- Posts: 5
- Joined: 01 Aug 2017, 14:27
Re: SSH : Allow only specific public IP
What if I want to block all and only allow specific ports and IPs on our internet IP? Is this possible with CSF?