
Security CSF Block the SSH Port to All Except the Specific IP's

Discussion in 'System Administration' started by negative, Jun 3, 2019.

  1. negative

    Hello!

    I want to block SSH access to the server from everywhere except 3 static IP addresses.

    I've tried TCP wrappers but didn't manage it; I also thought using CSF would be better.

    How can I do it, basically?

    Thanks
     
  2. Jimmy

    You can do it in sshd_config.

    Locking access to a specific IP address
    Code:
    # nano /etc/ssh/sshd_config
    AllowUsers [email protected]
    # (AllowUsers entries take the form user@host, i.e. username@allowed-IP; the line must not be commented out)
     
  4. Khairul

    Besides sshd config, you can easily do this with CSF.

    Basically:
    1. Add your 3 static IPs in /etc/csf/csf.allow
    2. Edit /etc/csf/csf.conf and, in the TCP_IN section, remove your SSH port.
    3. Reload csf.
    Or, if you want to allow those static IPs access only to your SSH port, in csf.allow add:

    tcp|in|d="ssh port"|s="your ip"

    example: tcp|in|d=22|s=192.168.0.1
     
  5. negative

    Thank you for your help!

    When I add that line to csf.allow:
    tcp|in|d=22|s=192.168.0.1

    Should I add something to the csf.deny file?

    Or does it just allow that rule and deny other IPs automatically?

    Thanks
     
  6. eva2000

    That only allows your s= defined source IP. To block others, as mentioned, you need to remove the port from the TCP_IN, TCP6_IN and/or UDP_IN/UDP6_IN comma-separated lists of whitelisted ports in the CSF Firewall config file /etc/csf/csf.conf and then restart CSF Firewall
    Code (Text):
    csf -ra


    Be sure, if your web host has out-of-band console/KVM access, that you know how to use it to regain access to your VPS/server if you lock yourself out.
     
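An added example for the procedure in the two posts above (Khairul's steps and eva2000's TCP_IN note); it is not code from anyone in this thread or from CSF itself. It is a small POSIX sh script that strips the SSH port from the TCP_IN/TCP6_IN whitelists of a csf.conf-style file and writes the per-IP tcp|in|d=22|s=IP allow rules in the syntax shown above. The function names, the constructed config fragment and the 192.168.0.x addresses are assumptions of mine; the demo only ever touches temporary copies, so applying the functions to the real /etc/csf/csf.conf and /etc/csf/csf.allow (followed by csf -ra) is a deliberate manual step.

```shell
#!/bin/sh
# Added example (not from this thread or from CSF). Applies the two changes
# discussed above to csf.conf / csf.allow style files:
#   1. strip the SSH port from the TCP_IN and TCP6_IN whitelists
#   2. write a per-IP csf.allow rule (tcp|in|d=PORT|s=IP) for each static IP
# SSH is TCP only, so UDP_IN/UDP6_IN are left alone. The demo works on
# temporary copies; to apply for real, run the functions by hand against
# /etc/csf/csf.conf and /etc/csf/csf.allow and then `csf -ra`.

# remove_port LIST PORT: print the comma-separated LIST without PORT.
# Exact match only, so 22 does not disturb 220, 2222 or a 30000:35000 range.
remove_port() {
    printf '%s\n' "$1" | awk -v p="$2" -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != p) out = out (out == "" ? "" : ",") $i
        print out
    }'
}

# strip_port_from_conf FILE PORT: rewrite the TCP_IN/TCP6_IN lines of FILE
# in place, leaving every other line (comments, UDP lists, ...) untouched.
strip_port_from_conf() {
    conf=$1; port=$2; tmp="$conf.tmp"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'TCP_IN = "'*|'TCP6_IN = "'*)
                key=${line%% =*}                  # TCP_IN or TCP6_IN
                val=${line#*\"}; val=${val%\"*}   # text between the quotes
                line="$key = \"$(remove_port "$val" "$port")\""
                ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$conf"
    mv "$tmp" "$conf"
}

# allow_rule IP PORT: one csf.allow line in the syntax shown in the thread.
allow_rule() {
    printf 'tcp|in|d=%s|s=%s\n' "$2" "$1"
}

# demo: run both steps against constructed temporary copies and show them.
demo() {
    conf=$(mktemp); allow=$(mktemp); ssh_port=22
    # constructed fragment in csf.conf's own KEY = "a,b,c" layout
    cat > "$conf" <<'EOF'
# constructed csf.conf fragment (not a real config)
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_IN = "20,21,53,80,443"
EOF
    strip_port_from_conf "$conf" "$ssh_port"
    for ip in 192.168.0.1 192.168.0.2 192.168.0.3; do   # constructed static IPs
        allow_rule "$ip" "$ssh_port" >> "$allow"
    done
    echo "== csf.conf copy ($conf) =="; cat "$conf"
    echo "== csf.allow copy ($allow) =="; cat "$allow"
    echo "next: csf -ra  (keep an out-of-band console handy in case of lockout)"
    rm -f "$conf" "$allow"
}

demo
```

Without the allow_rule lines the allowed IPs would be locked out along with everyone else once the port leaves TCP_IN, which is the point eva2000 makes above; the two steps only work together.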
  7. robert syputa

    I've read on this topic elsewhere but found no need to implement it. The discussion included establishing a back door using port-knocking. Essentially, you would first set up port-knocking, which can be done through CSF (see docs), so the back door would be created to open the server to either a specific IP/client or to all access not otherwise restricted. Port-knocking is where you hit/knock on selected ports in sequence. The ports you select should be those not being used on the server. CSF/iptables then checks the log for access to the ports within the selected amount of time and, if the conditions are met, opens up the ports or selected port(s) for access or selected address access.
    This obviously opens up a security risk that the exclusive access is aimed at preventing. However, so long as the port-knocking scheme is kept secure, the chances of a breach are generally beyond what is needed by most admins/firms.
     
  8. fabianski

    Is it possible to set a dynamic DNS?

    I have mine added in the csf.dyndns file and tried to add the following rule in csf.allow

    Code (Text):
    tcp|in|d=123|s=domain.duckdns.org


    but access was still allowed for all IPs.

    I removed the SSH port from the allowed list in the csf.conf file; it worked, except that I was also blocked, but I regained access.
     
  10. fabianski

    Yes, I did it.
    I would like to allow connections on the SSH port only to the dynamic DNS that I put in.
     
  11. eva2000

    Then the dynamic DNS instructions + removing the sshd port from the csf.conf whitelisted ports would be enough.
     
  12. fabianski

    OK, now it's working.
    It was not working because I thought it was necessary to add this rule to csf.allow
    Code (Text):
    tcp|in|d=123|s=domain.duckdns.org
     