Re: hardening SSH

Michael Klinosky wrote:
I use ssh (on my own machines, personal use). My primary box (for ssh, it's my daemon) is on dsl. The only machine that I log in from (client?) is on the same ISP, and is on a dial-up line.

I'd like to allow only those IPs that I might dynamically get. How would this be accomplished? I checked my secure log file (on the daemon box), and have examples of IPs that I was assigned. Nota bene: It seems like only the first and second parts are consistent. So, how can I specify a range thus: 200.100.x.x ? Would I use a zero, or 'x', or ...?

I know this isn't the most efficient method (using non-standard port numbers and public/private key authentication can do more), but it is an interesting exercise in networking:

If you would be able to tell us which ISP you have, you may be able to narrow down the address range even more. ISPs are given blocks of IP addresses to give out, and depending on your ISP, we may be able to calculate a subnet mask which will give you a smaller range of addresses to allow than the current 200.100.0.0/16 (which allows 65536 possible addresses). For example, I can narrow down my ISP's address block to a 19 bit mask (255.255.224.0 in network mask notation). That leaves only 8192 possible addresses (an 87.5% reduction), and that's using only the information available from arin.net. If you could figure out the range of their dynamic IPs, you could reduce the possible range even more (because there's going to be a block reserved for static IP clients).

You can then restrict the incoming ssh attempts using a simple line in iptables. It may look something like this (assuming you drop packets which haven't been specifically allowed):

iptables -A INPUT -p tcp --dport 22 -s 200.100.64.0/19 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Justin W

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
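As an added example (not part of the thread), here is a script that takes the source addresses collected from the secure log, computes the smallest CIDR block whose common prefix covers all of them, reports how much it shrinks the allowed range relative to the /16, and emits the matching iptables rule. The addresses are constructed samples, and the computed block is only a lower bound on the ISP's dynamic pool; check it against the allocation published at arin.net before relying on it.

```python
"""Narrow an iptables source filter to the tightest block covering observed dynamic IPs."""
import ipaddress

# Constructed sample: source addresses pulled from /var/log/secure on the daemon box.
OBSERVED = ["200.100.65.12", "200.100.70.201", "200.100.88.3", "200.100.95.250"]


def covering_block(addrs):
    """Smallest IPv4 network (longest common prefix) that contains every address."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # Shorten the prefix until the lowest and highest addresses share it.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)  # clear the host bits
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")


def reduction_vs(net, wider_prefix=16):
    """Percentage of addresses removed compared with a wider /N block (default /16)."""
    wider_size = 2 ** (32 - wider_prefix)
    return 100.0 * (1 - net.num_addresses / wider_size)


def covers_all(net, addrs):
    """Sanity check: every observed address must fall inside the block we will allow."""
    return all(ipaddress.IPv4Address(a) in net for a in addrs)


def iptables_rule(net, port=22):
    """ACCEPT rule for the block; note the state list must not contain spaces."""
    return (f"iptables -A INPUT -p tcp --dport {port} -s {net} "
            f"-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")


if __name__ == "__main__":
    block = covering_block(OBSERVED)
    print(f"block: {block}  netmask: {block.netmask}  addresses: {block.num_addresses}")
    print(f"reduction vs /16: {reduction_vs(block):.1f}%")
    print(f"all observed addresses covered: {covers_all(block, OBSERVED)}")
    print(iptables_rule(block))
```

The sample addresses collapse to 200.100.64.0/19 (netmask 255.255.224.0, 8192 addresses), which is exactly the 87.5% reduction the reply describes; any address the ISP hands out later that lands outside the block will show up as a dropped connection, so keep widening the block from the log until it stabilises.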