Web Hosting Talk

Ipchains config question


Lurleene
09-21-2002, 08:12 PM
Hi everyone,
Does anyone know a valid ipchains command that will refuse SSH connections on port 22 from anywhere other than my one static IP address?

Thanks :)

jimroe
09-21-2002, 09:40 PM
The best way to do this is:

Allow anything from your one static IP address:
/sbin/ipchains -A input -s 111.222.111.222 -j ACCEPT

Don't specify anywhere in your rules that you allow access to port 22

Deny everything that you haven't explicitly allowed:
/sbin/ipchains -A input -i eth0 -p tcp --syn -j DENY -l

Sequence of these rules in your firewall script is important - it should be in the same sequence as I've outlined.

rusko
09-22-2002, 03:26 AM
All of your default policies should be DENY. That's the cornerstone of good firewall rule design.

In other words:

#!/bin/sh
ipchains='/sbin/ipchains'
yourip='1.1.1.1'

# default policy: anything not accepted by a rule below is dropped
$ipchains -P input DENY

# go on to allow whatever you need, e.g.

# web server, open to everyone
$ipchains -A input -p tcp --dport 80 -j ACCEPT
# ssh, only from your one static address
$ipchains -A input -p tcp -s $yourip --dport 22 -j ACCEPT

The suggestion in the post above is incorrect in that the port would still show as open when using certain port scanning techniques, even though connecting to it would not be trivial (but possible if the attacker had root access to a box on your Ethernet segment, which is not too uncommon at hosting facilities).

As a sidenote, I always start ssh on some obscure port, such as 64321, in addition to limiting access to it. Automatic scanning usually won't scan ports that high.

BTW, did you remember to upgrade your sshd, ssh, OpenSSL, Apache and PHP?

good luck,
paul

jimroe
09-22-2002, 05:49 AM
If a service is listening on a port it can show open to a port scan regardless of how the firewall is blocking it. If the firewall blocks it totally then it won't show open, but won't do any good because no one will be able to access it.

I agree that setting a default policy of deny and then opening up the access that you want is better practice, but personally I do it both ways on different servers. Setting a policy to deny requires more care if you want to be able to stop your firewall for any reason: you have to reset the policy before you flush your rules or you will be left with no access at all except from the console.

I also do not run SSH on port 22 for the same reasons, but what port you DO run it on should be kept private.

bitserve
09-22-2002, 02:09 PM
Like others have said, you can't do that with just one rule. You'll need two.

I agree that a strict firewall doesn't start with a DENY all TCP w/SYN, but rather a DENY ALL rule.

Don't forget to specify the interface for the rules if you have more than one!
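
The default-DENY layout rusko sketches, jimroe's warning about stopping a firewall whose policy is DENY, and bitserve's point about naming the interface, combined into one script as an added example. This is not code from the thread or from any of its posters; the interface name (eth0), the admin address (192.0.2.10, from the RFC 5737 documentation range), the SSH port and the DRY_RUN helper are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. A small ipchains firewall script
# that applies the default-DENY design argued for above and handles the two
# pitfalls raised in the thread: rule order (first match wins) and resetting
# the policy before flushing so "stop" does not lock you out of a remote box.
# Interface name, addresses and ports below are assumptions for the example.
#
# Usage: ./fw.sh start | stop | show
#        DRY_RUN=1 ./fw.sh start     # print the commands instead of running them

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-eth0}               # public interface; always named, per the thread
ADMIN_IP=${ADMIN_IP:-192.0.2.10}     # your one static address (assumed, RFC 5737 range)
SSH_PORT=${SSH_PORT:-22}             # change if sshd listens elsewhere

# Run a command, or only print it when DRY_RUN=1, so the rule order can be
# reviewed before it is applied on a machine you reach over SSH.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_start() {
    # Default policy first: anything not matched by a rule below is dropped.
    # Flushing afterwards means re-running the script never leaves stale
    # rules in front of the new ones.
    run "$IPCHAINS" -P input DENY
    run "$IPCHAINS" -F input

    # Loopback, and replies to TCP connections this host opened itself
    # (anything that is not a SYN). Without these a DENY policy also breaks
    # outbound DNS over TCP, package downloads and the like. ipchains is
    # stateless, so this rule necessarily also admits non-SYN probes.
    run "$IPCHAINS" -A input -i lo -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Packets arriving on the public interface with a loopback source are
    # spoofed; log (-l) and drop them before any ACCEPT rule can see them.
    run "$IPCHAINS" -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # Public services: only what you actually run.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT

    # SSH: new connections only from the one static address. This must come
    # before the catch-all below, otherwise the catch-all wins.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -s "$ADMIN_IP" --dport "$SSH_PORT" -j ACCEPT

    # Explicit catch-all for new connections, with logging. The policy would
    # drop them anyway; this makes refused attempts visible in syslog.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -y -j DENY -l
}

fw_stop() {
    # Open the policy BEFORE flushing. With the policy still DENY, a flush
    # removes the ACCEPT rules and leaves only console access.
    run "$IPCHAINS" -P input ACCEPT
    run "$IPCHAINS" -F input
}

fw_show() {
    "$IPCHAINS" -L input -n -v
}

# Dispatch only when invoked with an argument, so the file can also be
# sourced to inspect the functions.
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    show)  fw_show ;;
    "")    ;;
    *)     echo "usage: $0 start|stop|show" >&2; exit 1 ;;
esac
```

Run it once with DRY_RUN=1 and read the output top to bottom: the policy line comes first, the SSH ACCEPT for the admin address appears before the logging DENY, and fw_stop prints the policy reset before the flush. Because ipchains has no connection tracking, the "! -y" rule is what keeps the box usable under a DENY policy; it is also the reason a FIN or ACK scan still gets answers even when SYN is blocked.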

rusko
09-22-2002, 02:38 PM
jimroe,

In general, you should be really careful with what you're doing when you admin a *nix box =] Trading security for convenience, when examining it from an ROI perspective, rarely pays =]

paul