  1. #1

    Ipchains config question

    Hi everyone,
    Does anyone know a valid ipchains command that will refuse SSH connections on port 22, other than from my one static IP address?


  2. #2

    Pretty easy

    The best way to do this is:

    Allow anything from your one static IP address:
    /sbin/ipchains -A input -s YOUR_STATIC_IP -j ACCEPT   # YOUR_STATIC_IP is a placeholder; the address given in the original post was lost

    Don't specify anywhere in your rules that you allow access to port 22

    Deny everything that you haven't explicitly allowed:
    /sbin/ipchains -A input -i eth0 -p tcp --syn -j DENY -l

    Sequence of these rules in your firewall script is important - it should be in the same sequence as I've outlined.

  3. #3
    All of your default policies should be DENY. That's the cornerstone of good firewall rule design.

    in other words


    $ipchains -P input DENY

    # go on to allow whatever you need, ie

    $ipchains -A input -p tcp --dport 80 -j ACCEPT
    $ipchains -A input -p tcp -s $yourip --dport 22 -j ACCEPT

    The suggestion in the post above is incorrect in that the port would still show as open when using certain port scanning techniques, even though connecting to it would not be trivial (but possible if the attacker had root access to a box on your ethernet segment, not too uncommon at hosting facilities).

    As a side note, I always start ssh on some obscure port, such as 64321, in addition to limiting access to it. Automatic scanning usually won't scan ports that high.

    BTW, did you remember to upgrade your sshd, ssh, openssl, apache and php?

    Good luck,

  4. #4
    If a service is listening on a port it can show open to a port scan regardless of how the firewall is blocking it. If the firewall blocks it totally then it won't show open, but won't do any good because no one will be able to access it.

    I agree that setting a default policy of deny and then opening up the access that you want is better practice, but personally I do it both ways on different servers. Setting a policy to deny requires more care if you want to be able to stop your firewall for any reason - you have to reset the policy before you flush your rules or you will be left with no access at all except from the console.

    I also do not run SSH on port 22 for the same reasons, but what port you DO run it on should be kept private.
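The default-deny design from post #3 together with the safe-stop caveat from post #4, as an added example script that is not part of the thread. It assumes interface eth0, sshd on port 22, and a constructed placeholder address 192.0.2.10; the rule functions only emit the ipchains commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: interface eth0,
# sshd on port 22, admin address 192.0.2.10 (constructed placeholder).
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Emit the ruleset one command per line instead of running it, so it can
# be inspected or tested before it touches the kernel.
fw_rules() {
    iface=$1; admin_ip=$2; ssh_port=${3:-22}
    cat <<EOF
$IPCHAINS -F input
$IPCHAINS -P input DENY
$IPCHAINS -A input -i lo -j ACCEPT
$IPCHAINS -A input -i $iface -p tcp -s $admin_ip --dport $ssh_port -j ACCEPT
$IPCHAINS -A input -i $iface -p tcp --dport 80 -j ACCEPT
$IPCHAINS -A input -i $iface -p tcp --syn -j DENY -l
EOF
}
# The last rule is redundant under a DENY policy but logs (-l) every
# refused connection attempt, which the silent default policy would not.

# Post #4's caveat: restore an ACCEPT policy *before* flushing. Flushing
# under a DENY policy leaves no access except from the console.
fw_stop_rules() {
    cat <<EOF
$IPCHAINS -P input ACCEPT
$IPCHAINS -F input
EOF
}

fw_start() { fw_rules "$@" | sh; }
fw_stop()  { fw_stop_rules | sh; }

# Review check: every rule that opens the SSH port must carry a source
# restriction (-s). Returns 1 if an unrestricted SSH rule is found.
fw_check_ssh_restricted() {
    if fw_rules "$@" | grep -- "--dport ${3:-22} " | grep -qv -- " -s "; then
        return 1
    fi
    return 0
}

case "$1" in
    start) fw_start eth0 192.0.2.10 ;;
    stop)  fw_stop ;;
    show)  fw_rules eth0 192.0.2.10 ;;
esac
```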

  5. #5
    Like others have said, you can't do that with just one rule. You'll need two.

    I agree that a strict firewall doesn't start with a DENY all TCP w/SYN, but rather a DENY ALL rule.

    Don't forget to specify the interface for the rules if you have more than one!
    -Mark Adams - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  6. #6

    In general, you should be really careful with what you're doing when you admin a nix box =] Trading security for convenience, when examining it from an ROI perspective, rarely pays =]

    * Rusko Enterprises LLC - Upgrade to 100% uptime today!
    * Premium NYC collocation and custom dedicated servers
    call 1-877-MY-RUSKO or paul [at]

    dedicated servers, collocation, load balanced and high availability clusters
