SSH : Allow only specific public IP

8 posts Page 1 of 1
emperorlinux
Junior Member
Posts: 5
Joined: 01 Aug 2017, 14:27


I have 20 Linux servers hosted in the cloud. I installed CSF on all of them. I want SSH to be accessible only from our office Internet IP so that it won't be accessible from anywhere else. Is this possible? If it is, how do I set it in my CSF conf?


Thanks
Spork Schivago
Junior Member
Posts: 16
Joined: 24 Jan 2016, 20:22


Wouldn't using something like iptables be a better solution instead of using CSF to accomplish your task?

Maybe I'm misunderstanding your question here.

Do the 20 Linux servers reside on the same network? For example, the 192.168.1.0 network? If so, you could configure the SSH server to listen only on the local area network's interface. So, if your office has the following private IPv4 address, 192.168.1.2, in /etc/sshd_config you'd have something like:
ListenAddress 192.168.1.2
Now, if you only want to allow connections from those 20 Linux servers to that office server, you could use iptables and do something like this:
# Insert (-I) an ACCEPT at the top of INPUT for each allowed source address
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -s 192.168.1.3 -j ACCEPT
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -s 192.168.1.4 -j ACCEPT
...
# Append (-A) a catch-all REJECT for port 22 at the end of INPUT
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j REJECT
You'd replace 22 with whatever port your SSH server is running on. And you'd replace 192.168.1.3, 192.168.1.4, etc. with the IP address of each of the Linux servers.

I believe you can create an executable file called csfpost.sh in the /etc/csf directory and add those commands.

With the code I just posted, it would allow traffic ONLY from 192.168.1.3 and 192.168.1.4, on port 22 (the default SSH port), and then it would reject connections from anyone else. You can use public or private IP addresses with that.

Once you create the file with the 20 IP addresses, then you'd want to chmod +x /etc/csf/csfpost.sh the file and run csf -ra to restart csf.

If I'm misunderstanding something, please let me know and I'll see if I can help more.

Thanks!
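A complete /etc/csf/csfpost.sh for the approach described in the post above, added here as an example; it is not code from the thread or from CSF. It builds the iptables commands as text first so they can be reviewed (or tested) before being run, refuses to install an empty allow list, validates each address, and orders the inserts so that a failure part-way cannot lock the office out. The SSH port (22) and the office addresses 203.0.113.10 and 203.0.113.0/28 are assumed placeholders from the RFC 5737 documentation range.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh: added example for the csfpost.sh approach described in the post
# above. This is not code from the thread or from CSF. CSF executes this file after it
# has loaded its own rules, on every start and restart (csf -r, csf -ra), so the rules
# below are re-applied each time.
#
# Assumed placeholders (not from the page): SSH on port 22, and office addresses
# 203.0.113.10 and 203.0.113.0/28 from the RFC 5737 documentation range.

SSH_PORT="${SSH_PORT:-22}"
OFFICE_IPS="${OFFICE_IPS:-203.0.113.10 203.0.113.0/28}"

# Accept a dotted-quad IPv4 address with an optional /prefix and nothing else, so a typo
# in the list fails loudly instead of becoming a rule that matches the wrong hosts.
is_ipv4_or_cidr() {
    case "$1" in
        ""|*[!0-9./]*|/*|*/|*/*/*) return 1 ;;
    esac
    addr="${1%%/*}"
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Print the iptables commands rather than running them, so the rule set can be reviewed
# before it touches the firewall. Each ACCEPT is inserted at the top of INPUT (-I); the
# REJECT is then inserted at position n+1, directly below the n ACCEPTs. Applying the
# ACCEPTs first means a failure part-way leaves the office able to log in rather than
# locking everyone out. All of them sit ahead of CSF's own rules, so port 22 can stay
# in TCP_IN and the restriction still wins.
build_ssh_rules() {
    port="$1"
    shift
    if [ $# -eq 0 ]; then
        echo "refusing to build rules: an empty allow list would lock everyone out" >&2
        return 1
    fi
    for src in "$@"; do
        is_ipv4_or_cidr "$src" || { echo "bad source address: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -I INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -I INPUT $(($# + 1)) -p tcp --dport $port -j REJECT --reject-with tcp-reset"
}

# Build first, then execute; if building fails nothing is applied, and the first
# iptables error aborts the rest so the problem shows up in the csf -ra output.
# $OFFICE_IPS is deliberately unquoted so the space-separated list is split.
apply_ssh_rules() {
    rules="$(build_ssh_rules "$SSH_PORT" $OFFICE_IPS)" || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# CSF runs this file as /etc/csf/csfpost.sh. Only that invocation changes the firewall;
# running a copy under any other name just prints the rules it would apply.
case "${0##*/}" in
    csfpost.sh) apply_ssh_rules ;;
    *) build_ssh_rules "$SSH_PORT" $OFFICE_IPS ;;
esac
```

Install it as /etc/csf/csfpost.sh, chmod +x it and run csf -ra, exactly as the post says. Two caveats a practitioner would want: the script only programs iptables, so if IPV6 is enabled in csf.conf the same restriction has to be repeated with ip6tables or SSH stays reachable over IPv6; and keep an out-of-band path (cloud console or serial access) in case the office address changes. CSF can also express this without a post script: remove 22 from TCP_IN in csf.conf and add a line such as tcp|in|d=22|s=203.0.113.10 to /etc/csf/csf.allow, which allows that port only from that source.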
emperorlinux
Junior Member
Posts: 5
Joined: 01 Aug 2017, 14:27


Let me elaborate a little.

It's like this: those servers are web servers that have SSH, HTTP, HTTPS and MySQL. Normally, you can SSH from anywhere using the public IP. My objective is that I don't want it to be accessible from anywhere; I want it to be accessible only from inside our office Internet IP, not from any ISP at all. Can I allow only our office public IP and block everybody else for the SSH service?
sawbuck
Junior Member
Posts: 349
Joined: 10 Dec 2006, 16:20


Use tcp_wrappers.
emperorlinux
Junior Member
Posts: 5
Joined: 01 Aug 2017, 14:27


I'm not familiar with it. Can you give me a sample config for it, please?

Thanks
sawbuck
Junior Member
Posts: 349
Joined: 10 Dec 2006, 16:20


https://www.akadia.com/services/ssh_tcp_wrapper.html

If you're using WHM/cPanel then additional ports will need to be enabled for access. Additionally, your data center/cloud provider may require specific IPs to be included in the hosts.allow file for monitoring/access purposes.

Wrappers give you the additional security of denying everything that isn't specifically allowed.
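A sample tcp_wrappers setup for the suggestion above, added here as an example; it is not code from the thread or from the linked page. It generates a deny-by-default /etc/hosts.deny and an sshd allow list, and first checks whether the installed sshd is linked against libwrap at all: upstream OpenSSH removed tcp_wrappers support in release 6.7, so on many current systems sshd never reads hosts.allow/hosts.deny and these files would give no protection. The office addresses 203.0.113.10 and 203.0.113.0/255.255.255.240 are assumed placeholders.

```shell
#!/bin/sh
# Added example for the tcp_wrappers suggestion above; not code from the thread or from
# the linked page. Generates a deny-by-default hosts.deny and an sshd allow list, after
# checking whether the installed sshd links libwrap (if it does not, the files are
# silently ignored).
#
# Assumed placeholders (not from the page): office addresses 203.0.113.10 and
# 203.0.113.0/255.255.255.240, written in net/mask form, which every tcp_wrappers
# version understands.

OFFICE_IPS="${OFFICE_IPS:-203.0.113.10 203.0.113.0/255.255.255.240}"

# Returns 0 if the sshd binary links libwrap (hosts.allow is honoured), 1 otherwise.
sshd_has_libwrap() {
    sshd_bin="${1:-$(command -v sshd 2>/dev/null)}"
    [ -n "$sshd_bin" ] || return 1
    ldd "$sshd_bin" 2>/dev/null | grep -q libwrap
}

# Join arguments with ", " (hosts_access(5) accepts comma- or space-separated lists).
join_list() {
    joined=""
    for item in "$@"; do
        joined="${joined:+$joined, }$item"
    done
    printf '%s' "$joined"
}

# hosts.allow is consulted first; a match here wins over anything in hosts.deny.
# Keep loopback open for every service, and open sshd only to the office list.
hosts_allow_content() {
    printf 'ALL: 127.0.0.1\n'
    printf 'sshd: %s\n' "$(join_list "$@")"
}

# ALL: ALL denies every wrapped service that has no line in hosts.allow, which is the
# "deny everything not specifically allowed" behaviour described above. It also means
# every other libwrap-aware daemon, and any provider monitoring address, needs its own
# allow entry, as the post warns.
hosts_deny_content() {
    printf 'ALL: ALL\n'
}

# Writes both files; run as root on the server after reviewing the generated output.
# $OFFICE_IPS is deliberately unquoted so the space-separated list is split.
install_wrapper_files() {
    hosts_deny_content > /etc/hosts.deny
    hosts_allow_content $OFFICE_IPS > /etc/hosts.allow
}

if sshd_has_libwrap; then
    echo "sshd links libwrap; generated hosts.allow and hosts.deny follow:"
else
    echo "WARNING: sshd does not link libwrap (or was not found); it will ignore these files." >&2
fi
hosts_allow_content $OFFICE_IPS
hosts_deny_content
```

Run it once to see the generated files and the libwrap check; only install_wrapper_files writes to /etc. If the warning fires, hosts.allow will not restrict SSH on that build and the firewall approach from the earlier post is the one to use.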
emperorlinux
Junior Member
Posts: 5
Joined: 01 Aug 2017, 14:27


What I really want to happen is to block all and only allow specific ports and an Internet IP to access that specific port. Is this possible with CSF?
emperorlinux
Junior Member
Posts: 5
Joined: 01 Aug 2017, 14:27


What if I want to block all and only allow specific ports and IPs on our Internet IP? Is this possible with CSF?