Hi Mick,
Thanks for the reply, the IP Tables example is a great help; I don't think I was very clear with what I want to achieve with SSH, in an attempt to be brief.
I don't want to limit the connections to SSH or change the SSH port, I would like it so that upon a successful connection to the SSH Daemon (i.e. someone authenticates with their public key) that their IP address is added to IPTables to allow access to the port range 7000-7999.
To explain why, recently, I have taken to Node.JS development and at the moment it isn't a very secure platform (http://nosql.mypopescu.com/post/14453905385/attacking-nosql-and-node-js-serv... - scary considering I've been running these on public ports up til now) but a friend and I develop on my home server and I would like to allow us to develop node on private port ranges, and then move these to the 8000-8999 range once they are in "production". However, he is "out in the sticks" and quite often has an IP change, also, I quite often uses my mobile over 3g to test/debug; so it'd be excellent if we could just 1 click login to ssh and be automatically excluded from the firewall.
I could probably write a node app to monitor the ssh or fail2ban logs and update the firewall configs etc, but I assume their is an in-built and more efficient means (that wouldn't take me a few days of string manipulation coding) to do it.
With Thanks and Festive Tidings
Alex
On Tue, Dec 20, 2011 at 8:13 PM, mick mbm@rlogin.net wrote:
On Sat, 17 Dec 2011 14:54:20 +0000 Alex Scotton alex.scotton@gmail.com allegedly wrote:
Hi All,
I rarely post to this list; mainly due to a lack of knowledge...
Hi Alex
Lack of knowledge is not a handicap here. In fact, in some cases a little knowledge can be a dangerous thing... ahem.
but find the email chains fascinating and very informative. I was hoping you could help me out with a few security adjustments on my home development server running Ubuntu 10.10; I would like to achieve the following setup with iptables and maybe a script in sshd_config?
- Accept any connection from within the LAN (192.168.0.*)
- Deny All from outside LAN (Except to ports 22, 80, 443, and the
range 8000 to 8999)
This is relatively easy in iptables. I'd suggest something like this:
--------------- iptables file -------------
# iptables firewall # # *filter
# set policy on INPUT to default drop (not reject) :INPUT DROP [0:0]
# but accept forwards and output :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
# accept all local loopback connects -A INPUT -i lo -j ACCEPT
# accept established connections (so returns from outgoing connections # are accepted) # -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept local net tcp connections. I recommend nominating the ports # acceptable rather than simply accepting any connection. # -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dports PLACE SOME PORTS OR RANGE HERE -j ACCEPT
# now accept application specific connections from anywhere. # note that you could collapse this to one line by comma delimiting # the port list, but I find this clearer and it is easy to comment # out a single line later if your policy changes. # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # but see note below -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m tcp --dports 8000:8999 -j ACCEPT
# only accept ssh (on port 7000) from known sources # It would be good if you could limit to known sources. Again, # one line per source address makes things clear and allows # easy edits later.
-A INPUT -p tcp -s SOURCE_ADDRESS_1 -m tcp --dport 7000 -j ACCEPT -A INPUT -p tcp -s SOURCE_ADDRESS_2 -m tcp --dport 7000 -j ACCEPT
# allow ping inbound (it helps the ssh users to know if the machine # is up). # -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# I like to log other attempts. You don't have to, but it can be # interesting.
# now log before (policy) drop start of all other incoming TCP packets # -A INPUT -p tcp -m state --state NEW -j LOG --log-level emerg --log-prefix "firewall "
# and log (policy) drop of all UDP packets -A INPUT -p udp -m state --state NEW -j LOG --log-level emerg --log-prefix "firewall "
COMMIT
# end
--------------- end iptables -------------
Now your syslog conf file needs a couple of lines line to allow the firewall logging thusly:
# log iptables connections to separate file # kern.=emerg -/var/log/firewall
# and other kernel messages go to kern.log # kern.!=emerg -/var/log/kern.log
but don't forget to comment out the standard line:
#*.emerg *
or you will get a flood of iptables logs to your console!
(the above is admittedly easily done with a google search) but my skills cant quite stretch to finding out how to add an exception to iptables for the IP of any authenticated ssh session and on timeout or disconnect remove that exception. I could then allow external developers to develop on a private port range (7000-7999 - as I do internally) by just connecting to ssh with their public key.
[Note]. I'm not sure why you want a range of ports for ssh. Change the default port by all means, but you only need one. I'm also unclear why you want to allow connections to ports 22 from outside as well as moving the ssh listener to port 7000 (so the iptables example above where I have placed the marker "see note" would allow anyone outside to connect to ssh on port 22 (so long as they can authenticate)
Nor am I sure how you expect to see an ssh session before iptables has permitted the connection. If there is no session, then you can't add/remove a line based on that connection.
But if you simply limit connections to those from known sources and with known ssh keys you should be pretty safe (for some definition of safe).
HTH
Mick
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt