Blocking connections to ssh without iptables

August 23rd, 2006

On our Internet connected servers, besides using iptables to limit incoming connections, we are using TCP wrappers (hosts.allow and hosts.deny) to reject connections originating on untrusted networks.

You are probably already using iptables to block incoming traffic on port 22 (ssh), which is fine, but what we want to do is increase security by using a more persistent method for blocking traffic. Don’t get me wrong: iptables rules can (and should) be made persistent, but sometimes, while trying out new rules, some key ports can be left open.

Basically, you have to modify two files: /etc/hosts.deny (to reject connections) and /etc/hosts.allow (to accept them). The syntax of /etc/hosts.allow and /etc/hosts.deny is simple:
daemon : client_hostname_or_IP

The idea is to block all incoming traffic and just allow trusted IP addresses:

/etc/hosts.deny
# Block all incoming ssh traffic
sshd : ALL

/etc/hosts.allow
# Accept ssh connections from trusted networks
sshd : trusted_ip_1
sshd : trusted_ip_2
sshd : trusted_ip_3

Just don’t forget to include all your trusted IP addresses in hosts.allow, or you’ll be locked out of your server the next time you try to log in.
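Because TCP wrappers consult hosts.allow first, then hosts.deny, and grant access when neither file matches, it pays to check a proposed configuration before applying it. The following script is an added example (not part of the original post): a simplified model of the libwrap matching rules that reports what sshd would do for a given client address. It handles only the common client patterns (ALL, an exact address, a dotted prefix such as "198.51.100.", and net/mask); the sample file contents are constructed to mirror the post's configuration.

```python
"""Simplified model of TCP wrappers (hosts.allow / hosts.deny) access control.

Assumption: this mimics the order libwrap uses (allow file first, then deny
file, default allow) for the most common client patterns only.
"""
import ipaddress


def _client_matches(pattern, client_ip):
    """Return True if one client pattern from hosts.allow/deny matches client_ip."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted prefix, e.g. "198.51.100."
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # "net/mask" form, e.g. "10.0.0.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == client_ip        # exact address


def _file_matches(text, daemon, client_ip):
    """True if any 'daemon : client' rule in this file matches; first match wins."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        # A rule may carry a third ':' field (options); only the first two matter here.
        daemons, clients = (part.strip() for part in line.split(":", 2)[:2])
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(_client_matches(c, client_ip) for c in clients.split(",")):
            return True
    return False


def access_granted(hosts_allow, hosts_deny, daemon, client_ip):
    """Apply the libwrap order: hosts.allow first, then hosts.deny, else allow."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    if _file_matches(hosts_deny, daemon, client_ip):
        return False
    return True


# Constructed sample files mirroring the post's configuration (documentation addresses).
HOSTS_DENY = "# Block all incoming ssh traffic\nsshd : ALL\n"
HOSTS_ALLOW = "# Accept ssh connections from trusted networks\nsshd : 192.0.2.10\nsshd : 198.51.100.\n"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "allowed" if access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip) else "denied")
```

Run it with your own hosts.allow and hosts.deny contents and the address you administer from before installing the files; a "denied" result for that address is the lockout the warning above describes.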

There are many other services that can be blocked using the method presented here; take a look at your daemon’s documentation. Even if TCP wrappers are not supported, the daemon might provide an alternative blocking method.

Entry Filed under: Linux
