[sllug-members]: SSH question
Remo Mattei
remo at italy1.com
Fri Apr 18 18:47:39 MDT 2008
well good option but if you travel then you will not be able to login to
your server if you need to have access to troubleshoot something...
Depends on what you need. On my server at work I only allow ssh from a
specific ip so all depends..
Remo
Dan Witt wrote:
> Mark K. Spute wrote:
>>
>>
>> Dan Witt wrote:
>> [snip]
>>>> Okay, I updated my iptables as you suggested above and restarted
>>>> iptables. Now I can login from machines behind my firewall (using
>>>> 127.0.0.1) However, I tried to use putty to login to my public IP
>>>> address (216.126.226.210) and I get a fatal error. It says Network
>>>> Error: connection refused.
>>>>
>>>> Is this still an iptables issue? (I know nothing about iptables, so
>>>> I am hesitant to get in there and mess around.)
>>>
>>> Hey Mark,
>>>
>>> Sorry, I'm a little confused when you say, "Now I can login from
>>> machines behind my firewall (using 127.0.0.1)" because it sounds like
>>> you are now able to connect to your server using any machine on your
>>> internal network but you then give the IP of 172.0.0.1 which is the
>>> local machine you are logged in to. If "127.0.0.1" was just a typo
>>> and you are able to SSH in from any internal machine then it sounds
>>> like the port isn't being forwarded properly from your router, you
>>> are trying to access your public IP internally or something like that.
>>>
>>> I have to agree with Remo, you can shut down the iptables service
>>> temporarily and see if it works externally just to eliminate the
>>> firewall question.
>>>
>>> /etc/init.d/iptables stop
>>
>> Sorry. It was a typo. I can ssh from the server console on
>> 127.0.0.1. I can ssh from other machines behind the firewall using
>> 192.168.0.10.
>> But I can't ssh from other machines behind the firewall using the
>> public ip of 216.126.226.210.
>>
>> I shut down iptables using the command you listed. I still got the
>> same error message on putty as before: network error, connection refused.
>>
>> What else could it be?
>
> I think that Knight Walker is correct on this one. The route is not set
> up properly for you to resolve your public IP address internally, which
> is pretty normal for home networks. If you try to SSH into your machine
> from an external location, you'll probably be able to access it.
>
>> I am very interested in Dan Witt's suggestion, I'm just not sure how to
>> do it.
>
> I agree with the others, 'authfail' or 'denyhosts' is definitely a good
> option. However, if you're a total paranoid nut case, like me, and you
> don't want anybody to attempt login unless it's from an IP address that
> you trust, use the previously mentioned filter rules. Here's an example:
>
> I pulled the following iptables filter script from some guy's Fedora
> box, it was generated at install time by 'system-config-securitylevel',
> adapt as needed for your system (# = comment):
>
> #--------------------------------------------
> #/etc/sysconfig/iptables
> # Firewall configuration written by system-config-securitylevel
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>
> #Following is commented for the upcoming SSH filter rules.
> #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>
> #Here's where you can add the previously mentioned filter rules.
> #Fedora/RedHat jump the INPUT chain to the user-defined chain 'RH-Firewall-1-INPUT' (not sure why but it's fine).
>
> #Log any attempts to connect on port 3022
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
> #Allow my internal network to connect on port 3022
> -A RH-Firewall-1-INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 3022 -j ACCEPT
> #Allow my work IP to connect on port 3022
> -A RH-Firewall-1-INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
> #Allow my Friend's IP to connect on port 3022
> -A RH-Firewall-1-INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
> #Block any other IP from trying to connect on 3022
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
>
> COMMIT
> #--------------------------------------------
>
>
> -Dan Witt
> ______________________________________________________________________
> See http://www.sllug.org/ for latest SLLUG news, information, links.
> Join SLLUG and other UT LUG members on irc.FreeNode.net channel #Utah
> sllug-members at sllug.org
> http://www.sllug.org/cgi-bin/mailman/listinfo/sllug-members
>
>
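The allowlist script quoted above, as an added example that is not part of the thread: a small Python checker, written here, that parses the iptables-save text and walks the INPUT chain for a sample packet, so you can see which sources the rules accept, drop or log before loading them on a box you may lose access to. It models only the options the quoted script uses (-i, -s, -p, --dport, jumps to a user chain, and the LOG, ACCEPT and DROP targets) and ignores the -m state / -m tcp match modules; the addresses other than those in the script are constructed test values. One thing the walk makes visible: as quoted, the chain has no catch-all rule after the port-3022 rules, so a connection to any other port matches nothing and falls through to the INPUT policy, which is ACCEPT.

```python
"""Walk an iptables-save style ruleset for a sample packet (constructed example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset: the allowlist script from the thread, comments removed.
RULESET = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
-A RH-Firewall-1-INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 3022 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
COMMIT
"""


@dataclass
class Rule:
    iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: str = ""


@dataclass
class Packet:
    iface: str
    src: str
    proto: str
    dport: Optional[int] = None


def parse_ruleset(text):
    """Return (chains, policies): rule lists per chain and built-in chain policies."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # chain declaration, e.g. ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":                    # user-defined chains have no policy
                policies[name] = policy
        elif line.startswith("-A"):              # append rule to chain
            toks = shlex.split(line)
            rule, i = Rule(), 2
            while i < len(toks):
                opt, arg = toks[i], toks[i + 1]
                if opt == "-i":
                    rule.iface = arg
                elif opt == "-s":
                    rule.src = ipaddress.ip_network(arg, strict=False)  # bare IP becomes /32
                elif opt == "-p":
                    rule.proto = arg
                elif opt == "--dport":
                    rule.dport = int(arg)
                elif opt == "-j":
                    rule.target = arg
                elif opt not in ("-m", "--state", "--icmp-type"):  # match modules not modelled
                    raise ValueError(f"unsupported option {opt!r}")
                i += 2
            chains.setdefault(toks[1], []).append(rule)
    return chains, policies


def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def _walk(chains, name, pkt, log):
    """Evaluate one chain; return a verdict, or None if the chain falls through."""
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":                 # LOG records the packet and keeps going
            log.append(f"{name}: {pkt.proto} {pkt.src} -> port {pkt.dport}")
        elif rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        elif rule.target in chains:              # jump; resume here if the sub-chain falls through
            verdict = _walk(chains, rule.target, pkt, log)
            if verdict is not None:
                return verdict
        else:
            raise ValueError(f"unknown target {rule.target!r}")
    return None


def evaluate(text, pkt):
    """Return (verdict, log lines) for a packet entering the INPUT chain."""
    chains, policies = parse_ruleset(text)
    log = []
    verdict = _walk(chains, "INPUT", pkt, log)
    return (verdict if verdict is not None else policies["INPUT"]), log
```

Running `evaluate(RULESET, Packet("eth0", "192.168.0.10", "tcp", 3022))` returns ACCEPT with one log line, while an unlisted source on the same port is logged and then DROPped; the same unlisted source on port 22 produces no log line and is ACCEPTed by the chain policy, which is the gap to close (or confirm you intend) before relying on this file as your only filter.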