SSH to my Fedora Core 2 box - Allowing just one IP!!!


jpierre
2004-07-30, 09:17 PM CDT
Hi!
I have a LINUX Fedora Core 2 box and I'd like to allow only one IP to access my LINUX. What is the best way?


Thanks,
jp


PS: I'm a newbie!!! :D

kosmosik
2004-07-30, 09:43 PM CDT
I have a LINUX Fedora Core 2 box and I'd like to allow only one IP to access my LINUX. What is the best way?
There are of course plenty of ways ;)

1] block other IPs for this service on the firewall - this is probably the worst, because when the firewall is compromised the service will get exposed
2] use a superdaemon (xinetd, inetd) - this is probably a good choice and you will save system resources
3] configure it within sshd (man sshd_config), AFAIR HostsAllow

But to be honest you probably should not block the service (as this is not very good), just harden the settings, use keys instead of passwords and that will be secure. Limiting access by host is also a way, but it has nothing to do with security, rather it has to do with access control, which is a different thing...

jpierre
2004-07-30, 10:20 PM CDT
There are of course plenty of ways ;)

1] block other IPs for this service on the firewall - this is probably the worst, because when the firewall is compromised the service will get exposed
2] use a superdaemon (xinetd, inetd) - this is probably a good choice and you will save system resources
3] configure it within sshd (man sshd_config), AFAIR HostsAllow

But to be honest you probably should not block the service (as this is not very good), just harden the settings, use keys instead of passwords and that will be secure. Limiting access by host is also a way, but it has nothing to do with security, rather it has to do with access control, which is a different thing...


Hi! Thanks for your answer!
I liked the idea of using RSA keys. Can you help me with that?

Regards,
JP

kosmosik
2004-07-30, 10:42 PM CDT
http://www-106.ibm.com/developerworks/library/l-keyc.html
http://www-106.ibm.com/developerworks/library/l-keyc2/
http://www-106.ibm.com/developerworks/linux/library/l-keyc3/

Ned
2004-07-31, 09:58 AM CDT
To allow access through your Linux firewall (iptables), if your default setting is to block, just add a rule like this:

# --destination-port is a TCP/UDP match, so the rule needs -p tcp to load
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx --destination-port 22 -j ACCEPT

where xxx.xxx.xxx.xxx is the IP address you wish to allow access. Then save your new settings with

/sbin/service iptables save

and list the settings with

iptables -L -v

Ned
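A complete version of the firewall approach, as an added example that is not Ned's command or anything from the original thread: instead of appending a single rule, it builds the whole INPUT chain so that only one source address can open a connection to TCP/22, and it checks the rule order before applying anything. The allowed address 203.0.113.5 is an assumed placeholder from a documentation range; replace it with the one host you want to let in.

```sh
#!/bin/sh
# Added example (not from the thread): an INPUT policy that lets only one
# source address reach sshd on TCP/22.  203.0.113.5 is an assumed placeholder.

# Print, in order, the iptables commands that build the policy.  Printing
# rather than running them lets you review (and test) the order first.
ssh_rules() {
    allow_ip=$1
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $allow_ip --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Ordering check on a rule list read from stdin: the per-address ACCEPT must
# come before the catch-all DROP for port 22, and both must exist, otherwise
# the allowed host is locked out together with everyone else.
rules_order_ok() {
    awk '
        /-s [0-9.]+ --dport 22 .*-j ACCEPT/ { accept = NR }
        /--dport 22 -j DROP/               { drop   = NR }
        END { exit !(accept && drop && accept < drop) }
    '
}

# Apply the policy (needs root), then persist it the Fedora way.
apply_ssh_rules() {
    ssh_rules "$1" | rules_order_ok || { echo "bad rule order" >&2; return 1; }
    ssh_rules "$1" | sh -e && /sbin/service iptables save
}
```

Two things to watch on a stock Fedora Core 2 box. First, if the default firewall is enabled, INPUT consists of a jump to the RH-Firewall-1-INPUT chain, which ends in a REJECT rule, so a rule appended to INPUT with -A is never reached; that is why the example flushes INPUT and rebuilds it (check the result with `iptables -L -v -n`). Second, the policy drops everything else, so add ACCEPT rules for any other service you run before applying it, and keep your current SSH session open while you test a new one.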

ewdi
2004-08-01, 04:03 PM CDT
Another good, secure way is to use the wheel group and disallow direct root login: use a wheel account and su to gain root access (using SSH2).
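Pulling together kosmosik's advice (keys instead of passwords, restricting within sshd), jpierre's question about RSA keys and ewdi's point about root login, here is an added example that is not from any poster in the thread: a small sh/awk audit that reads an sshd_config and reports which of those settings are still weak, with a constructed "stock" configuration beside the hardened one. The user name jp and the address 203.0.113.5 in the AllowUsers line are assumed placeholders. It runs offline on the embedded samples; point it at the real file with `sshd_weak_settings < /etc/ssh/sshd_config`.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config for key-only logins,
# no direct root login, and a user@address restriction.  "jp" and 203.0.113.5
# are assumed placeholders.  Only the whitespace-separated "Keyword value"
# form is parsed.

# Constructed sample: roughly what a stock Fedora Core 2 sshd_config allows.
WEAK_CONFIG='
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers is commented out, so any account may try to log in
'

# Constructed sample: the hardened version.  sshd honours the FIRST value it
# sees for a keyword, so these must come before any duplicate lines.
HARDENED_CONFIG='
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jp@203.0.113.5
'

# Read an sshd_config on stdin; print one line per weak or missing setting.
# Keywords are case-insensitive; first occurrence wins, except AllowUsers,
# which accumulates across lines.  Unset keywords get the weak default.
sshd_weak_settings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = tolower($1)
            if (key == "allowusers") {
                for (i = 2; i <= NF; i++) { allow++; if ($i !~ /@[0-9.]+$/) badallow = $i }
            } else if (!(key in val)) {
                val[key] = $2
            }
        }
        END {
            dflt["protocol"] = "2,1";                want["protocol"] = "2"
            dflt["permitrootlogin"] = "yes";         want["permitrootlogin"] = "no"
            dflt["passwordauthentication"] = "yes";  want["passwordauthentication"] = "no"
            dflt["challengeresponseauthentication"] = "yes"
            want["challengeresponseauthentication"] = "no"
            dflt["pubkeyauthentication"] = "yes";    want["pubkeyauthentication"] = "yes"
            for (k in want) {
                got = (k in val) ? val[k] : dflt[k]
                if (tolower(got) != want[k]) printf "%s: want %s, got %s\n", k, want[k], got
            }
            if (!allow)        print "allowusers: want user@address, got <unset>"
            else if (badallow) print "allowusers: want user@address, got " badallow
        }
    '
}

# Succeeds only when the config on stdin has nothing to report.
sshd_audit() {
    [ -z "$(sshd_weak_settings)" ]
}
```

Before restarting sshd with the hardened file, run `sshd -t` to syntax-check it and keep your existing session open until a new key-based login works. For the "within sshd" host restriction kosmosik mentioned, the equivalent with TCP wrappers (the Red Hat sshd is built with libwrap) is `sshd: 203.0.113.5` in /etc/hosts.allow and `sshd: ALL` in /etc/hosts.deny, and a single key can be pinned to that address with `from="203.0.113.5"` at the start of its authorized_keys line. For ewdi's wheel setup, `PermitRootLogin no` above plus the pam_wheel.so `use_uid` line in /etc/pam.d/su limits su to members of wheel.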

jpierre
2004-08-09, 11:08 AM CDT
Thanks guys for your help!

JP