
Block all IPs from accessing SSH on my machine?

Hey guys, how do I block all IPs except for two IPs on two different subnets on my CentOS 7 machine? I have firewalld, iptables and fail2ban, but I don’t know where to go from here. I’ve tried Google but nothing seems to work. Please help me :frowning:

/etc/ssh/sshd_config:
AllowUsers [email protected] [email protected]*

Be sure to restart the SSH daemon :stuck_out_tongue:

For more information try man sshd_config

2 Likes

I’m using a fresh install of CentOS 7, how do I check if my SSH is using SSHD? Also is it that easy? I thought you’re supposed to use fail2ban, iptables or firewalld…

btw I’m not trying to allow users on my machine to access my machine …

something like this would probably work

firewall-cmd --zone=public --remove-service=ssh 
firewall-cmd --zone=trusted --add-source=ipaddr

I thought you needed to add the service to the trusted zone, but you don’t, it will default to accept from that IP address.

If you wanted to restrict it more, you should use a different zone and add both the source ip and service to that zone.

firewalld will follow the rules based on how the zone is set up. By default it will go to the public zone (assuming that’s the default on your network connection), unless it’s from that source ip then it will go to the zone with that ip listed.

edit: remember to add --permanent to your rules for them to stay permanently. best practice to try them without it first.

2 Likes

I believe it should be:

firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-interface=<interface>
firewall-cmd --permanent --zone=trusted --add-interface=<interface>
firewall-cmd --permanent --zone=trusted --add-source=<ipaddr>
firewall-cmd --permanent --zone=trusted --add-service=ssh
firewall-cmd --reload

something like that

--zone=public

does that mean IPs outside my local network won’t be able to access my machine? would --zone=private disable that?

what should replace interface? the name of the device? or the MAC address?

firewalld comes with some arbitrary defaults. public is just the name of the default zone which allows ssh by default and is the default zone for interfaces after initial install.

You can configure any of the zones to be as secure or open as you want. The names are just for reference.

This command should show you what your interfaces and corresponding IP addresses are:

nmcli -terse -mode tabular -fields IP4.ADDRESS,GENERAL.DEVICE device show

This won’t work. That would move the interface from the public zone to the trusted zone, not something that is wanted here. The zone will activate on source ip or interface so in this case the trusted zone will activate from a connection from the trusted ip and only that ip. In your scenario either any source will be accepted without checks (defaults accept), or only traffic from that one ip will be accepted and nothing else, ever for any other service.

adding a service to the trusted zone isn’t required because that zone defaults to accept, you would need to add the service to other zones that don’t default to accept.

That said, @Eden suggested you use the trusted zone because it more accurately describes what you’re trying to accomplish.

So the trusted zone simply blocks everything in the public and local network

is it a requirement or does it add a level of security when you include both interface and IP?

Ah yes, I forgot trusted zone defaults to accept. I typically change all targets to drop on initial config.

I’m assuming @noobonlinux10 wants to block all incoming traffic except ssh from the secure IP addresses. I agree, if other services are wanted, then additional firewall entries should be made to allow those.

1 Like

Question to ask is, do you want to restrict just SSH, or all incoming traffic on that interface to specific IPs?

@noobonlinux10 the trusted zone accepts everything assigned to it. So if you assign an interface it would in theory accept everything on that interface, if you assign an IP it will accept anything from that IP. If you add both, in theory it would accept anything from that IP on that specific interface, I’ve not tested that though.

1 Like

I want to restrict all access to SSH on my machine, except for certain IPs with different subnets

Do you have physical or OOBM access to this machine or do we need to be careful that you don’t lock yourself out of ssh?

I got physical access to the system :stuck_out_tongue:

1 Like

Not needed as it’s physical… but I don’t think firewalld has an auto rollback?

could always use sleep 60 && firewall-cmd --reload &

1 Like

Yeah, exactly.
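
The approach from the replies above (a separate zone holding both the source IPs and the ssh service, rules tried without --permanent first, and a timed reload as rollback), put together as one script. It is an added example, not code from any poster; the zone name sshadmin, the two addresses and the "keep" prompt are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. ZONE and ALLOWED are placeholders (RFC 5737
# documentation addresses). Assumes the interface is in the "public" zone.
ZONE=${ZONE:-sshadmin}
ALLOWED=${ALLOWED:-"192.0.2.10 198.51.100.25"}
DRY_RUN=${DRY_RUN:-1}              # 1 = print the commands, 0 = run them
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# fw ARGS...: run firewall-cmd, or only print the invocation in dry-run mode.
fw() {
    if [ "$DRY_RUN" = 1 ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# New zones need --permanent plus a reload; the empty zone changes nothing yet.
create_zone() {
    if [ "$DRY_RUN" != 1 ] && firewall-cmd --permanent --get-zones | grep -qw "$ZONE"; then
        return 0                   # zone is left over from an earlier run
    fi
    fw --permanent --new-zone="$ZONE" && fw --reload
}

# Runtime-only changes (no --permanent): "firewall-cmd --reload" undoes them.
restrict_ssh() {
    for src in $ALLOWED; do
        fw --zone="$ZONE" --add-source="$src" || return 1
    done
    fw --zone="$ZONE" --add-service=ssh || return 1
    fw --zone=public --remove-service=ssh
}

# Arm the timed reload first, apply the rules, save only after confirmation.
apply_with_rollback() {
    if [ "$DRY_RUN" != 1 ]; then
        (sleep "$ROLLBACK_SECS" && firewall-cmd --reload) &
        rollback_pid=$!
    fi
    restrict_ssh || return 1
    [ "$DRY_RUN" = 1 ] && return 0
    # Established sessions are not cut off, so test with a NEW connection.
    printf 'Log in over SSH from an allowed IP, then type "keep": '
    read -r answer
    if [ "$answer" = keep ]; then
        kill "$rollback_pid" && fw --runtime-to-permanent
    else
        wait "$rollback_pid"       # let the reload restore the saved rules
    fi
}
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
create_zone && apply_with_rollback
```

Run it with no arguments to print the commands, and with --apply as root to execute them. --runtime-to-permanent saves every runtime change present at that moment, not only the ones made here.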

to further expand on this, how do I make it so that anyone who tries to access my machine via SSH will get locked out after 5 attempts for 3 minutes?