[NTLUG:Discuss] SSH
David
david at hayes-family.org
Thu Oct 16 22:43:11 CDT 2003
On Thu, Oct 16, 2003 at 12:27:49AM -0500, severian at pobox.com wrote:
> My switch will only send traffic destined for my IP address to me.
> (and, I suppose, a few broadcast packets) By closing all ports except 22,
> aren't I taking care of this? It seems like a small modification of your
No, not really, not if I'm understanding your telecommuting
situation. Your telecommuters, I believe, are outside your network,
coming in via their own cable modems. That means that from your
perspective, your telecommuters are just as much outsiders as any
potential attacker.
To get to your SSH server, behind the NAT and firewall, means that
you'll have to have some sort of open path from the Internet to the
server, at least for port-22 traffic. The NAT device, if it's an
off-the-shelf SOHO box, isn't usually sophisticated enough to
distinguish between different sources. If you have a tunnel for
port-22 traffic, the box will tunnel _ALL_ port-22 packets.
That's where IP Tables on your Linux server can help. It can check
the source address to determine whether any particular packet should
be ignored entirely, or allowed to pass on to the rest of your
networking stack, and hence to the SSH server process.
> suggestion from yesterday is still a nice quick way to do it. I noticed
> you allowed the DNS port, as well as SSH. So doesn't the following seem
> reasonable?
> iptables -A INPUT -i eth0 -p tcp -s 123.456.789.226/255.255.255.248 \
> --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -j DROP
The first rule should cover your telecommuters, coming from their
cable modem addresses (or address ranges), to your SSH port. Use
several rules if necessary.
The DNS rule really only needs to allow access to your ISP's DNS
servers. Lock that down, because there are a few known attacks
against DNS clients which can result in a remote root compromise.
The final rule shouldn't drop everything else on the net. You'll need
to access the Windows machines via VNC, for example. (That was the
whole point, right, to tunnel a VNC through a secure connection?)
Instead, use the final rule to drop other packets with the MAC address
of the NAT/firewall box. Outsiders can't spoof that level of the
protocol. That lets you drop unauthorized traffic from the outside,
while still remaining fairly open to your own internal traffic.
--
David Hayes
david at hayes-family.org
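The filtering logic David describes, as an added example that is not part of the original post: a small simulation of an iptables INPUT chain with first-match semantics, run over constructed sample packets. It compares the quoted ruleset (source-restricted SSH, DNS, then a final blanket DROP) with the variant David suggests, where the last rule drops only packets whose last-hop MAC is the NAT/firewall box (the real iptables match for that is `-m mac --mac-source`). All addresses and MACs are constructed documentation values, the telecommuter range and resolver addresses stand in for the poster's real ones, and the DNS rule is modelled as "replies from the ISP's resolvers", which is an assumption about what the locked-down rule is meant to permit.

```python
"""Simulate the INPUT-chain logic from the NTLUG thread.

Added example, not code from the original post. Addresses are RFC 5737
documentation ranges and MACs are from the RFC 7042 documentation block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address as seen by the Linux server
    src_mac: str    # MAC of the last hop on the LAN (what iptables' mac module sees)
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    iface: str = "eth0"


# A rule is (name, predicate, target). iptables walks the chain in order and
# the first matching rule decides; if none matches, the chain policy applies.
Rule = Tuple[str, Callable[[Packet], bool], str]


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Return the verdict for pkt under first-match semantics."""
    for _name, matches, target in rules:
        if matches(pkt):
            return target
    return policy


# Constructed values standing in for the poster's real network.
TELECOMMUTER_NET = ip_network("203.0.113.224/255.255.255.248")  # cable-modem /29
ISP_RESOLVERS = {ip_address("198.51.100.10"), ip_address("198.51.100.11")}
NAT_BOX_MAC = "00:00:5e:00:53:01"   # LAN-side MAC of the SOHO NAT/firewall
PC_MAC = "00:00:5e:00:53:42"        # an internal Windows machine


def ssh_from_telecommuters(p: Packet) -> bool:
    # iptables -A INPUT -i eth0 -p tcp -s <telecommuter range> --dport 22 -j ACCEPT
    return (p.iface == "eth0" and p.proto == "tcp" and p.dport == 22
            and ip_address(p.src) in TELECOMMUTER_NET)


def dns_replies_from_isp(p: Packet) -> bool:
    # Locked-down DNS rule: only UDP replies from the ISP's resolvers (assumed intent)
    return (p.iface == "eth0" and p.proto == "udp" and p.sport == 53
            and ip_address(p.src) in ISP_RESOLVERS)


def everything_on_eth0(p: Packet) -> bool:
    # iptables -A INPUT -i eth0 -j DROP
    return p.iface == "eth0"


def via_nat_box(p: Packet) -> bool:
    # iptables -A INPUT -i eth0 -m mac --mac-source <NAT box MAC> -j DROP
    return p.iface == "eth0" and p.src_mac.lower() == NAT_BOX_MAC


# The quoted ruleset: final rule drops everything else, LAN traffic included.
NAIVE_CHAIN: List[Rule] = [
    ("ssh", ssh_from_telecommuters, "ACCEPT"),
    ("dns", dns_replies_from_isp, "ACCEPT"),
    ("drop-all", everything_on_eth0, "DROP"),
]

# David's variant: final rule drops only what arrived through the NAT box.
MAC_CHAIN: List[Rule] = [
    ("ssh", ssh_from_telecommuters, "ACCEPT"),
    ("dns", dns_replies_from_isp, "ACCEPT"),
    ("drop-outside", via_nat_box, "DROP"),
]

# Constructed sample traffic. Anything from the Internet reaches the server
# with the NAT box as its last hop, so it carries the NAT box's MAC; hosts on
# the LAN carry their own MACs, which an outsider cannot supply.
SAMPLES: Dict[str, Packet] = {
    "telecommuter_ssh": Packet("203.0.113.227", NAT_BOX_MAC, "tcp", 40001, 22),
    "outsider_ssh":     Packet("192.0.2.55",    NAT_BOX_MAC, "tcp", 40002, 22),
    "outsider_vnc":     Packet("192.0.2.55",    NAT_BOX_MAC, "tcp", 40003, 5900),
    "lan_pc_vnc":       Packet("192.168.1.20",  PC_MAC,      "tcp", 40004, 5900),
    "isp_dns_reply":    Packet("198.51.100.10", NAT_BOX_MAC, "udp", 53, 33000),
    "rogue_dns_reply":  Packet("192.0.2.99",    NAT_BOX_MAC, "udp", 53, 33001),
}


def evaluate(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given chain."""
    return {name: run_chain(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("final DROP rule", NAIVE_CHAIN), ("MAC-based DROP rule", MAC_CHAIN)):
        print(f"--- {label} ---")
        for name, verdict in evaluate(chain).items():
            print(f"{name:18s} {verdict}")
```

Running it shows the difference David is pointing at: both chains accept the telecommuter's SSH connection and drop the outsider's SSH and VNC attempts, but only the MAC-based chain lets the internal Windows box reach the server on 5900, because its frames do not carry the NAT box's MAC and so fall through to the default ACCEPT policy.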