
Re: ipchains and ssh



On Sun, Sep 02, 2001 at 02:54:47PM -0700, Mike Egglestone wrote:
| Quoting dman <dsh8290@rit.edu>:
| 
| > On Sun, Sep 02, 2001 at 10:10:25AM -0700, Mike Egglestone wrote:
| > | Hi all,
| > | 
| > | What would be a good ipchains command to block all tcp traffic
| > | to and from a box except "ssh"?
| > | I have a box that will only be running rsync thru ssh.
| > | 
| > | This is what I tried, but I don't think it worked.
| > | 
| > | ipchains -I input -p tcp -s 0/0 -d 0/0 ! ssh -j DENY
| > 
| > What you need to do is specify the port to allow, somehow.  ssh uses
| > port 22 unless you do something strange to make it use a different
| > port.
| > 
| > With iptables I use the command :
| > 
| >     iptables -A INPUT -p tcp --dport ssh -j ACCEPT
| > 
| > This says that in the input chain, for tcp packets, if the port number
| > matches ssh in /etc/services then accept the packet regardless of IP
| > addresses.  Hopefully this will give you a pointer towards the
| > necessary ipchains options.  You may need to specify an integer rather
| > than a name defined in /etc/services for ipchains, I don't know for
| > sure.
|
| Hi..
| 
| My ssh is running on port 22.
| I figured my original ipchain command will block everything
| except ssh.  (thus I used the "!" with ssh)
| 
| Do you think it's best to change the state of the input chain to DENY and
| then just allow ssh ?

I think it is mostly a matter of preference.  It is usually
recommended to block everything (a default of DENY) and then open just
what you need.  Be sure that you aren't blocking any outgoing packets
(server responses) and ICMP packets (TCP uses ICMP packets for some
control information).

<response to non-list message>
Yes, I figured you were using a 2.2 kernel because you were using
ipchains.  iptables is used by the 2.4 kernels.
</response>

It would probably be a good idea to add some logging rules (with
ipchains that means to match the packet, but don't send it anywhere)
so that you will see some messages in /var/log/syslog and/or
/var/log/messages.

Make sure that your client side's packets actually have a route to the
server too (traceroute).

-D
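A complete ipchains ruleset of the kind dman sketches above (default DENY on the input chain, only ssh on tcp/22 let in, outgoing packets and ICMP left alone, a logging rule at the end). This is an added example, not code from the thread or from either poster. It assumes a 2.2 kernel with ipchains, ssh listening on port 22, and one convention of its own: the script only prints the ipchains commands unless APPLY=1 is set, so the ruleset can be reviewed before it is loaded as root.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny ipchains ruleset
# for a 2.2-kernel host that only serves rsync over ssh on tcp/22.
# Dry-run by default (prints the commands); run as root with APPLY=1 to load.

if [ "${APPLY:-0}" = "1" ]; then
    IPCHAINS=ipchains
else
    IPCHAINS="echo ipchains"
fi

# Assumption: sshd is on the standard port. Override with SSH_PORT=nnnn.
SSH_PORT=${SSH_PORT:-22}

load_rules() {
    # Start clean, then make DENY the default for everything arriving.
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -P input DENY
    # ipchains is stateless: it cannot tell a server reply from a new
    # connection on the way out, so leave the output chain open.
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY

    # Local processes talk to each other over lo; do not break that.
    $IPCHAINS -A input -i lo -j ACCEPT

    # The only TCP service: ssh. ipchains takes the port as a bare argument
    # after the address ("-d 0/0 22"), not as a free-standing "! ssh".
    $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 $SSH_PORT -j ACCEPT

    # Let ICMP through so errors such as "host unreachable" and the
    # fragmentation-needed messages used for path-MTU discovery still reach
    # the TCP stack.
    $IPCHAINS -A input -p icmp -j ACCEPT

    # Log whatever is left before the DENY policy drops it. A rule with -l
    # and no -j only logs the packet (kernel log, so it lands in syslog) and
    # lets it fall through to the chain policy.
    $IPCHAINS -A input -l
}

load_rules
```

Run it once without APPLY=1 and read the nine commands it prints; then `APPLY=1 sh rules.sh` as root. Because the default policy is DENY, do this from the console or from an existing ssh session that you keep open until you have confirmed a fresh ssh login still works.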
