Re: Fail2Ban Question: Can I do this without restarting the service?



On Fri, Aug 17, 2018 at 05:28:50PM -0400, cyaiplexys wrote:
> While I don't travel, the co-admin travels a LOT and doesn't always stay at
> hotels. Sometimes they are on the road, getting wifi other places, etc. So
> again, probably not possible to even get a good range.

Yes, agreed, you probably will need to open your ssh port to the world.

> >>Can I do this too?
> >>
> >>ufw deny 22/tcp # Deny connection to port 22 (ssh default port)
> >
> >You could, but there's generally no point because all ports are denied
> >by default.  You usually don't need to create specific deny rules unless
> >you have a port that you want to have open to the world, but then close
> >it for specific addresses, or if there's an IP address that you want to
> >allow access to all ports, except for a few specific ports.
> 
> But (unless I was mistaken) wasn't port 22 open by default for ssh? So
> wouldn't I have to block it once I change and open the other ssh port?

No, it's not open by default.  That's why it's necessary to set up the
"allow port 22 from..." (or whatever your alternate ssh port might be)
rule before turning the firewall on with "ufw enable".

If you've already opened port 22, then change your ssh port after
enabling the firewall, you would handle this by adding an allow rule for
the new port and then (after establishing a new ssh connection on the
new port) deleting the "allow port 22" rule rather than by adding a
"deny port 22".  To do this, run "ufw status numbered" to find the
number of the rule you want to remove, then "ufw delete [rule number]".

(Handy tip:  If you want to add a new rule that's similar to an existing
rule, but can't remember the exact syntax, you can "ufw delete [the
existing rule]" and say "no" when it asks to confirm the deletion.  The
confirmation message includes the command used to create the rule, so
you can just copy/paste it and change the details as needed to create
the new rule.)

-- 
Dave Sherohman
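A way to script the "allow the new port, then delete the numbered allow rule for the old one" procedure described above, as an added shell example that is not part of the mail. The `ufw status numbered` output it parses is a constructed sample so the script runs offline, and 2222/tcp is an assumed replacement ssh port; the script only prints the `ufw delete` commands, it does not run them.

```shell
#!/bin/sh
# Added example: plan the port change from "ufw status numbered" output.
# Rule numbers are listed highest first because ufw renumbers the
# remaining rules after every "ufw delete".

# Constructed sample of "ufw status numbered". On a real host use:
#   STATUS="$(ufw status numbered)"
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 2222/tcp                   ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 2222/tcp (v6)              ALLOW IN    Anywhere (v6)'

# allow_rule_numbers PORTSPEC STATUS
# Prints the numbers of "ALLOW IN" rules whose To column is PORTSPEC
# (both the IPv4 row and the "(v6)" row), one per line, highest first.
allow_rule_numbers() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^\[/ {
            # "[ 3] 22/tcp (v6) ALLOW IN ..." -> "3 22/tcp (v6) ALLOW IN ..."
            sub(/^\[ */, ""); sub(/\]/, "")
            i = ($3 == "(v6)") ? 4 : 3        # skip the (v6) marker if present
            if ($2 == want && $i == "ALLOW" && $(i + 1) == "IN") print $1
        }' | sort -rn
}

# retire_old_port OLDSPEC NEWSPEC STATUS
# Prints the "ufw delete N" commands that remove the old allow rules,
# but only if an allow rule for the new port already exists. Run the
# printed commands only after a fresh ssh login on the new port worked.
retire_old_port() {
    [ -n "$(allow_rule_numbers "$2" "$3")" ] || {
        echo "refusing: no ALLOW IN rule for $2 yet (run: ufw allow $2)" >&2
        return 1
    }
    allow_rule_numbers "$1" "$3" | while read -r n; do
        echo "ufw delete $n"
    done
}

retire_old_port 22/tcp 2222/tcp "$SAMPLE_STATUS"
```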
