All installation and configuration problems and questions
Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
by kjburto » Tue Sep 20, 2016 9:22 pm
So I set up a brand new server based off the latest vicibox .iso and I installed and configured the Dynamic Good guys following all the steps one by one. I have confirmed that web access is blocked to all traffic not on the whitelist, but just recently discovered that SSH is pretty much open to all.
I currently have two different NICs configured, one for external traffic with its own IP address and one configured for internal traffic with an internal IP address.
The question is how do I secure SSH to not allow traffic from unauthorized IP addresses? I did not see any steps within the directions for DGG about securing ssh externally so I'm at a loss as to how to do this.
VERSION: 2.12-565a BUILD: 160827-0917
Express install on Dell Power edge 1950 Dula xeon quad core processors with 16GB ram and 1TB harddrive in Raid 1
-
kjburto
-
- Posts: 81
- Joined: Tue Aug 23, 2016 2:07 pm
by kjburto » Tue Sep 20, 2016 9:57 pm
Im going through my settings in yast firewall and under allowed services I still have SSH as allowed on my external NIC. According to the instructions on the DGG wiki it says DO NOT remove Secure Shell Server (that's SSH!!):
Allowed Services
"Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
Yes, I really want to delete the selected entry (enter to select yes)
"Alt-t" again for HTTPS and delete it as well.
DO NOT remove Secure Shell Server (that's SSH!!)
So I didn't, but I am wondering if this is why I can still access SSH even though the IP is not whitelisted and should I remove that from the allowed services in order to secure my server further?
-
kjburto
-
- Posts: 81
- Joined: Tue Aug 23, 2016 2:07 pm
by covarrubiasgg » Tue Sep 20, 2016 10:37 pm
Yes, that is why, if you are 100% sure that you are not going to lock out the server and that it will not be very painful to get physical access to the server in case something goes wrong, go ahead and remove that rule, because it is unsafe to have ssh exposed to the world.
-
covarrubiasgg
-
- Posts: 420
- Joined: Thu Jun 10, 2010 10:20 am
- Location: Tijuana, Mexico
-
by kjburto » Wed Sep 21, 2016 7:06 am
covarrubiasgg wrote:Yes, that is why, if you are 100% sure that you are not going to lock out the server and that it will not be very painful to get physical access to the server in case something goes wrong, go ahead and remove that rule, because it is unsafe to have ssh exposed to the world.
Yep that was it. Thanks for the help
-
kjburto
-
- Posts: 81
- Joined: Tue Aug 23, 2016 2:07 pm
Return to Support
Who is online
Users browsing this forum: No registered users and 54 guests