Blocking unauthorized access externally to SSH

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Blocking unauthorized access externally to SSH

Postby kjburto » Tue Sep 20, 2016 9:22 pm

So I set up a brand new server based off the latest vicibox .iso and I installed and configured the Dynamic Good guys following all the steps one by one. I have confirmed that web access is blocked to all traffic not on the whitelist, but just recently discovered that SSH is pretty much open to all.

I currently have two different NICs configured, one for external traffic with its own IP address and one configured for internal traffic with an internal IP address.

The question is how do I secure SSH to not allow traffic from unauthorized IP addresses? I did not see any steps within the directions for DGG about securing ssh externally so I'm at a loss as to how to do this.


VERSION: 2.12-565a BUILD: 160827-0917
Express install on Dell Power edge 1950 Dula xeon quad core processors with 16GB ram and 1TB harddrive in Raid 1
kjburto
 
Posts: 81
Joined: Tue Aug 23, 2016 2:07 pm

Re: Blocking unauthorized access externally to SSH

Postby kjburto » Tue Sep 20, 2016 9:57 pm

Im going through my settings in yast firewall and under allowed services I still have SSH as allowed on my external NIC. According to the instructions on the DGG wiki it says DO NOT remove Secure Shell Server (that's SSH!!):

Allowed Services
"Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
Yes, I really want to delete the selected entry (enter to select yes)
"Alt-t" again for HTTPS and delete it as well.
DO NOT remove Secure Shell Server (that's SSH!!)

So I didn't, but I am wondering if this is why I can still access SSH even though the IP is not whitelisted and should I remove that from the allowed services in order to secure my server further?
kjburto
 
Posts: 81
Joined: Tue Aug 23, 2016 2:07 pm

Re: Blocking unauthorized access externally to SSH

Postby covarrubiasgg » Tue Sep 20, 2016 10:37 pm

Yes, that is why, if you are 100% sure that you are not going to lock out the server and that it will not be very painful to get physical access to the server in case something goes wrong, go ahead and remove that rule, because it is unsafe to have ssh exposed to the world.
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Blocking unauthorized access externally to SSH

Postby kjburto » Wed Sep 21, 2016 7:06 am

covarrubiasgg wrote:Yes, that is why, if you are 100% sure that you are not going to lock out the server and that it will not be very painful to get physical access to the server in case something goes wrong, go ahead and remove that rule, because it is unsafe to have ssh exposed to the world.


Yep that was it. Thanks for the help
kjburto
 
Posts: 81
Joined: Tue Aug 23, 2016 2:07 pm


Return to Support

Who is online

Users browsing this forum: No registered users and 54 guests