hardening SSH

Justin W jlist at jdjlab.com
Sat Aug 18 04:26:46 UTC 2007


Michael Klinosky wrote:
> Rick:
>> If you only want to allow incoming ssh sessions from that address
>> block, use iptables and insert a rule:
>> -A INPUT -p tcp -m tcp -s 200.100.0.0/16 --syn --dport 22 -j ACCEPT
>> and make sure the last rule is something like:
>> -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
>> to drop any other connection attempts other than the ones allowed above
>> it.
>
> How does this differ from the hosts.allow & hosts.deny method?
>
Not by a whole lot looking at the end result.  It's perfectly possible 
to use the hosts.* files.  I personally feel safer with iptables knowing 
it works for every program on the computer, while the hosts.* files only 
work for programs which are tcpwrappers aware (iptables works with the 
kernel's tcp stack and can control connections at a low level, while the 
deny.* controls are implemented within each program/daemon).

> Justin:
>> If you would be able to tell us which ISP you have, you may be able to
>> narrow down the address range even more.
>
> I know about whois.org - so I tried it. I had to delve a bit to get the
> detailed info, but found the range. There is a CIDR - is that what I
> want? It's narrowed down to /21.
>

Yes. CIDR stands for Classless Interdomain Routing.  It allows for 
network masks to go beyond the original Class A, B, C, etc addresses.  
By using CIDR, it is possible to use the internet address space more 
efficiently, and waste fewer addresses when different networks are 
needed.  With 5 bits borrowed from the Class B address, there's a 
possibility of 32 (2**5) different address ranges which you could be 
part of. Each network can only have 2048 hosts (down from a Class B's 
65536), an impressive 96.875% reduction.

I've constructed a listing of the different address ranges which are 
possible in your situation.  All you need to do is dial-up the client, 
get its current IP address, and find which range it falls in.  Then in 
the iptables (or hosts.allow) line below the table, replace the network 
address with the one you selected from the list (e.g. 200.100.48.0 if 
your IP is 200.100.51.192):

200.100.0.0-200.100.7.255      |  200.100.128.0-200.100.131.255
200.100.8.0-200.100.15.255     |  200.100.132.0-200.100.143.255
200.100.16.0-200.100.23.255    |  200.100.144.0-200.100.151.255
200.100.24.0-200.100.31.255    |  200.100.152.0-200.100.159.255
200.100.32.0-200.100.39.255    |  200.100.160.0-200.100.167.255
200.100.40.0-200.100.47.255    |  200.100.168.0-200.100.175.255
200.100.48.0-200.100.55.255    |  200.100.176.0-200.100.183.255
200.100.56.0-200.100.63.255    |  200.100.184.0-200.100.191.255
200.100.64.0-200.100.71.255    |  200.100.192.0-200.100.199.255
200.100.72.0-200.100.79.255    |  200.100.200.0-200.100.207.255
200.100.80.0-200.100.87.255    |  200.100.208.0-200.100.215.255
200.100.88.0-200.100.95.255    |  200.100.216.0-200.100.223.255
200.100.96.0-200.100.103.255   |  200.100.224.0-200.100.231.255
200.100.104.0-200.100.111.255  |  200.100.232.0-200.100.239.255
200.100.112.0-200.100.119.255  |  200.100.240.0-200.100.247.255
200.100.120.0-200.100.127.255  |  200.100.248.0-200.100.255.255

iptables -A INPUT -p tcp --dport 22 -s 200.100.0.0/21 -j ACCEPT  (with a 
drop policy)

sshd: 200.100.0.0/255.255.248.0      (hosts.allow)
sshd: ALL                            (hosts.deny)

Justin W
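The lookup Justin describes (dial up, read the client's address, find the /21 it falls in, then substitute that network into the iptables and hosts.allow lines) can be done with the standard-library ipaddress module instead of by hand. This is an added example, not code from the thread; it reuses the thread's placeholder ISP block 200.100.0.0/16 and the /21 the poster found, and it also regenerates the full table of 32 candidate ranges.

```python
import ipaddress

# The thread's example ISP block and the CIDR length the poster found (/21).
ISP_BLOCK = ipaddress.ip_network("200.100.0.0/16")
CLIENT_PREFIX = 21


def subnets_of(block=ISP_BLOCK, new_prefix=CLIENT_PREFIX):
    """All /new_prefix networks carved out of the ISP block (2**(new_prefix-16) of them)."""
    return list(block.subnets(new_prefix=new_prefix))


def ranges(block=ISP_BLOCK, new_prefix=CLIENT_PREFIX):
    """The same subnets as first-last address strings, like the table in the post."""
    return [f"{n.network_address}-{n.broadcast_address}" for n in subnets_of(block, new_prefix)]


def block_for(client_ip, prefix=CLIENT_PREFIX):
    """The /prefix network a dial-up client address falls into (host bits are masked off)."""
    return ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)


def iptables_rule(net):
    # Accept only new SSH connections (SYN) from the selected block; the chain's
    # default policy (or a final DROP rule) rejects everything else.
    return f"iptables -A INPUT -p tcp --syn --dport 22 -s {net.with_prefixlen} -j ACCEPT"


def hosts_allow_line(net):
    # tcpwrappers wants a dotted netmask rather than a prefix length.
    return f"sshd: {net.network_address}/{net.netmask}"


def is_allowed(src_ip, net):
    """Check a source address against the selected block, as either filter would."""
    return ipaddress.ip_address(src_ip) in net


if __name__ == "__main__":
    # Constructed client address from the post's own example.
    net = block_for("200.100.51.192")
    print(f"client is in {net}")
    print(iptables_rule(net))
    print(hosts_allow_line(net), "(hosts.allow)")
    print("sshd: ALL", "(hosts.deny)")
    for left, right in zip(ranges()[:16], ranges()[16:]):
        print(f"{left:<30} | {right}")
```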
