SSH Port 22 Firewall Settings

I want to block access to SSH Port 22 for all IP addresses except my home IP address. Only issue I see is that my home IP address is not static so it will change every now and again and I could get locked out of the server when it does change.

(1) How do other people handle this situation?
(2) Can you write to the firewall settings from the Linode control panel without being logged into the server proper?

Ununtu 18.04LTS

Thank you.

2 Replies

Personally I just don't worry about it.

Using ssh key only authentication - and disallowing password based - increases security, a lot.

It's often the default already, but just in case the setting is in /etc/ssh/sshd_config:

PasswordAuthentication no

Make sure you already have ssh key auth set up when you make this change.

Another thing that helps in my experience is tightening what crypto algorithms are enabled on the server, the default set is quite large.

If you do this, a lot of ssh scan bots won't be able to connect at all - and won't proceed to guessing the password (which won't work anyway when password based is turned off).

But it warms my heart to see things like this in system logs:

Unable to negotiate with 58.242.83.29 port 52774: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

Here the hacker uses older crypto, and cannot establish a connection at all.

Again sshd_config:

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected]
Ciphers [email protected],[email protected],[email protected]

After making changes to sshd_config, apply them with systemctl restart sshd and try to log in from another window while keeping the window where you made the change still open.

But if you do get locked out somehow - just use Lish and revert the changes:

https://www.linode.com/docs/networking/using-the-linode-shell-lish/


If you still wanted to go with your original idea…

Just change your firewall rule for ssh:

  • Instead of allowing ssh (22) from any address
ufw allow 22
  • Only allow it from your home connection's public IP
ufw allow from 1.2.3.4  to any port 22
  • When the IP changes and you get locked out, use Lish to log into the server and replace the IP specific rule.

  • Be sure to add new rules first and only then delete the originals (just to be safe).

  • If your IP addresses, as they vary, still come from same subnet (which they most likely should, unless we're also considering travel), you can make things easier by allowing connections from that subnet.

For example:

ufw allow from 1.2.0.0/16 to any port 22

Here we're allowing access from 65536 potential source IPs (1.2.0.0 - 1.2.255.255), which is a lot better than the default "from all" which really means "4 billion".

You can narrow it down even more, to 256 potential source IPs:

ufw allow from 1.2.3.0/24 to any port 22

… or something in between, say "/20". Depends on your provider and what you want in terms of convenience.

kmansoft,
Thank you. This is perfect and exacty what I needed. I like the idea of tightening up the crypto algorithms.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct