SSH Port 22 Firewall Settings
I want to block access to SSH Port 22 for all IP addresses except my home IP address. The only issue I see is that my home IP address is not static, so it will change every now and again and I could get locked out of the server when it does change.
(1) How do other people handle this situation?
(2) Can you write to the firewall settings from the Linode control panel without being logged into the server proper?
Personally I just don't worry about it.
Using ssh key-only authentication - and disallowing password-based - increases security, a lot.
It's often the default already, but just in case the setting is in
Make sure you already have ssh key auth set up when you make this change.
Another thing that helps in my experience is tightening what crypto algorithms are enabled on the server, the default set is quite large.
If you do this, a lot of ssh scan bots won't be able to connect at all - and won't proceed to guessing the password (which won't work anyway when password based is turned off).
But it warms my heart to see things like this in system logs:
Unable to negotiate with 126.96.36.199 port 52774: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Here the hacker uses older crypto, and cannot establish a connection at all.
KexAlgorithms firstname.lastname@example.org,diffie-hellman-group-exchange-sha256
MACs email@example.com,firstname.lastname@example.org
Ciphers email@example.com,firstname.lastname@example.org,email@example.com
After making changes to sshd_config, apply them with
systemctl restart sshd and try to log in from another window while keeping the window where you made the change still open.
But if you do get locked out somehow - just use Lish and revert the changes:
If you still wanted to go with your original idea…
Just change your firewall rule for ssh:
- Instead of allowing ssh (22) from any address
ufw allow 22
- Only allow it from your home connection's public IP
ufw allow from 188.8.131.52 to any port 22
When the IP changes and you get locked out, use Lish to log into the server and replace the IP specific rule.
Be sure to add new rules first and only then delete the originals (just to be safe).
If your IP addresses, as they vary, still come from same subnet (which they most likely should, unless we're also considering travel), you can make things easier by allowing connections from that subnet.
ufw allow from 184.108.40.206/16 to any port 22
Here we're allowing access from 65536 potential source IPs (220.127.116.11 - 18.104.22.168), which is a lot better than the default "from all" which really means "4 billion".
You can narrow it down even more, to 256 potential source IPs:
ufw allow from 22.214.171.124/24 to any port 22
… or something in between, say "/20". Depends on your provider and what you want in terms of convenience.
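An added example, not code from the answer above or from Linode: a small POSIX sh script that keeps the "ufw allow from HOME to any port 22" rule following a dynamic-DNS name, adding the new rule before deleting the old one as recommended above, and that prints how many source addresses a widened /24, /20 or /16 rule really opens. Everything about the setup is my assumption: the home router updates a DDNS hostname (HOME_HOST, here home.example.net), the last allowed address is kept in STATE_FILE, and the "sync" mode is run as root from cron. The addresses in the comments are constructed documentation addresses (203.0.113.0/24).

```shell
#!/bin/sh
# Added example (not from the thread). Assumed setup, not the page's:
#   HOME_HOST  - DDNS name the home router keeps updated
#   STATE_FILE - where the last allowed address is remembered
#   "sync" is run as root from cron; the other functions need no privileges.
set -u

SSH_PORT=22
HOME_HOST=${HOME_HOST:-home.example.net}          # assumed DDNS hostname
STATE_FILE=${STATE_FILE:-/var/lib/ssh-allow.ip}   # assumed state file

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "first last count": the block a "ufw allow from A.B.C.D/N"
# rule opens. A bare address counts as /32, i.e. exactly one host.
# e.g. cidr_range 203.0.113.77/20 -> 203.0.112.0 203.0.127.255 4096
cidr_range() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    count=$(( 1 << (32 - prefix) ))
    first=$(( $(ip2int "$ip") & (4294967295 - (count - 1)) ))
    last=$(( first + count - 1 ))
    echo "$(int2ip "$first") $(int2ip "$last") $count"
}

# rotate_rule OLD NEW: print the ufw commands that move the SSH rule from OLD to NEW.
# The new rule is added first and the old one deleted afterwards, so there is never a
# moment with no rule at all. Prints nothing when the address has not changed.
rotate_rule() {
    [ "$1" = "$2" ] && return 0
    echo "ufw allow from $2 to any port $SSH_PORT"
    echo "ufw delete allow from $1 to any port $SSH_PORT"
}

# sync_rule: resolve HOME_HOST (IPv4 only) and rotate the rule if the address moved.
# Needs root for ufw and working DNS; on resolver failure it leaves the firewall alone
# rather than deleting the only rule that lets you in.
sync_rule() {
    new=$(getent ahostsv4 "$HOME_HOST" | awk 'NR == 1 { print $1 }')
    if [ -z "$new" ]; then
        echo "cannot resolve $HOME_HOST; leaving the firewall alone" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ -z "$old" ]; then
        ufw allow from "$new" to any port "$SSH_PORT"   # first run: nothing to replace yet
    else
        rotate_rule "$old" "$new" | sh -e
    fi
    echo "$new" > "$STATE_FILE"
}

case "${1:-}" in
    sync)  sync_rule ;;
    range) cidr_range "$2" ;;
    *)     ;;
esac
```

Run it as `./ssh-allow.sh range 203.0.113.77/20` to see what a candidate prefix opens before you commit to it, and as `./ssh-allow.sh sync` from root's crontab every few minutes so the rule follows the home address. The same add-then-delete order applies when you edit sshd_config by hand: run `sshd -t` to syntax-check the file before `systemctl restart sshd`, and keep the existing session open until a second login works.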
Thank you. This is perfect and exactly what I needed. I like the idea of tightening up the crypto algorithms.