Multiple IP addresses
But now what? Is it possible to set up firewall rules based on the incoming IP address?
Is it possible to dedicate a service to an IP? So if you port-scanned one IP, only certain ports would appear open?
17 Replies
As you mention a firewall, you could do port-forwarding from one IP address to another, but I'd personally configure the service to run on a certain IP address instead, as mentioned above.
As for your application question, most do support binding to specific IPs. Check the configuration documentation. Some software doesn't have that feature, of course, in which case it would probably be easiest to let it listen on whatever it wants to but firewall off the other IPs, knowing that the service would be accessible on the other IP if something happened to your firewall.
Why do you care about running different services on different IPs, though?
Does anybody know if it can be done with UFW, or a good document on how to do it with iptables? I am missing some of the search vocabulary to locate the document myself.
Don't waste public IPs on something as useless as "security thru obscurity".
@vonskippy:
1, 2, or 20 IPs, it's still the SAME box.
Don't waste public IPs on something as useless as "security thru obscurity".
While I do agree that, by itself, splitting services like this is a "security thru obscurity" argument, it does have a certain merit if used as described above.
Assume my box has 2 IPs. I set up my web server on one IP and set up DNS to point all my domains at that IP. Then I limit my SSH server to only listen on the other IP. The SSH server is still locked down to only allow key-based auth, not allow root login, etc.
With a setup like that, you are just as vulnerable to random IP sweeps, but your vulnerability to those sweeps, since your SSH is key-only and you keep your web server up to date, is pretty close to zero.
The benefit of splitting the services is that Mr. Angry Hacker, having been offended by your inflammatory blog posts, has almost zero chance of discovering your second IP, cutting in half the number of services he can attempt to exploit as a method of harming your box.
@jzimmerlin:
Forgive me if I'm wrong, but if you're using key-based authentication, aren't the chances of someone hacking into your Linode via SSH extremely low?
+1
I'd be a lot more worried about the bad guys hacking a webserver than a decently-configured sshd. Wasting a second IP for this is silly at best.
@dmwilliams:
Does anybody know if it can be done with UFW, or a good document on how to do it with iptables? I am missing some of the search vocabulary to locate the document myself.
It's always a good idea to configure your services so that they only listen on the IP address they're supposed to listen on in the first place, rather than having them listen on all IPs and using a firewall to block them.
If you want to use Ubuntu's UFW (which is one of the easiest firewall tools out there), just apt-get install it and run the following commands:
sudo ufw allow from any to 12.34.56.78 port 22
sudo ufw allow from any to 98.76.54.32 port 80
sudo ufw allow from any to 98.76.54.32 port 443
sudo ufw default deny
sudo ufw enable
The first line allows SSH on 12.34.56.78. The next two lines allow HTTP and HTTPS on 98.76.54.32. The fourth line disallows everything else, and the fifth line activates the firewall. Change to fit your needs. If you accidentally lock yourself out, go to Lish and try again.
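The advice in this reply (bind each service to the address it is meant for, and only use the firewall as a backstop) and the earlier note that some software cannot bind to a single IP both come down to one check: what is actually listening on which address. The script below is an added example, not code from this thread or from Linode; it audits the output of `ss -ltnH` against a per-address policy using the two hypothetical addresses from the UFW rules above. The sample `ss` output is constructed, not captured from a real host. A wildcard bind (`0.0.0.0`, `::` or `*`) is flagged because that service is reachable on every IP the box has, so the firewall is the only thing keeping it off the "other" address.

```python
"""Audit listening TCP sockets against a per-IP service policy.

Feed it the output of `ss -ltnH` (or the constructed sample below) and it
reports every service reachable on an address the policy does not assign
to it, including wildcard binds that make a service reachable on every IP
regardless of which one DNS advertises.
"""
import ipaddress
import subprocess

# Which ports should be reachable on which address. Hypothetical addresses
# taken from the UFW example in the thread. Loopback is ignored because it
# is not reachable from outside.
POLICY = {
    "12.34.56.78": {22},
    "98.76.54.32": {80, 443},
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 12.34.56.78:22 0.0.0.0:*
LISTEN 0 511 98.76.54.32:80 0.0.0.0:*
LISTEN 0 511 98.76.54.32:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:8080 *:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_local(field):
    """Split ss's local-address column ("addr:port", "[v6]:port", "*:port") into (address, port)."""
    addr, _, port = field.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, int(port)


def audit(ss_output, policy=POLICY):
    """Return a sorted list of (address, port, reason) findings."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = parse_local(cols[3])
        if addr in WILDCARDS:
            # Reachable on every address the box has; only the firewall
            # keeps it off the other IP.
            findings.append((addr, port, "wildcard bind"))
            continue
        if ipaddress.ip_address(addr).is_loopback:
            continue
        allowed = policy.get(addr)
        if allowed is None:
            findings.append((addr, port, "address not in policy"))
        elif port not in allowed:
            findings.append((addr, port, "port not assigned to this address"))
    return sorted(findings)


def audit_live():
    """Run the audit against the local host (needs iproute2's `ss`)."""
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for addr, port, reason in audit(SAMPLE_SS):
        print(f"{addr}:{port}\t{reason}")
```

On the constructed sample this reports the MySQL, IPv6 SSH and port-8080 listeners as wildcard binds, and nothing else: the two services the UFW rules are written for are bound where the policy expects them. Run `audit_live()` on the box after changing `ListenAddress` in `sshd_config` or the `listen` directives of the web server to confirm the change took effect before relying on it.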
I host a Subversion server via svn+ssh:// and it is very difficult to configure the Subversion clients to use the keys.
Right now I am filtering IP addresses.
And I just got the multiple IP address thing working by binding IP addresses within the config of each service. It works pretty well.
It's really cool: now somebody can't ping my domain, look at the IP address, and then try to tamper with my SSH because they don't like my website. I'll be monitoring the number of SSH brute-force attempts and see how much lower it is than before.
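For the before-and-after count of brute-force attempts mentioned in the post above, here is an added example (not code from the thread) that tallies sshd authentication failures per source address from an `auth.log` excerpt. The log lines are constructed to look like what OpenSSH writes on Debian/Ubuntu, including the `[preauth]` disconnects you see when password authentication is disabled and a bot gives up; they are not from a real host, and the threshold of three failures is an arbitrary choice.

```python
"""Count sshd authentication failures per source address in auth.log."""
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt (not from a real host): one bot cycling
# usernames, one stray password attempt, and the owner's key-based login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:21:05 web sshd[2411]: Invalid user admin from 198.51.100.7 port 41022
Mar  3 10:21:07 web sshd[2411]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  3 10:21:09 web sshd[2413]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar  3 10:21:12 web sshd[2415]: Connection closed by authenticating user root 198.51.100.7 port 41031 [preauth]
Mar  3 10:21:15 web sshd[2417]: Connection closed by invalid user oracle 198.51.100.7 port 41040 [preauth]
Mar  3 10:22:01 web sshd[2420]: Accepted publickey for dmw from 10.8.0.6 port 50212 ssh2: ED25519 SHA256:abc
Mar  3 10:25:40 web sshd[2430]: Failed password for root from 203.0.113.9 port 6001 ssh2
"""

# One pattern per failure shape sshd logs; each captures the user and source.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<src>\S+) port \d+ \[preauth\]"),
]


def failed_attempts(log_text):
    """Return {source_ip: (failure_count, sorted usernames tried)}."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m["src"]] += 1
                users[m["src"]].add(m["user"])
                break  # one event per line
    return {src: (n, sorted(users[src])) for src, n in counts.items()}


def brute_forcers(log_text, threshold=3):
    """Sources with at least `threshold` failures, worst first."""
    report = failed_attempts(log_text)
    return sorted(((src, n) for src, (n, _) in report.items() if n >= threshold),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    for src, (n, names) in failed_attempts(SAMPLE_AUTH_LOG).items():
        print(f"{src:<16} {n:>3} failures, users tried: {', '.join(names)}")
    print("over threshold:", brute_forcers(SAMPLE_AUTH_LOG))
```

Two caveats when using numbers like these to judge the IP split. The counter tallies log events, not TCP connections: one probe that sends a bad username produces both an `Invalid user` line and a `Failed password` line. And sshd does not record which local address a connection arrived on, so the before/after comparison is a whole-host total; to attribute attempts to one of the two addresses you would log at the firewall (per destination address) instead.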
@vonskippy:
Drop all external SSH access and use a VPN. Let's see the mean old hacker bypass that.
I am trying to do this, but I'm having trouble.
I did this
ufw allow from 10.0.0.0/24 to any port 22
but it still does not work when I connect from the VPN!!!
@vonskippy:
Drop all external SSH access and use a VPN. Let's see the mean old hacker bypass that.
I'm trying to do this, but I can't get it working.
I allowed all connections from the 10.8.0.0/24 range, and my OpenVPN IP address is 10.8.0.6.
For some reason I still can't log in via SSH over OpenVPN until I also allow connections from the external IP that the computer is on.
It says that it is connected to the VPN, and the VPN is working: in the web browser my IP address is changed. But for SSH through the terminal it seems to care about my original IP address.
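The two posts above describe the same symptom: a rule such as `ufw allow from 10.8.0.0/24 to any port 22` matches the source address of the TCP connection, and the client picks that source address from whichever route it uses to reach the destination you typed. The simulation below is an added example, not from the thread or from any OpenVPN or UFW documentation. It models a client routing table in the shape OpenVPN's `redirect-gateway def1` produces (two /1 routes through the tunnel, plus a host route to the VPN server's public address through the original gateway so the tunnel itself keeps working) and applies the server's UFW rule to the resulting source address. The addresses are hypothetical: the Linode is assumed to be both the VPN server and the SSH target at 12.34.56.78, its tunnel-side address is assumed to be 10.8.0.1, and the client's ISP-assigned address is 203.0.113.10.

```python
"""Which source address does the SSH client use once the VPN is up?

Longest-prefix route lookup on a constructed client routing table, then the
server's UFW verdict on the source address that lookup yields.
"""
import ipaddress

# Constructed client routing table, modelled on `ip route` after OpenVPN's
# redirect-gateway def1. Not captured from a real host.
# Each entry: (destination prefix, egress interface, source address used).
CLIENT_ROUTES = [
    ("0.0.0.0/0",      "eth0", "203.0.113.10"),  # original default route via the ISP
    ("0.0.0.0/1",      "tun0", "10.8.0.6"),      # redirect-gateway def1: these two /1s
    ("128.0.0.0/1",    "tun0", "10.8.0.6"),      # cover all of IPv4 through the tunnel
    ("10.8.0.0/24",    "tun0", "10.8.0.6"),      # the tunnel subnet itself
    ("12.34.56.78/32", "eth0", "203.0.113.10"),  # host route to the VPN server's public IP,
                                                 # added so the tunnel packets can still get out
]

SERVER_PUBLIC_IP = "12.34.56.78"  # assumed: the Linode is the VPN server and the SSH target
SERVER_TUNNEL_IP = "10.8.0.1"     # assumed: the server's address inside the tunnel

# The UFW rule from the post: allow from 10.8.0.0/24 to any port 22; default deny.
UFW_ALLOW = [(ipaddress.ip_network("10.8.0.0/24"), 22)]


def route_lookup(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match, as the kernel does. Returns (interface, source address)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def server_verdict(src, dport, rules=UFW_ALLOW):
    """Apply the allow rules to a connection; anything unmatched hits default deny."""
    src = ipaddress.ip_address(src)
    for net, port in rules:
        if src in net and port == dport:
            return "ALLOW"
    return "DENY"


def ssh_attempt(dst):
    """Simulate `ssh user@dst` from the VPN client.

    Returns (egress interface, source address the server sees, UFW verdict).
    """
    iface, src = route_lookup(dst)
    return iface, src, server_verdict(src, 22)


if __name__ == "__main__":
    for dst in (SERVER_PUBLIC_IP, SERVER_TUNNEL_IP):
        iface, src, verdict = ssh_attempt(dst)
        print(f"ssh to {dst:<13} leaves via {iface} from {src:<13} -> {verdict}")
    print("web traffic leaves via", route_lookup("93.184.216.34")[0])
```

The output shows the split the poster saw: a browser request to any ordinary site falls under one of the /1 routes and leaves through `tun0`, so websites see the VPN address, but `ssh 12.34.56.78` hits the /32 host route for the VPN server itself, leaves through `eth0` with the ISP address, and is denied. Pointing SSH at the server's tunnel address (`ssh 10.8.0.1` in this model) makes the connection leave through `tun0` from 10.8.0.6 and match the rule. Allowing the client's external address instead would make it work too, but that is exactly the public SSH exposure the VPN was meant to remove. `ip route get 12.34.56.78` on the client shows the same lookup for real.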
@dmwilliams:
It's really cool: now somebody can't ping my domain, look at the IP address, and then try to tamper with my SSH because they don't like my website. I'll be monitoring the number of SSH brute-force attempts and see how much lower it is than before.
Key auth or not, an attacker is much more likely to attack your web server than your SSH daemon.
Attackers also scan for vulnerable web or SSH services more often than they find a website they don't like and then attack it.