SSH to only allow logins from specific IPs and block all oth

This is the second time I am posting on the Linode forum, and my first experience was really great. Thank you to all who respond, in advance!

We use a Linode with Ubuntu 12.04. I went through the basics to install RSA encryption for SSH logins, and set up fail2ban, but I am not sure how to do the following. I want to only allow specific IP addresses (or ranges of IP addresses) to be able to SSH. In other words, I want to turn away ALL others from SSH. This way, I will be able to SSH from my office, and from home, and so will 1 other administrator. And block everybody else.

With my rudimentary unix sysadm knowledge - really, so rudimentary - I don't know how to configure fail2ban to enforce such a ban. Is this a normal thing to do, or is there a different way to achieve what I want - make it really restrictive for the world to access our servers, but allow a handful of known administrators only?

Any advice appreciated!

Thanks,

Vik

3 Replies

This is the job of your firewall, not fail2ban. fail2ban just watches your kernel logs for probes on your SSH and then sends commands to the firewall to start blocking those IP addresses.

If you want to whitelist specific IP addresses then you have no need for fail2ban… because all (non-whitelisted) IP addresses will already be blocked by the firewall.

On Ubuntu the easiest firewall choice for admins with rudimentary knowledge is Uncomplicated Firewall or "ufw". The guide I linked there will give you a few quick lines you can use to set up ufw, but in particular you are interested in example 6:

```
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
```

… where you replace 192.168.0.2 with an ip address you want to whitelist.

The Linode Iptables Guide also has an example of whitelisting IP addresses for SSH, but uses iptables directly instead of a beginner friendly syntax like ufw.
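As an added example (not code from this thread or from the Linode guides), the script below builds the full ufw rule set for the allow-list approach above and refuses to continue when the address you are currently connected from is not on the list, which is the usual way people lock themselves out. The admin addresses are constructed placeholders; `DRY_RUN=1` (the default) only prints the commands.

```sh
#!/bin/sh
# Added example, not code from the thread: build the ufw rule set that lets only
# a fixed list of admin addresses reach port 22, and refuse to proceed if the
# address you are connected from is not on that list (the lock-out trap).
# ADMIN_CIDRS are constructed placeholders (RFC 5737 documentation ranges).
set -eu
ADMIN_CIDRS="203.0.113.10 198.51.100.0/24"
# Dotted IPv4 -> integer, so CIDR membership can be tested with a bit mask.
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# True (exit 0) if address $1 lies inside $2, given as a single IP or a CIDR.
cidr_contains() {
  case $2 in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True if $1 matches at least one of the allow-list entries that follow it.
session_allowed() {
  addr=$1; shift
  for cidr in "$@"; do cidr_contains "$addr" "$cidr" && return 0; done
  return 1
}

# Print the ufw commands in the order they must run: defaults first, the SSH
# allow rules and the web ports next, and 'enable' only after every allow rule.
ssh_allowlist_rules() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for cidr in "$@"; do echo "ufw allow proto tcp from $cidr to any port 22"; done
  echo "ufw allow 80/tcp"      # web server stays reachable from everywhere
  echo "ufw allow 443/tcp"
  echo "ufw --force enable"
}

# $1 is the client address of your current session (e.g. "${SSH_CONNECTION%% *}").
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them with sudo.
main() {
  me=${1:-}
  if [ -n "$me" ] && ! session_allowed "$me" $ADMIN_CIDRS; then
    echo "refusing: session address $me is not in the allow-list; add it first" >&2
    return 1
  fi
  ssh_allowlist_rules $ADMIN_CIDRS | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "[dry-run] sudo $cmd"; else sudo $cmd; fi
  done
}
main "${1:-}"
```

Run it over SSH as `sh allowlist.sh "${SSH_CONNECTION%% *}"` so the lock-out check sees your real client address, then `sudo ufw status numbered` to confirm the rules.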

For ssh I use AllowUsers lines in /etc/ssh/sshd_config.

Ox - I will read up on UFW, thanks for the information. I thought fail2ban was a firewall, but I guess I didn't read the Linode article properly (https://www.linode.com/docs/security/securing-your-server). I presume I can configure UFW to only block SSH traffic, but it will let all users through to my web server (of course, I don't mind blocking bots from my web server).

Jebblue - That sounds like a very good thing for me to try. I appreciate the new solution!

You guys are great for helping, thank you!
