Ssh – restrict ssh, sftp access on ubuntu 12.04 through iptables or /etc/hosts.allow

Tags: iptables, Security, ssh, ubuntu-12.04

I've tried to get into restricting access to an Ubuntu server, but I'm still unsure which way to go. The situation: we want to restrict SSH and SFTP access to 4 clients with no static IP on an Ubuntu 12.04 server; therefore each client has a DynDNS account. The server will use a shared firewall, which unfortunately cannot use the DynDNS accounts in its allow rules.

The idea: allow access to SSH and SFTP in the shared firewall, but block everything except the 4 DynDNS accounts on the server side.

But what's the easiest way to achieve this?

The first solution would be the use of iptables with this script: run by a cronjob, it checks the DynDNS IPs and updates the iptables rules with something like:

# Allow connections from address DYNDNS_IP to SSH (port 22)
iptables -A INPUT -p tcp -m state --state NEW --source DYNDNS_IP --dport 22 -j ACCEPT

# Deny all other SSH connections
iptables -A INPUT -p tcp --dport 22 -j DROP

The second solution would be a restriction through denyhosts, e.g.:

# /etc/hosts.allow
sshd: client.dyndns.org

# /etc/hosts.deny
sshd: ALL

But I am unsure if denyhosts is also able to restrict FTP access. If so, this solution would look a bit easier to manage.

Thankful for every idea,

with kind regards,

toni
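The cron-driven iptables approach from the question, written out as an added example (this is not toni's script or anything from the original post). It assumes `getent` is available for name resolution, uses a constructed chain name `SSH_DYNDNS`, and takes the DynDNS hostnames as arguments (the `client.dyndns.example` names in the usage text are placeholders). Two points the sketch above leaves open are handled here: rules go into a dedicated chain that is flushed and rebuilt on every run, so `-A INPUT` does not pile up a new ACCEPT line each time cron fires, and a run in which no name resolves leaves the existing rules alone rather than locking every client out. Because SFTP is a subsystem of sshd, the single port 22 rule covers both SSH and SFTP. Resolver output is validated as a dotted-quad before it is interpolated into a command line.

```shell
#!/bin/sh
# Added example, not from the original post: refresh an iptables chain that
# allows SSH/SFTP (port 22) only from the current addresses of DynDNS names.
# Prints the commands it would run; set DYNDNS_APPLY=1 to execute them.

CHAIN="SSH_DYNDNS"   # constructed chain name; INPUT itself is never rebuilt
PORT=22              # sftp runs inside sshd, so one port covers both services

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Shape check only (four dotted decimal groups); rejects anything that is
# not safe to splice into an iptables command line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve every name given; names that fail are skipped so one client's
# DNS hiccup does not remove the others from the allow list.
resolve_all() {
    for h in "$@"; do
        ip=$(resolve_host "$h")
        [ -n "$ip" ] && echo "$ip"
    done
}

# Emit the iptables commands that rebuild CHAIN for the given IP list.
# Flush-and-refill of a dedicated chain keeps the rule set the same size
# on every cron run instead of appending duplicates to INPUT.
build_rules() {
    chain=$1; port=$2; shift 2
    echo "iptables -N $chain 2>/dev/null || true"
    echo "iptables -F $chain"
    for ip in "$@"; do
        is_ipv4 "$ip" || continue
        echo "iptables -A $chain -p tcp -m state --state NEW --source $ip --dport $port -j ACCEPT"
    done
    # everything else that reaches the chain is dropped
    echo "iptables -A $chain -p tcp --dport $port -j DROP"
    # hook the chain into INPUT exactly once (-C checks whether it is there)
    echo "iptables -C INPUT -p tcp --dport $port -j $chain 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $chain"
}

main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 client.dyndns.example [more names...]  (DYNDNS_APPLY=1 to apply)" >&2
        return 2
    fi
    ips=$(resolve_all "$@")
    if [ -z "$ips" ]; then
        echo "no DynDNS name resolved; leaving the current $CHAIN rules untouched" >&2
        return 1
    fi
    # word-splitting $ips into one argument per address is intended
    build_rules "$CHAIN" "$PORT" $ips | while IFS= read -r cmd; do
        if [ "${DYNDNS_APPLY:-0}" = "1" ]; then
            sh -c "$cmd" || echo "failed: $cmd" >&2
        else
            echo "$cmd"
        fi
    done
}

# Failures are reported on stderr (which cron mails); the exit status is not
# propagated so the file can also be sourced just for its functions.
main "$@" || :
```

A cron line such as `*/10 * * * * root DYNDNS_APPLY=1 /usr/local/sbin/ssh-dyndns.sh client1.dyndns.example client2.dyndns.example` refreshes the chain every ten minutes; a client whose DynDNS record is stale stays blocked until the next run after the record catches up, and an ESTABLISHED/RELATED rule earlier in INPUT keeps existing sessions alive across a refresh.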

Best Answer

If the clients don't have static IPs, then the next best solution would be to use SSH keys, with or without passphrases, and disable passwords. This is a good primer on SSH keys.

And on the server you would adjust SSH to only accept publickey via adjustments to PreferredAuthentications in /etc/ssh/ssh_config (which is in Ubuntu 12.04). A good explanation of SSH server-side options is here.

Past that I would still use iptables to further restrict ports to make things even more secure.
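A check for the "only accept publickey" step in the answer, as an added example (not the answerer's code). It reads an sshd configuration in the whitespace-separated keyword/value form and reports whether key-only logins are actually enforced; the two sample configurations are constructed, and on a real server the functions would be pointed at the server-side file, such as `/etc/ssh/sshd_config`. The edge case it catches: sshd honours the first occurrence of a keyword, so a hardening line appended below an earlier `PasswordAuthentication yes` changes nothing.

```shell
#!/bin/sh
# Added example, not from the original answer: verify that an sshd config
# enforces public-key-only logins. Sample configs below are constructed.

# Print the effective value of keyword $1 from sshd_config text on stdin.
# sshd uses the FIRST occurrence of a keyword (Match blocks aside), so the
# scan stops at the first hit and at the first Match line. Comments and
# blank lines are skipped; keyword and value are assumed to be separated
# by whitespace (the form used in Ubuntu's stock sshd_config).
sshd_effective() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    '
}

# Succeed only when the config on stdin disables password and
# challenge-response logins and leaves public-key authentication on.
# Absent keywords take the sshd defaults, which are "yes" for all three.
sshd_pubkey_only() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    cr=$(printf '%s\n' "$cfg" | sshd_effective ChallengeResponseAuthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Human-readable verdict: $1 is a label, the config comes in on stdin.
report() {
    if sshd_pubkey_only; then
        echo "$1: key-only login enforced"
    else
        echo "$1: password logins still possible"
    fi
}

# Constructed sample: hardened correctly.
GOOD_CFG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

# Constructed sample: "no" was appended, but the earlier "yes" wins.
BAD_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'

if [ -n "${1:-}" ]; then
    report "$1" < "$1"            # e.g. ./sshd-check.sh /etc/ssh/sshd_config
else
    printf '%s\n' "$GOOD_CFG" | report "good sample"
    printf '%s\n' "$BAD_CFG"  | report "bad sample"
fi
```

Run with a file path to check a real server configuration, or with no arguments to see the two constructed samples evaluated; the bad sample is reported as still allowing password logins even though its last line says otherwise.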