
This is a discussion on SSH question in the VPS & Dedicated forum

  1. #1
    JPC Member
    Join Date
    Nov 2005
    Posts
    7

    SSH question

    Being the paranoid person I am I'd like to block ssh access from anywhere but my home network. But obviously you folks need to connect occasionally as well. If I were to open ssh to your 'office.solidhost.com' IP address would that suffice? Or do people occasionally connect from other locations?

    Secondly, I have created a basic user account and only allow that user to ssh in -- root is no longer allowed. If I need to open a ticket should I provide both that account/password and my root password that you folks can 'su' to?

    P.S. Feel free to move this if it's in the wrong forum.

  2. #2
    JPC Addict
    Join Date
    Nov 2005
    Posts
    132
    I'm interested in the answer too. I've had an account for only a couple days and have already had a lot of attempts to break in. This morning someone sent several thousand ssh login requests.

  3. #3
    DEHE Milovan
    Join Date
    Apr 2005
    Posts
    438
    Ah, good to hear that you like to have your VPS secured.

    What I would suggest is that you open a support ticket with a reference to this post and we will provide you with the IP addresses that you should allow access for.

    As for that other question: yes, please make sure to include both account/password and root password, otherwise we can't log in. Oh and one more thing, you could change the SSH port from a standard 22 to something much higher, and have 22 blocked.
    Milovan Milic


    DEHE.com - Definition of Hosting Experts

  4. #4
    consultant Andre
    Join Date
    Apr 2005
    Posts
    1,155
    Additionally I would suggest to have BFD from rfxnetworks.net installed, which will block brute force scripts and insert it into the firewall (if you have APF installed - also from rfxnetworks.net).

    We can set this all up for you, so if you'd like us to set it up, please open a support ticket.
    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
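
The counting step behind a brute-force detector of the kind described above, as an added example that is not part of the thread and is not BFD's code. The log lines, the threshold and the allowlisted address are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not BFD code. Every log line below is a constructed sample.

sample_log() {
cat <<'EOF'
Nov 20 06:14:01 vps sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 20 06:14:03 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Nov 20 06:14:05 vps sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40141 ssh2
Nov 20 06:15:10 vps sshd[2110]: Failed password for alice from 203.0.113.10 port 51000 ssh2
Nov 20 06:15:12 vps sshd[2112]: Failed password for alice from 203.0.113.10 port 51002 ssh2
Nov 20 06:15:15 vps sshd[2115]: Failed password for alice from 203.0.113.10 port 51004 ssh2
Nov 20 06:15:20 vps sshd[2120]: Accepted password for alice from 203.0.113.10 port 51010 ssh2
Nov 20 06:16:00 vps sshd[2130]: Failed password for invalid user from 203.0.113.10 from 192.0.2.44 port 33001 ssh2
Nov 20 06:16:02 vps sshd[2132]: Failed password for root from 192.0.2.44 port 33005 ssh2
EOF
}

# Read sshd log lines on stdin; print "ip count" for each source address with
# at least $1 failed password logins. $2 = space-separated addresses to skip.
find_offenders() {
    awk -v limit="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / && NF >= 5 {
            # The user name is text supplied by the client and may contain
            # spaces, so read the address by position from the end of the
            # line: ... from <ip> port <n> ssh2
            if ($(NF-4) != "from" || $(NF-2) != "port") next
            ip = $(NF-3)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || (ip in skip)) next
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# Threshold 3 and trusted home address 203.0.113.10 (both assumed values).
sample_log | find_offenders 3 "203.0.113.10"
```

Only 198.51.100.7 is reported: the allowlisted address is skipped even though it has three failures, and the line whose user name contains a second address is counted against the real source, 192.0.2.44, which stays under the threshold.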

  5. #5
    JPC Member
    Join Date
    Nov 2005
    Posts
    7
    Have you guys worked at all with the apf option for using the DShield.org blacklist? What an awesome idea to have a distributed MAPS-like query for unusual firewall activity. Very cool feature.

    But I imagine that performance takes a significant hit. The hit that mail takes when it queries, say, spamcop's blacklist is fine as it's just getting spooled anyway. But for a Web site visit, I would think that using DShield would slow the process way down.

  6. #6
    consultant Andre
    Join Date
    Apr 2005
    Posts
    1,155
    Yes we've worked with it, and it works great.

    Actually it doesn't work the way you described. It imports the blacklist to a file on your vps, and sets iptables rules to block all traffic from those IPs. That doesn't slow things down at all, it does use quite a lot of iptables rules though. The total number of iptables rules is limited per vps: 750 for starter, 1000 for business and 1500 for enterprise - this number can be increased free of charge if necessary if it doesn't cause a performance hit. However, for just about any purpose that number of iptables rules is more than enough.
    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
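
The import described above, with the per-VPS rule limit taken into account, as an added example that is not APF's own code. The blocklist entries are constructed, the function names are hypothetical, and the one-entry-per-line input format is an assumption rather than DShield's published format.

```shell
#!/bin/sh
# Added example, not APF code. The blocklist entries are constructed samples.

sample_blocklist() {
cat <<'EOF'
# constructed sample blocklist
192.0.2.15
198.51.100.0/24
192.0.2.15          # duplicate
203.0.113.300       # invalid octet
203.0.113.8/33      # invalid prefix length
203.0.113.77
EOF
}

# Read entries on stdin (one IPv4 address or CIDR per line, "#" comments
# allowed) and print one DROP rule per unique valid entry.
# $1 = rule limit of the plan, $2 = rules already loaded (on a live system,
# for instance: iptables-save | grep -c "^-A").
# Prints no rules and returns 1 when the result would exceed the limit.
blocklist_rules() {
    awk -v limit="$1" -v used="$2" '
        function valid(e,   p, o, i, m) {
            m = split(e, p, "/")
            if (m > 2 || (m == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32))) return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
            return 1
        }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" || !valid($0) { next }
        !seen[$0]++ { entry[++n] = $0 }
        END {
            if (used + n > limit) {
                printf("blocklist needs %d rules, %d free\n", n, limit - used) > "/dev/stderr"
                exit 1
            }
            for (i = 1; i <= n; i++)
                printf "iptables -I INPUT -s %s -j DROP\n", entry[i]
        }
    '
}

# Starter plan limit from the post above (750), with 700 rules assumed loaded.
sample_blocklist | blocklist_rules 750 700
```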

  7. #7
    JPC Member bubazoo
    Join Date
    May 2006
    Location
    Warsaw, Indiana
    Posts
    33
    can you post a walkthru on how to install BFD and APF?

    do I just
    wget http://rfxnetworks.net ? because I don't see a file download there.
    or do I run
    yum install BFD APF
    from an ssh terminal? or what? every time I ask what command to put in a terminal to install a program I get my post deleted? I mean, how am I supposed to know if I can run yum or not, or how to compile a program from scratch if I'm not allowed yum? if I can install rpm's, or if I have to compile everything from scratch? or are even the compilers installed? I don't know what all I can and cannot do from within a VPS nobody ever told me, I didn't install the darn operating system I don't know.... so I just ask support to do it for me since every time I ask how to do it I get my posts deleted, or they don't respond to my support ticket about how to do it myself, apparently I'm supposed to learn someplace else apparently.
    tcoburn.com -- personal site
    crohnsdaily.com -- Discussion Forum

  8. #8
    consultant Andre
    Join Date
    Apr 2005
    Posts
    1,155
    Hi bubazoo,

    You can install APF like this:

    Code:
    cd /usr/local/src
    wget http://rfxnetworks.com/downloads/apf-current.tar.gz
    tar -zxf apf-current.tar.gz
    cd apf-0.*
    ./install.sh

    Then edit the configuration file:

    Code:
    pico /etc/apf/conf.apf

    In there, change the following settings:

    Code:
    DEVEL_MODE="0"
    SET_MONOKERN="1"

    You should now scroll down to IG_TCP_CPORTS, you can configure the ports that should be left open in there. Afterwards, save the configuration and enter:

    Code:
    service apf start

    Regarding BFD: first you would have to ensure that APF is installed and after that:

    Code:
    wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
    tar -zxf bfd-current.tar.gz
    cd bfd-0*
    sh install.sh

    That's it! If you need any further assistance just let us know.
    Andre van Vliet

    DEHE.com - Definition of Hosting Experts

  9. #9
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78
    I'm still a bit of a novice when it comes to servers, ssh, linux etc, but I'm learning every day.

    So I'm going to ask a really noobish question: what's APF and BFD, and would you recommend them be installed?

  10. #10
    consultant Andre
    Join Date
    Apr 2005
    Posts
    1,155
    APF stands for Active Policy Firewall and is an application by rfxnetworks. It's the best open source software-based firewall, in my opinion. I would definitely recommend it, since this will help you close unneeded ports and it'll help you restrict access for specific ports. For instance you can set it so that only specific IP addresses can access SSH. That's also possible without APF though, but it's an additional security layer. Keep in mind that it does use some resources though.

    BFD stands for Brute Force Detection and is also an application by rfxnetworks. It will try to detect brute force attacks, but it's not like it'll always detect an attack in time and it can also be a resource hog. Personally I wouldn't really use this in a VPS environment, it's probably easier to just restrict access for SSH to the IPs that need to have access, on other ports brute force attacks are quite rare anyway.
    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
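
Restricting SSH to the addresses that need it, written with plain iptables rather than APF configuration, as an added example that is not part of the thread. The addresses are constructed, the function names are hypothetical, and the generator refuses to produce rules that would cut off the admin session applying them.

```shell
#!/bin/sh
# Added example, not APF code. Addresses are constructed (documentation ranges).

# Succeeds when $1 (an IPv4 address) equals one of the remaining arguments.
in_allowlist() {
    needle=$1; shift
    for ip in "$@"; do
        if [ "$ip" = "$needle" ]; then return 0; fi
    done
    return 1
}

# Print iptables commands that accept SSH on port $1 only from the listed
# addresses and drop every other connection to that port.
# $2 is the address of the session applying the rules (in a live SSH shell,
# the first field of $SSH_CLIENT); remaining arguments are the allowlist.
# Prints no rules and returns 1 when $2 is not on the list.
ssh_allow_rules() {
    port=$1; current=$2; shift 2
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if ! in_allowlist "$current" "$@"; then
        echo "refusing: $current is not on the allowlist" >&2
        return 1
    fi
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo: a home address plus one support address (both constructed).
ssh_allow_rules 22 203.0.113.10 203.0.113.10 198.51.100.25
```

APF has its own guard against the same mistake: with DEVEL_MODE="1" a cron job flushes the firewall every 5 minutes, so a bad rule set clears itself until the value is set back to "0".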

  11. #11
    JPC Senior Member
    Join Date
    Jun 2005
    Posts
    78
    Ok, if I were to configure APF like you have mentioned above, would that configure it so no more changes are required or would I need to ensure that port 22 is kept open in case I make any mistakes with APF?
