Gentoo Forums
How to block some ssh traffic, but not all [SOLVED]
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Sun Jul 19, 2015 11:48 pm    Post subject: How to block some ssh traffic, but not all [SOLVED]

I have some non-computers on my LAN, two Samsung Smart TV's, a Samsung Galaxy S5 smart phone and an Amazon Firestick, along with my wife's Windows 7 laptop and five Gentoo desktops. I am concerned about security from the non-computers, especially with news reports of Samsung SmartTV's spying on viewers (http://www.bbc.com/news/technology-31296188).

I used to control ssh access with /etc/hosts.allow and /etc/hosts.deny, but OpenSSH doesn't support that anymore. It would appear that I need an iptables firewall, but, honestly, my eyes glaze over when reading the documentation and Wiki How-To's. I emerged fwbuilder, thinking that might be an easy way, but it isn't and the documentation links don't work.

I block external access to port 22 with my router, but that doesn't help with devices on the LAN. All the router settings seem to control incoming and outgoing connections between the WAN and the LAN, but nothing internal to the LAN (D-Link DIR-655).

Isn't there a simple way, like hosts.allow/hosts.deny to block internal ssh traffic for only some ip addresses?


Last edited by Tony0945 on Mon Jul 20, 2015 4:22 pm; edited 1 time in total
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21633

Posted: Mon Jul 20, 2015 12:46 am

iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP
Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Mon Jul 20, 2015 12:48 am

You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.
_________________
Life is a tragedy for those who feel and a comedy for those who think.
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Mon Jul 20, 2015 1:00 am

Buffoon wrote:
You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.
If I do that they cannot retrieve video from the internet. But I don't want some bot trying to crack the passwords. I don't care if they talk to the outside world, just the inside world.

Have you ever read those license agreements? You are giving them carte blanche over your network. Better that they not even see other devices.

Hu's solution looks good. I'll try it. In fact, I'll check the man page and see if I can block all ports.
Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Mon Jul 20, 2015 1:26 am

I still do not see what SSH has to do with it. Those devices are trying to harvest file listings from your network shares. Well, create a different subnet for them and let them call home if you think it is OK. I personally deny them all internet access (they are not plugged in, can't beat that!) and use MythTV and Kodi to play content from the net. There are very affordable devices that allow you to play HD content from the net using FOSS - you are in complete control.
_________________
Life is a tragedy for those who feel and a comedy for those who think.
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Mon Jul 20, 2015 4:22 pm

Hu wrote:
iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP
This works!
Quote:
X3 ~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.0.190 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.191 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.192 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.193 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.194 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.195 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.196 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.197 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.198 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.199 anywhere tcp dpt:ssh
First I had to research why iptables was complaining about the kernel. This link explained how to set it up: https://wiki.gentoo.org/wiki/Iptables#Kernel

Many many thanks, Hu.
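The rules Tony0945 shows above were added interactively with `iptables -A`, so they disappear at the next reboot. The following script is an added example, not code from the thread or from the Gentoo wiki: it validates a list of LAN addresses and emits Hu's one-liner for each of them as an `iptables-restore` fragment, which can be saved to a file and reloaded at boot. The addresses in the usage line are constructed to match the 192.168.0.190-199 block in the thread; port 22 is assumed, as in the original posts.

```shell
#!/bin/sh
# Added example (not from the thread): generate persistent iptables rules
# that drop inbound SSH from a list of LAN addresses.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. A typo such as
# 192.168.0.300 would otherwise become a rule that iptables-restore rejects,
# taking the whole rule set down with it.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1            # split into octets (only this function's $@ changes)
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore fragment for the filter table, one DROP rule per
# blacklisted address, mirroring Hu's one-liner. Fails (and prints nothing)
# if any address is malformed, so a bad list never reaches the kernel.
# Usage: gen_ssh_block_rules ADDR [ADDR...]
gen_ssh_block_rules() {
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    printf '*filter\n'
    for addr in "$@"; do
        printf '%s -p tcp --dport 22 -s %s -j DROP\n' '-A INPUT' "$addr"
    done
    printf 'COMMIT\n'
}

# Count the DROP rules in a generated fragment; handy for a sanity check
# against the blacklist length before loading the file.
count_drop_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# Example usage (constructed addresses from the thread's 192.168.0.190-199 block):
#   gen_ssh_block_rules 192.168.0.190 192.168.0.191 > /var/lib/iptables/ssh-block.rules
#   iptables-restore < /var/lib/iptables/ssh-block.rules
```

Loading the file with `iptables-restore` replaces the filter table's contents, so if the host already carries other rules, merge this fragment into the output of `iptables-save` rather than loading it on its own. Note that the INPUT chain policy stays ACCEPT, exactly as in Tony0945's `iptables -L` listing: only SSH from the listed addresses is dropped, and every other host and port is untouched. For a contiguous block of addresses, a single rule with `-m iprange --src-range 192.168.0.190-192.168.0.199` expresses the same intent in one line.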