One golden rule we have in security is: first close everything, then open services one by one, and only to whitelisted IPs.
It is exactly what we are going to see together with the SSH protocol.
Iptables is one of the most famous firewalls on Linux. Some people say that it is too complicated, and that's why ufw was created. But still, iptables is the only one for me.
We are going to drop all SSH packets not coming from one specific IP, and log them before dropping.
```shell
iptables -N SSH                                              # create the chain
iptables -A SSH -j LOG --log-prefix "SSH DROP: "             # log with a prefix
iptables -A SSH -j DROP                                      # drop packets sent to this chain
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT     # allow one IP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 22 -j ACCEPT   # allow localhost
iptables -A INPUT -p tcp --dport 22 -j SSH                   # send everything else to the drop chain
```
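The same ruleset as a script you can re-run safely, as an added example (this is not code from the original post). It wraps each append in an `iptables -C` existence check so running it twice does not duplicate rules, and `DRY_RUN=1` prints the commands instead of executing them so the ordering can be reviewed before touching a live host. The names `IPT`, `SSH_PORT`, `ALLOWED_IPS` and `DRY_RUN` are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the SSH whitelist chain
# built as an idempotent script. DRY_RUN=1 prints the commands instead of
# running them; IPT, SSH_PORT and ALLOWED_IPS are names chosen for this example.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ALLOWED_IPS="${ALLOWED_IPS:-1.2.3.4 127.0.0.1}"   # space-separated whitelist
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or just echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rule_once CHAIN RULE...: append RULE to CHAIN unless an identical rule
# already exists (iptables -C exits 0 on a match), so re-running is safe
add_rule_once() {
    chain="$1"; shift
    if [ "$DRY_RUN" = "1" ] || ! "$IPT" -C "$chain" "$@" 2>/dev/null; then
        run "$IPT" -A "$chain" "$@"
    fi
}

# build_ssh_whitelist: create the SSH chain (log, then drop), accept the
# whitelisted sources, and send all other SSH traffic to that chain
build_ssh_whitelist() {
    if [ "$DRY_RUN" = "1" ]; then
        run "$IPT" -N SSH
    else
        "$IPT" -N SSH 2>/dev/null || true   # chain may already exist
    fi
    add_rule_once SSH -j LOG --log-prefix "SSH DROP: "
    add_rule_once SSH -j DROP
    for ip in $ALLOWED_IPS; do
        add_rule_once INPUT -p tcp -s "$ip" --dport "$SSH_PORT" -j ACCEPT
    done
    add_rule_once INPUT -p tcp --dport "$SSH_PORT" -j SSH
}

# dry_run_commands: the command list a dry run would emit, in order
dry_run_commands() {
    ( DRY_RUN=1; build_ssh_whitelist )
}

# dry_run_count: number of iptables commands the script would issue
dry_run_count() {
    dry_run_commands | wc -l | tr -d ' '
}

# Apply for real only when invoked as: sh whitelist.sh apply
if [ "${1:-}" = "apply" ]; then
    build_ssh_whitelist
fi
```

Two things to keep in mind when using it. First, order matters in the INPUT chain: the ACCEPT rules for whitelisted sources must sit above the jump to SSH, so if you add a new IP after the jump rule already exists, insert it with `-I INPUT` (or flush and rebuild) rather than appending it, otherwise it lands below the jump and never matches. Second, the ruleset has no exception for already established sessions, so apply it from a whitelisted address or with a console session open, not from a shell that the new rules will start dropping.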
We can check that our rules are set up properly in the iptables configuration by running:
```shell
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  1.2.3.4              anywhere             tcp dpt:ssh
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:ssh
SSH        tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain SSH (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix "SSH DROP: "
DROP       all  --  anywhere             anywhere
```
We can have a look at the system logs and verify that it is working well.
```shell
$ dmesg -T -w
[Mon May  3 03:18:38 2021] SSH DROP: IN=eno1 OUT= MAC=ab:cd:ef:f1:85:82:1c:e6:c7:52:07:40:08:33 SRC=46.101.18.4 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26716 DF PROTO=TCP SPT=55360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
```
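Once the LOG rule is in place, the useful question is not "did one packet get dropped" but "which sources keep hitting port 22". The following added example (not part of the original post) reads kernel log lines from stdin, keeps only those carrying the `SSH DROP: ` prefix with `DPT=22`, and tallies them per `SRC` address, busiest source first. The sample lines embedded in `SAMPLE_LOG` are constructed for the example and use documentation addresses; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the "SSH DROP:"
# lines written by the LOG rule, counted per source address. Feed it real data
# with: dmesg -T | summarize_ssh_drops   (or: journalctl -k | summarize_ssh_drops)

# summarize_ssh_drops: read log lines on stdin, print "count src" per source,
# busiest source first; only lines with the prefix and DPT=22 are counted
summarize_ssh_drops() {
    awk '
        /SSH DROP: / {
            src = ""; dpt = ""          # reset per record: fields are per line
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == "22") hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# top_ssh_drop_source: the single address with the most dropped attempts
top_ssh_drop_source() {
    summarize_ssh_drops | head -n 1 | cut -d' ' -f2
}

# Constructed sample input (documentation addresses, MAC shortened) in the same
# layout dmesg -T prints for the LOG rule above.
SAMPLE_LOG='[Mon May  3 03:18:38 2021] SSH DROP: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26716 DF PROTO=TCP SPT=55360 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[Mon May  3 03:18:40 2021] SSH DROP: IN=eno1 OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=55361 DPT=22 SYN
[Mon May  3 03:18:41 2021] SSH DROP: IN=eno1 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41000 DPT=22 SYN
[Mon May  3 03:18:42 2021] unrelated kernel message that must be ignored'

# sample_top_source: run the summary over the constructed sample
sample_top_source() {
    printf '%s\n' "$SAMPLE_LOG" | top_ssh_drop_source
}

# sample_drop_count: total dropped SSH attempts in the constructed sample
sample_drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_drops | awk '{ n += $1 } END { print n + 0 }'
}
```

On a live host these lines go to the kernel ring buffer, which is lost at reboot, so point the function at a persisted copy (`journalctl -k` on systemd hosts, or the file your syslog daemon writes kernel messages to) when you want counts over more than the current uptime. Because the whitelist accepts before the jump, a whitelisted address should never appear in this output; if it does, the rule order is wrong.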
Once you have checked that everything is running as expected, you can reboot your server and you will observe that the 'SSH' chain has been deleted. Why? Well, by default iptables rules are not persistent across a reboot. One package is dedicated to reloading your rules after each reboot: iptables-persistent.
```shell
$ dpkg --list | grep iptables
ii  iptables             1.8.2-4          amd64  administration tools for packet filtering and NAT
ii  iptables-persistent  1.0.11+deb10u1   all    boot-time loader for netfilter rules, iptables plugin
```