How do I restrict IP addresses with SSH access to Statseeker?
Security scans often flag vulnerabilities in sshd. This can be mitigated somewhat by restricting the IP addresses that are permitted to log in via SSH.
FreeBSD provides three firewalls that are available for use:
ipfw (ipfirewall)
ipf (ipfilter)
pf (packetfilter)
This template uses ipfw, as it is authored and maintained by the FreeBSD project.
All steps are to be performed as root.
=========================================================================================
1) On Statseeker, create the file /home/statseeker/ipfw.rules
Change the IPADDs line in the script below to the comma-separated IP addresses and / or CIDR-notation subnets that will be allowed SSH access to Statseeker.
Once the IPADDs entries have been changed, paste the script below into the file /home/statseeker/ipfw.rules
#!/bin/sh
# Rules - comma-separated IP addresses and / or CIDR subnets of the sources allowed to use SSH
IPADDs=192.168.200.67,192.168.200.152,192.168.1.0/24
IPF=/sbin/ipfw
# Remove any existing rules before loading this set (-q quiet, -f do not prompt)
$IPF -q -f flush
# ===================================
#
# Each rule below denies new TCP connections (setup) to this host's port 22 from
# every source that is NOT in the list; the allow rule at the end handles all other traffic.
#
# Allow SSH from a single IP address
# $IPF -q add 10 deny all from not 192.168.200.67 to me 22 setup keep-state
#
# Allow SSH from an IP subnet
# $IPF -q add 20 deny all from not 192.168.1.0/24 to me 22 setup keep-state
#
# Allow SSH from multiple IP addresses - comma separated
# $IPF -q add 30 deny all from not 192.168.200.67,192.168.200.152 to me 22 setup keep-state
#
# Allow SSH from multiple IP addresses and CIDR subnets - comma separated
# $IPF -q add 40 deny all from not 192.168.200.67,192.168.200.152,192.168.1.0/24,10.100.200.0/24 to me 22 setup keep-state
#
# ===================================
# Preferred Method
# Allow SSH only from the IP addresses or subnets defined by the variable IPADDs
$IPF -q add 50 deny all from not $IPADDs to me 22 setup keep-state
#
# Allow everything else (rule 50 is evaluated first, so blocked SSH sources never reach this rule)
$IPF -q add 65530 allow ip from any to any
=========================================================================================
2) Add the following lines to the file /etc/rc.conf
firewall_enable="YES"
firewall_type="client"
firewall_name="ipfw"
firewall_script="/home/statseeker/ipfw.rules"
Note that firewall_type is only consulted by the stock /etc/rc.firewall script; with a custom firewall_script it has no effect on the rules loaded, but leaving it in place does no harm.
=========================================================================================
3) Start the firewall manually; the rc.conf additions will start the firewall automatically on reboot.
Be careful: it is possible to become locked out if the following commands are run over an SSH session from an address that is not in IPADDs.
Ensure that you have console access to Statseeker if unsure of what is being done.
service ipfw start
service ipfw stop
service ipfw restart   (run this to reload the rules after changes are made to ipfw.rules)
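To guard against the lockout warned about above, the following added example (not part of the Statseeker template) checks whether the address your SSH session comes from is covered by the IPADDs list before the rules are loaded. It assumes IPv4 entries only, given either as a host address or as a CIDR subnet, exactly as in the template; the SSH_CLIENT value shown is constructed.

```sh
#!/bin/sh
# Added example (not from the Statseeker template): verify that the address you are
# connected from is covered by IPADDs before running 'service ipfw start' over SSH.
# Assumes IPv4 entries only, as host addresses or CIDR subnets, as in the template.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies within entry $2 (e.g. 192.168.200.67 or 192.168.1.0/24).
ip_in_entry() {
    case $2 in
        */*) _net=${2%/*}; _bits=${2#*/} ;;
        *)   _net=$2;      _bits=32 ;;
    esac
    # Build the network mask; a /0 entry yields mask 0 and matches every address.
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Return 0 if address $1 is covered by any comma-separated entry in list $2.
ip_in_list() {
    _rest=$2
    while [ -n "$_rest" ]; do
        _entry=${_rest%%,*}
        if [ "$_entry" = "$_rest" ]; then _rest=""; else _rest=${_rest#*,}; fi
        ip_in_entry "$1" "$_entry" && return 0
    done
    return 1
}

# $1 is sshd's SSH_CLIENT value ("client-addr client-port server-port"),
# $2 is the IPADDs list; succeeds only when the client address is allowed.
check_ssh_client() {
    _client=${1%% *}
    [ -n "$_client" ] && ip_in_list "$_client" "$2"
}

# Usage with the template's IPADDs value and a constructed SSH_CLIENT; in a real
# session pass "$SSH_CLIENT" instead of the literal.
IPADDs=192.168.200.67,192.168.200.152,192.168.1.0/24
if check_ssh_client "192.168.1.77 51234 22" "$IPADDs"; then
    echo "client is in IPADDs: safe to run 'service ipfw start'"
else
    echo "client is NOT in IPADDs: loading these rules would lock this session out" >&2
fi
```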
=========================================================================================
4) Useful commands for viewing the firewall rules in place
ipfw list
This command displays the current list of firewall rules configured with ipfw.
ipfw show
This command lists the rules with counters.
ipfw -t show
This command lists the rules with counters and timestamps.
ipfw zero
This command resets the counters for all rules.
=========================================================================================
5) These changes may have to be re-applied or adjusted after a Statseeker version upgrade.
=========================================================================================