BODHost Web Server Hosting Forum > Support > Tutorials and Documentation

#1, 11-22-07, 14:01, BOD Member (Join Date: Jul 2007)

APF Deny ALL for SSH - Limit IP Connections

APF firewall can deny ALL connections to SSH and allow only a single IP or a select few IPs to connect to your server. We'll guide you through DENY ALL with APF firewall.

PROBLEM:
You want to deny all IPs from connecting to the shell/SSH on your server and allow only one or a select few to connect, using APF firewall.

APF SOLUTION:
1) Login to your server as the root user.

2) cd /etc/apf

3) Use vi or nano to edit the /etc/apf/allow_hosts.rules file
EG: vi /etc/apf/allow_hosts.rules

4) Scroll down to just after the last default comment line (beginning with ##)

Add the following in:

tcp:in:d=22:s=YOURHOMEIPHERE
out:d=22:d=YOURHOMEIPHERE

The d=22 part is the port, so you can repeat for other services as well to limit connections if you like.

Save the changes.

5) Edit the /etc/apf/deny_hosts.rules file
EG: vi /etc/apf/deny_hosts.rules

Scroll down to the last default comment (##) and add the following below it:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

6) Restart APF firewall
apf -r


Your server now allows connections to the SSH service only from that one IP, using APF. To add more than one IP, repeat step 4), adding a new tcp and out line for each IP.
#2, 11-22-07, 18:47, BOD Member (Join Date: Mar 2006, Location: Scotland)

The following will install APF firewall with cPanel:

Login as root.
Download the latest APF version and extract it,
then go to the directory, for instance cd apf-0.9.3_3
Run the installation script ./install.sh
It will provide the notification.
After the installation, configure the firewall in /etc/apf/conf.apf
You can set the ports for connections

such as follows:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

Instruct them to monitor the outgoing connections.

Changes can be made in the allow and deny files for allowing the IPs or disallowing them.

Once the changes are made, you may start APF: /usr/local/sbin/apf -s
#3, 11-23-07, 06:24, BOD Member (Join Date: Nov 2005)

You should move SSH completely off of port 22, period, because all the bad folks, script kids and others know to try port 22. Changing it is as easy as editing a config file and restarting the daemon. Changing the port to something more obscure, coupled with denying root login (require a regular login, then su), plus IP restriction is a very solid practice for securing one of the biggest liability holes on a webserver, especially for those new to *nix and/or websites.
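
The rule lines from post #1, generated for a list of admin addresses on a configurable SSH port (post #3 recommends moving off 22), as an added example that is not part of this thread. It assumes a hypothetical APF_DIR for the APF config directory (/etc/apf on a real server; a temporary directory by default so it runs offline) and SSH_PORT for the sshd port, validates each address before writing, skips lines that are already present, and refuses to write the deny-all rules if no allow rule exists, which is the lock-out mistake this procedure invites.

```shell
#!/bin/sh
# Added example, not from the BODHost post: build the allow/deny rule lines
# from post #1 for a list of admin IPs, on the SSH port of your choice (post #3),
# with a guard against locking yourself out.
# Assumptions (hypothetical, for an offline run): APF_DIR is the APF config
# directory (/etc/apf on a real server; a temp dir by default here) and
# SSH_PORT is the port sshd listens on (22 unless you moved it).

APF_DIR="${APF_DIR:-$(mktemp -d)}"
SSH_PORT="${SSH_PORT:-22}"
ALLOW="$APF_DIR/allow_hosts.rules"
DENY="$APF_DIR/deny_hosts.rules"

# Accept only a dotted-quad IPv4 address with an optional /prefix, each octet
# 0-255, so a typo cannot silently turn into an empty or over-broad rule.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  _ip="${1%%/*}"
  _oldifs="$IFS"; IFS=.
  set -- $_ip
  IFS="$_oldifs"
  for _o in "$1" "$2" "$3" "$4"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Append a rule line only if it is not already there, so re-runs are idempotent.
add_rule() {
  touch "$1"
  grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Step 4 of the post: inbound rule from the admin IP plus the matching outbound entry.
allow_ssh_from() {
  valid_ipv4 "$1" || { echo "rejected invalid IP: $1" >&2; return 1; }
  add_rule "$ALLOW" "tcp:in:d=$SSH_PORT:s=$1"
  add_rule "$ALLOW" "out:d=$SSH_PORT:d=$1"
}

# Number of inbound allow rules for the SSH port currently on file.
allow_count() {
  [ -f "$ALLOW" ] || { echo 0; return 0; }
  grep -c "^tcp:in:d=$SSH_PORT:s=" "$ALLOW" || true
}

# Step 5 of the post, with a lock-out guard: refuse to write the deny-all rules
# unless at least one allow rule exists, and warn when the address of the
# current session (SSH_CLIENT is set by sshd) is not on the allow list.
deny_ssh_all() {
  if [ "$(allow_count)" -eq 0 ]; then
    echo "refusing: no allow rule for port $SSH_PORT in $ALLOW" >&2
    return 1
  fi
  _cur="${SSH_CLIENT%% *}"
  if [ -n "$_cur" ] && ! grep -qF ":s=$_cur" "$ALLOW"; then
    echo "warning: your current source address $_cur is not in $ALLOW" >&2
  fi
  add_rule "$DENY" "tcp:in:d=$SSH_PORT:s=0/0"
  add_rule "$DENY" "out:d=$SSH_PORT:d=0/0"
}

# Constructed demo input: two admin addresses and one typo that must be rejected.
allow_ssh_from 203.0.113.10
allow_ssh_from 198.51.100.7
allow_ssh_from 999.1.1.1 || true
deny_ssh_all
echo "== $ALLOW"; cat "$ALLOW"
echo "== $DENY"; cat "$DENY"
# On a real server finish with: apf -r
```

Run it with APF_DIR=/etc/apf and the right SSH_PORT on the server itself, then apf -r as in the post; keep a second session open until you have confirmed you can still log in from an allowed address.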
#4, 11-23-07, 11:36, BOD Member (Join Date: Jul 2007)

I have my SSH set to port 666 and the welcome msg is "welcome to hell" :P
#5, 11-23-07, 12:08, BOD Member (Join Date: Nov 2005, Location: New Mexico)

I don't like to read your welcome message
#6, 11-24-07, 07:19, BOD Member (Join Date: Oct 2007)

If you have a cPanel server on your box, then I would suggest you use CSF instead of APF, as it is compatible with cPanel. CSF's best feature is that it is user friendly, as you can configure it from WHM >> ConfigServer Security & Firewall once you install it on the server.

Glenn.
#7, 11-24-07, 09:35, Moderator (Join Date: Oct 2005)

CSF can be installed without cPanel, this is what I have found. The script provides the following:

a) Straight-forward SPI iptables firewall script
b) Daemon Process for login Authentication failures
c) POP3/IMAP login tracking
d) SSH login notification
e) SU login notification
f) Over Connection blocks
g) Upgrading through shell
h) SSH port Auto-configuration
i) Unused Server IP
j) Alert when end-user sends mass emails
k) Suspicious process reporting
l) Excessive report usage
m) Suspicious file reporting
n) File and Directory monitoring
o) Traffic block
p) Multiple ethernet devices
q) Server Security check
r) Allow Dynamic IPs
s) Load Alerts
t) mod_security log
u) Email relay tracking
v) IDS (Intrusion Detection System)

So perhaps, both ways look good
All times are GMT -6.
Copyright © 1999-2012, BODHost Ltd. All rights reserved.