APF Deny ALL for SSH Limit IP Connections Published: Feb 06, 2007
  • Rating

    4/5

APF firewall can deny ALL connections for ssh and allow only a single or select few of IPs to connect to your server. We'll guide you through DENY ALL with APF firewall.

APF Deny ALL for SSH - Limit IP Connections

APF firewall can deny ALL connections for ssh and allow only a single or select few of IPs to connect to your server. We'll guide you through DENY ALL with APF firewall.

PROBLEM:
You want to deny all IPs to connect to shell/ssh on you server but only allow a select one or few to connect with APF firewall.

APF SOLUTION:
1)
Login to your server as the root user.

2) cd /etc/apf

3) Use vi or nano to edit the /etc/apf/allow_hosts.rules file
EG: vi /etc/apf/allow_hosts.rules

4) Scroll down until after their last comment with the ##

Add the following in:

tcp:in:d=22:s=YOURHOMEIPHERE
out:d=22:d=YOURHOMEIPHERE

The d=22 part is the port, so you can repeat for other services as well to limit connections if you like.

Save the changes.

5) Edit the /etc/apf/deny_hosts.rules  file
EG: vi /etc/apf/deny_hosts.rules

Scroll down until the last default comment ## then below it add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

6) Restart APF firewall
apf -r


Your server is now only allowing connections to the SSH service from one IP using APF.  To add more than one IP repeat the steps in 4) adding a new tcp and out line for each IP.

Cheers

Steve



  • Rating

    4/5

Related Articles

Comments (3)

  • Gravatar - Linux Uruguay
    Linux Uruguay 19:52, February 18, 2007
    That can be easly done using /etc/hosts.allow and only accepting ssh :<br />
    <br />
    sshd : YOUR_IP_HERE<br />
    <br />
    Then just put:<br />
    <br />
    ALL : ALL at the /etc/hosts.deny, of course IP must be listed at the /etc/apf/allow.. file.<br />
    <br />
    Keep working, this site have nice tutorials.
  • Gravatar - sandy
    sandy 16:50, April 12, 2007
    Always helpfull :)<br />
    <br />
    cheers :)
  • Gravatar - Ryan
    Ryan 19:35, June 9, 2007
    You can simply remove port 22 from the IG_TCP_CPORTS then add your allow_hosts.rules entries. The rules into deny_hosts.rules are not needed as since port 22 is not open in the common ports variable IG_TCP_CPORTS, it will be denied implicitly.

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2017 WebHostGear.com