How Do I Configure Cloud Firewall Correctly
Hi,
Bit of a noob, so apologies. I am getting a lot of sshd attacks on my server. I thought I had set up the Linode cloud firewall so that only permitted ports would be allowed in, but I must be doing something wrong, as the attacks are getting through to the server. Although they are getting picked up by fail2ban, I would prefer it if they didn't get through the initial firewall. Below is an example of a fail2ban response to one of them, but I'm getting hundreds per day, even though my ssh port was moved. Any help is much appreciated.
Apr 1 21:22:58 server1 sshd[194455]: Invalid user fg from 34.88.170.63 port 48526
Apr 1 21:22:58 server1 sshd[194455]: Received disconnect from 34.88.170.63 port 48526:11: Bye Bye [preauth]
Apr 1 21:22:58 server1 sshd[194455]: Disconnected from invalid user fg 34.88.170.63 port 48526 [preauth]
cloud firewall configured:
accept-inbound-DNS TCP 53 All IPv4, All IPv6 Accept
accept-inbound-HTTPS TCP 443 All IPv4, All IPv6 Accept
accept-inbound-monitor TCP 11000 All IPv4, All IPv6 Accept
accept-inbound-SMTP TCP 25 All IPv4, All IPv6 Accept
accept-inbound-SMTP TCP 587 All IPv4, All IPv6 Accept
accept-inbound-POP3 TCP 995 All IPv4, All IPv6 Accept
accept-inbound-IMAP TCP 143 All IPv4, All IPv6 Accept
accept-inbound-IMAP TCP 993 All IPv4, All IPv6 Accept
accept-inbound-SMTPS TCP 465 All IPv4, All IPv6 Accept
accept-inbound-SSHD TCP xxxx All IPv4, All IPv6 Accept
Default inbound policy: drop
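To put numbers on "hundreds per day", here is a small log-triage script written for this thread (it is not part of the original post, fail2ban, or any Linode tooling). It parses sshd lines of the shape quoted above, counts pre-auth failures per source address, and lists the addresses that reach a fail2ban-style maxretry threshold. The sample log is constructed: the first three lines are the post's own, the rest are made up, using the post's 34.88.170.63 plus RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample log modelled on the post's excerpt. 34.88.170.63 is the address
# from the post; 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Apr 1 21:22:58 server1 sshd[194455]: Invalid user fg from 34.88.170.63 port 48526
Apr 1 21:22:58 server1 sshd[194455]: Received disconnect from 34.88.170.63 port 48526:11: Bye Bye [preauth]
Apr 1 21:22:58 server1 sshd[194455]: Disconnected from invalid user fg 34.88.170.63 port 48526 [preauth]
Apr 1 21:23:10 server1 sshd[194460]: Invalid user admin from 34.88.170.63 port 48600
Apr 1 21:23:12 server1 sshd[194460]: Failed password for invalid user admin from 34.88.170.63 port 48600 ssh2
Apr 1 21:23:41 server1 sshd[194471]: Invalid user test from 198.51.100.7 port 51234
Apr 1 21:25:02 server1 sshd[194480]: Accepted publickey for dave from 203.0.113.9 port 50001 ssh2: ED25519 SHA256:constructed
"""

# syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: message" (day may be padded with a space)
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# The three sshd message kinds we care about for triage
INVALID_USER = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$")
FAILED = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

KINDS = (("invalid_user", INVALID_USER), ("failed", FAILED), ("accepted", ACCEPTED))


def parse_events(text):
    """Turn raw sshd log text into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in KINDS:
            e = rx.match(msg)
            if e:
                events.append({"ts": m.group("ts"), "kind": kind, **e.groupdict()})
                break
    return events


def failures_by_ip(events):
    """Pre-auth failures (unknown user or failed credential) per source address."""
    return Counter(e["ip"] for e in events if e["kind"] in ("invalid_user", "failed"))


def offenders(events, threshold=3):
    """Addresses that hit the threshold, most active first (like fail2ban's maxretry)."""
    return [ip for ip, n in failures_by_ip(events).most_common() if n >= threshold]


def successful_logins(events):
    """(user, ip, method) for each accepted login, so you can confirm only you got in."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["kind"] == "accepted"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures per source:", dict(failures_by_ip(evs)))
    print("offenders (>=3):", offenders(evs))
    print("accepted logins:", successful_logins(evs))
```

On a real host you would feed it `/var/log/auth.log` (or `journalctl -u ssh --no-pager`) instead of SAMPLE_LOG; the per-address counts are what tell you whether the Cloud Firewall is actually dropping anything before sshd sees it.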
Moving the SSH port helps a little by reducing the volume of malicious scanning, but it's normal that it won't eliminate it, since some malicious scanners check all the ports.
There are many, many approaches to help here but the ones I personally prefer are:
(1) Set up cloud firewall to only permit SSH from your IP address. If you travel a lot this may be inconvenient since you yourself will be connecting from different IP addresses frequently. But if you only usually access from one or two locations, you can just whitelist their IP addresses.
You can broaden the IP address pattern too, to include all IP addresses from your ISP, so that if you get a new IP address when you reconnect, it will still work. Running a whois command against your IP address is a handy way to find out the extent of your ISP's whole IP address space for this purpose. Even a very "lazy" wide IP pattern will filter out the vast majority of attackers. For example, if my IP were 164.64.64.64 (randomly chosen example) WHOIS would show
NetRange: 164.64.0.0 - 164.64.255.255
CIDR: 164.64.0.0/16
So you can use 164.64.0.0/16
as the CIDR range to whitelist in Cloud Firewall, and even if you reconnect with a new IP address you'll still be able to connect.
In any case, you can always change the cloud firewall settings again if you mess up and get locked out, so there is no danger of being permanently locked out.
(2) Make sure your sshd is very secure so even if attackers do connect directly, they still get nothing. This means
(a) keep openssh updated regularly, so if a zero-day exploit is discovered you quickly get the patch
(b) disable password authentication in sshd_config
(c) generate strong keys with large bit size (use google to find current best practice recommendations on this, as it does change over time)
Hope this helps.
DG
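The two recommendations above, as an added worked example for this thread (not code from the reply's author, from Linode, or from OpenSSH): it derives the CIDR block from a WHOIS NetRange line exactly as the reply describes, models the poster's "SSHD from All IPv4" rule next to a whitelisted version and shows which source addresses each one lets through to the SSH port, and checks a sshd_config fragment for the password-authentication setting. The rule model is a simplification of Linode Cloud Firewall semantics (first matching ACCEPT rule wins, otherwise the default inbound policy applies), the SSH_PORT value is a constructed stand-in for the "xxxx" in the post, and the WHOIS text and sshd_config fragments are constructed.

```python
import ipaddress
import re

# Constructed placeholder for the "xxxx" SSH port in the post; not the poster's real port.
SSH_PORT = 2222

# Constructed WHOIS excerpt in the shape the reply quotes.
WHOIS_TEXT = """\
NetRange:       164.64.0.0 - 164.64.255.255
CIDR:           164.64.0.0/16
"""

# "All IPv4, All IPv6" as listed in the post's rules.
ANY = ["0.0.0.0/0", "::/0"]


def cidr_from_netrange(whois_text):
    """Smallest set of CIDR blocks covering the NetRange line of a WHOIS answer."""
    m = re.search(r"NetRange:\s*(\S+)\s*-\s*(\S+)", whois_text)
    if not m:
        raise ValueError("no NetRange line found")
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def make_rule(label, port, sources):
    """One inbound ACCEPT rule for TCP <port> from the given source networks."""
    return {"label": label, "protocol": "TCP", "port": port,
            "sources": [ipaddress.ip_network(s) for s in sources]}


# The posted configuration, reduced to the two rules that matter here.
POSTED_RULES = [make_rule("accept-inbound-HTTPS", 443, ANY),
                make_rule("accept-inbound-SSHD", SSH_PORT, ANY)]


def hardened_rules(allowed_ssh_sources):
    """Same ruleset, but SSH is only accepted from the whitelisted source networks."""
    return [make_rule("accept-inbound-HTTPS", 443, ANY),
            make_rule("accept-inbound-SSHD", SSH_PORT, allowed_ssh_sources)]


def evaluate(rules, src_ip, port, protocol="TCP", default="DROP"):
    """ACCEPT if any rule matches protocol, port and source; else the default inbound policy."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        # 'ip in network' is False across address families, so IPv4 never matches ::/0
        if r["protocol"] == protocol and r["port"] == port and any(ip in n for n in r["sources"]):
            return "ACCEPT"
    return default


def check_sshd_config(text):
    """Findings for a sshd_config fragment. sshd uses the FIRST value it reads for a keyword,
    so the first non-comment occurrence wins; Match blocks are ignored (simplification)."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # only global settings are assessed
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    findings = []
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password
    if effective.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if effective.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin is 'yes'")
    return findings


if __name__ == "__main__":
    isp_blocks = cidr_from_netrange(WHOIS_TEXT)
    print("whitelist from WHOIS:", isp_blocks)
    for src in ("34.88.170.63", "164.64.64.64"):
        print(src, "posted:", evaluate(POSTED_RULES, src, SSH_PORT),
              "hardened:", evaluate(hardened_rules(isp_blocks), src, SSH_PORT))
    print(check_sshd_config("#PasswordAuthentication no\nPermitRootLogin yes\n"))
```

The key observation the simulation makes visible: with the posted rules, the scanner at 34.88.170.63 is accepted on the SSH port because the rule's source is All IPv4, so the default drop policy never gets a chance to apply; with the /16 whitelist the same packet is dropped while a connection from inside the ISP's range still succeeds, and port 443 stays open to everyone in both cases. The sshd_config check reminds you that a commented-out `#PasswordAuthentication no` leaves the OpenSSH default (yes) in force.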