firehol issues

Hi, I'm securing my Linodes using FireHOL; the only problem is that for some reason the rules being set up block my ssh port. I have an ssh definition in the file:

server_ssh_ports="tcp/99999"
client_ssh_ports="99999"

That's not the real port, but you get the idea.

Here are the rules for eth0:

web

interface eth0 public src not "${UNROUTABLE_IPS}"
    protection strong
    client all accept
    server ICMP accept
    server ping accept
    server http accept
    server https accept
    server ssh accept
    server mysql accept dst "private.ip.address"

Whenever I attempt to log in via ssh, here is what I see in the console:

'IN-public':'IN=eth0 OUT= MAC=MACADDRESS* SRC=MYREMOTEIP* DST=SLICEIP* LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=SSH_PORT* WINDOW=8192 RES=0x00 SYN URGP=0

Anyone have any idea why this is being blocked?

6 Replies

Found the answer:

Although the FireHOL documentation says to set up new servers the above way, this is what actually worked for me:

server custom ssh tcp/99999 default accept

Also I've done a quick guide for getting basic security in place:

http://gregsidberry.com/2008/10/22/building-something-scalable-security/

@poetics5:

server custom ssh tcp/99999 default accept

When you added the custom line do you remove the regular "server ssh accept" line?

Also, in the ssh config, you just change the port from 22 to whatever you wanted? Is it advisable to try both ports before committing? I am asking because that is exactly what I wanted to try by putting "port = 25 99999" (not the real port), and I am not getting a connection after restarting on the high port, but 22 still works. Maybe I need a colon between the ports? I should look that up.

You have to edit your ssh config to use the port as well, then restart ssh.

I'm not sure if you can make SSH bind to two ports at the same time. Anyway, the whole point of binding SSH to a custom port is to gain some measure of security by obscurity, so you aren't going to get real benefits if SSH is still listening on port 22.

Bedevere: the reason you're still connecting on 22 is because you have the regular "server ssh accept" line in your firehol conf. Remove that and you'll only be able to connect through the custom port. (Provided, of course, that your SSH configuration is adjusted accordingly.)

It's also a good idea to limit incoming SSH connections to a certain IP range, unless you're giving out shell accounts to random people. This can be done by adding an "src" clause to the appropriate line in your Firehol conf. For example,

server custom ssh tcp/99999 default accept src 123.123.123.123

I have a static IP at home, so this directive kicks out everyone except my home computer. If your IP changes from time to time, it might be better to use a broader IP range such as 123.123.0.0/16. This way, nobody in China will be able to connect to your box through SSH, let alone hack it through SSH, even if they happened to know which port to connect to.

If you lock yourself out, or you need emergency access from an IP address not listed in your Firehol conf, you can always go into Lish to fix it!

Yes, I was editing the ssh config… sorry if I wasn't clear on that.

OK, I will remove the regular SSH. I actually tried naming the custom one SSH1, but that's not clean. And yeah, when I messed it up I used the Ajax console.

I already did the src as well. Good move there.

You can make ssh listen on one or more ports/IPs.

I have this as my config in sshd_config so that I can connect in on 443 from some places.

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress <second ip here>:443
ListenAddress 0.0.0.0

Basically that says use port 22, and listen on all interfaces (0.0.0.0) for connections, AND listen on :443

Let me know if you have any questions.
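The two failure modes in this thread are a mismatch between what sshd listens on and what FireHOL accepts (the original poster's lockout, and the reply above about removing the stale "server ssh accept" line), and an SSH port that is reachable from anywhere because the accepting rule carries no "src" clause (the earlier reply about restricting by IP range, and the sshd_config just above that also binds 443, which a plain "server https accept" rule would open to the world). The script below is an added example, not part of this thread and not FireHOL's or OpenSSH's own code; it parses the few directives used here (Port and ListenAddress from sshd_config; "server NAME accept" and "server custom NAME PORTS CPORTS accept" from a FireHOL config) and cross-checks them. The built-in service port table, the sample configs and the IP addresses in them are constructed for the example; the real FireHOL service table lives inside FireHOL, and 2222 stands in for the thread's placeholder port 99999.

```python
"""Cross-check a FireHOL config against sshd_config for SSH lockout and
exposure problems.  Added example, not FireHOL's or OpenSSH's own code.
Only the directives used in this thread are understood."""
import re
import shlex

# Assumed default TCP ports of the built-in FireHOL services named in the
# thread; the real table is part of FireHOL itself.
BUILTIN_TCP = {"ssh": 22, "http": 80, "https": 443, "mysql": 3306}


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _split_host_port(spec):
    """'[v6]:p' / '[v6]' / 'v4:p' / 'v4' / 'v6'  ->  (host, port-or-None)."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if spec.count(":") == 1:
        host, port = spec.split(":")
        return host, int(port)
    return spec, None


def sshd_listeners(text):
    """Return {(address, port)} sshd would bind, following OpenSSH rules:
    a ListenAddress without a port uses every Port value, a ListenAddress
    with a port uses only that port, and no ListenAddress at all means all
    addresses on every Port value (default Port is 22)."""
    ports, addrs = [], []
    for raw in text.splitlines():
        parts = _strip(raw).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "port":
            ports.append(int(val))
        elif key == "listenaddress":
            addrs.append(val)
    ports = ports or [22]
    if not addrs:
        return {("0.0.0.0", p) for p in ports}
    bound = set()
    for spec in addrs:
        host, port = _split_host_port(spec)
        bound.update({(host, port)} if port else {(host, p) for p in ports})
    return bound


def firehol_tcp_rules(text):
    """Return [(name, tcp_port, has_src_clause)] for every accepting
    'server ...' rule; services without a known TCP port are skipped."""
    rules = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line.startswith("server "):
            continue
        tok = shlex.split(line)
        if tok[1] == "custom":                 # server custom NAME PORTS CPORTS ACTION ...
            name, ports, tail = tok[2], tok[3], tok[5:]
        else:                                  # server NAME ACTION ...
            name, ports, tail = tok[1], None, tok[2:]
        if not tail or tail[0] != "accept":
            continue
        restricted = "src" in tail[1:]
        if ports is None:
            port_list = [BUILTIN_TCP[name]] if name in BUILTIN_TCP else []
        else:
            m = re.fullmatch(r"tcp/([\d,]+)", ports)
            port_list = [int(p) for p in m.group(1).split(",")] if m else []
        rules.extend((name, p, restricted) for p in port_list)
    return rules


def audit(firehol_text, sshd_text):
    """Report the three things a reader of this thread wants to know."""
    sshd_ports = {p for _, p in sshd_listeners(sshd_text)}
    rules = firehol_tcp_rules(firehol_text)
    open_ports = {p for _, p, _ in rules}
    return {
        "sshd_ports": sshd_ports,
        # sshd listens here but no rule accepts it: lockout after 'firehol start'
        "blocked_ssh_ports": sshd_ports - open_ports,
        # rule named for ssh on a port sshd no longer uses: dead rule, remove it
        "stale_ssh_rules": {p for n, p, _ in rules
                            if "ssh" in n.lower() and p not in sshd_ports},
        # ports sshd serves that some rule accepts without any src restriction
        "ssh_open_to_world": {p for _, p, r in rules if p in sshd_ports and not r},
    }


# Constructed sample configs mirroring the thread (2222 stands in for 99999).
OP_FIREHOL = """interface eth0 public src not "${UNROUTABLE_IPS}"
    protection strong
    client all accept
    server http accept
    server https accept
    server ssh accept
"""
OP_SSHD = "Port 2222\n"
FIXED_FIREHOL = OP_FIREHOL.replace(
    "server ssh accept", "server custom ssh tcp/2222 default accept src 123.123.0.0/16")
FIXED_SSHD = "Port 2222\nListenAddress 203.0.113.5:443\nListenAddress 0.0.0.0\n"

if __name__ == "__main__":
    print("original poster:", audit(OP_FIREHOL, OP_SSHD))
    print("after the fix:  ", audit(FIXED_FIREHOL, FIXED_SSHD))
```

Run against the first pair it reports port 2222 as blocked (the lockout) and the "server ssh accept" rule as stale; against the second pair it reports nothing blocked and nothing stale, but flags 443 as open to the world, because the unrestricted "server https accept" rule now also admits sshd bound to the second address on 443.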
