How To Allow Only One Country For SSH / SFTP

I am not an expert in Linux security, but would it be good practice to allow only my country's IP ranges to have SSH and SFTP access?

If so, how do I achieve something like this?

4 Replies

It's definitely better than nothing - though the best would be to just allow your own IP. You can do this with iptables. Or you can use CSF Firewall which also has some extra features.

@Nuvini:

> It's definitely better than nothing - though the best would be to just allow your own IP. You can do this with iptables. Or you can use CSF Firewall which also has some extra features.

Yes, but it won't work for dynamic IPs.

This isn't the recommended way to do things. If you have a dynamic IP address, just disable password authentication and use key-based authentication. If for some reason you absolutely need password authentication, use a strong password and limit the ability of people to try to brute-force your system by installing something like Fail2Ban.

Going back to your original inquiry, there isn't a reliable way to do this unfortunately. You could potentially get it down to blocks operated by your country's RIR. In theory these should all be delegated out, and I don't personally see them changing much. But you should have a script that runs periodically to make sure you have the right exceptions in your firewall. You could even go a level lower and only add firewall exceptions for your ISP, but they may get a few more blocks of IP addresses moving forward so you'll need a script to check this. And if you are not connecting via your ISP, you would need to use Lish to add a one-time exception.

I'd recommend the first option…it's served me well so far.

-Tim
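The "script that runs periodically" Tim describes, as an added example that is not code from this thread: it reads the delegated-extended statistics file that every RIR publishes (fields `registry|cc|type|start|value|date|status|opaque-id`, where `value` is an address count for IPv4 records and a prefix length for IPv6 records), keeps the allocated/assigned records for one country code, turns them into CIDR blocks, and emits `ipset`/`iptables` commands. The sample lines, the set names `ssh_allow_ipv4`/`ssh_allow_ipv6` and the `always_allow` parameter are assumptions made for the example; the stats file itself is assumed to be downloaded separately. The `ipset swap` sequence refreshes the set without a window in which the allow-list is empty, and the `iptables` rules are meant to be installed once, not on every refresh.

```python
"""Derive SSH allow-list prefixes for one country from an RIR delegated-stats file.

Added example, not code from the thread. It assumes the delegated-extended
format the RIRs publish (registry|cc|type|start|value|date|status|opaque-id).
"""
import ipaddress

# Constructed sample in that format (documentation ranges, made-up ids).
# The version header and the '|summary' line must be skipped; the
# 'reserved' record and the AU record must not end up in the SG list.
SAMPLE_STATS = """\
2|apnic|20240101|5|19830101|20240101|+1000
apnic|*|ipv4|*|3|summary
apnic|SG|ipv4|103.1.0.0|1024|20110101|allocated|A91234
apnic|SG|ipv4|203.0.113.0|256|20100101|assigned|A95678
apnic|SG|ipv4|198.51.100.0|768|20120101|allocated|A90001
apnic|SG|ipv6|2001:db8::|32|20100101|allocated|A90002
apnic|AU|ipv4|192.0.2.0|256|20090101|allocated|A90003
apnic|SG|ipv4|100.64.0.0|256|20090101|reserved|A90004
"""


def country_prefixes(stats_text, cc, statuses=("allocated", "assigned")):
    """Return {'ipv4': [...], 'ipv6': [...]} of collapsed CIDR strings for cc."""
    v4, v6 = [], []
    for line in stats_text.splitlines():
        fields = line.split("|")
        # header/summary lines have too few fields or a registry name as cc
        if len(fields) < 7 or fields[1] != cc or fields[6] not in statuses:
            continue
        kind, start, value = fields[2], fields[3], int(fields[4])
        if kind == "ipv4":
            # 'value' is an address count and need not be a power of two,
            # so one record may become several CIDR blocks (768 -> /23 + /24)
            first = ipaddress.IPv4Address(start)
            last = first + (value - 1)
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            # for ipv6 records 'value' is already a prefix length
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    return {
        "ipv4": [str(n) for n in sorted(ipaddress.collapse_addresses(v4))],
        "ipv6": [str(n) for n in sorted(ipaddress.collapse_addresses(v6))],
    }


def refresh_set_cmds(prefixes, always_allow=()):
    """Commands for the periodic job: rebuild each ipset and swap it in.

    always_allow: extra source prefixes (your own static IP, a bastion) that
    keep working even if the country list turns out to be wrong.
    """
    cmds = []
    for ver, family, ipver in (("ipv4", "inet", 4), ("ipv6", "inet6", 6)):
        live, new = f"ssh_allow_{ver}", f"ssh_allow_{ver}_new"
        cmds.append(f"ipset create -exist {new} hash:net family {family}")
        cmds.append(f"ipset flush {new}")
        for p in prefixes[ver]:
            cmds.append(f"ipset add {new} {p}")
        for p in always_allow:
            if ipaddress.ip_network(p, strict=False).version == ipver:
                cmds.append(f"ipset add {new} {p}")
        # swap is atomic from the packet path's point of view: the live set
        # is never empty while the refresh runs
        cmds.append(f"ipset create -exist {live} hash:net family {family}")
        cmds.append(f"ipset swap {new} {live}")
        cmds.append(f"ipset destroy {new}")
    return cmds


def firewall_rules(port=22):
    """One-time iptables/ip6tables rules: accept from the set, drop the rest."""
    rules = []
    for ipt, ver in (("iptables", "ipv4"), ("ip6tables", "ipv6")):
        rules.append(f"{ipt} -A INPUT -p tcp --dport {port} "
                     f"-m set --match-set ssh_allow_{ver} src -j ACCEPT")
        rules.append(f"{ipt} -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    sg = country_prefixes(SAMPLE_STATS, "SG")
    print("\n".join(refresh_set_cmds(sg, always_allow=["203.0.113.200/32"])))
    print("\n".join(firewall_rules()))
```

Run it from cron against a freshly downloaded stats file and feed the printed commands to a shell as root. The `always_allow` entry is the practical answer to "what if I am not connecting via my ISP": put a fixed address you control in the set so you are not reduced to the console when the country list is stale.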

The iptables geoip module allows blocking by country. See http://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering. I don't think this works with the standard Linode kernel, so you may need to set up your own with pvgrub.

Just because you can block by country doesn't make it a good idea. Disable all password authentication and use key pair authentication, and you are already as secure as it gets. You can add fail2ban, connection rate limiting in iptables, or move SSH to a non-standard port, but these techniques don't gain you any real security improvements. They will reduce the size of your logfiles though.
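Two posts in this thread give the same advice, disable password authentication and rely on keys, and the easy way to get that wrong is to append `PasswordAuthentication no` to an sshd_config that already says `yes` higher up: sshd uses the first value it reads for each keyword, so the later line does nothing. The check below is an added example, not code from this thread or from OpenSSH. It parses the global section of an sshd_config the way sshd_config(5) describes (comments, case-insensitive keywords, `Keyword value` or `Keyword=value`, first value wins, `ChallengeResponseAuthentication` as the old name of `KbdInteractiveAuthentication`) and reports every setting that departs from a key-only policy. The defaults are those of OpenSSH 7.x and later and the policy table is my own choice; both are assumptions, as is stopping at the first `Match` block.

```python
"""Check an sshd_config for the key-only policy recommended in the thread.

Added example, not code from the thread. Parsing follows sshd_config(5);
defaults are assumed to be those of OpenSSH 7.x or later.
"""

# keyword -> (default when the keyword is absent, values this policy accepts)
POLICY = {
    "PasswordAuthentication": ("yes", {"no"}),
    # With UsePAM, PAM can still prompt for a password over the
    # keyboard-interactive method unless this is off as well.
    "KbdInteractiveAuthentication": ("yes", {"no"}),
    "PubkeyAuthentication": ("yes", {"yes"}),
    "PermitRootLogin": ("prohibit-password", {"no", "prohibit-password"}),
    "PermitEmptyPasswords": ("no", {"no"}),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the value sshd would actually use for each POLICY keyword."""
    first_seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # Keyword[=| ]value
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            # Settings after a Match block are conditional; this check covers
            # the global section only (assumption / scope of the example).
            break
        key = ALIASES.get(key, key)
        first_seen.setdefault(key, value)             # first value wins
    return {name: first_seen.get(name.lower(), default)
            for name, (default, _) in POLICY.items()}


def audit(config_text):
    """Return {keyword: effective value} for every setting that violates POLICY."""
    eff = effective_settings(config_text)
    return {name: eff[name] for name, (_, ok) in POLICY.items() if eff[name] not in ok}


# Constructed config: looks fixed at a glance, but the 'no' at the bottom is
# ignored, root password login is on, and keyboard-interactive is still open.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# appended later as the "fix"; sshd ignores it because the first value wins
PasswordAuthentication no
"""

# Constructed config that the policy accepts.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
UsePAM yes
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

After editing the real file, `sshd -T` prints the effective configuration and is the authoritative check; this script is useful as a pre-commit or config-management test where you cannot run sshd, and it makes the first-value-wins rule visible rather than leaving it to be discovered during a breach.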
