
I've just checked a proxy server (Ubuntu 10.04 with squid) with nmap for vulnerabilities and I decided to start a hardening process... Is it possible to close, for example, the ssh port only on eth1? So I could keep using it when I'm in the LAN on eth0. I have various services that are very handy in my LAN, but I'd like to definitively close access to those from the internet.

Pitto

2 Answers


The usual way to achieve this is by using a firewall. Under Linux, most firewalls are based on iptables. Depending on your linux skills, you could set up iptables rules in a script file and then run it out of an entry in /etc/init.d/ or, if you are not so fluent with shell scripting, you could look at any of the more user friendly standard packages for firewalling such as Lokkit (very simple, but also not very flexible) or Guarddog (more advanced). Other options are firestarter, shorewall or fwbuilder.

Generally, the more flexibility you want or need, the more complex the application will be. Some of the really advanced features of iptables can only be done by scripting rules directly.

wolfgangsz
  • So, if I've understood correctly, a simple "iptables -A INPUT -i eth1 -p tcp --dport 22 -j DROP" will do the job until the next restart, right? Creating a script and adding it to /etc/rc.local or /etc/network/if-up.d/ should do the trick? Thank you for helping! :) – Pitto Jun 06 '11 at 10:48
  • There are many ways to get the script to run on startup, but the command as such is essentially correct. You might want to create a regular service entry in /etc/init.d/, so that you can start and stop the firewall. – wolfgangsz Jun 06 '11 at 11:09

While @wolfgangsz's answer is correct, most daemons have an option along the lines of "Bind to" or "Listen on" which allows you to choose which interface(s) or IPs to attach to. In the case of sshd, you should put something like this in your /etc/ssh/sshd_config file:

ListenAddress <IP_on_eth1>

The nice thing about this approach is that you're sure that the daemon won't ever be available on the other interfaces. A mistake on your ruleset or a delay in applying your rules (or restarting your firewall) may otherwise expose your server temporarily to the internet.

Eduardo Ivanec
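As an added example that is not part of either answer, here is a small sh script combining both approaches for the setup in the question: a default-deny iptables ruleset (in iptables-restore format) that admits SSH and the squid proxy only on the LAN interface, plus a check that sshd_config does not bind to every address. The interface names eth0 (LAN) and eth1 (internet), and squid on its default port 3128, are assumptions.

```shell
#!/bin/sh
# Added example, not from either answer. Assumptions: eth0 is the LAN side,
# eth1 faces the internet, squid listens on its default port 3128.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Emit a default-deny ruleset in iptables-restore format. A lone
# "-A INPUT -i eth1 -p tcp --dport 22 -j DROP" on a default-ACCEPT chain only
# closes what you remember to list; a DROP policy closes everything on eth1
# (and anywhere else) that is not explicitly opened below.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 3128 -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
COMMIT
EOF
}

# Second line of defence from the other answer: return 0 when every
# ListenAddress in the given sshd_config names a specific address, 1 when
# sshd would bind to all interfaces (no ListenAddress, 0.0.0.0 or ::).
sshd_bound_to_specific_addr() {
  addrs=$(grep -E '^[[:space:]]*ListenAddress[[:space:]]' "$1" | awk '{print $2}')
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    case "$a" in
      0.0.0.0|0.0.0.0:*|::|\[::\]|\[::\]:*) return 1 ;;
    esac
  done
  return 0
}

# Typical use on the proxy box (needs root). Loading the rules from a hook
# under /etc/network/if-pre-up.d/ applies them before eth1 comes up, which
# avoids the window that a late rc.local script leaves open:
#   gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
#   sshd_bound_to_specific_addr /etc/ssh/sshd_config || echo "sshd binds to all interfaces"
```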