I am trying to whitelist ONE IP (my own) for accessing a device via SSH. How do I ban ALL IPs except mine (the one IP I am using)?
Context: I saw there were 500 IP attacks yesterday; I just want to make my device safe.
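What the question asks for, as an added example that is not part of the original post: a small shell script that builds and applies an nftables ruleset allowing SSH from one administrative IP and dropping it from every other source. The admin address 203.0.113.10 (documentation range) and the table name ssh_guard are placeholders chosen here; the script assumes nft is installed and that the session you are applying it from must survive the change.

```shell
#!/bin/sh
# Added example, not from the original post: allow SSH from one admin IP
# and drop it from everywhere else with nftables. 203.0.113.10 is a
# placeholder from the documentation range; substitute your own address.
set -eu

# Dotted-quad sanity check, so a typo cannot produce a ruleset that locks
# you out of your own box (the one thing this exercise must never do).
is_valid_ipv4() {
    [ -n "${1:-}" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Emit the ruleset. Only SSH is touched (policy accept), so other services
# are unaffected; the limit+log rule records who is knocking without letting
# them flood the journal. add+flush makes re-applying replace, not append.
build_ssh_whitelist() {   # build_ssh_whitelist ADMIN_IP [PORT]
    admin_ip=$1; ssh_port=${2:-22}
    is_valid_ipv4 "$admin_ip" || { echo "not an IPv4 address: $admin_ip" >&2; return 1; }
    cat <<EOF
add table inet ssh_guard
flush table inet ssh_guard
table inet ssh_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        ip saddr $admin_ip tcp dport $ssh_port accept
        tcp dport $ssh_port limit rate 5/minute log prefix "ssh-blocked: "
        tcp dport $ssh_port drop
    }
}
EOF
}

# Apply atomically after a dry-run parse, with an automatic rollback in two
# minutes: confirm a NEW login from ADMIN_IP works, then kill the timer.
apply_ssh_whitelist() {
    ruleset=$(build_ssh_whitelist "$1" "${2:-22}") || return 1
    printf '%s\n' "$ruleset" | nft -c -f - || { echo "nft rejected the ruleset" >&2; return 1; }
    printf '%s\n' "$ruleset" | nft -f -
    ( sleep 120 && nft delete table inet ssh_guard ) &
    echo "applied; verify a fresh ssh session from $1, then run: kill $!"
}

case "${1:-}" in
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
             apply_ssh_whitelist "${2:?admin ip required}" "${3:-22}" ;;
    "")      ;;                                          # no args: only define the functions (for sourcing)
    *)       build_ssh_whitelist "$1" "${2:-22}" ;;      # dry run: print the ruleset
esac
```

Run it with just the IP to print the ruleset, or as root with `--apply IP [PORT]`. Two caveats: the drop rule in an inet table also drops IPv6 SSH, so if you reach the box over IPv6 add an ip6 saddr rule for your address; and if your home IP is dynamic, whitelist a fixed host you can hop through rather than today's address. Restricting at the sshd level as well (AllowUsers admin@203.0.113.10 in sshd_config) is cheap defense in depth.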
I need to access my company's internal network without using their OpenVPN server directly (my ISP blocks it). So I used an instance with a public IP, located where my company is, configured an OpenVPN client on it, and used that to connect to the company's OpenVPN server.
(public IP instance) ===OPENVPN===> (Company)
Now I need to achieve one more thing, which is working from my local machine using a VPN over an SSH tunnel with sshuttle, so that the topology becomes:
(local) ===SSHUTTLE===> (public IP instance) ===OPENVPN===> (Company)
Note that the public IP instance has two network adapters: eth0 (which has the public IP) and tun0 (which belongs to OpenVPN).
I installed sshuttle and tested the following command:
sshuttle --dns -r <user>@<public IP instance address> 0.0.0.0/0
It says "connected" after that, but I still can't access anything. I tested with dig and it returned results showing addresses of the company's internal services. However, I still can't ping them. I tested with traceroute and it stops at some point after displaying some hops.
One important point is that I can't ping the tun0 address (on the public IP instance) from my local machine.
I suspect that I need to add some routes on the intermediate public IP instance, but I am not sure.
I would appreciate any help.
Thanks in advance.
Your setup is right but your assumptions are wrong.
Initially, check that your VPN is working fine on the jump box; if it is Linux, just check
route -n
Wrong assumptions:
1) That sshuttle will route your dig queries: sshuttle only routes TCP, and DNS queries are UDP.
2) That --dns in your sshuttle command helps: it is meaningless, as you won't get the VPN's DNS but the jump box's, and that won't work.
You should add the DNS server of the VPN to your /etc/resolv.conf, with the target domain for local discovery, like this (call tech support to get the right DNS server; you can also find it in the VPN log on the jump box):
search companydomain.internal
nameserver 10.x.y.z
It's better to split the traffic and only send your company's CIDR over sshuttle (most companies use parts of 10.0.0.0/8) instead of all traffic (0.0.0.0/0).
Important note: your company may block egress traffic to the internet over VPN access.
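The split-tunnel command the answer recommends, as an added example that is not from the original answer: it derives the company prefixes from the jump box's routing table (what `route -n` or `ip route show` prints on Linux) and checks that the nameserver you intend to put in /etc/resolv.conf is inside one of them. The jump box name user@jump.example.net and the embedded routing table are hypothetical, constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. It assumes the jump box is
# reachable over SSH as the hypothetical "user@jump.example.net", that
# OpenVPN created tun0 on it, and that `ip route show` is available there.
set -eu

# Hypothetical `ssh user@jump.example.net ip route show` output, constructed
# for this example with documentation-range addresses.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
172.18.0.0/16 via 10.8.0.1 dev tun0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.42'

# Print the prefixes routed through a given interface, one per line.
# The default route and the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's
# redirect-gateway pushes are skipped: handing those to sshuttle would be
# 0.0.0.0/0 again, which is exactly what the answer advises against.
routes_via_iface() {
    awk -v dev="$1" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) {
                    # a bare address (host route) has no prefix length: make it /32
                    if ($1 ~ /\//) print $1; else print $1 "/32"
                    break
                }
        }'
}

# Assemble the split-tunnel command: only the VPN prefixes go via sshuttle,
# and --dns is left out for the reason the answer gives.
sshuttle_cmd() {   # sshuttle_cmd user@jump "<ip route text>"
    subnets=$(printf '%s\n' "$2" | routes_via_iface tun0 | tr '\n' ' ')
    printf 'sshuttle -r %s %s' "$1" "${subnets% }"
}

# True when IP falls inside CIDR (plain awk arithmetic, no bit operators).
ip_in_cidr() {   # ip_in_cidr 10.20.0.53 10.20.0.0/16
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        BEGIN {
            split(cidr, c, "/"); hostbits = 2 ^ (32 - c[2])
            exit (int(toint(ip) / hostbits) != int(toint(c[1]) / hostbits))
        }'
}

# The nameserver you put in /etc/resolv.conf must sit inside a tunnelled
# prefix; otherwise queries leave via your ISP and never reach it.
dns_is_tunneled() {   # dns_is_tunneled 10.20.0.53 "<ip route text>"
    for net in $(printf '%s\n' "$2" | routes_via_iface tun0); do
        ip_in_cidr "$1" "$net" && return 0
    done
    return 1
}

if [ $# -ge 1 ]; then
    routes=$(ssh "$1" ip route show)      # live run: pull the table from the jump box
else
    routes=$SAMPLE_ROUTES                 # no args: use the constructed sample
fi
sshuttle_cmd "${1:-user@jump.example.net}" "$routes"; echo
```

With a real user@host argument it runs ip route on the box over SSH; without one it uses the embedded sample and prints `sshuttle -r user@jump.example.net 10.8.0.0/24 10.20.0.0/16 172.18.0.0/16`. The 0.0.0.0/1 and 128.0.0.0/1 halves that a redirect-gateway VPN pushes are ignored on purpose: including them is 0.0.0.0/0 again, and as the answer notes the company may not allow internet egress over the VPN anyway.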
I would like:
1) All devices within a ZeroTier network to be able to SSH into each other via their ZeroTier IPs.
2) No devices from outside the network to be able to SSH into the network, via either ZeroTier IPs or standard public IPs.
The issue is that in spite of having my devices on the same ZT network, I can still ssh into those via public IP. How do I prevent this?
IP address for eth0: 104.xxx.xx.xxx (public IP)
-> should not be able to ssh using this IP
IP address for ztxxxxxxxx: 10.xxx.xx.xx (ZeroTier IP)
-> should be able to ssh using this IP
Many thanks.
You need to bind the sshd process to the IP that ZeroTier gave your server;
follow the steps in this link: http://www.geekpills.com/operating-system/linux/how-to-limit-ip-binding-in-ssh-server
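One way to do what the answer says, as an added example that is not from the answer or the linked article: find the ZeroTier address, write a ListenAddress drop-in for sshd, and restart it safely. It assumes a Debian/Ubuntu-style sshd that includes /etc/ssh/sshd_config.d/*.conf and a service named ssh (RHEL-family systems call it sshd), an interface named zt*, and the sample interface listing is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original answer or the linked article. It
# assumes a Debian/Ubuntu-style sshd (Include /etc/ssh/sshd_config.d/*.conf,
# service name "ssh") and that the ZeroTier interface is named zt*.
set -eu

# Hypothetical `ip -o -4 addr show` output, constructed for this example.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.17/24 brd 203.0.113.255 scope global eth0
3: ztabcdef12    inet 10.147.17.5/24 brd 10.147.17.255 scope global ztabcdef12'

# First IPv4 address on a zt* interface, read from `ip -o -4 addr show` on stdin.
zt_ipv4() {
    awk '$2 ~ /^zt/ { sub(/\/.*/, "", $4); print $4; exit }'
}

# sshd drop-in: one explicit ListenAddress replaces the implicit "listen on
# every address", so nothing is accepted on eth0, not even a failed login.
sshd_dropin() {   # sshd_dropin 10.147.17.5
    cat <<EOF
# Listen on the ZeroTier address only (generated by apply_zt_only)
ListenAddress $1:22
EOF
}

# The trap: if sshd starts before ZeroTier has brought the address up,
# bind() fails ("Cannot bind any address") and you are locked out after the
# next reboot. ip_nonlocal_bind lets sshd bind an address that is not there
# yet, and the unit ordering removes most of the race anyway.
apply_zt_only() {
    zt_ip=$(ip -o -4 addr show | zt_ipv4)
    [ -n "$zt_ip" ] || { echo "no zt* interface with an IPv4 address" >&2; return 1; }
    sshd_dropin "$zt_ip" > /etc/ssh/sshd_config.d/10-zerotier.conf
    printf 'net.ipv4.ip_nonlocal_bind = 1\n' > /etc/sysctl.d/10-zerotier-sshd.conf
    sysctl -q -p /etc/sysctl.d/10-zerotier-sshd.conf
    mkdir -p /etc/systemd/system/ssh.service.d
    printf '[Unit]\nAfter=zerotier-one.service\nWants=zerotier-one.service\n' \
        > /etc/systemd/system/ssh.service.d/10-zerotier.conf
    sshd -t                      # refuse to restart on a broken config
    systemctl daemon-reload
    systemctl restart ssh
    ss -ltn | grep ':22 '        # expect only the ZeroTier address here
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_zt_only
else
    # dry run on the constructed sample: show what would be written
    sshd_dropin "$(printf '%s\n' "$SAMPLE_ADDRS" | zt_ipv4)"
fi
```

Keep a second session open while you run `--apply`, and check with `ss -ltn` that 22 is bound to the ZeroTier address only. Binding is not a firewall: port 22 on eth0 now answers with a reset instead of being filtered, which satisfies the stated goal but still reveals the host; add a firewall rule on eth0 if you also want it silent.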
When I SSH to my VPS host, I am able to connect and log in easily when on different ISPs, i.e.,
my phone's internet connection,
my friend's internet connection.
But when I do it from home,
I get a response to ping but am unable to connect via SSH using either the DNS name or the IP address.
First, make sure that the IP you are trying to connect to is a public IP.
Second, if you are using a router, make sure that port forwarding from the router to the destination PC is properly configured. You can usually set it on the router's settings page.
If the ping is answered but the connection is denied, it is likely a configuration problem on the router. Or your ISP may have blocked that port; use a port-scanning site to check whether the port is blocked. If you search for "port scanner online" on Google, you will find many such sites.
When I host a page in /var/www/page, I can view it via:
localhost/page
192.xxx.x.xxx/page
Recently, I have started playing with websockets (using this repository).
When I activate the server, I can connect using localhost/page but not with 192.xxx.x.xxx/page (note that I can access the page but not connect to the server)
Can someone explain why?
"On most computer systems, localhost resolves to the address 127.0.0.1, which is the most-commonly used IPv4 loopback address..." (https://en.wikipedia.org/wiki/Localhost)
It's likely that the "localhost" host name is being resolved to the loopback interface IP address (127.0.0.1), as that is the standard on most machines.
If you want the server to respond to another IP address, you'll have to configure it.
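The check behind the answer, as an added example that is not from the original answer: parse `ss -ltn` and tell apart listeners bound to loopback from those bound to every address. The sample listing is constructed to reproduce the question: the web server on 80 listens everywhere, the websocket server on 8080 only on 127.0.0.1 and ::1.

```shell
#!/bin/sh
# Added example, not from the original answer: distinguish "bound to
# loopback" from "bound to every address" using `ss -ltn`, the check to
# run when localhost works and the LAN address does not.
set -eu

# Hypothetical `ss -ltn` output, constructed for this example.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128            [::1]:8080         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# Print "<port> <scope>" per listener, where scope is loopback, all, or the
# specific address. The port is whatever follows the last colon, which also
# copes with bracketed IPv6 addresses.
listen_scope() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]")                  scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all"
        else                                                          scope = addr
        print port, scope
    }'
}

# Succeeds if some listener on PORT would accept a connection from the LAN.
lan_reachable() {   # lan_reachable 8080 "<ss -ltn output>"
    printf '%s\n' "$2" | listen_scope |
        awk -v port="$1" '$1 == port && $2 != "loopback" { found = 1 } END { exit !found }'
}

# Human-readable report; with --live it is run against this machine.
report() {
    printf '%s\n' "$1" | listen_scope | while read -r port scope; do
        case $scope in
            loopback) echo "port $port: loopback only -> unreachable via the LAN address" ;;
            all)      echo "port $port: all addresses -> reachable from any network" ;;
            *)        echo "port $port: bound to $scope only" ;;
        esac
    done
}

if [ "${1:-}" = "--live" ]; then report "$(ss -ltn)"; else report "$SAMPLE_SS"; fi
```

A page loaded from 192.xxx.x.xxx whose script opens ws://<location.hostname>:8080 will try 192.xxx.x.xxx:8080, where nothing is listening in this state; the fix is to start the websocket server bound to 0.0.0.0 or to the LAN address (how depends on the server; the repository in the question is not named here). Once it is, anyone on that network can reach it, so add a firewall rule and validate the Origin header in the handshake if the server is not meant to be public.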
I have two real machines.
One is responsible for NAT and IP redirection, called NC2, and the other runs eucalyptus KVM with 3 virtual machines set up.
Naturally, the OS of the machine running eucalyptus is Linux.
The guest OS of the virtual machines is Windows XP.
Each virtual machine is a web server running Tomcat.
NC2 gives a private IP, 192.168.0.3, to the Linux server.
The Linux server gives 3 private class B IPs to the virtual machines.
For example, one guest OS got the IP 172.16.1.5.
Now I use NC2 to redirect a physical IP x.x.x.x to 172.16.1.5.
Here is my problem:
From another PC, on an outside IP, I can connect to the website hosted on 172.16.1.5 via IP x.x.x.x, but I can't use the machine with IP 172.16.1.5 to connect to its own website.
I turned off the firewall on 172.16.1.5, and it is able to connect to the internet, e.g. Yahoo or Amazon. But it just can't use x.x.x.x to connect to its own website.
I tested the other guest OSes, which got 172.16.x.x addresses, and they are also unable to connect to x.x.x.x.
What can I do to make a guest OS connect to its redirected physical address?
It looks like this is caused by a NAT issue called 'hairpin'. Here is the explanation:
Let machine A on a LAN have the private IP address 192.168.0.10.
Let NAT N translate A's private IP to the public 77.33.45.67 for the WAN.
Some early/old NATs take for granted that the translated address is only going to be used from the WAN. Therefore, they don't forward packets on the LAN having IP address = 77.33.45.67, and only let in and forward packets with this IP address when they come from the WAN.
This problem is solved in more recent NATs, which detect these situations and forward packets properly. This problem is sometimes encountered in P2P systems.
If you are lucky, your NAT can be reconfigured to enable usage of the translated address on the LAN. If not, then you need a new NAT.
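The hairpin fix for a Linux NAT box using iptables, as an added example that is not from the original answer (the question's NC2 is not identified as Linux, so this shows the technique, not NC2's configuration). Addresses are placeholders: 198.51.100.7 stands in for x.x.x.x, 172.16.1.5 and 172.16.0.0/16 are taken from the question, and the LAN CIDR must be whatever source addresses the NAT box actually sees from inside.

```shell
#!/bin/sh
# Added example, not from the original answer: "hairpin" (NAT loopback)
# rules for a Linux box doing the NAT with iptables. It assumes the NAT box
# is the LAN's gateway with net.ipv4.ip_forward=1; the addresses are
# placeholders (198.51.100.7 standing in for x.x.x.x in the question).
set -eu

build_hairpin_rules() {   # build_hairpin_rules PUBLIC_IP INTERNAL_IP PORT LAN_CIDR
    pub=$1; int=$2; port=$3; lan=$4
    cat <<EOF
# Port forward. With no "-i <wan-if>" match it also applies to packets that
# arrive from the LAN addressed to the public IP, which is the hairpin case
# the old NAT described in the answer refuses to handle.
iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $int:$port
# Hairpin fix. After DNAT the server would reply straight to the LAN client
# with source $int, an address the client never sent anything to, so the
# client's stack drops the reply. Masquerading the LAN client's source forces
# the reply back through this box, where both translations are undone.
iptables -t nat -A POSTROUTING -s $lan -d $int -p tcp --dport $port -j MASQUERADE
# Let the forwarded flow through the filter table in both directions.
iptables -A FORWARD -d $int -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $int -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the rules for review; pipe the output into sh as root once they look right.
if [ $# -eq 4 ]; then
    build_hairpin_rules "$@"
else
    build_hairpin_rules 198.51.100.7 172.16.1.5 80 172.16.0.0/16
fi
```

The cost of the MASQUERADE rule is that the server sees every hairpinned client as the NAT box, so its access logs and any IP-based access control lose the real client address. Split-horizon DNS (resolving the site's name to 172.16.1.5 inside the LAN) avoids that, but does not help when clients use the raw x.x.x.x as in the question.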