Solved CSF allow only 1 specific IP address

patrickkasie

Dear DirectAdmin forum,

I would like to know how only one or several IP addresses can access port 22, denying every other IP address on port 22, but all other open ports to be accessible by the zoo next door or those Russian hackers that always seem to wiggle their way into everyone's system. Edit: Similar to /etc/hosts.allow in CentOS7, but for AlmaLinux 8

I have seen the following thread but I don't know where to put this specifically in the file/how to make it work/what line etc:

I am familiar with the conf, so this is the -confusing- result when asking ChatGPT:

Code:
User
So what happens when I do something like this:TCP_IN = "20,21,22,123.456.78.90,192.168.1.0/24,111.111.111.111,23,53,80"


ChatGPT
In the configuration you provided:
TCP_IN = "20,21,22,123.456.78.90,192.168.1.0/24,111.111.111.111,23,53,80"
You are specifying a list of allowed TCP ports and IP addresses for incoming connections. Here's what each component means:
- 20,21,22,23,53,80: These are the TCP ports allowed for incoming connections. Ports 20, 21, 22, 23, 53, and 80 are commonly associated with FTP, SSH, Telnet, DNS, and HTTP respectively.
- 123.456.78.90: This is an IP address from which SSH connections are allowed.
- 192.168.1.0/24: This is a CIDR notation representing the IP address range 192.168.1.0 to 192.168.1.255, commonly associated with a local network.
- 111.111.111.111: This is an additional specific IP address from which incoming connections are allowed on the specified ports.
With this configuration:
- Incoming connections to ports 20, 21, 22, 23, 53, and 80 from any IP address are allowed.
- Incoming SSH connections (port 22) are allowed only from the IP addresses 123.456.78.90 and 192.168.1.0/24.
- Incoming connections from any IP address within the 192.168.1.0/24 network are allowed on all specified ports.
- Incoming connections from the specific IP address 111.111.111.111 are allowed on all specified ports.
- All other incoming connections to unspecified ports are denied by default.
As with any firewall configuration, it's essential to thoroughly review and test your rules to ensure they align with your security requirements and that they function as intended. Regularly monitoring and updating your firewall rules is also important to maintain the security of your system.

User
What about something like this:

TCP_IN = "20,21,23,53,80,tcp|in|d=22|s=111.111.111.111"
ChatGPT
In the configuration you provided:

TCP_IN = "20,21,23,53,80,tcp|in|d=22|s=111.111.111.111"
You are specifying a list of allowed TCP ports and IP address/port combinations for incoming connections. Here's what each component means:

- 20,21,23,53,80: These are the TCP ports allowed for incoming connections. Ports 20, 21, 23, 53, and 80 are commonly associated with FTP, SSH, Telnet, DNS, and HTTP respectively.
- tcp|in|d=22|s=111.111.111.111: This is a specific rule for SSH (port 22) connections from the IP address 111.111.111.111.
With this configuration:

- Incoming connections to ports 20, 21, 23, 53, and 80 from any IP address are allowed.
- SSH connections (port 22) are allowed only from the specific IP address 111.111.111.111.
- All other incoming connections to unspecified ports are denied by default.
This configuration provides granular control over SSH access by allowing connections only from the specified IP address while allowing other services to accept connections from any IP address. It's a more specific rule compared to allowing SSH access from all IP addresses or from a range of IP addresses.

As always, thoroughly review and test your firewall rules to ensure they meet your security requirements and function as intended. Regularly updating and monitoring your firewall rules is also important to maintain the security of your system.
 
Step 1.
Remove port 22 from the open ports.
Step 2.
Edit /etc/csf/csf.allow
Step 3.
Add
tcp|in|d=22|s=IPADDRESS
tcp|out|d=22|s=IPADDRESS

Change port 22 to your SSH port if you use another one.
 
So why use this difficult method?
If you want to block access to SSH and limit it to 1 IP, just disable the SSH port (like 22) and add your own IP to the /etc/csf/csf.allow file.
Any IP in there will bypass the firewall completely, so not only SSH but everything.

If you coupled csf.ignore with csf.allow by using the IGNORE_ALLOW = "1" setting in csf.conf then you won't be blocked for anything either.

Much easier solution.

Another option is to only allow key authentication. In /etc/ssh/sshd_config set:
PasswordAuthentication no
PubkeyAuthentication yes

Make sure your key is working beforehand.
If you want to enable it again, you can always edit this sshd_config file via the Directadmin GUI again, so almost no risk of issues for yourself either.
And hackers mostly try passwords, not keys.
I even have a password on my key so even when stolen from a server, it can't be used.
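To make the difference between the two approaches in this thread concrete (the csf.allow rule tcp|in|d=22|s=IPADDRESS from the step list, versus a bare IP in csf.allow as suggested above), here is an added Python model of how CSF decides an inbound TCP connection. It is not CSF's own code: csf.deny, rate limiting and IGNORE_ALLOW are not modelled, and the sample values in the comments are constructed.

```python
"""Toy model of how CSF decides an inbound TCP connection (added example,
not CSF's own code). A bare IP/CIDR entry in csf.allow bypasses the firewall
for every port; an advanced rule proto|in|d=port|s=ip opens one port for
one source. csf.deny, rate limits and IGNORE_ALLOW are not modelled."""
import ipaddress


def parse_ports(tcp_in):
    """Expand a TCP_IN string such as "20,21,80,2000:3000" into a port set."""
    ports = set()
    for item in tcp_in.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                  # CSF range syntax lo:hi
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_allow(lines):
    """Parse csf.allow lines: bare IP/CIDR, or proto|dir|d=port|s=ip rules."""
    networks, rules = [], []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "|" in line:
            proto, direction, *fields = line.split("|")
            opts = dict(f.split("=", 1) for f in fields)
            rules.append((proto, direction, int(opts["d"]),
                          ipaddress.ip_network(opts["s"], strict=False)))
        else:
            networks.append(ipaddress.ip_network(line, strict=False))
    return networks, rules


def inbound_allowed(src, port, tcp_in, allow_lines):
    """Return True if TCP traffic from src to the local port would be accepted."""
    src_ip = ipaddress.ip_address(src)
    networks, rules = parse_allow(allow_lines)
    if any(src_ip in net for net in networks):
        return True                      # bare entry: bypasses everything
    for proto, direction, dport, snet in rules:
        if proto == "tcp" and direction == "in" and dport == port and src_ip in snet:
            return True                  # one port opened for one source only
    return port in parse_ports(tcp_in)   # generic open port, any source
```

With port 22 removed from TCP_IN, the advanced rule lets only the listed source reach SSH while every other port for that source still follows TCP_IN; a bare IP entry instead admits that source on all ports.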
 
> Step 1.
> Remove port 22 from the open ports.
> Step 2.
> Edit /etc/csf/csf.allow
> Step 3.
> Add
> tcp|in|d=22|s=IPADDRESS
> tcp|out|d=22|s=IPADDRESS
>
> Change port 22 to your SSH port if you use another one.
How does this work for IPv6? Do I need to do this?
tcp6|in|d=22|s=IPADDRESS
tcp6|out|d=22|s=IPADDRESS

> So why use this difficult method?
Because this may also be used for other ports in the future for other IP addresses with different rights to access which parts of the server, instead of putting the IP address itself in there allowing everything and anything. I actually like this.

> I even have a password on my key so even when stolen from a server, it can't be used.
How does that work and how is that achieved?
 
> How does that work and how is that achieved?
When creating the SSH key one can choose to have a password on the SSH key or not.
Normally when creating the SSH key you're prompted for a password.
You can even add one if you don't have one yet, or change it. There are numerous tutorials about it. It's quite easy.
 