
Guides Security: Limit your SSH logins using GeoIP

pYTTH

Senior Member
Staff
for all those people out there struggling with security, that's a good way to limit SSH logins to your server.
the howto is courtesy of axllent.org
assuming you're running a dedicated or VPS server

https://www.axllent.org/docs/view/ssh-geoip/

make sure you follow all steps exactly as shown and pay attention to the details.
important: edit the script according to your needs especially here
Code:
#!/bin/bash

# UPPERCASE space-separated country codes to ACCEPT
ALLOW_COUNTRIES="US DE AU CH"
make sure your country where you connect from is set here, and if you want to add more countries that are allowed they are separated by space.

if you want to check and see if it works/blocks just type
Code:
cat /var/log/syslog | grep DENY
and you should get something like

Code:
Dec 26 14:06:38 yourservername root: DENY sshd connection from 61.184.247.3 (CN)
Dec 26 14:09:33 yourservername root: DENY sshd connection from 61.184.247.8 (CN)
Dec 26 14:25:56 yourservername root: DENY sshd connection from 36.156.24.97 (CN)
Dec 26 14:40:44 yourservername root: DENY sshd connection from 36.156.24.96 (CN)
Dec 26 14:45:58 yourservername root: DENY sshd connection from 95.112.119.12 (DE)
Dec 26 14:51:16 yourservername root: DENY sshd connection from 122.226.181.166 (CN)
Dec 26 14:51:32 yourservername root: DENY sshd connection from 85.224.40.159 (SE)
Dec 26 14:56:15 yourservername root: DENY sshd connection from 223.111.139.210 (CN)
Dec 26 15:02:56 yourservername root: DENY sshd connection from 61.184.247.6 (CN)
Dec 26 15:05:15 yourservername root: DENY sshd connection from 122.226.181.167 (CN)
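
To go one step beyond the plain `grep DENY` check, the sketch below (an added example, not part of the post above or of the axllent.org script) tallies the DENY entries per country and flags any denied country that is also on the allow list, which is the situation that can lock you out. It assumes the log line format shown above; the function names are hypothetical and the sample lines are constructed with documentation-range IPs.

```bash
#!/bin/bash
# Added example: summarise DENY entries logged by the GeoIP SSH filter.
# Assumed line format (as shown in the post):
#   "<date> <host> root: DENY sshd connection from <ip> (<CC>)"

# Same value as in the filter script; adjust to your own list.
ALLOW_COUNTRIES="US DE AU CH"

# Constructed sample lines, not real log data.
SAMPLE_LOG='Dec 26 14:06:38 host1 root: DENY sshd connection from 192.0.2.3 (CN)
Dec 26 14:09:33 host1 root: DENY sshd connection from 192.0.2.8 (CN)
Dec 26 14:45:58 host1 root: DENY sshd connection from 198.51.100.12 (DE)
Dec 26 14:51:32 host1 root: DENY sshd connection from 203.0.113.159 (SE)
Dec 26 14:52:01 host1 sshd[812]: Accepted publickey for admin from 198.51.100.7'

# Reads log lines on stdin, prints "<count> <CC>" per denied country,
# most frequent first (ties sorted by country code).
deny_by_country() {
  grep -E 'DENY sshd connection from [0-9a-fA-F.:]+ \([A-Z]{2}\)' \
    | sed -E 's/.*\(([A-Z]{2})\)[[:space:]]*$/\1/' \
    | sort | uniq -c | sort -k1,1nr -k2,2 \
    | awk '{ print $1, $2 }'
}

# Reads log lines on stdin, prints every denied country code that is also
# in ALLOW_COUNTRIES. A hit means the deployed allow list differs from the
# one you think is active, or the GeoIP lookup returned something unexpected.
denied_but_allowed() {
  deny_by_country | while read -r _count cc; do
    case " $ALLOW_COUNTRIES " in
      *" $cc "*) echo "$cc" ;;
    esac
  done
}

echo "Denied connections per country:"
printf '%s\n' "$SAMPLE_LOG" | deny_by_country
echo "Denied although on the allow list:"
printf '%s\n' "$SAMPLE_LOG" | denied_but_allowed
```

On a real server, feed the functions the log instead of the sample, for example `deny_by_country < /var/log/syslog`.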
 

pYTTH

Senior Member
Staff
glad to hear @macfreaker
more security is provided by using ssh keys and disabling login, but in some cases this is not wanted or not possible
 

pYTTH

Senior Member
Staff
this is good in case you have a static ip, but if you have a dynamic (not talking about the vpn thing) it's hard to narrow it down. anyway, it just decreases exposure to the bad internet :giggle:
 

MrDoob

Guest
You don't need a static IP.
You can use the VPN-IP.

10.0.8.3 or another IP.

Or buy another IP from provider and use this for the dockers.

The regular IP only for SSH-access.
 
