  1. #1
    Member
    Join Date
    Mar 2007
    Posts
    5

    Is there a way to only allow access for a set geographical location?

    I am running a VPS and would like to restrict access on ports 2083,2087,2096 and ftp,ssh to only my location. Basically I want for every visitor that tries to access those ports to have their ip tracerouted to their city, and if it is not the same as my city then they should not have access. This would really reduce the probability of getting hacked and such. Is there such a way to implement an ip security system like this?


    Thanks in advance.

  2. #2
    Member
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    217

    Yes, you can do it, but it is a little expensive.

    Subscribe to http://www.maxmind.com/app/city and use iptables to allow those IPs.

    Hope that helps.
    Affordable Linux Server Management Solution
    http://www.linuxnetworkcare.com/services/cpanel.php
    [ Phone: 647-722-5303 MSN : sutha@linuxnetworkcare.com AIM : xerophytev skype:ksutha5]

  3. #3
    Member
    Join Date
    Mar 2007
    Posts
    5

    Yes that is expensive. They have a slightly less accurate version for free: http://www.maxmind.com/app/geolitecity

    But doesn't cPanel's IP deny function restrict access to the whole site, not just those key ports?

    And since I know the IP range of my service provider there must be a way just to restrict access to 2083,2087,2096,21,22 to only my range, instead of denying every ip on earth. Perhaps there is some 3rd party script that can take care of this?


    Thanks again

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote Originally Posted by wrighteq:
    And since I know the IP range of my service provider there must be a way just to restrict access to 2083,2087,2096,21,22 to only my range, instead of denying every ip on earth. Perhaps there is some 3rd party script that can take care of this?
    iptables -A INPUT ! -s 1.1.1.1 -p tcp --dport 21:22 -j REJECT      # FTP and SSH
    iptables -A INPUT ! -s 1.1.1.1 -p tcp --dport 2083:2096 -j REJECT  # cPanel/WHM/webmail port range

    (The negation goes before -s; the older "-s ! 1.1.1.1" placement is deprecated in current iptables.)

    Replace 1.1.1.1 with your IP address or CIDR range

    Note: Do not forget the exclamation mark before the IP or you will ban yourself!
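As an added example (not the poster's rules), here is a small POSIX shell script that builds the same restriction for the ports in this thread (21, 22, 2083, 2087, 2096) as an explicit ACCEPT for the allowed range followed by a REJECT for everyone else, and that refuses to apply the rules when the current SSH session comes from outside that range, which is the lock-out the note above warns about. ALLOWED_CIDR (203.0.113.0/24) is a placeholder for your ISP's range.

```shell
#!/bin/sh
# Added example, not from the thread: allow FTP, SSH and the cPanel/WHM ports only from
# one CIDR range. ACCEPT for the range first, then a catch-all REJECT for those ports,
# so no negated -s match is needed. ALLOWED_CIDR is a placeholder value.

ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"
PORTS="21,22,2083,2087,2096"

# ip4_to_int 192.0.2.1 -> 3221225985 (runs in a subshell so IFS is not changed globally)
ip4_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_contains <net/bits> <ip>: succeeds when ip lies inside the range
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# gen_rules <net/bits>: print the two rules; allowed range first, then reject the rest
gen_rules() {
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -s %s -j ACCEPT\n' "$PORTS" "$1"
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j REJECT --reject-with tcp-reset\n' "$PORTS"
}

# apply_rules: lock-out guard, then run the printed rules (needs root)
apply_rules() {
    client=${SSH_CONNECTION%% *}   # first field of SSH_CONNECTION is the client address
    if [ -z "$client" ] || ! cidr_contains "$ALLOWED_CIDR" "$client"; then
        echo "refusing: this session is from '${client:-unknown}', outside $ALLOWED_CIDR" >&2
        return 1
    fi
    gen_rules "$ALLOWED_CIDR" | sh
}

# Without --apply the script only prints the rules for review.
if [ "${1:-}" = "--apply" ]; then apply_rules; else gen_rules "$ALLOWED_CIDR"; fi
```

Append these after any existing RELATED,ESTABLISHED rule in INPUT, or the REJECT will also hit replies on already open sessions.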

  5. #5
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Or, if you're using a firewall like APF, you can follow this guide to limit IPs/ranges to specific services.

    http://www.webhostgear.com/406.html
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  6. #6
    Member
    Join Date
    Dec 2006
    Posts
    26

    GeoIP restrictions are a waste of time. As has been explained, limiting SSH and other management protocols to the range of addresses assigned by your RISP is sufficiently secure for anything you should be doing with cPanel and residential connections.

    In reality, though, IP restrictions aren't likely to save you from being "hacked". To keep your server secure, what you really need to do is change the default SSH port, and enable login controls after 2-3 failed attempts.

    The vast majority of SSH "hack attempts" are run by automated online crackers looking for weak systems operating with default parameters. Avoiding these defaults will stop these malicious programs in their tracks. As long as your passwords are good, and role accounts cannot log in, then the most harm these programs will cause is a slight bloat in your log files.

    You also need to make note of your server's key fingerprint, and use software which verifies that this fingerprint is what it should be on each connection. Protecting yourself against Man-in-the-Middle attacks is much more likely to stop an intrusion attempt than are IP limitations on SSH logins.

    Oh, and if this server has anything of high value on it, then you need to take special precautions to prevent your client computer from being infected with a Trojan Horse or other form of keylogger. If an attacker has infected your client computer, then there is no security precaution that will save your server from an attack. Your server's security is only as strong as the weakest client machine which logs in as root.

    If you have a root password on file with your colo/datacenter, then remove it and change it. Every time you need to give a tech access to your server, you should change the password to something temporary, allow him to complete the needed work, then change it right back again after examining ~/.bash_history. This isn't a foolproof way to prevent abuse by trusted parties, but will protect you against a mischievous tech or a compromise in the host's support database.

    The root password for each of your servers should be unique. Do not share it with any other servers or services.
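The "login controls after 2-3 failed attempts" advice above, shown as detection logic over a few sshd log lines. This is an added example, not something from the thread: the log lines are constructed, and the threshold of 3 failures and SSH_PORT are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source address and
# print the block rule a lockout tool would apply once a source reaches THRESHOLD.
# The log lines below are constructed for this example.

SAMPLE_AUTH_LOG='Mar  3 10:01:11 vps sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  3 10:01:14 vps sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  3 10:01:17 vps sshd[2103]: Failed password for root from 198.51.100.23 port 51020 ssh2
Mar  3 10:02:40 vps sshd[2110]: Failed password for alice from 203.0.113.45 port 40122 ssh2
Mar  3 10:02:52 vps sshd[2110]: Accepted publickey for alice from 203.0.113.45 port 40122 ssh2
Mar  3 10:03:05 vps sshd[2115]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2'

THRESHOLD="${THRESHOLD:-3}"   # assumed: block after this many failures
SSH_PORT="${SSH_PORT:-22}"    # set this to your non-default port if you moved sshd

# failed_by_ip <log-text>: "count ip" per source address, most failures first
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders <log-text>: one address per line that reached THRESHOLD failures
offenders() {
    failed_by_ip "$1" | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# ban_rules <log-text>: the iptables command per offender (printed, not executed)
ban_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$SSH_PORT"
    done
}

ban_rules "$SAMPLE_AUTH_LOG"
```

Run it against a real file with `ban_rules "$(cat /var/log/auth.log)"` and pipe the output to sh only after reviewing it; tools such as fail2ban do the same bookkeeping with expiry and whitelisting built in.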
