Is there a way to only allow access for a set geographical location?

Discussion in 'General Discussion' started by wrighteq, Mar 25, 2007.

  1. wrighteq

    wrighteq Member

    Joined:
    Mar 24, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I am running a VPS and would like to restrict access on ports 2083, 2087, 2096 and FTP, SSH to only my location. Basically I want every visitor that tries to access those ports to have their IP tracerouted to their city, and if it is not the same as my city then they should not have access. This would really reduce the probability of getting hacked and such. Is there a way to implement an IP security system like this?


    Thanks in advance.
     
  2. xerophyte

    xerophyte Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    216
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
  3. wrighteq

    wrighteq Member

    Joined:
    Mar 24, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Yes that is expensive. They have a slightly less accurate version for free: http://www.maxmind.com/app/geolitecity

    But doesn't cPanel's IP deny function restrict access to the whole site, not just those key ports?

    And since I know the IP range of my service provider, there must be a way to restrict access to 2083, 2087, 2096, 21, 22 to only my range, instead of denying every IP on earth. Perhaps there is some third-party script that can take care of this?


    Thanks again
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    iptables -A INPUT -s ! 1.1.1.1 -p tcp --dport 21:22 -j REJECT
    iptables -A INPUT -s ! 1.1.1.1 -p tcp --dport 2083:2096 -j REJECT

    Replace 1.1.1.1 with your IP address or CIDR range

    Note: Do not forget the exclamation mark before the IP or you will ban yourself!
     
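An added example, not part of Spiral's post and not cPanel code: a small POSIX shell script that emits the same kind of source-address allowlist as the two rules above, but with one rule per management port (21, 22, 2083, 2087, 2096, so the unrelated ports 2084-2095 are not swept in by a port range) and the current `! -s` spelling of the negation. It assumes iptables is installed; the range 203.0.113.0/24 used below is a documentation prefix standing in for your provider's range. The rules are only printed unless `--apply` is given, so a typo in the range can be caught before anything is loaded into the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables allowlist for the
# cPanel/WHM/webmail SSL ports plus FTP and SSH, permitting one source range.
# Assumes iptables with the "! -s" negation syntax. 203.0.113.0/24 below is a
# documentation prefix, stand-in for the real provider range.

MGMT_PORTS="21 22 2083 2087 2096"

# Rough sanity check so an empty string or a mangled argument never turns
# into a rule that rejects the whole world (octet values are not range-checked).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print one REJECT rule per port for everything outside ALLOWED_CIDR.
# Listing each port avoids a 2083:2096 range catching 2084-2095 as well.
build_rules() {
    allowed="$1"
    valid_cidr "$allowed" || { echo "bad CIDR: $allowed" >&2; return 1; }
    for port in $MGMT_PORTS; do
        printf 'iptables -A INPUT ! -s %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
            "$allowed" "$port"
    done
}

# Default is review only; rules are executed only with an explicit --apply.
case "${1:-}" in
    --apply) [ -n "${2:-}" ] && build_rules "$2" | sh ;;
    '') ;;
    *) build_rules "$1" ;;
esac
```

Run it as `sh allowlist.sh 203.0.113.0/24` to read the rules, then `sh allowlist.sh --apply 203.0.113.0/24` as root while a second SSH session stays open, so a wrong range can still be undone. The rules do not survive a reboot on their own; save them with your distribution's iptables persistence mechanism once they are confirmed to work.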
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
  6. GCIS

    GCIS Active Member

    Joined:
    Dec 12, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    GeoIP restrictions are a waste of time. As has been explained, limiting SSH and other management protocols to the range of addresses assigned by your ISP is sufficiently secure for anything you should be doing with cPanel and residential connections.

    In reality, though, IP restrictions aren't likely to save you from being "hacked". To keep your server secure, what you really need to do is change the default SSH port, and enable login controls after 2-3 failed attempts.

    The vast majority of SSH "hack attempts" are run by automated online crackers looking for weak systems operating with default parameters. Avoiding these defaults will stop these malicious programs in their tracks. As long as your passwords are good, and role accounts cannot log in, then the most harm these programs will cause is a slight bloat in your log files.

    You also need to make note of your server's key fingerprint, and use software which verifies that this fingerprint is what it should be on each connection. Protecting yourself against Man-in-the-Middle attacks is much more likely to stop an intrusion attempt than are IP limitations on SSH logins.

    Oh, and if this server has anything of high value on it, then you need to take special precautions to prevent your client computer from being infected with a Trojan Horse or other form of keylogger. If an attacker has infected your client computer, then there is no security precaution that will save your server from an attack. Your server's security is only as strong as the weakest client machine which logs in as root.

    If you have a root password on file with your colo/datacenter, then remove it and change it. Every time you need to give a tech access to your server, you should change the password to something temporary, allow him to complete the needed work, then change it right back again after examining ~/.bash_history. This isn't a foolproof way to prevent abuse by trusted parties, but will protect you against a mischievous tech or a compromise in the host's support database.

    The root password for each of your servers should be unique. Do not share it with any other servers or services.
     
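An added example, not from GCIS's post and not a cPanel tool: a POSIX shell script that applies the "lock out after a few failures" idea to sshd log lines. The eight log lines are constructed samples in OpenSSH's syslog format with addresses from the documentation ranges, not a real server's log; the threshold of 3 follows the post. It counts `Failed password` lines per source address and can turn the addresses that reach the threshold into REJECT rules for whichever port sshd listens on, printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): find source addresses that have reached
# the failed-login threshold from sshd syslog lines, and show the block rules
# that a login-control tool would apply. SAMPLE_LOG is constructed data.

THRESHOLD=3

SAMPLE_LOG='Mar 25 10:01:02 vps sshd[2001]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar 25 10:01:05 vps sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Mar 25 10:01:09 vps sshd[2003]: Failed password for root from 198.51.100.7 port 40102 ssh2
Mar 25 10:02:30 vps sshd[2010]: Failed password for root from 203.0.113.9 port 51000 ssh2
Mar 25 10:02:45 vps sshd[2011]: Accepted publickey for deploy from 203.0.113.9 port 51001 ssh2
Mar 25 10:03:00 vps sshd[2012]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2
Mar 25 10:03:01 vps sshd[2013]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Mar 25 10:03:02 vps sshd[2014]: Failed password for invalid user postgres from 192.0.2.44 port 33002 ssh2'

# Read log lines on stdin; print "count ip" for each address with at least
# THRESHOLD failed password attempts, busiest first. Both "for root from X"
# and "for invalid user Y from X" put the address right after "from".
failed_logins() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into REJECT rules for the sshd port (default 22).
# Rules are printed, not executed; -I puts them ahead of any allow rules.
block_rules() {
    port="${1:-22}"
    awk -v p="$port" '{ printf "iptables -I INPUT -s %s -p tcp --dport %s -j REJECT\n", $2, p }'
}

# Run the detection over the constructed sample.
offenders() { printf '%s\n' "$SAMPLE_LOG" | failed_logins; }

case "${1:-}" in
    --demo) offenders ;;
esac
```

With `--demo` the script reports 198.51.100.7 and 192.0.2.44 (three failures each) and ignores 203.0.113.9, whose single failure was followed by a successful key login; piping the result through `block_rules 2222` gives the rules for an sshd moved to port 2222. On a live server the input would be `/var/log/secure` or `/var/log/auth.log`, and a daemon such as fail2ban does this continuously; the script is there to show what the detection actually keys on.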