Reputation: 123
The scenario is as follows: I have a VPS (Droplet) in Digital Ocean (DO) and I connect via PuTTY (SSH); however, I must have another user enabled with root privileges and with password access (without SSH). This is because when there are connection problems through PuTTY/SSH, I must log in through my DO account and access the droplet console using that user with a password to fix the problem. This usually happens every time I restart the server: I cannot connect with any user from PuTTY, the connection is rejected. The solution is simple: restart ufw and everything is solved.
However, I open a door for hackers, who can easily break this user's password, which has all privileges. The idea is to allow this user to connect only from my personal IP, but the Ubuntu firewall only allows IP/port/application rules; no user can be referenced. How could I solve this problem?
Upvotes: 0
Views: 327
Reputation: 123
After much research and testing, and more tests, specifically with the telnet and login commands, I discovered something I did not know: when the SSH service is active, only an SSH connection with a private key is allowed; no other connection is allowed, not even SSH with a password. This feature is either integrated into Ubuntu or implemented by Digital Ocean; I guess the first.
Considering this, the problem raised in this question does not exist; no one can connect to the server unless they have the private key, and if you also only allow the SSH connection from a specific IP, the security is very good. Configuring the firewall in this simple way will be sufficient:
ufw status verbose
To Action From
-- ------ ----
8000 ALLOW IN Anywhere
6666/tcp ALLOW IN 15.15.15.15
8000(v6) ALLOW IN Anywhere (v6)
Port 8000 is for incoming requests from HTTP and HTTPS clients, which will be managed by Django, and any port other than the default 22 is for SSH, specifying the private IP of my computer; I can only connect from my computer with the corresponding private key. We will also have to modify the SSH configuration file, /etc/ssh/sshd_config, replacing port 22, setting PasswordAuthentication no, and restarting the service with service ssh restart.
Upvotes: 0
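The sshd_config edits and ufw rules the answer describes, as an added example (not code from the answer or from Digital Ocean): a small bash helper that sets each directive idempotently in a copy of the config, plus the matching ufw commands printed rather than executed. It assumes GNU sed, uses the answer's placeholder values (SSH port 6666, client IP 15.15.15.15), and adds PermitRootLogin prohibit-password, which the answer does not mention.

```shell
#!/usr/bin/env bash
# Added example: apply the answer's sshd_config changes to a given file.
# Run it on a copy first; the live file is /etc/ssh/sshd_config.
set -eu

# set_sshd_directive FILE KEY VALUE
# Replace any existing "KEY ..." line (commented or not) with "KEY VALUE",
# or append it when absent, so exactly one uncommented line remains.
set_sshd_directive() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd FILE PORT: custom port, key-only auth, no root password login.
harden_sshd() {
  local file=$1 port=$2
  set_sshd_directive "$file" Port "$port"
  set_sshd_directive "$file" PasswordAuthentication no
  set_sshd_directive "$file" PubkeyAuthentication yes
  set_sshd_directive "$file" PermitRootLogin prohibit-password
}

# get_sshd_directive FILE KEY: print the effective (uncommented) value.
get_sshd_directive() {
  awk -v k="$2" '$1==k {print $2; exit}' "$1"
}

# ufw_rules PORT IP: the rules from the answer, emitted for review rather
# than executed (port 8000 open to all, SSH port only from the given IP).
ufw_rules() {
  printf 'ufw allow 8000\n'
  printf 'ufw allow from %s to any port %s proto tcp\n' "$2" "$1"
  printf 'ufw enable\n'
}
```

Validate the edited file with `sshd -t -f FILE` before restarting the service. Note that the Droplet web console logs in through the local tty, not sshd, so these settings do not govern the password user there.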