Allow only one device to access the server through SSH - linux

I have a Linux server with SSH enabled and I want to allow only my mobile phone to access it from anywhere and any network.
I tried to make a firewall rule to allow a specific IP, but the thing is my mobile's IP changes continuously.
So what is the procedure to perform this task?
I tried a firewall rule to prevent all IPs.
I tried Fail2ban to ban all IPs that enter a wrong password, but it
blocks a huge number of IPs, which will affect the system's performance.

It'll be difficult unless you figure out a way to expose an API via HTTPS from your server that can change the deny/allow rule when your mobile IP changes. I personally don't know of anything like that... I just use OpenVPN for my mobile to connect, and I SSH to remote systems.
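The "rule that follows the phone's address" idea from the answer above can be done server-side with an nftables set that holds exactly one address and expires on its own. The script below is an added example, not code from the original thread: the table and set names, the port, the lease time, and the assumption that nftables is installed and the script runs as root are all mine. Whatever channel the phone uses to report its new address (the HTTPS API the answer mentions, a VPN, or anything else) must itself be authenticated, since anything that can call `apply_refresh` can open port 22 to an address of its choosing.

```shell
#!/bin/sh
# Added example (not from the original thread). Keeps an nftables set with a
# single allowed source address for SSH and refreshes it when the phone moves.
# Table/set names, port and lease time are assumptions for this example.

NFT_TABLE="inet filter"
NFT_SET="ssh_allow"
SSH_PORT=22
LEASE="1h"   # the entry expires by itself if the phone never checks in again

# valid_ipv4 ADDR: return 0 only for a dotted quad with every octet in 0..255.
# This is the input check that keeps a bad or malicious address string out of
# the nft command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ "$#" -eq 4 ] || exit 1
        for o in "$@"; do
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# nft_setup_commands: print the one-time commands that create the table, the
# set and the two rules. Port 22 is accepted only from members of the set and
# dropped otherwise; everything else on the host keeps the accept policy.
nft_setup_commands() {
    cat <<EOF
nft add table $NFT_TABLE
nft add chain $NFT_TABLE input '{ type filter hook input priority 0; policy accept; }'
nft add set $NFT_TABLE $NFT_SET '{ type ipv4_addr; flags timeout; }'
nft add rule $NFT_TABLE input tcp dport $SSH_PORT ip saddr @$NFT_SET accept
nft add rule $NFT_TABLE input tcp dport $SSH_PORT drop
EOF
}

# nft_refresh_commands NEW_IP: print the commands that replace the set contents
# with NEW_IP. The set is flushed first, so only one device is allowed at a time.
nft_refresh_commands() {
    valid_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    printf 'nft flush set %s %s\n' "$NFT_TABLE" "$NFT_SET"
    printf "nft add element %s %s '{ %s timeout %s }'\n" \
        "$NFT_TABLE" "$NFT_SET" "$1" "$LEASE"
}

# apply_setup / apply_refresh NEW_IP: actually run the commands (needs root and nft).
apply_setup()   { nft_setup_commands | sh -e; }
apply_refresh() { nft_refresh_commands "$1" | sh -e; }
```

Run `apply_setup` once, then call `apply_refresh <phone-ip>` from whatever authenticated path reports the phone's address; if the phone goes quiet the entry ages out after the lease and port 22 is closed again. This complements rather than replaces SSH-level controls: with `PasswordAuthentication no` in sshd_config and only the phone's public key in authorized_keys, an attacker who happens to share the phone's current address still cannot log in.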

Related

Azure ssh connection from home

I want to connect to a VM in the Azure cloud from home, i.e. without a fixed IP. I have added two security rules, for the network interface and the NSG respectively, to accept inbound connections on SSH port 22 from the IPv4 address given by showip.net. This doesn't work and I get a connection timeout; I tried the IPv6 address as well. If I do the very same thing for another server (outside Azure), the very same procedure works. The native IP addresses of both my home computer and the virtual machine I use as an alternative are IPv6.
So the question is: does my connection from home fail because some sort of reverse lookup is failing, or what could the other causes be?
Thanks!
It sounds like the issue is most likely some weird NATing by your ISP. Especially when IPv6 comes into play, it can often be a bit hard to find the actual external IP address that your requests are coming from. You can try different sites like whatsmyip.com etc. to see if you find another one that you can add.
Apart from that, there are various things you could try:
Use SSH from the Azure Cloud Shell (https://shell.azure.com)
Use Azure Bastion to have a jump host in the same VNET
Use a point-to-site VPN from your PC into your VNET

Connect to server behind

I have a newly installed MikroTik switch and have successfully configured it for VPN traffic. However, behind the switch is a Linux server to which I am unable to connect via PuTTY. I can see the server and its IP address in Winbox -> IP -> DHCP Server -> Leases, but as I say, I can't connect from within the VPN. I've made several attempts to add a rule to the firewall that would permit access, and I've even gone so far as to uncheck the firewall router box in Quick Set, but no matter what I've tried, it always times out. To be clear, I'd like the server to be visible to all machines connected to the switch, both via Ethernet and via pp2p.
I've been googling for hours, and I'm completely new to network engineering, so any help would be greatly appreciated.
I think the problem may be due to NAT and your VPN IP subnet. I have my VPN users in 192.168.4.0/24; the main subnet is 192.168.0.0/22. In Winbox go to IP > Firewall, then in the NAT tab make sure you have a masquerade action on your VPN subnet. I think the VPN Quick Set adds one, but if you're using different subnets it gets confused. See the image for what I have set for my VPN users to access servers and resources on the main network.

Cannot access WHM and SSH/root after a configuration in Host Access Control

I have a major problem and I am at my wit's end. First, I added my IP (like 172.32.1.0/255.255.255.0) to allow access for SSH, WHM and cPanel in WHM -> Host Access Control. Then, I added all IPs to deny access for them. However, after I saved the changes, I lost access to all of them. Now, if I try to log in to WHM, I see this:
HTTP error 401
You do not have permission to access this page.
Also, I cannot access SSH. I don't know what to do. Maybe if I restart the server, the problem will be solved? Please help me. Thank you.
A few possible options here.
Contact your web host's support and ask them to whitelist your IP or turn off HAC, whichever option you prefer.
Go to the nearest WiFi hotspot, connect from there, and remove your IP in HAC.
Use a VPN to connect to your server.
Ask someone you know and trust to log in and remove your IP (guide him/her via Skype screen sharing if needed).
You will have to contact your server provider to edit the /etc/hosts.allow and /etc/hosts.deny files, or if you have KVM access, you can edit them through the KVM console.
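WHM's Host Access Control writes /etc/hosts.allow and /etc/hosts.deny, and the lockout in this thread is the classic TCP Wrappers mistake: hosts.allow is consulted first, then hosts.deny, and "ALL: ALL" in hosts.deny only lets you in if your real client address matches an allow line. The script below is an added example, not code from the thread or from cPanel: it replays that decision for a client address against constructed file contents so a change can be checked before it is saved. It implements only the common client forms (ALL, exact address, net/mask, and a "prefix." pattern); hostnames, the EXCEPT operator and option fields are not handled, and the daemon name "sshd" and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Simplified TCP Wrappers matcher:
# hosts.allow first match -> allow, else hosts.deny first match -> deny, else allow.
# Supports client tokens ALL, a.b.c.d, net/mask (dotted mask) and "a.b.c." prefixes.

ip2int() {   # dotted quad -> integer
    (IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )))
}

# client_matches PATTERN IP: 0 if one hosts.* client token covers IP
client_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# rule_matches "daemons: clients[: options]" DAEMON IP: 0 if the line applies
rule_matches() {
    line=$1; daemon=$2; ip=$3
    dlist=${line%%:*}
    clist=${line#*:}
    clist=${clist%%:*}          # drop an optional option field
    hit=1
    for d in $(echo "$dlist" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$daemon" ] && hit=0
    done
    [ $hit -eq 0 ] || return 1
    for c in $(echo "$clist" | tr ',' ' '); do
        client_matches "$c" "$ip" && return 0
    done
    return 1
}

# any_rule_matches FILE_TEXT DAEMON IP: first matching non-comment line wins
any_rule_matches() {
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue ;; esac
        rule_matches "$l" "$2" "$3" && return 0
    done <<EOF
$1
EOF
    return 1
}

# tcpd_decision ALLOW_TEXT DENY_TEXT DAEMON IP: prints "allow" or "deny"
tcpd_decision() {
    if any_rule_matches "$1" "$3" "$4"; then echo allow
    elif any_rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow          # no match in either file: access is granted
    fi
}

# Constructed sample mirroring the thread: one /24 allowed for sshd, then deny all.
HOSTS_ALLOW='sshd: 172.32.1.0/255.255.255.0'
HOSTS_DENY='ALL: ALL'

# Usage: tcpd_decision "$HOSTS_ALLOW" "$HOSTS_DENY" sshd <your-public-ip>
```

Before saving a rule set like the one in the question, run `tcpd_decision` with the address the server actually sees for your session (`echo $SSH_CLIENT` on the server, not a guess about your home network). If the result is "deny" for that address, the "ALL: ALL" line will lock you out exactly as happened here; keep a second session open while you change the files so a mistake can still be reverted.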

Cannot SSH to an Azure Virtual Machine from a certain IP

Up until two weeks ago I'd been happily connecting to a virtual machine hosted in the Azure cloud over SSH. All of a sudden, the connection could not be established anymore; the SSH connection always times out. The tricky part is that it only happens from a computer that is in a certain firm's LAN (one public IP). Every other internet connection works fine and I'm able to connect to the virtual machine successfully. My IT support tells me that they can see the packets leaving our network and the firewall is not blocking the connection; I can't see any failed login attempts in the SSH log on the server. IT suggests that Azure may be blocking our IP for the SSH connection (other ports work fine, by the way). My question is: is such a thing even real? Can Azure block the IP without the user knowing about it? Is there some kind of IP blacklist I could edit?
Thanks!
The only place where your IP could be cut off is the ACL on the SSH endpoint. Go to the management portal and check whether you have any ACLs on the SSH endpoint. Maybe you misconfigured some?

How do I secure my new web server (Server 2008)?

I've just put my new server up on an IP address with a domain pointing to it. I need to be able to remote admin it. I've opened the firewall for Remote Desktop and HTTP traffic. Is this going to be secure enough? I guess I should probably rename the administrator user...
The absolute minimum you should do is change the Remote Desktop port, change the admin username, and use a very strong admin password.
That should be sufficient, as long as you use a crazy-complex password for the admin account and make sure your HTTP server is security-patched and up to date.
Also, I hope firewall != Windows Firewall.
Edit: +1 for EHaskin's suggestion of changing the RD port, if only to reduce the brute-force spam that your FW will have to endure, but never think that security == obscurity.
Any chance you can set up your server as a VPN endpoint? Then you would only have the VPN ports and the HTTP ports open. When you want to RDP to the server, you connect to the VPN first and then you're good to go.
The only reason is that, if my memory serves me right, RDP traffic is not encrypted.
This is how I run my IIS server at home; it works very well.
Windows Server 2008 supports VPN capabilities. You can configure your remote access policies using Network Policy and Access Services. I believe this needs to be installed as a role before you can use it. Also, simply changing the RDP port on your firewall will not prevent an experienced hacker from getting to your server; a simple port scan would reveal the open ports.