ssh is a very commonly attacked port. If you employ proper security on the ssh setup, no one will be getting in.
However, the relentless attacks that show in the log are not a good thing; it is best to defend against it. I personally have used blockhosts (http://www.aczoom.com/blockhosts/) for many years and it works very well. Essentially, it allows a configurable number of attempts to connect, then upon failure it sets iptables to block the ip address that failed, for a week.
I monitor this, and when one ip subnet is becoming too annoying, I just block the whole subnet using iptables at the router.
Blockhosts will also protect ftp the same way. Be aware that ftp is VERY insecure, and having an internet facing ftp port is probably ill-advised unless you know what you are doing.
To configure your system to permit access from one and only one ip address, you need some iptables rules to be permanently installed in your system. This means you need to create and debug the rules, then create a systemd service to start that ruleset every time you boot.
Here are the rules you need. Note I have not tested this and won't swear absolutely to the syntax, but it's close. Don't enter the comments I have put in parentheses.
```sh
modprobe ip_conntrack_ftp   # (to make sure passive connections are allowed; the module is called nf_conntrack_ftp on current kernels)
# (allow my.allowed.ip.address to connect to ftp: the client opens the control connection to port 21, so INPUT must accept NEW)
iptables -A INPUT  -p tcp -m tcp -s my.allowed.ip.address --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# (our replies on the control connection leave from port 21, so match --sport, not --dport)
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# (active-mode data channel: the server opens the connection from port 20 to the client)
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 20 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -m tcp -s my.allowed.ip.address --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP   # (drop anything for ftp that reaches this rule)
iptables -A INPUT -p tcp --dport 20 -j DROP   # (and this rule)
# (passive-mode data channel: the client connects to a high port; the ftp conntrack helper marks it RELATED)
iptables -A INPUT  -p tcp -m tcp -s my.allowed.ip.address --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -d my.allowed.ip.address --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
Also, of course, my.allowed.ip.address is the ip address of the computer you wish to allow to connect via ftp.
Note that I constructed these rules with some help from here:
http://unix.stackexchange.com/questions ... coming-ftp
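A blockhosts-style counter over sshd log lines, written as an added example for this page (it is not blockhosts' own code); the log lines, threshold, clock value and addresses are all constructed. It counts failed logins per source address, emits the week-long DROP rule the post describes for each offender, and also groups offenders by /24 for the "one ip subnet is becoming too annoying" case.

```python
"""Blockhosts-style counting of failed sshd logins (constructed example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sshd lines in the format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 host sshd[2213]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:02:00 host sshd[2220]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  3 10:03:00 host sshd[2230]: Accepted publickey for alice from 198.51.100.4 port 55000 ssh2
Mar  3 10:04:00 host sshd[2240]: Failed password for bob from 198.51.100.4 port 55010 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
BLOCK_FOR = timedelta(days=7)  # the one-week block the post describes

def failed_logins(log_text):
    """Count failed sshd password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def block_rules(counts, threshold, now_iso):
    """For each address at or above threshold, return (ip, iptables rule, expiry as ISO time)."""
    expiry = (datetime.fromisoformat(now_iso) + BLOCK_FOR).isoformat()
    return [(ip, f"iptables -I INPUT -s {ip} -j DROP", expiry)
            for ip, n in sorted(counts.items()) if n >= threshold]

def noisy_subnets(counts, prefixlen=24, min_hosts=2):
    """Group offenders by subnet; one with min_hosts distinct offenders is a router-block candidate."""
    hosts = {}
    for ip in counts:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts.setdefault(net, set()).add(ip)
    return sorted(str(net) for net, ips in hosts.items() if len(ips) >= min_hosts)

if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    for ip, rule, expiry in block_rules(counts, threshold=3, now_iso="2024-03-03T10:05:00"):
        print(f"{rule}   # {counts[ip]} failures, unblock after {expiry}")
    print("subnets to consider blocking at the router:", noisy_subnets(counts))
```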