Restrict ip access
I have 2 Netgear NASes. One is rsyncing its backup to the other. I need to restrict IP access at the destination to only allow the one at the source. It is using port 22.
I have created a hosts.allow with:
ALL: 71.xxx.xxx.x, 108.xx.xx.xx: ALLOW
ALL: ALL; DENY
Those IPs are the public IPs of each side.
The hosts.deny is empty.
When someone goes to my public ip address and tries ssh access at port 22, they see a login. Is this correct?
Should this work?
What should change to prevent anyone from seeing a login screen with ssh access on port 22 from my public ip address?
Can that be accomplished in the Netgear NAS?
Re: Restrict ip access
I've never seen that format. With no hosts.deny, hosts.allow typically serves no purpose. I believe you want hosts.allow as
ALL: 71.xxx.xxx.x, 108.xx.xx.xx
and hosts.deny as:
ALL: ALL
But that doesn't give access to whatever local computer you are using to administer the NAS, assuming you need one. On the other hand, I don't know if those affect the GUI or ReadyNAS Remote. Putting its own public address on the access list also doesn't really make sense. Are the NASes really at those addresses, or are you port forwarding to them? If you are port forwarding, then you need to include the local LAN address of the local computer for admin, not the public one; maybe allowing all .local addresses. If all admin is (and always will be) done remotely, then you only need the remote public IP on the list.
This all does require that you have static IP addresses.
You might want to look here at a pretty good explanation:
using-etchosts-allow-and-etchosts-deny-to-secure-unix
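The two layouts discussed above (the option form with a trailing ALLOW/DENY field, and the classic hosts.allow plus hosts.deny pair) can be compared offline. The following is an added example, not code from the thread or from Netgear: a small simulation of the hosts_access(5) decision order (first match in hosts.allow wins, then first match in hosts.deny, otherwise access is granted), with the hosts_options(5) ALLOW/DENY keywords honoured. It assumes the NAS's sshd is linked against libwrap and built with that options extension; the addresses are constructed placeholders for the two public IPs in the thread. Note what the semicolon in the original post's last rule does: the client field becomes the tokens "ALL;" and "DENY", which match nothing, so the rule never fires and everyone falls through to the default allow.

```python
"""Added example (not from the page): simulate tcp_wrappers hosts_access(5) /
hosts_options(5) decisions for sshd, to compare hosts.allow / hosts.deny layouts.

Assumptions: sshd is linked against libwrap and built with PROCESS_OPTIONS, so a
trailing ": ALLOW" / ": DENY" field is honoured. IP addresses are constructed.
"""
import ipaddress

ALLOW, DENY = "ALLOW", "DENY"


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (daemons, clients, options) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = [o.upper() for o in fields[2:]]  # e.g. ALLOW, DENY
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, ip):
    """Match one client token: ALL, exact address, 'a.b.c.' prefix or CIDR."""
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:
            return ip in ipaddress.ip_network(pattern, strict=False)
        if pattern.endswith("."):
            return str(ip).startswith(pattern)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        # Hostnames are not resolved here; typos such as 'ALL;' never match.
        return False


def rule_matches(rule, daemon, ip):
    daemons, clients, _ = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        client_matches(c, ip) for c in clients)


def verdict(rule, file_default):
    """An explicit ALLOW/DENY option overrides the file's implicit verdict."""
    _, _, options = rule
    if ALLOW in options:
        return ALLOW
    if DENY in options:
        return DENY
    return file_default


def hosts_access(daemon, client, allow_text, deny_text=""):
    """First match in hosts.allow wins, then hosts.deny, else access is granted."""
    ip = ipaddress.ip_address(client)
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip):
            return verdict(rule, ALLOW)
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip):
            return verdict(rule, DENY)
    return ALLOW


# Constructed stand-ins for the two public addresses and an unrelated scanner.
SOURCE_NAS, DEST_NAS, STRANGER = "198.51.100.7", "203.0.113.9", "192.0.2.55"

# 1. Layout of the original post: note the ';' in the last rule.
ORIGINAL_ALLOW = "ALL: 198.51.100.7, 203.0.113.9: ALLOW\nALL: ALL; DENY\n"
# 2. Same option form with the typo fixed; hosts.deny stays empty.
FIXED_OPTION_ALLOW = "ALL: 198.51.100.7, 203.0.113.9: ALLOW\nALL: ALL: DENY\n"
# 3. The classic two-file form suggested in the reply.
CLASSIC_ALLOW = "ALL: 198.51.100.7, 203.0.113.9\n"
CLASSIC_DENY = "ALL: ALL\n"


def compare_layouts(daemon="sshd"):
    """Return {layout: {client: verdict}} for the three layouts above."""
    layouts = {
        "original": (ORIGINAL_ALLOW, ""),
        "fixed-option": (FIXED_OPTION_ALLOW, ""),
        "classic": (CLASSIC_ALLOW, CLASSIC_DENY),
    }
    return {name: {c: hosts_access(daemon, c, a, d)
                   for c in (SOURCE_NAS, DEST_NAS, STRANGER)}
            for name, (a, d) in layouts.items()}


if __name__ == "__main__":
    for name, result in compare_layouts().items():
        print(name, result)
```

Running it shows the stranger is allowed under the "original" layout and denied under the other two, while both NAS addresses are allowed everywhere. Whether the real sshd consults these files at all depends on libwrap support in the Netgear build, so verify with a connection from a non-listed address rather than trusting the file contents.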
Re: Restrict ip access
You might consider deploying ZeroTier, which would allow you to make the rsync-over-ssh connection without forwarding any ports in your router. You would have to trust ZeroTier's security, but you could still use the access controls in the NAS to restrict IP access to the zerotier IP addresses.
If these are OS-6 NAS you should also make sure that the ssh connection is limited to a user account that doesn't have shell access. See using a remote host here: https://kb.netgear.com/29929/ReadyNAS-OS-6-Setting-up-a-backup-job-with-rsync-over-SSH
Re: Restrict ip access
Yes, it is OS 6 on both ends.
I got those hosts.allow settings from a website. I believe either will work.
I can change it to your suggestion and see if it works.
This effort is to secure the NASes against vulnerabilities in protocol 1 of openssh.
I tried Zerotier but had no luck in making it work.
The rsync has been working without fail for several months now, so if this can be secured then it would seem to be ok.
I hope it is ok to also include openssh questions in this discussion.
When I run `rpm -qi openssh` it says openssh is not installed.
But then when I run `dpkg -l | grep -i openssh` I get:
ii openssh-client 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:6.7p1-5+deb8u3.netgear1 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
It seems to be there.
But then when I run `apt-get changelog ssh | grep -i cve` I get:
E: Failed to fetch changelog:/openssh.changelog Changelog unavailable for openssh=1:6.7p1-5+deb8u3.netgear1
It seems to not be there.
But then the person confirming I am in PCI compliance says I am running:
SSH-2.0-OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u3.netgear1 jessie (security) 1:6.7p1-5+deb8u3
So it seems to be there.
Which is it?
Re: Restrict ip access
Or maybe start a thread on what issues you had with ZeroTier and I can help you with that. It's what I use.