If I set the rule sudo ufw allow from *MY IP* to any port 22, it allows access to my server only for me, but what happens if my IP changes? Will I lose access to the server?
1 Answer
If you allow ssh access from only your IP, and your IP then changes, then yes, you lose access to the server. However, changes using sudo ufw are not permanent, so since you can probably reboot the server in some way without logging in, you can recover. Even if you make the change permanent (using iptables-save), depending on where you get your server from, you might be able to get it back by using the console password or some other solution.
I assume that what you want to do is to protect your server from being scanned on the ssh port by the whole Internet? I recommend making ssh listen on an additional random port, between 10000 and 49191.
Choose a port that doesn't have a lot of traffic associated with it (for example, port 11111 has some things and is apparently used by some trojan, but port 11114 seems mostly unused). Let's imagine you choose that one for the sake of example.
Making sshd listen on the port of your choice is done by adding a line to /etc/ssh/sshd_config. The file already contains the line Port 22. Add another line Port 11114.
You must also add a firewall rule to allow access from "any" to your additional port.
You then need to reload sshd. That will not kill your current session.
To test, first run lsof -i :11114 and lsof -i :22. Each of those should return a line ending with LISTEN (maybe two if you have IPv6 on the server). If that is OK, open a second ssh session using the additional port (that way if you've messed up the file you'll be able to correct it using the first session).
Once that is done, you can log in from anywhere using the port you chose. You can then firewall off port 22 from the Internet at large.
It is certainly possible to modify the configuration of your ssh client (maybe PuTTY on Windows, probably ssh on Linux) to use your custom port by default when contacting your server, that way you don't have to think about it any more.
Hope this helps!
You also need to allow the non-standard port through any other firewalls on the network, and allow the port with SELinux. I am not convinced changing the ssh port helps, it just reduces the noise of you getting scanned. Yes, it is an example of altering the ssh port on the host firewall. – John Mahowald Nov 25 '18 at 13:15
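The procedure from the answer above (add a second Port line, open it in ufw, reload sshd, check the listeners, then close port 22 only after a second session works), written up as a script. This is an added example, not code from the original answer or its author. It assumes an Ubuntu/Debian host with OpenSSH, ufw and systemd, a service named `ssh`, and port 11114 as the chosen port; the helpers take a file path so they can be tried on a copy of sshd_config without root, and only the `apply` branch touches the live system. One caveat the answer does not cover is handled: stock Ubuntu ships `#Port 22` commented out, and once any Port directive is set explicitly the default of 22 no longer applies, so adding only `Port 11114` would drop the port your current session uses on reload. The helper therefore makes both ports explicit.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumed: Ubuntu/Debian with
# OpenSSH, ufw and systemd; 11114 is the chosen port as in the answer. Only
# the "apply" branch at the bottom touches the system.
set -eu

# ensure_sshd_ports FILE PORT...: make sure FILE has an uncommented "Port N"
# line for every N given. Stock Ubuntu ships "#Port 22" (commented); once any
# Port directive is set explicitly the default 22 stops applying, so 22 must be
# listed explicitly too or the reload silently drops the port you are on.
ensure_sshd_ports() {
    file=$1; shift
    for port in "$@"; do
        if ! grep -Eq "^[[:space:]]*Port[[:space:]]+${port}([[:space:]]|$)" "$file"; then
            printf 'Port %s\n' "$port" >> "$file"
        fi
    done
}

# sshd_ports FILE: ports sshd will bind according to FILE (uncommented Port
# directives, matched case-insensitively), or 22 when none is set.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' $ports
    else
        echo 22
    fi
}

# listeners PORT: number of TCP sockets in LISTEN state on PORT, using lsof as
# the answer suggests (expect 1, or 2 with IPv6 enabled).
listeners() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null | grep -c LISTEN || true
}

# apply: the privileged steps in the order the answer gives them. Run as root
# from an existing ssh session and keep that session open until the new port
# has been tested from a second session.
if [ "${1:-}" = apply ]; then
    NEWPORT=11114
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    ensure_sshd_ports /etc/ssh/sshd_config 22 "$NEWPORT"
    sshd -t                               # refuse to reload a broken config
    ufw allow "$NEWPORT"/tcp              # open the new port from anywhere
    systemctl reload ssh                  # reload does not drop the current session
    echo "sshd ports: $(sshd_ports /etc/ssh/sshd_config | tr '\n' ' ')"
    echo "listeners on $NEWPORT: $(listeners "$NEWPORT"), on 22: $(listeners 22)"
    echo "Now open a second session with: ssh -p $NEWPORT user@host"
    echo "Only after that works: ufw delete allow 22/tcp (and any 'from IP to any port 22' rule)"
fi
```

Run it as `sh script.sh apply` on the server; without the argument it only defines the helpers. On Ubuntu releases that start ssh via systemd socket activation (22.10 and later), the listening port is taken from the `ssh.socket` unit rather than from sshd_config, so check `systemctl status ssh.socket` before relying on the Port directive there. Remember the SELinux point from the comment above: on Fedora/RHEL you also need `semanage port -a -t ssh_port_t -p tcp 11114` before sshd may bind the new port.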