Whitelisting IP Addresses

A whitelist is a list of IP addresses that are explicitly granted access to the server. A blacklist is a list of address that are explicitly denied access. The TCP Wrappers feature built into many Linux distributions lets you define whitelists and blacklists for services like SSH.

To whitelist specific IP addresses for the sshd service, open the hosts.allow file by running the following command in the server terminal:

$ sudo nano /etc/hosts.allow

Then put the IP addresses you want to whitelist in this file, either individually:

sshd: 192.168.2.2

or as a group using CIDR notation:

sshd: 192.168.2.0/24

You can then blacklist all the remaining IP addresses by modifying the hosts.deny file. Open the hosts.deny file:

$ sudo nano /etc/hosts.deny

And add following line:

sshd: ALL

If you would prefer to just blacklist specific addresses, enter the specific address or address range in hosts.deny:

sshd: 192.168.2.2
sshd: 192.168.5.0/24

After changing the hosts.allow and hosts.deny files, restart your SSH server by running following command:

$ sudo systemctl restart ssh

Now your SSH server is open to only specific IP addresses.

Blocking Addresses with a Firewall

An SSH server accessible by the public is bound to come under attack. The hosts.deny file is one way to block access to a specific IP address, but a firewall is another important line of defense.

For this example, I'll use the Uncomplicated Firewall (UFW) tool used to configure firewalls in Ubuntu. UFW comes preinstalled on many Linux distributions, but if your Linux uses a different tool, the concepts are similar. Check the status of UFW by running the following command (Figure 4):

$ sudo ufw status

Figure 4: Checking the status of UFW.

If UFW is inactive on your server, activate it as follows:

$ sudo ufw enable

Now say you want to block the IP address 192.168.2.2 and a range of IP addresses (192.168.5.0/24) on the SSH server, which is running on port 22 (of course, if you follow the advice given in this article, you'll be using a different port instead of port 22). Use the following command to block a single IP address:

$ sudo ufw deny from 192.168.2.2 port 22

This command will add a rule to block this IP address on port 22. Now check the status of UFW by again running the status command:

$ sudo ufw status

If UFW is active, the command will display all the rules, as shown in Figure 5.

Figure 5: If UFW is active, the status command displays the current ruleset.

Now run the following commands to block a range of IP addresses, and then check the UFW status on the SSH server:

$ sudo ufw deny from 192.168.5.0/24 port 22
$ sudo ufw status

These commands block the IP addresses and display all the rules, as shown in Figure 6.

Figure 6: Adding a rule in UFW.

Now your server is secure against attacks from these IP addresses. You can restore access to these addresses by deleting the rules. To delete the second rule from UFW rules (Figure 7):

$ sudo ufw delete 2
$ sudo ufw status

Figure 7: Deleting a rule.

Adding Two-Factor Authentication

One of the best ways to secure your SSH server against hijack is adding two-factor authentication (2FA). In this example, I will use Google Authenticator to add multifactor authentication to the SSH server. Following are the steps to activate 2FA on the SSH server.

First of all, install Google Authenticator on your Android device. You can install Google Authenticator with the following link:

https://play.google.com/store/apps/details id=com.google.android.apps.authenticator2&hl=en

Now log into the SSH server and run the following command in the terminal to install Google Authenticator on the server:

$ sudo apt-get install libpam-google-authenticator

After installing, open Google Authenticator by typing following command:

$ google-authenticator

You will be asked if you want Google Authenticator to generate time-based authentication tokens. If you reply with yes, tokens will expire after a specific time and new tokens will be generated. It is more secure to use time-based authentication tokens.

Answering this question will generate some credentials, including a QR code, a verification code, a secret key, and emergency scratch codes. Now open Google Authenticator on your Android device and scan the QR code generated on the terminal.

If your mobile device does not support QR code scanning, you can use a verification code to get started. Now you will be asked if you want to change the Google Authenticator configuration file. If you want to customize Google Authenticator, select yes (Figure 8).

Figure 8: Configuring Google Authenticator.

Once you have Google Authenticator configured and working, the next step is to configure SSH to use Google Authenticator for two-factor authentication. Open the SSH configuration file by typing the following command:

$ sudo nano /etc/ssh/sshd_config

Find the following lines and set them to yes:

UsePAM yes
ChallengeResponseAuthentication yes

After changing the configuration file (Figure 9), restart the SSH server by running following command:

$ sudo systemctl restart ssh

Figure 9: Configuring sshd_config for Google Authenticator.

Now whenever you try to login to your SSH server, it will ask for secondary credentials, which will then be generated on your smartphone. You can get access to the server after providing these credentials.