hardening SSH

Justin W jlist at jdjlab.com
Fri Aug 17 17:13:48 UTC 2007


Michael Klinosky wrote:
> I use ssh (on my own machines, personal use). My primary box (for ssh, 
> it's my daemon) is on dsl. The only machine that I log in from 
> (client?) is on the same ISP, and is on a dial-up line.
>
> I'd like to allow only those IPs that I might dynamically get. How would
> this be accomplished? I checked my secure log file (on the daemon 
> box), and have examples of IPs that I was assigned. Nota bene: It 
> seems like only the first and second parts are consistent. So, how can 
> I specify a range thus: 200.100.x.x ? Would I use a zero, or 'x', or ...?
>
I know this isn't the most efficient method (using non-standard port 
numbers and public/private key authentication can do more), but it is an 
interesting exercise in networking:

If you would be able to tell us which ISP you have, you may be able to 
narrow down the address range even more.  ISPs are given blocks of IP 
addresses to give out, and depending on your ISP, we may be able to 
calculate a subnet mask which will give you a smaller range of addresses 
to allow than the current 200.100.0.0/16 (which allows 65536 possible 
addresses).  For example, I can narrow down my ISP's address block to a 
19 bit mask (255.255.224.0 in network mask notation).  That leaves only 
8192 possible addresses (an 87.5% reduction), and that's using only the 
information available from arin.net.  If you could figure out the range 
of their dynamic IPs, you could reduce the possible range even more 
(because there's going to be a block reserved for static IP clients).

You can then restrict the incoming ssh attempts using a simple line in 
iptables.  It may look something like this (assuming you drop packets 
which haven't been specifically allowed):

iptables -A INPUT -p tcp --dport 22 -s 200.100.64.0/19 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Justin W
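The "networking exercise" Justin describes, as an added worked example that is not part of this thread: take the source addresses observed in the sshd host's secure log, compute the smallest CIDR block that covers all of them, compare it with the /16 the original poster would otherwise allow, and emit the matching iptables allowlist rule. The four sample addresses are constructed for the example, not taken from anyone's log.

```python
import ipaddress

# Constructed sample of source addresses as they might appear in
# /var/log/secure on the sshd box (not the original poster's data).
OBSERVED_IPS = [
    "200.100.65.12",
    "200.100.70.200",
    "200.100.81.3",
    "200.100.95.254",
]

def smallest_covering_network(ips):
    """Smallest CIDR block containing every address in ips.

    Dynamic pools are normally contiguous, so the longest common prefix of
    the lowest and highest observed address gives the tightest block that
    still admits every lease seen so far.
    """
    if not ips:
        raise ValueError("need at least one observed address")
    addrs = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    first, last = min(addrs), max(addrs)
    # Bits where first and last differ are host bits; the rest is the prefix.
    prefix = 32 - (first ^ last).bit_length()
    base = ipaddress.IPv4Address(first)
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)

def reduction_vs(network, wider):
    """Fraction of addresses removed compared to a wider block (0.0 - 1.0)."""
    return 1 - network.num_addresses / wider.num_addresses

def is_allowed(ip, network):
    """True if a client address would pass the allowlist rule."""
    return ipaddress.IPv4Address(ip) in network

def allowlist_rule(network, port=22):
    """Render the iptables rule from the post for the computed block."""
    return (f"iptables -A INPUT -p tcp --dport {port} -s {network} "
            "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")

if __name__ == "__main__":
    net = smallest_covering_network(OBSERVED_IPS)
    wide = ipaddress.ip_network("200.100.0.0/16")
    print(net, net.netmask, net.num_addresses)      # 200.100.64.0/19 255.255.224.0 8192
    print(f"{reduction_vs(net, wide):.1%} smaller than {wide}")
    print(allowlist_rule(net))
```

The block only covers leases already seen; a new lease outside it locks the client out, so widen the prefix deliberately (or check it against the ISP's published allocation) before relying on it as the sole path in.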
More information about the fedora-list mailing list