
The RediGate uses a Linux operating system, with standard Linux tooling (iptables, etc.) available for firewall configuration.

...

The Port Management table in the Firewall grants access to any client on a given network interface. If you want to be more selective and grant access only to some clients, see Limit Access to Specific Ports instead.

In the Firewall object, make sure that the "Input Policy" is set to "Drop All Input Packets".

...

For example, the 3rd and 4th rows in the following Custom IPTABLES table allow access to SSH port 22 on the cellular port (ppp0), but only from the range of client addresses 192.168.0.1 to 192.168.0.200. All other hosts would be blocked on port 22. The last two table rows are a single command joined with the continuation character (backslash). The 1st and 2nd rows of the table allow ping commands inbound and outbound on any interface.

iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT \
 -m iprange --src-range 192.168.0.1-192.168.0.200

...


Info
Consult online documentation and/or man pages for "iptables" help, to understand how to construct the correct conditional rules for iptables.

...

To hamper the efforts of hackers or bots using repeated login attempts, you can add a firewall rule that will lock out a user if they fail a login too many times in a row. Use the "Custom IPTABLES" option in the Firewall configuration to add several rows, such as in the following example:


The tilde backslash (~\) indicates a continuation to the next row. The seconds (120) and hitcount (4) can be adjusted as needed (seconds = lockout time, hitcount = number of connection attempts from the same IP at which blocking starts).

# The following lines block SSH attempts after 3 tries, for 2 minutes
iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --set ~\
 --name SSH
iptables -I INPUT 2 -p tcp --dport 22 -m state --state NEW -m recent --update ~\
 --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
# NOTE: Do NOT add ppp0 (port 22) into Port Management, only do it here
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT

In addition, the Firewall "INPUT Policy" should be set to "Drop All Input Packets," and the "Port Management" section of the Firewall configuration should not include an "ACCEPT Packet" rule for port 22 on the public network.

Instead, the last line (above) in Custom IPTABLES should be used to ACCEPT port 22 over the cellular (ppp0) and/or Ethernet (eth0, eth1, etc.) interface (use one line per command). These lines ACCEPTing port 22 must come after the preceding lines that check whether to block repeated failed SSH login attempts. You may combine this example with the previous example to further limit access to port 22 from specific IP address range(s).

Using "-I INPUT 1" (and "-I INPUT 2") inserts these rules at the top of the INPUT chain, above any port 22 ACCEPT rules that may be set in the Port Management section of the Firewall configuration, so that the rule for failed login attempts from a blocked IP address takes precedence over the subsequent ACCEPT rule.
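To make the behaviour of the two "recent" rows concrete, here is an added Python simulation (not part of the RediGate documentation or firmware) of the list that --set and --update maintain, using the seconds=120 and hitcount=4 values from the table above. The rules count NEW TCP connections to port 22 from one source address rather than authentication failures, so the simulation does the same; the attempt times and addresses are constructed sample data, and --rttl is not modelled.

```python
from collections import defaultdict

# Parameters from the two Custom IPTABLES rows above
SECONDS = 120    # --seconds 120: sliding window / lockout time
HITCOUNT = 4     # --hitcount 4: the 4th NEW connection inside the window is dropped
LIST_TOT = 20    # kernel default ip_pkt_list_tot: timestamps remembered per address


class RecentList:
    """Models the '--name SSH' list that both rules share: source IP -> seen times."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.seen = defaultdict(list)

    def _record(self, ip, now):
        stamps = self.seen[ip]
        stamps.append(now)
        del stamps[:-LIST_TOT]          # oldest entries fall off the ring

    def new_connection(self, ip, now):
        """One NEW tcp/22 packet from `ip` at time `now`; returns the verdict."""
        # Rule 1 ('-I INPUT 1 ... -m recent --set'): no target, so it always
        # records the attempt and lets evaluation continue to rule 2.
        self._record(ip, now)
        # Rule 2 ('-I INPUT 2 ... --update --seconds --hitcount ... -j DROP'):
        # matches when at least `hitcount` stamps fall inside the window.
        hits = sum(1 for t in self.seen[ip] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._record(ip, now)       # --update refreshes the entry on a match,
            return "DROP"               # so a host that keeps trying stays locked out
        return "ACCEPT"                 # falls through to the port-22 ACCEPT row


def simulate(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """attempts: list of (time_in_seconds, source_ip); returns one verdict per attempt."""
    rl = RecentList(seconds, hitcount)
    return [rl.new_connection(ip, t) for t, ip in attempts]


if __name__ == "__main__":
    # Constructed sample: one host hammers port 22, a second host connects once.
    sample = [(0, "192.168.0.7"), (10, "192.168.0.7"), (20, "192.168.0.7"),
              (30, "192.168.0.7"), (31, "192.168.0.8"), (100, "192.168.0.7"),
              (250, "192.168.0.7")]
    for (t, ip), verdict in zip(sample, simulate(sample)):
        print(f"t={t:>3}s {ip:<12} {verdict}")
```

The run shows the 4th attempt inside 120 s being dropped, a retry at t=100 still dropped because --update extended the lockout, and the same host accepted again once it has been quiet for a full window.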


Change SSH Port Number

Another step that can be taken to limit unauthorized users from logging in to the RediGate is to change the default SSH port (22) to a different, non-standard port.

...

  1. Log in to the RediGate with the 'root' account.
  2. Enter the following command, substituting the intended port number instead of "2222" (the pattern is anchored to the start of the line so that only the "Port" directive itself, commented out or not, is rewritten):
    P=2222 ; sed -i 's/^[#]*Port[ ]*[0-9]*/Port '$P'/' /etc/sshd_config
  3. Add one or more temporary firewall rules with the following command, using your port number instead of "2222" and the correct interface in place of "ppp0":
    iptables -A INPUT -p tcp -i ppp0 --dport 2222 -j ACCEPT

    Instead of, or in addition to, these temporary rules, you will ultimately need to configure a permanent, proper firewall rule to ACCEPT the new port number using the ACE Firewall object (see above).

  4. Restart sshd with the following command (make sure to include the & at the end):
    /etc/init.d/S50sshd restart &

    All existing SSH sessions will be closed. Log back in using the new port number.