{"id":4733,"date":"2023-04-25T12:37:34","date_gmt":"2023-04-25T19:37:34","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4733"},"modified":"2023-04-25T12:37:35","modified_gmt":"2023-04-25T19:37:35","slug":"how-to-allow-ssh-access-based-on-country","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4733","title":{"rendered":"How to Allow SSH Access Based on Country"},"content":{"rendered":"\n<p>The GeoIP database maps IP addresses to geographical locations. Using this database we can look up the country to which any IP address belongs from the Linux command line. This article will help you to allow SSH or FTP (vsftpd) access based on the user\u2019s country. This example uses TCP wrappers to secure your services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Install GeoIP and GeoIP Database<\/h2>\n\n\n\n<p>First, install the GeoIP binary for Linux and its database according to your operating system. For CentOS and RedHat users, the GeoIP binary and database are combined in a single package.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">On CentOS and RedHat:<\/h5>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo yum install GeoIP <\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">On Ubuntu and Debian:<\/h5>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get install geoip-bin geoip-database <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Create the SSH\/FTP Filter Script<\/h2>\n\n\n\n<p>Now create a shell script that takes the IP address of an incoming connection, looks up its country in the GeoIP database, and allows the connection only if the country code is listed in the&nbsp;<strong>ALLOW_COUNTRIES<\/strong>&nbsp;variable in the script. An IP address that is not found in the database is allowed as well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/usr\/local\/bin\/ipfilter.sh <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/bin\/bash\n# License: WTFPL\n\n# UPPERCASE space-separated country codes to ACCEPT\nALLOW_COUNTRIES=\"IN 
US\"\nLOGDENY_FACILITY=\"authpriv.notice\"\n\nif [ $# -ne 1 ]; then\n  echo \"Usage:  `basename $0` ip_address\" 1&gt;&amp;2\n  exit 0 # return true in case of config issue\nfi\n\n# IPv6 addresses contain ':' and need the IPv6 lookup tool\nif [[ \"`echo $1 | grep ':'`\" != \"\" ]] ; then\n  COUNTRY=`\/usr\/bin\/geoiplookup6 \"$1\" | awk -F \": \" '{ print $2 }' | awk -F \",\" '{ print $1 }' | head -n 1`\nelse\n  COUNTRY=`\/usr\/bin\/geoiplookup \"$1\" | awk -F \": \" '{ print $2 }' | awk -F \",\" '{ print $1 }' | head -n 1`\nfi\n# Unknown addresses are allowed (fail open), listed countries are allowed, everything else is denied\n[[ $COUNTRY = \"IP Address not found\" || $ALLOW_COUNTRIES =~ $COUNTRY ]] &amp;&amp; RESPONSE=\"ALLOW\" || RESPONSE=\"DENY\"\n\nif [[ \"$RESPONSE\" == \"ALLOW\" ]] ; then\n  logger -p $LOGDENY_FACILITY \"$RESPONSE sshd connection from $1 ($COUNTRY)\"\n  exit 0\nelse\n  logger -p $LOGDENY_FACILITY \"$RESPONSE sshd connection from $1 ($COUNTRY)\"\n  exit 1\nfi\n<\/pre>\n\n\n\n<p>Script source: https:\/\/gist.github.com\/jokey2k\/a74f56955124880749e7<\/p>\n\n\n\n<p>Make this script executable:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod +x \/usr\/local\/bin\/ipfilter.sh <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Restrict SSH\/FTP Connections<\/h2>\n\n\n\n<p>Now apply the SSH and FTP restrictions using TCP wrappers. First we need to deny everyone by adding the lines below to&nbsp;<code>\/etc\/hosts.deny<\/code>.<\/p>\n\n\n\n<p><strong>\/etc\/hosts.deny:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sshd: ALL\nvsftpd: ALL\n<\/pre>\n\n\n\n<p>Now edit&nbsp;<code>\/etc\/hosts.allow<\/code>&nbsp;and allow only those IPs which are accepted by your IP filter script. The&nbsp;<code>aclexec<\/code>&nbsp;option grants access only when the script exits with status 0; the&nbsp;<code>spawn<\/code>&nbsp;option would run the script but ignore its exit status, so every client would be allowed.<\/p>\n\n\n\n<p><strong>\/etc\/hosts.allow:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sshd: ALL: aclexec \/usr\/local\/bin\/ipfilter.sh %a\nvsftpd: ALL: aclexec \/usr\/local\/bin\/ipfilter.sh %a\n<\/pre>\n\n\n\n<p>The FTP restriction above is for vsftpd only. Also, make sure you have enabled TCP wrappers (tcp_wrappers=YES) in your vsftpd configuration. 
You can also create similar rules for any other service supported by TCP wrappers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Testing<\/h2>\n\n\n\n<p>Finally, test your server by logging in over SSH or FTP from different locations and analyzing the log files. Below are some demo log entries created by ipfilter.sh.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Feb 27 13:03:29 TecAdmin root: DENY sshd connection from 212.191.246.202 (PL)\nFeb 27 13:34:28 TecAdmin root: DENY sshd connection from 212.181.246.202 (SE)\nFeb 27 13:34:36 TecAdmin root: DENY sshd connection from 211.181.246.203 (KR)\nFeb 27 13:35:00 TecAdmin root: DENY sshd connection from 221.191.146.204 (JP)\nFeb 27 15:11:04 TecAdmin root: ALLOW sshd connection from 49.15.212.12 (IN)\nFeb 27 15:11:09 TecAdmin root: ALLOW sshd connection from 149.15.212.12 (US)\nFeb 27 15:11:22 TecAdmin root: ALLOW sshd connection from 49.15.156.123 (IN)\nFeb 27 15:11:32 TecAdmin root: ALLOW sshd connection from 231.15.156.123 (IP Address not found)\nFeb 27 15:14:04 TecAdmin root: DENY sshd connection from 111.15.15.123 (CN)\nFeb 27 15:14:56 TecAdmin root: ALLOW sshd connection from 49.15.110.123 (IN)\n<\/pre>\n\n\n\n<p>In the logs, you can see that all IPs belonging to the US (United States) and IN (India) are allowed. Any IP that is not found in the GeoIP database is also allowed by default. IPs matching any other country are denied.<\/p>\n\n\n\n<p>Ref: https:\/\/tecadmin.net\/allow-server-access-based-on-country\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GeoIP database has records of Geographical location based on IP address. Using this database we can search for any IP belonging to which country using the Linux command line. This article will help you to allow SSH or FTP (vsftpd) access based on the user\u2019s country. This example uses TCP wrappers to secure your services. 
<a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4733\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[262,5],"tags":[1578,1579,1577],"class_list":["post-4733","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","tag-allow-ssh-access-based-on-country","tag-allow-ssh-access-based-on-ip-location","tag-geoip"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4733"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4733\/revisions"}],"predecessor-version":[{"id":4734,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4733\/revisions\/4734"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4733"},{"taxonomy":"p
ost_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}