I wanted to block all traffic on port 22 except for a few hosts that I use.
I was tired of seeing lots of stupid worm attack traffic on my EC2 host.
Jun 9 19:02:45 ip-172-30-4-108 sshd: Invalid user cisco from 220.127.116.11
Jun 9 19:02:45 ip-172-30-4-108 sshd: input_userauth_request: invalid user cisco [preauth]
Jun 9 19:02:46 ip-172-30-4-108 sshd: Connection closed by 18.104.22.168 port 9224 [preauth]
Yes, I could use security groups, but then I’d have to use security groups.
iptables ! -s with,more,than,one,address fails
iptables v1.6.0: ! not allowed with multiple source or destination IP addresses
The alternative is to use ipset. It's not hard!
ipset create ssh-ok hash:ip
ipset add ssh-ok mine.example.com
ipset list # is this thing working, just checking.
ipset add ssh-ok myfriend.example.com
ipset add ssh-ok mywork.example.com
ipset list # still working, ok looks good.
iptables -A INPUT -m set \! --match-set ssh-ok src -p tcp --dport 22 -j DROP
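The same setup as a re-runnable script, added here as an example rather than taken from the post: it rebuilds the set in a scratch copy and swaps it in (so the live set is never empty while hosts are re-resolved, which with `! --match-set ... DROP` would cut off every SSH session including your own), and inserts the rule only if it is not already there. The hostnames are the placeholders from the post; `DRY_RUN=1` is an assumed convenience variable for printing the plan without root.

```shell
#!/bin/sh
# Rebuild the ssh-ok allowlist and ensure the DROP rule exists exactly once.
# Safe to run repeatedly (e.g. from cron) so hosts whose DNS changes get re-resolved.
set -eu

SET_NAME=ssh-ok
# Placeholder hostnames from the post; override with ALLOWED_HOSTS="a b c".
ALLOWED_HOSTS="${ALLOWED_HOSTS:-mine.example.com myfriend.example.com mywork.example.com}"

# run CMD...: execute the command, or only print it when DRY_RUN=1 (assumed variable).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The match from the post, kept in one place so -C and -I always agree.
rule_args() { printf '%s' "INPUT -m set ! --match-set $SET_NAME src -p tcp --dport 22 -j DROP"; }

build_set() {
    # -exist makes create/add idempotent. Fill a scratch set, then atomically swap it
    # into place: flushing the live set directly would momentarily drop all SSH.
    run ipset create -exist "$SET_NAME" hash:ip
    run ipset create -exist "${SET_NAME}-new" hash:ip
    run ipset flush "${SET_NAME}-new"
    for h in $ALLOWED_HOSTS; do
        run ipset add -exist "${SET_NAME}-new" "$h"   # ipset resolves the name now
    done
    run ipset swap "${SET_NAME}-new" "$SET_NAME"
    run ipset destroy "${SET_NAME}-new"
}

ensure_rule() {
    # -I (not -A) puts the DROP at the top, so an earlier ACCEPT for dport 22 cannot win.
    # iptables -C checks for an existing identical rule so re-runs do not duplicate it.
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C $(rule_args) 2>/dev/null; then
        run iptables -I $(rule_args)
    fi
}

# Usage: sudo sh ssh-allowlist.sh --apply   (DRY_RUN=1 prints the plan instead)
if [ "${1:-}" = "--apply" ]; then
    build_set
    ensure_rule
fi
```

Neither the set nor the rule survives a reboot on its own; run the script at boot or persist them with `ipset save` and `iptables-save`.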
Thanks for the help: