There is a real security risk in leaving your shell connection ports exposed to the internet, especially if you never intend to connect from Zimbabwe or other random countries.

This can limit brute-force attack exposure and also save valuable resources and bandwidth by rejecting packets before a TCP handshake.

Install GeoIP

You will need a database that can be queried locally and that maps IP ranges to countries.

Query GeoIP database

The script

Paste the following in:

Enable script

Lock down SSH

Set up a deny-all for the SSH daemon

Add the following into the deny file

Enable the script in the allow ssh file

Add the following into the allow file

Testing

Test the script by running it with an IP address as its argument

Should output something like the following:
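As an added example (this is not the script from the post, whose body did not survive), here is a complete TCP wrappers ACL script for the steps above. It assumes geoiplookup(1) from geoip-bin is installed with its country database, that the script is saved as /scripts/ssh_geo_filter.sh (a hypothetical path), and that the allowed country codes are set in ALLOW_COUNTRIES (US and GB are placeholder defaults). Unknown or unresolvable addresses are denied rather than allowed, and every verdict is logged to the auth facility so denied connections remain visible to whoever is watching the logs:

```shell
#!/bin/sh
# Added example: GeoIP ACL script for TCP wrappers (not the post's own script).
# Assumptions: geoiplookup(1) and its country database are installed, the file lives at
# /scripts/ssh_geo_filter.sh (hypothetical), and hosts.allow invokes it as
#   sshd: ALL: aclexec /scripts/ssh_geo_filter.sh %a
# Exit status 0 allows the connection, 1 denies it.

# Space-separated ISO 3166-1 alpha-2 codes allowed to open an SSH session (placeholder defaults).
ALLOW_COUNTRIES="${ALLOW_COUNTRIES:-US GB}"

# Extract the two-letter country code from geoiplookup output,
# e.g. "GeoIP Country Edition: US, United States" -> "US".
# Prints nothing when the lookup failed ("GeoIP Country Edition: IP Address not found").
parse_country() {
    printf '%s\n' "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# Return 0 if the code is in the allow list, 1 otherwise.
# An empty code (unknown address, private range, lookup error) is denied: fail closed.
country_allowed() {
    code="$1"
    [ -n "$code" ] || return 1
    for c in $ALLOW_COUNTRIES; do
        [ "$c" = "$code" ] && return 0
    done
    return 1
}

# Look up one address, decide, and log the verdict. sshd never sees a denied
# connection, so this log line is the only record of the attempt.
check_ip() {
    ip="$1"
    country=$(parse_country "$(geoiplookup "$ip" 2>/dev/null)")
    if country_allowed "$country"; then
        logger -p authpriv.info -t ssh_geo_filter "ALLOW $ip ($country)"
        return 0
    fi
    logger -p authpriv.notice -t ssh_geo_filter "DENY $ip (${country:-unknown})"
    return 1
}

# With an argument (from tcpd via aclexec, or by hand: ./ssh_geo_filter.sh 203.0.113.5)
# decide for that address; without one, only the functions are defined.
if [ $# -gt 0 ]; then
    check_ip "$1"
fi
```

Make it executable (chmod 755), put `sshd: ALL` in /etc/hosts.deny and `sshd: ALL: aclexec /scripts/ssh_geo_filter.sh %a` in /etc/hosts.allow; aclexec is a hosts_options(5) feature, so tcpd must be built with option processing, which Debian-derived builds are. Two caveats: TCP wrappers decide after accept(), so the three-way handshake still completes and only the session is refused, and OpenSSH removed libwrap support in 6.7, so on such a build hosts.allow has no effect on sshd and a netfilter GeoIP match (xt_geoip from xtables-addons) is the equivalent that actually drops packets before the handshake.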

Update GeoIP

There is only one constant in the world, and that is change; IP addresses are no exception.

Create a new file called update_geo.sh in /scripts

Add the following into the file

Make the script executable

Edit the crontab

Paste the following at the bottom of the crontab
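The post's update_geo.sh and crontab line did not survive extraction, so here is an added example of my own for the update steps above, not the author's script. It assumes the database is published as a gzip file at GEOIP_URL (a placeholder; the legacy MaxMind GeoIP.dat downloads this kind of setup relied on were discontinued, so substitute whatever source you actually use) and that geoiplookup reads /usr/share/GeoIP/GeoIP.dat. The download is checked for the gzip magic bytes before it is decompressed, and the new file is swapped in with a single mv so a failed or truncated fetch never leaves the filter without a database:

```shell
#!/bin/sh
# Added example for the "Update GeoIP" step (not the post's own update_geo.sh).
# Assumptions: GEOIP_URL serves a gzip-compressed GeoIP.dat (placeholder URL below),
# geoiplookup reads GEOIP_DB, and this file is saved as /scripts/update_geo.sh.
# Suggested crontab entry, once a month at 03:17 on the 1st:
#   17 3 1 * * /scripts/update_geo.sh

GEOIP_URL="${GEOIP_URL:-https://example.invalid/GeoIP.dat.gz}"   # placeholder, replace
GEOIP_DB="${GEOIP_DB:-/usr/share/GeoIP/GeoIP.dat}"

# Return 0 if the file begins with the gzip magic bytes 1f 8b, 1 otherwise.
# A truncated download or an HTML error page saved as the file fails this check.
is_gzip() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Decompress $1 beside the target $2, sanity-check the result, then replace the
# target atomically. On any failure the existing database is left untouched.
install_db() {
    src="$1"; dst="$2"
    is_gzip "$src" || { echo "update_geo: $src is not a gzip file" >&2; return 1; }
    tmp="$dst.tmp.$$"
    if ! gzip -dc "$src" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "update_geo: decompression of $src failed" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv -f "$tmp" "$dst"
}

# Fetch the new database to a temp file, install it, and log the outcome.
update_geoip() {
    dl=$(mktemp) || return 1
    if curl -fsSL -o "$dl" "$GEOIP_URL" && install_db "$dl" "$GEOIP_DB"; then
        logger -t update_geo "GeoIP database updated from $GEOIP_URL"
        rc=0
    else
        logger -t update_geo "GeoIP database update FAILED; previous file kept"
        rc=1
    fi
    rm -f "$dl"
    return $rc
}

# Only download when invoked as update_geo.sh, not when the file is sourced.
case "$0" in
    */update_geo.sh|update_geo.sh) update_geoip ;;
esac
```

Run `chmod 755 /scripts/update_geo.sh` and add the crontab line from the header comment with `crontab -e`; the five fields are minute, hour, day of month, month and weekday, so a monthly refresh needs a fixed minute, hour and day with `*` in the month and weekday fields.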

2 Responses to “Limit SSH connections geographically”

  1. Jan!

    The crontab entry looks odd to me:

    # Min Hours Date Month Weekd Command
    * * * 12 * /scripts/update_geo.sh

    That would run the script every minute of every hour of every day, but only in December. No?

