[SOLVED] Restrict access to SFTP server open on TCP port 18500 using a home router

Started by danje57, September 10, 2023, 01:23:16 PM


danje57

Dear all,

I need your help. I have an Ubuntu server used as an SFTP server.

The service is open locally on the LAN using the standard TCP port 22.

As I need to open SFTP over the Internet, I configured Port Sharing in my Internet box, which is a home Fritzbox.

Everything works fine. However, I would like to restrict access to the service to identified trusted IPs.

I don't see anything which allows this in my Internet box. Indeed, I can only select the internal machine I wish to expose on the Internet, by specifying the internal port and the port wanted on the Internet.


So I have a question: by default on my Internet box all connections are denied, except when I open a specific port.

Can I configure my Ubuntu server to manage incoming IP restrictions?
If yes, could you explain to me how?

Supposing my Internet IP address is 75.200.123.25, how can I configure my Ubuntu?


I'm pretty sure this is not possible, but my networking courses are far behind me.

Thanks in advance,

Regards

deanwebb

You should be able to restrict to the given IP with an access control list, if Fritzbox allows that. I did not see that in a brief search, but did find this page for setting up the port sharing:

https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/1376_Setting-up-MyFRITZ-sharings/

Use the access control list, if available, as it will be the best security for you. An open port is always more risky if any address can reach it, even if it is an open port in an unusual part of the port range.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

danje57

Thanks Dean,

Port sharing is already configured on the Fritzbox 7530 AX. However, the box doesn't offer the capability to filter by incoming IP, as far as I can see in the interface and the manual. But I'm not familiar with this kind of box.

deanwebb

danje57

Finally done!

The real IP address is shown on the server side, so I can configure the sshd_config accordingly.
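The server-side restriction the last post refers to, as an added example that is not from the thread or the poster: a script that generates an sshd drop-in allowing the SFTP account only from trusted sources, plus matching ufw rules as a second layer. It assumes the Fritzbox forwards external TCP 18500 to TCP 22 on the Ubuntu host (so sshd and the host firewall see port 22 and the client's real public address, as the poster confirmed), OpenSSH 8.2 or newer with the default `Include /etc/ssh/sshd_config.d/*.conf`, an SFTP account named `sftpuser` (assumed), the trusted address 75.200.123.25 from the thread, and 192.168.178.0/24 as a constructed LAN range.

```shell
#!/bin/sh
# Added example, not from the thread: server-side source restriction for sshd.
# Assumes the Fritzbox forwards external TCP 18500 to TCP 22 on this host, so sshd
# and the host firewall see port 22 and the client's real public address;
# OpenSSH >= 8.2 with "Include /etc/ssh/sshd_config.d/*.conf"; account "sftpuser"
# (assumed); 75.200.123.25 from the thread; 192.168.178.0/24 a constructed LAN.

# Reject anything that is not a dotted-quad IPv4 address, optionally with /0-32.
valid_ipv4_cidr() {
    addr=${1%/*}
    case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac   # digits and dots only, no globs
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print an sshd drop-in: $1 is the SFTP user, the remaining args the trusted sources.
# USER@HOST patterns (HOST may be CIDR) make sshd accept that user only from those
# sources and refuse every other user and every other source address.
sftp_acl_conf() {
    user=$1; shift
    allow=
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { printf 'not an IPv4 address/CIDR: %s\n' "$src" >&2; return 1; }
        allow="$allow${allow:+ }$user@$src"
    done
    cat <<EOF
# Only $user, and only from trusted sources; everyone else is refused by sshd.
AllowUsers $allow
EOF
}

# Matching host-firewall rules (ufw) as an independent second layer; printed, not
# applied. The explicit deny makes the policy visible in "ufw status".
ufw_rules() {
    for src in "$@"; do
        echo "ufw allow from $src to any port 22 proto tcp"
    done
    echo "ufw deny 22/tcp"
}

# Usage: sh sftp_acl.sh sftpuser 75.200.123.25 192.168.178.0/24 > 10-sftp-acl.conf
if [ $# -ge 2 ]; then
    sftp_user=$1; shift
    sftp_acl_conf "$sftp_user" "$@" || exit 1
    ufw_rules "$@" >&2
fi
```

Install the generated file as /etc/ssh/sshd_config.d/10-sftp-acl.conf, run `sudo sshd -t` to validate, then `sudo systemctl reload ssh`; the USER@HOST form of AllowUsers, including CIDR hosts, is documented in sshd_config(5).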