Loading...
 

How to configure ClearOS to only permit management from a specific IP address

ClearOS offers Attack Detector but if you have a fixed IP address, you can restrict SSH and / or Webconfig (the web-based admin panel) to a specific IP address.

Below is an example to remove SSH (usually port 22) and Webconfig (port 81) access from default Incoming Firewall (https://example.org:81/app/incoming_firewall) and replace by rules in the Custom Firewall

Be careful not to lock yourself out!

Blanket block of SSH access on port 22
iptables -I INPUT -p tcp --dport 22 -j DROP
Accept connections from 203.0.113.0 (replace with your IP)
iptables -I INPUT -p tcp --source 203.0.113.0 --dport 22 -j ACCEPT
Blanket block of ClearOS Webconfig
iptables -I INPUT -p tcp --dport 81 -j DROP
Accept connections from 203.0.113.0 (replace with your IP)
iptables -I INPUT -p tcp --source 203.0.113.0 --dport 81 -j ACCEPT

Notes 

  • The order of the rules is important, so in this case, it's block everything, and after, add an exception.
  • Rules from the default Incoming Firewall override Custom Firewall rules, so you'll want to disable the SSH and Webconfig rules that are there by default
  • Make sure you have activated the rules on the Custom Firewall (you disable a rule instead of deleting)
  • You can also use ClearOS as a gateway and VPN server, and thus, you would VPN in to your office, and access the server from there.
  • The same idea could be used to restrict a web-based intranet (with port 80 / 443)
  • Webconfig (port 81) also offers phpMyAdmin so it's one more reason to restrict access