IP Whitelist: Block Everything Except Your IP
Warning: Risk of complete lockout. If your IP changes (e.g., dynamic IP from your internet provider) after applying these rules, you'll lose server access. Before proceeding, make sure you have a static IP or alternative access (VNC Console from VirtFusion panel).
Verify Your Current IP
# From the server, check where you connected from
echo $SSH_CLIENT | awk '{print $1}'
# Or check who's connected now
who
last | head -5
From your PC you can also verify your public IP at https://ifconfig.me.
Method 1: iptables (SSH Whitelist)
Complete Block with Single IP Whitelist
# Replace 1.2.3.4 with your real IP
MY_IP="1.2.3.4"
# Allow your IP on SSH port (22 or your custom port)
iptables -A INPUT -p tcp --dport 22 -s $MY_IP -j ACCEPT
# Block everyone else on port 22
iptables -A INPUT -p tcp --dport 22 -j DROP
# Save the rules (Debian/Ubuntu)
apt install iptables-persistent -y
iptables-save > /etc/iptables/rules.v4
Silent DROP vs REJECT
# DROP: packet is ignored (attacker doesn't know if port exists)
iptables -A INPUT -p tcp --dport 22 -j DROP
# REJECT: attacker receives "connection refused" error (slower for scanners)
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Recommended: DROP. It is the more secure choice because it reveals nothing to scanners.
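The rules in Method 1 are appended one command at a time, and the lockout warning at the top of this page is exactly the risk that creates. As an added example (a hypothetical helper script, not part of the original article), the following builds the same whitelist as a single iptables-restore ruleset, so the table is swapped in one step, and applies it with a rollback timer that reverts to the previous rules unless you confirm from a new SSH session. It assumes IPv4 only (ip6tables is separate) and replaces the whole filter table, so fold any other rules you need into gen_rules first.

```shell
#!/bin/sh
# Added example: build the Method 1 whitelist as one atomic iptables-restore
# ruleset and apply it with an automatic rollback timer. Hypothetical helper
# script, not from the original article. IPv4 only; replaces the whole filter
# table, so any other rules you rely on must be added to gen_rules.
set -eu

# is_ipv4_or_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/N (N in 0..32).
# Validating here keeps stray input out of the generated ruleset.
is_ipv4_or_cidr() {
  ip=${1%%/*}
  case $1 in */*) plen=${1#*/} ;; *) plen=32 ;; esac
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -f
  set -- $ip
  IFS=$old_ifs; set +f
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# gen_rules PORT IP...: print an iptables-restore ruleset on stdout. Loading it
# swaps the table in one step, so there is no moment between commands where
# the port is open to everyone or closed to the admin.
gen_rules() {
  port=$1; shift
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  for ip in "$@"; do
    is_ipv4_or_cidr "$ip" || { echo "bad address: $ip" >&2; return 1; }
  done
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for ip in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
  done
  printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP" 'COMMIT'
}

# apply_with_rollback PORT IP...: save the live ruleset, load the new one, and
# revert after 120 s unless the admin proves the new rules work by running
# "touch /root/rules.confirmed" from a NEW ssh session. Run as root.
apply_with_rollback() {
  rm -f /root/rules.confirmed
  iptables-save > /root/iptables.before
  gen_rules "$@" > /root/iptables.new
  iptables-restore < /root/iptables.new
  nohup sh -c 'sleep 120; [ -e /root/rules.confirmed ] || iptables-restore < /root/iptables.before' >/dev/null 2>&1 &
  echo "Applied. Within 120 s open a NEW ssh session and run: touch /root/rules.confirmed"
}
# Usage (as root): apply_with_rollback 22 1.2.3.4 10.0.0.0/24
```

Once confirmed, persist the ruleset with iptables-save as shown in Method 1.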
Method 2: UFW (Simpler)
# Allow only your IP first: UFW evaluates rules in order and the first match wins,
# so a deny rule added before the allow rule would block you too
ufw allow from 1.2.3.4 to any port 22 proto tcp
# Then deny SSH to everyone else
ufw deny 22/tcp
# Apply
ufw enable
ufw status verbose
To update the whitelist when your IP changes:
# Remove the old rule (it must be spelled exactly as it was added)
ufw delete allow from 1.2.3.4 to any port 22 proto tcp
# Add the new IP ahead of the existing deny rule
ufw insert 1 allow from 5.6.7.8 to any port 22 proto tcp
Method 3: ipset (Multiple IPs, More Efficient)
Useful if you have multiple IPs (home, office, VPN) that need access.
apt install ipset -y
# Create a set of authorized IPs
ipset create ssh-whitelist hash:ip
# Add your IPs
ipset add ssh-whitelist 1.2.3.4
ipset add ssh-whitelist 5.6.7.8
ipset add ssh-whitelist 10.0.0.0/24 # CIDR range
# iptables rule using the set
iptables -A INPUT -p tcp --dport 22 -m set --match-set ssh-whitelist src -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# Save ipset persistently
ipset save > /etc/ipset.conf
# At boot (add to /etc/rc.local or create a service): the set must exist before
# the iptables rule that references it is loaded, or that rule will fail to load
ipset restore -exist < /etc/ipset.conf
Block a Port Completely (Total DROP)
If you want to close a port to everyone, without exceptions:
# Close port 3306 (MySQL) to all
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Close everything except SSH, HTTP, HTTPS: add the ACCEPT rules first,
# then switch the default policy to DROP
iptables -A INPUT -i lo -j ACCEPT # loopback always allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
Don't set iptables -P INPUT DROP without first adding ACCEPT rules for SSH and ESTABLISHED connections. You'll lock yourself out immediately.
Windows Whitelist (RDP)
To limit RDP (port 3389) to your IP only on Windows:
# Remove the generic RDP rules
Remove-NetFirewallRule -DisplayName "Remote Desktop*" -ErrorAction SilentlyContinue
# Create an RDP rule for your IP only
New-NetFirewallRule -DisplayName "RDP Whitelist" `
-Direction Inbound -Protocol TCP -LocalPort 3389 `
-RemoteAddress "1.2.3.4" `
-Action Allow -Profile Any
# Rely on the profile default to block everyone else. Do NOT add a separate
# Block rule for 3389: in Windows Firewall, block rules take precedence over
# allow rules, so it would cut off the whitelisted IP as well.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
To update the IP:
Set-NetFirewallRule -DisplayName "RDP Whitelist" -RemoteAddress "5.6.7.8"
Emergency Plan
If you lose access after applying these rules:
- Access the VNC Console from the VirtFusion panel
- From there, open the default policy first and then remove the iptables rules (flushing while the policy is still DROP would leave everything blocked):
iptables -P INPUT ACCEPT
iptables -F # flush all rules
- Then reconfigure with the correct IP
See the guide VNC Console for emergency access.