By:
edirpedro

How to allow SSH connections only from my country on Cloud Firewalls?

June 12, 2017
Firewall

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IPs starting with 187, 189, 200 and 201
  • I didn't understand what /8, /16, /24 means and how to use it
2 Answers
jtittle1 June 12, 2017
Accepted Answer

@edirpedro

The Cloud Firewall service doesn't allow you to block requests from a specific country. You can allow an IP range, though unless you're 100% sure that your country/ISP owns all IPs in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to set up and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it's far easier to manage a whitelist than it is a large blacklist. It's better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

Hi @edirpedro

Depending on which country in Latin America (LACNIC) you're located in, the list is a bit more extensive than that:
https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_.2F8_blocks_to_the_Regional_Internet_Registries
And that doesn't tell if some of the IP segments have been sold to other countries/companies.

You can add every segment to the Sources like this:
177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 191.0.0.0/8 200.0.0.0/8 201.0.0.0/8

There's a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia:
https://en.wikipedia.org/wiki/IPv4_subnetting_reference
And in Spanish too: https://es.wikipedia.org/wiki/M%C3%A1scara_de_red

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.

  • I'm using fail2ban and an SSH key, but I had this idea to allow only from my country and I decided to test. Now I know it's not simple and not the best practice. Thanks for the explanations.
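As an added illustration (not code from the thread or from DigitalOcean) of what /8, /16 and /24 mean and how the Sources list in the answer above would behave, this Python script uses only the standard ipaddress module; the sample addresses it checks are constructed, and the VPN address is a placeholder.

```python
import ipaddress

# The /8 blocks from the answer above, exactly as they would be entered as Sources.
LACNIC_SOURCES = [
    "177.0.0.0/8", "179.0.0.0/8", "181.0.0.0/8", "186.0.0.0/8", "187.0.0.0/8",
    "189.0.0.0/8", "190.0.0.0/8", "191.0.0.0/8", "200.0.0.0/8", "201.0.0.0/8",
]


def cidr_size(cidr: str) -> int:
    """Addresses covered by a CIDR block: 2 ** (32 - prefix length) for IPv4.
    /8 -> 16,777,216 addresses, /16 -> 65,536, /24 -> 256, /32 -> exactly one."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def is_allowed(ip: str, sources=LACNIC_SOURCES) -> bool:
    """True if the firewall rule with these Sources would admit a connection from ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(src) for src in sources)


def total_allowed(sources=LACNIC_SOURCES) -> int:
    """How many distinct addresses the whole Sources list lets through."""
    return sum(cidr_size(src) for src in sources)


def single_host_source(static_ip: str) -> str:
    """The /32 entry for the per-IP allowlist jtittle1 recommends (e.g. a VPN exit IP)."""
    return str(ipaddress.ip_network(f"{static_ip}/32"))


if __name__ == "__main__":
    # Constructed sample addresses: one inside 187.0.0.0/8, one outside every block.
    print("187.10.20.30 allowed:", is_allowed("187.10.20.30"))   # True
    print("8.8.8.8 allowed:", is_allowed("8.8.8.8"))             # False
    print("addresses admitted by the /8 list:", total_allowed())  # 167772160
    # Placeholder VPN address (TEST-NET-3 documentation range, not a real endpoint).
    print("per-IP rule instead:", single_host_source("203.0.113.7"),
          "->", cidr_size(single_host_source("203.0.113.7")), "address")
```

The contrast between 167,772,160 addresses admitted by the ten /8 entries and the single address admitted by a /32 is the point of the accepted answer.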
