By: edirpedro

How to allow SSH connections only from my country on Cloud Firewalls?

June 12, 2017 406 views
Firewall

How do I set IP ranges on Digital Ocean Cloud Firewalls to allow SSH connections only from my country?

  • I use dynamic IP
  • I know that my country uses IP starting with 187, 189, 200 and 201
  • I didn't understand what /8, /16, /24 means and how to use it
2 Answers
jtittle1 June 12, 2017
Accepted Answer

@edirpedro

The Cloud Firewall service doesn't allow you to block requests from a specific country. You can allow an IP range, though unless you're 100% sure that your country/ISP owns all IPs in all four ranges, by allowing access from each, you may be allowing access from a country other than your own.

Honestly, the best way to go about limiting access would be per IP. Since you have a dynamic IP, the way around this would be to set up and connect to a VPN. The VPN would provide a static IP and that would be the IP allowed to access SSH.

This would be the best route as it's far easier to manage a whitelist than it is a large blacklist. It's better to simply blacklist everyone other than what you whitelist, which is what most recommend when setting up a firewall.

Hi @edirpedro

Depending on which country in Latin America (LACNIC) you're located in, the list is a bit more extensive than that:
https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_.2F8_blocks_to_the_Regional_Internet_Registries
And that doesn't tell if some of the IP segments have been sold to other countries/companies.

You can add every segment to the Sources like this:
177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 191.0.0.0/8 200.0.0.0/8 201.0.0.0/8

There's a pretty good explanation of the CIDR (/8 /16 /24) on Wikipedia:
https://en.wikipedia.org/wiki/IPv4_subnetting_reference
And in Spanish too: https://es.wikipedia.org/wiki/M%C3%A1scara_de_red

But blocking all but non-LACNIC segments will only get you so far. You should be using SSH keys instead of passwords and probably run something like fail2ban as well.
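To make the CIDR notation from the answer above concrete, here is an added example (not part of the original thread, and not DigitalOcean's code) that uses Python's standard `ipaddress` module to expand a block such as `187.0.0.0/8` into its first and last address and its size, checks whether a given address falls inside the LACNIC /8 list quoted in the answer, and adds up how many addresses that allow list actually admits. The sample addresses `187.12.34.56`, `8.8.8.8` and `203.0.113.7` are constructed for illustration only.

```python
import ipaddress

# The LACNIC /8 blocks listed in the answer above (copied from that list).
LACNIC_BLOCKS = [ipaddress.ip_network(c) for c in (
    "177.0.0.0/8", "179.0.0.0/8", "181.0.0.0/8", "186.0.0.0/8", "187.0.0.0/8",
    "189.0.0.0/8", "190.0.0.0/8", "191.0.0.0/8", "200.0.0.0/8", "201.0.0.0/8",
)]


def describe(cidr):
    """Return (first address, last address, address count) for a CIDR block.

    The number after the slash is how many leading bits are fixed:
    /8 fixes the first octet, /16 the first two, /24 the first three,
    /32 names a single host. strict=False lets the caller pass an address
    with host bits set (e.g. 187.12.34.56/24) and still get its network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def matching_block(ip, blocks=LACNIC_BLOCKS):
    """Return the first block (as a string) containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return str(net)
    return None


def single_host_rule(ip):
    """The firewall rule for exactly one static address is that address with /32."""
    return str(ipaddress.ip_network(f"{ip}/32"))


def total_addresses(blocks=LACNIC_BLOCKS):
    """How many IPv4 addresses an allow list made of these blocks admits."""
    return sum(net.num_addresses for net in blocks)


if __name__ == "__main__":
    for cidr in ("187.0.0.0/8", "187.12.0.0/16", "187.12.34.0/24", "187.12.34.56/24"):
        first, last, count = describe(cidr)
        print(f"{cidr:>18}: {first} - {last} ({count} addresses)")
    print("187.12.34.56 is in", matching_block("187.12.34.56"))   # constructed sample
    print("8.8.8.8 is in", matching_block("8.8.8.8"))              # outside the list
    print("rule for a single VPN address:", single_host_rule("203.0.113.7"))
    print("addresses admitted by the whole /8 list:", total_addresses())
```

The last line is the point the two answers make: ten /8 blocks admit well over 160 million addresses, most of which are not the asker's own, whereas a single /32 rule for a static VPN address admits exactly one.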

  • I'm using fail2ban and an SSH key, but I had this idea to allow only from my country and I decided to test. Now I know it's not simple and not the best practice. Thanks for the explanations.
