Score:0

Do I need to allow ssh v6?


I ran

sudo ufw allow from <IPv4> proto tcp to any port 22.

But this resulted in allowing ssh in from Anywhere to ssh v6. Which is kinda not what I wanted so I sudo ufw delete <sshv6-rule-index>.

Now I am unsure though if I did right. Do I need to re-add the ssh v6 rule if I want to restrict ssh access from specific hosts only?

The problem is that I am logging in mostly from my home, which is with a provider without a fixed IP address, as is usually the case. I entered a wide subnet range for the IPv4 rule (I have a secondary static address I have added as backup to avoid lockout), but I would not know how to do that for an IPv6 rule...

I am trying to secure as much as I can ssh access to the server. I could just allow only through the other static address I own, and use that as jump host, would certainly be more secure, but it would add more latency (hosting in privacy-observing country so far away already...), and also allowing a single-host access only feels like high-lockout-risk (I should be able to trust my other hosting running the static address, but I am paranoid...what can you do...).

Suggestions?

Paul
Assuming you have access to virtual console, the better option is to only allow the IP addresses you connect from. The normal behavior for residential dynamic IP address assignment is infrequent changes to the assigned IP address.
transient_loop
Thanks @Paul, but I am not sure I understand. You mean limit explicitly to my own exact IP address? I do know that my provider DOES change the IP from time to time.
Paul
Yes, that is why you should be sure you have some other method to access the server. Most ISPs offer a virtual console, which you could use to log directly into the server and update the firewall.
transient_loop
Oh I finally understand "virtual console". Looks like the hosting has some support for that but it needs to be requested when needed. So I guess this works (unless I am in real time-sensitive trouble I guess...). Apart from that - can I leave the v6 SSH access completely disabled?
Paul
Make sure you can access the console and log into the server prior to configuring. The purpose of permitting is to deny everything not granted permission to access.
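
An added example, not from any participant in this thread: a small audit script that reads `ufw status numbered` output and reports, per address family, which sources can reach SSH and which rule numbers leave it open to any source. The sample output, the addresses (documentation ranges) and the function names are constructed for illustration, and the column layout is assumed to match the usual numbered status format.

```python
import re

# Constructed sample of `ufw status numbered` output; addresses are documentation ranges.
SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 2] 22/tcp                     ALLOW IN    198.51.100.7
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# One numbered rule line: index, "To", action plus optional direction, "From".
RULE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s{2,}"
    r"(?P<action>ALLOW|LIMIT|DENY|REJECT)(?: (?P<dir>IN|OUT|FWD))?\s{2,}"
    r"(?P<src>.+?)\s*$"
)
SSH_TARGETS = {"22", "ssh", "openssh"}  # port number or the usual app/service names


def ssh_rules(status_text):
    """Return the inbound rules that admit traffic to the SSH port."""
    rules = []
    for line in status_text.splitlines():
        m = RULE.match(line)
        if not m or m["action"] not in ("ALLOW", "LIMIT") or m["dir"] not in (None, "IN"):
            continue
        target = m["to"].replace("(v6)", "").strip().lower().split("/")[0]
        if target in SSH_TARGETS:
            # A rule with an explicit IPv6 source carries no "(v6)" tag, so check for ':' too.
            family = "v6" if "(v6)" in line or ":" in m["src"] else "v4"
            rules.append({"num": int(m["num"]), "src": m["src"], "family": family})
    return rules


def open_to_anywhere(status_text):
    """Rule numbers that accept SSH from any source address."""
    return [r["num"] for r in ssh_rules(status_text) if r["src"].startswith("Anywhere")]


def sources_by_family(status_text):
    """Map each address family to the sources allowed to reach SSH."""
    out = {"v4": [], "v6": []}
    for r in ssh_rules(status_text):
        out[r["family"]].append(r["src"])
    return out
```

An empty `v6` list means no rule admits SSH over IPv6, so that traffic falls to the firewall's default incoming policy.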