So I recently bought a Raspberry Pi to work on a small passion project with the RetroPie Debian-based image.
I am now at the stage where I want to completely shield the server only allowing specific connections to it. For my use case, they are as follows:

  • Only allow inbound ssh connections from the same network the server is on
  • Allow only outbound connections to specific IPs

To achieve this I have resorted to two different approaches: install and configure ufw for inbound/outbound connections and hosts.allow and hosts.deny for additional safety.

Here's my current setup:

hosts.allow

sshd: LOCAL
sshd: 192.168.1.0/255.255.255.0 # allow ssh from local network IPs only
sendmsg: 8.8.8.8 # allow ping google DNS to validate internet connectivity


hosts.deny

sshd: ALL


ufw:
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.0/24             # from local

XX.XX.XXX.XXX 443/tcp       ALLOW OUT   Anywhere                   # to specific IP
XX.XX.XXX.XXX 443/tcp       ALLOW OUT   Anywhere                   # to specific IP
XX.XX.XXX.XXX 443/tcp       ALLOW OUT   Anywhere                   # to specific IP
140.82.121.4 443/tcp       ALLOW OUT   Anywhere                   # to github
46.235.231.151 80/tcp      ALLOW OUT   Anywhere                   # to raspberry registry
93.93.128.193 80/tcp       ALLOW OUT   Anywhere                   # to raspberry registry
XX.XX.XXX.XXX 443/tcp        ALLOW OUT   Anywhere                   # to specific IP

What is currently happening is that whenever the server is rebooted, I am unable to connect via ssh from my machine (on the same network as the Raspberry Pi), which currently has an IP of 192.168.1.65 and, even though it may be dynamic, never leaves the specific range of IPs in hosts.allow.

Whenever I restart the server I need to manually use a keyboard connected to the Pi to run sudo systemctl stop ufw in order for ssh connections to be available, but why, if I have set an inbound rule on ufw to allow tcp connections on port 22 from the local IP range? Am I missing something here?

Thank you in advance.

Comments:

  • "install and configure ufw for inbound/outbound connections and hosts.allow and hosts.deny for additional safety." IMHO combining those two will only increase confusion and increase the odds for operator error. TCP wrappers as a security mechanism is nowadays more a relic than added security. But opinions differ. (Commented Mar 8, 2024 at 16:13)
  • Guess I can stick only to ufw then, but nevertheless it seems that the issue isn't with the hosts.allow or hosts.deny files, which still begs the question as to why ufw is not allowing the inbound connection. (Commented Mar 8, 2024 at 16:31)

1 Answer

I'm unsure as to why this solved the issue, but it seems to be working fine now after I disabled PasswordAuthentication no and PermitEmptyPasswords no, therefore defaulting ssh to force key authentication.

No changes were done to hosts.* files posted originally.

Also ran sudo systemctl restart sshd and sudo systemctl restart ufw to refresh any changes. Rebooted the system and I can now login using the generated private/public key pair.
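
An added example, not part of the original question or answer: a small Python check that evaluates the posted sshd entries from hosts.allow/hosts.deny and the posted inbound ufw row against a client address, to confirm whether 192.168.1.65 falls inside both ranges. The function names are hypothetical, the input is copied from the post as constructed sample data, and only the ALL and net/mask pattern forms are modelled.

```python
import ipaddress
import re

# Constructed sample input: the sshd entries and the inbound ufw row as posted above.
HOSTS_ALLOW = """sshd: LOCAL
sshd: 192.168.1.0/255.255.255.0 # allow ssh from local network IPs only
"""
HOSTS_DENY = "sshd: ALL\n"
UFW_STATUS = "22/tcp                     ALLOW IN    192.168.1.0/24             # from local\n"

def wrapper_clients(text, daemon):
    """Yield the client patterns listed for `daemon` in hosts.allow/hosts.deny text."""
    for line in text.splitlines():
        # Simplification: drop text after '#'; hosts_access(5) documents only whole-line comments.
        fields = line.split("#", 1)[0].split(":")
        if len(fields) >= 2 and daemon in fields[0].replace(",", " ").split():
            yield from fields[1].replace(",", " ").split()

def wrapper_match(pattern, ip):
    """Match one pattern against a client IP; only ALL and net/mask are modelled."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return False  # LOCAL and hostname patterns need a resolved client name

def tcp_wrappers_allows(ip, daemon="sshd"):
    """hosts_access order: hosts.allow match grants, else hosts.deny match denies, else grant."""
    if any(wrapper_match(p, ip) for p in wrapper_clients(HOSTS_ALLOW, daemon)):
        return True
    return not any(wrapper_match(p, ip) for p in wrapper_clients(HOSTS_DENY, daemon))

def ufw_allows_in(ip, port, proto="tcp"):
    """Look for an ALLOW IN row in `ufw status` output covering port/proto and source ip."""
    row = re.compile(r"^(\d+)/(\w+)\s+ALLOW IN\s+(\S+)")
    for line in UFW_STATUS.splitlines():
        m = row.match(line)
        if m and int(m.group(1)) == port and m.group(2) == proto:
            if m.group(3) == "Anywhere" or ip in ipaddress.ip_network(m.group(3), strict=False):
                return True
    return False  # falls through to the posted default: deny (incoming)

def check(client, port=22):
    ip = ipaddress.ip_address(client)
    return {"tcp_wrappers": tcp_wrappers_allows(ip), "ufw": ufw_allows_in(ip, port)}

if __name__ == "__main__":
    for client in ("192.168.1.65", "192.168.2.10"):
        print(client, check(client))
```

Both layers admit 192.168.1.65 and reject an address outside 192.168.1.0/24, so a check like this only rules out a range mistake in the posted rules.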
