From: Lonnie A. <li...@lo...> - 2019-09-09 03:10:47
> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I am seeing lots of hacking attempts on my systems as they have found my non-standard SSH port. Although there is no issue as I have SSH key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
> As such, along with implementing Geoblocking Netset files (next release), I also want to use a jump box for management. This server would connect to each system via WireGuard VPN, allowing management also when in a failover condition through NAT, e.g. 4G backup, firewall managed by others.
>
> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this WireGuard VPN tunnel to the local interface, e.g. wg0 address. I think it is completely open currently.
>
> Is it easy to do?
>
> Regards
> Michael Knill

If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard. As such, only allow remote user access to the management VPN via a WireGuard tunnel.

But, if you want to filter SSH from wg0 to the local device by source IP address, try Firewall Rules: Action: [ Deny LAN->Local ], keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.

Lonnie
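The filtering Lonnie describes, as an added example that is not part of the thread and not AstLinux's own Firewall Rules syntax: a POSIX sh script that emits an nftables ruleset accepting SSH on the WireGuard interface only from the jump box's tunnel address and dropping all other tunnel-to-local traffic, plus a small audit function that flags any SSH accept rule with no source-address match (the "completely open" state Michael suspects). The interface name wg0 is from the thread; the addresses 10.8.0.1 and 10.8.0.2, the port 2222, the table name `mgmt` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): lock SSH on a WireGuard
# management tunnel down to one peer. Assumed values, not from the thread:
#   wg0 on the managed host is 10.8.0.1/24, the jump box peer is 10.8.0.2/32,
#   sshd listens on 2222 (the non-standard port mentioned in the thread).
WG_IF="wg0"
WG_LOCAL="10.8.0.1"
JUMP_PEER="10.8.0.2"
SSH_PORT="2222"

# Print an nftables ruleset for the input hook ("LAN->Local" direction in the
# thread): replies to existing flows pass, SSH is accepted only from the jump
# box address, and everything else arriving on wg0 for the host is dropped.
# The WireGuard handshake itself arrives on the physical interface, so it is
# unaffected by the wg0 drop rule.
build_wg_ssh_rules() {
  cat <<EOF
table inet mgmt {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$WG_IF" ct state established,related accept
    iifname "$WG_IF" tcp dport $SSH_PORT ip saddr $JUMP_PEER ct state new accept
    iifname "$WG_IF" ip daddr $WG_LOCAL drop
  }
}
EOF
}

# Read a ruleset on stdin; return 1 if any accept rule for the SSH port has no
# "saddr" match (i.e. SSH is open to the whole tunnel subnet), 0 otherwise.
audit_ssh_rules() {
  awk -v port="$SSH_PORT" '
    /accept/ && $0 ~ ("dport " port) && $0 !~ /saddr/ { found = 1 }
    END { if (found) exit 1; exit 0 }'
}

# Usage: emit the ruleset, then audit it. Loading it on a host would be
#   build_wg_ssh_rules | nft -f -
# (nft invocation is an assumption about the target host; not run here).
if [ "${1:-}" = "--show" ]; then
  build_wg_ssh_rules
  if build_wg_ssh_rules | audit_ssh_rules; then
    echo "ok: SSH on $WG_IF restricted to $JUMP_PEER"
  else
    echo "warning: SSH on $WG_IF accepts from any tunnel address"
  fi
fi
```

The audit step is the useful half: run it against whatever ruleset the host actually has loaded (`nft list ruleset | audit_ssh_rules`) to confirm that the source restriction survived a firewall reload, rather than trusting the file that was meant to be applied.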