For the update server there is no need to install APF; just allow SSH connections from the AG IP ranges only. Put the following in /etc/hosts.allow (nano /etc/hosts.allow):

```
sshd : 24.18.207.167
sshd : 216.218.184.96/27
sshd : 66.160.206.192/26
sshd : 216.218.219.80/28
sshd : 216.218.139.240/29
sshd : 65.49.80.96/27
sshd : 216.218.133.16/28
sshd : 78.47.141.96/28
sshd : 148.251.51.172
sshd : 144.76.49.0/28
sshd : 136.243.118.16/28
sshd : 192.99.185.192/28
```

And deny all other connections in /etc/hosts.deny (nano /etc/hosts.deny):

```
ALL : ALL
```

Caveat: hosts.allow and hosts.deny are enforced by TCP wrappers (libwrap). Portable OpenSSH dropped its built-in tcp_wrappers support in 6.7, so on a newer sshd these files have no effect and the iptables rules below are the only thing restricting access. Check whether your sshd is linked against libwrap with `ldd $(which sshd) | grep libwrap` before relying on them.
Create a user `drupdate` (`useradd -m` also creates its home directory) and then the `/home/drupdate/updates` directory with the following content.

```
useradd -m drupdate
passwd drupdate
```
Check listening ports with `ss -lntu` or `netstat -tlnp` and make sure sshd is no longer listening on port 22 and is listening on 19759 instead. Note that ss/netstat only show which ports daemons are bound to, not what the firewall permits; the iptables rules are verified separately with `iptables -S`.
```
iptables -I INPUT -p tcp --dport 19759 -j ACCEPT
iptables -I INPUT -p tcp ! -s 216.218.184.108 --dport 22 -j DROP
service iptables save
service iptables restart
iptables -S
```
Add the following task with `crontab -e` (it is installed for whichever user runs the command):

```
30 * * * * /home/drupdate/updates/cron/every30min
```

Note that `30 * * * *` fires once an hour at minute 30; despite the script's name, a true 30-minute interval would be `*/30 * * * *`.
Note that after the above changes are made you will be able to SSH in only from within the AG network, so confirm that the address you are connecting from is covered by the ranges before you close the session.
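The following is an added example, not part of the original page: a small bash helper that checks a client address against the AG ranges listed in hosts.allow above, so you can confirm your own source IP is covered before hosts.deny and the iptables rules lock everyone else out. The AG_RANGES list is copied from the hosts.allow block; `ip2int`, `in_range`, `allowed` and `hosts_allow_lines` are this example's own helper names, not tools from the page.

```bash
#!/usr/bin/env bash
# Added example: pure-bash CIDR matcher for the AG ranges in hosts.allow.
# No external tools beyond printf/wc are needed, so it runs anywhere bash does.

# Ranges copied from the hosts.allow block above (bare hosts are treated as /32).
AG_RANGES="24.18.207.167 216.218.184.96/27 66.160.206.192/26 216.218.219.80/28
216.218.139.240/29 65.49.80.96/27 216.218.133.16/28 78.47.141.96/28
148.251.51.172 144.76.49.0/28 136.243.118.16/28 192.99.185.192/28"

# ip2int A.B.C.D -> prints the address as an unsigned 32-bit integer.
ip2int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range IP CIDR -> exit status 0 if IP lies inside CIDR, 1 otherwise.
in_range() {
    local ip=$1 cidr=$2 net bits mask
    net=${cidr%%/*}
    bits=${cidr#*/}
    # A bare host entry has no "/": treat it as a /32.
    [ "$bits" = "$cidr" ] && bits=32
    # Build the netmask with decimal constants so it also works in 64-bit arithmetic.
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# allowed IP -> exit status 0 if any AG range matches, 1 if sshd would refuse it.
allowed() {
    local r
    for r in $AG_RANGES; do
        in_range "$1" "$r" && return 0
    done
    return 1
}

# hosts_allow_lines -> prints the ranges in the "sshd : range" form hosts.allow uses,
# so the file can be regenerated from one list instead of edited by hand.
hosts_allow_lines() {
    local r
    for r in $AG_RANGES; do
        printf 'sshd : %s\n' "$r"
    done
}

# Usage when run directly: check the address given on the command line,
# or the client address of the current SSH session if none is given.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    client=${1:-${SSH_CLIENT%% *}}
    if allowed "$client"; then
        echo "$client is inside the AG ranges"
    else
        echo "$client is NOT inside the AG ranges; do not write hosts.deny yet" >&2
        exit 1
    fi
fi
```

Run it from the session you are about to lock down (`bash agcheck.sh` with no argument uses `$SSH_CLIENT`); a non-zero exit means the new hosts.deny would drop your own connection. `hosts_allow_lines > /etc/hosts.allow` regenerates the file from the single list so the ranges never drift between the two.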