Network-Level Hardening

Implement network-level controls that protect SSH services from reconnaissance and attack attempts. These measures create additional defensive layers beyond application-level security.

Deploy comprehensive firewall rules:

#!/bin/bash
# ssh-firewall-hardening.sh
# Advanced firewall configuration for SSH (IPv4 and IPv6).
# Run as root. The script owns the INPUT chain and rebuilds it from scratch.
set -u

SSH_PORT=22

# Accept temporarily so that a re-run over an existing SSH session is not
# cut off while the rules are being rebuilt; the DROP policy is set at the end.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -F SSH_HARDENING 2>/dev/null
iptables -X SSH_HARDENING 2>/dev/null

# Create hardening chain
iptables -N SSH_HARDENING

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH specific rules: every port-22 packet that is not part of a known
# connection goes through the hardening chain
iptables -A INPUT -p tcp --dport "$SSH_PORT" -j SSH_HARDENING

# GeoIP blocking (requires xt_geoip and its database). Skipped, with the rest
# of the script still applied, when the geoip extension cannot be loaded.
if iptables -m geoip --help >/dev/null 2>&1; then
    iptables -A SSH_HARDENING -m geoip --source-country CN,RU,KP \
        -m limit --limit 5/min -j LOG --log-prefix "SSH-GEO-BLOCK: "
    iptables -A SSH_HARDENING -m geoip --source-country CN,RU,KP -j DROP
fi

# Time-based access (business hours only): drop new connections at weekends
# and outside 08:00-18:00. --kerneltz uses the kernel's local time zone
# instead of UTC; a start time later than the stop time matches the two
# intervals 18:00-23:59 and 00:00-08:00 of each day.
iptables -A SSH_HARDENING -m time ! --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j DROP
iptables -A SSH_HARDENING -m time --timestart 18:00 --timestop 08:00 --kerneltz \
    -m limit --limit 5/min -j LOG --log-prefix "SSH-OFFHOURS: "
iptables -A SSH_HARDENING -m time --timestart 18:00 --timestop 08:00 --kerneltz -j DROP

# Port scan detection: sources marked as scanners (see the end of INPUT) are
# dropped for 24 h; afterwards the stale entry is removed.
iptables -A SSH_HARDENING -m recent --name PORTSCAN --rcheck --seconds 86400 -j DROP
iptables -A SSH_HARDENING -m recent --name PORTSCAN --remove

# Rate limiting with progressive penalties: a source that has opened 3 new
# connections within 60 s is logged and dropped; --update refreshes its
# timestamp on every further attempt, so the block lasts until it stays
# quiet for a full minute.
iptables -A SSH_HARDENING -p tcp --syn -m recent --name SSH_ATTEMPT --rcheck \
    --seconds 60 --hitcount 3 -m limit --limit 5/min -j LOG --log-prefix "SSH-RATE-LIMIT: "
iptables -A SSH_HARDENING -p tcp --syn -m recent --name SSH_ATTEMPT --update \
    --seconds 60 --hitcount 3 -j DROP
iptables -A SSH_HARDENING -p tcp --syn -m recent --name SSH_ATTEMPT --set -j ACCEPT

# Anything left is a port-22 packet that belongs to no known connection and
# is not a connection request (a stray ACK, a scanner probe). Payload matching
# such as '-m string --string "SSH-"' is not usable here: the protocol banner
# is only exchanged after the handshake, on packets the ESTABLISHED rule above
# has already accepted, so this chain never sees it.
iptables -A SSH_HARDENING -m limit --limit 5/min -j LOG --log-prefix "SSH-NEW-DROP: "
iptables -A SSH_HARDENING -j DROP

# Mark sources probing ports with no listener (a TCP SYN that reached the end
# of INPUT) as scanners; the INPUT policy then discards the packet. Rules for
# any additional service must be inserted above this point.
iptables -A INPUT -p tcp --syn -m recent --name PORTSCAN --set
iptables -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "PORTSCAN: "

# Default policies, set only now that the ACCEPT rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# IPv6 rules: same structure. ICMPv6 must stay open, otherwise neighbor
# discovery and with it all IPv6 connectivity breaks.
ip6tables -P INPUT ACCEPT
ip6tables -F INPUT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH6 --update \
    --seconds 60 --hitcount 3 -j DROP
ip6tables -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH6 --set -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
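The LOG rules in the script only pay off if the resulting kernel messages are actually reviewed. The following script is an added example, not part of the original page: it reads kernel log text and counts hits per log prefix and source address, so the sources the SSH_HARDENING chain is rejecting can be listed and compared against expectations. It assumes the prefix convention SSH-<NAME>: used by the rules above (for example SSH-GEO-BLOCK: and SSH-RATE-LIMIT:); the log lines embedded in it are constructed samples in the format the kernel LOG target emits, with addresses taken from the documentation ranges.

```shell
#!/bin/sh
# summarize-ssh-firewall-log.sh (added example, not from the original page)
# Counts hits per (log prefix, source address) in kernel LOG output so that
# the SSH_HARDENING chain's decisions can be reviewed.

# Constructed sample lines in the format the kernel's LOG target emits
# (timestamps and addresses are made up; 203.0.113.0/24, 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG='Mar  3 10:01:12 host kernel: SSH-RATE-LIMIT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:13 host kernel: SSH-RATE-LIMIT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar  3 10:02:40 host kernel: SSH-GEO-BLOCK: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Mar  3 10:03:05 host sshd[1234]: Accepted publickey for alice from 198.51.100.50 port 50022 ssh2'

# Read log text on stdin and print "count prefix source", most frequent
# first. Only kernel lines carrying an SSH-<NAME>: prefix are counted; other
# messages (sshd, unrelated LOG prefixes) are ignored.
summarize_ssh_log() {
    awk '
        /kernel: SSH-[A-Z-]+: / {
            prefix = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SSH-[A-Z-]+:$/) prefix = $i
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (prefix != "" && src != "") count[prefix " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Source address with the most hits across all prefixes (empty if none).
top_source() {
    summarize_ssh_log | head -n 1 | awk '{ print $3 }'
}

# Demonstration on the constructed sample; expected first line:
# 2 SSH-RATE-LIMIT: 203.0.113.7
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_log
```

To run it against a live system, source the file and feed it the kernel log, for example `. ./summarize-ssh-firewall-log.sh; journalctl -k | summarize_ssh_log`. A source that tops the SSH-RATE-LIMIT: list repeatedly across days is a candidate for a permanent block further up the chain, while a legitimate jump host appearing there is a sign that the hitcount is too tight for that client.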