To my knowledge there are no other alternative ways to restrict access when using public IPs in PowerVS. You get the firewall rules as described here: https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-network-security
There are many alternative ways to restrict access if you are using private networking: VPC VPN server (client to site VPN), VPC VPN gateway (site to site VPN), self managed firewall appliances, etc, all of which are then networked into PowerVS through various means, usually through a Transit Gateway.
Since you mention free, the least expensive way I've found to securely reach PowerVS VSIs on private networks is to use a small cx-2x4 (2 VCPU, 4GB RAM) Linux VSI in VPC. You can attach a public floating IP to it and use VPC security groups to restrict access to an individual incoming IP. You can then run an SSH tunnel from your client to the VSI. I use sshuttle with a command like this: sshuttle -NHr root@VPC-VSI-IP 10.0.0.0/8 --ssh-cmd "ssh -i myprivatekey"
When the shuttle tunnel is running you can ssh or do any other TCP traffic to the PowerVS VSI directly from the client using the PowerVS VSI's private IP.
Your use case only mentions wanting to SSH in. If you need general internet egress from a private network in PowerVS, using a VPC VSI is another simple way to achieve it. I discuss that in this blog.
------------------------------
Samuel Matzek
------------------------------
Original Message:
Sent: Wed July 30, 2025 04:33 AM
From: Habeeb Pk
Subject: How to Restrict SSH Access to AIX VM in IBM PowerVS Using NSG
Hi Samuel,
Thank you for the update.
I was wondering if there are any alternative ways to restrict access from public IPs to my Power10 AIX 7.3 machine. Specifically, I'm looking to allow only specific IP addresses while blocking all others.
Also, is there any IBM-provided firewall service, preferably a free one, that can help achieve this?
Appreciate your guidance on this.
------------------------------
Habeeb Pk
Original Message:
Sent: Thu July 24, 2025 07:55 AM
From: Samuel Matzek
Subject: How to Restrict SSH Access to AIX VM in IBM PowerVS Using NSG
The PowerVS network security groups cannot be used on interfaces that are attached to public subnets in PowerVS: https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-nsg#quotas-limitations
"You cannot add members to an NSG if their attached network interface (NIC) is assigned a public IP address. NSGs can only be applied to private networks."
If you were to use NSGs to restrict SSH to a specific IP using private networks, you would simply need to:
- put the interface in an NSG
- put the IP you want to allow in a network address group in a CIDR with /32
- on the TCP rule allow source ports 1 to 65535, because the SSH client binds to any port, and destination port 22
- if you want to allow SSH out of the AIX then you should add another rule with the source/destination ports switched
Another thing that initially gave me trouble with NSGs is that they are stateless whereas IBM VPC security groups are stateful. This distinction is also called out in the documentation:
Note: NSGs are stateless, and since all outbound traffic is automatically permitted, rules must be defined for all return packets that flow into NSG members from other NSGs or NAGs.
------------------------------
Samuel Matzek
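The stateless-versus-stateful point above is easy to get wrong, so here is an added worked example (my own code, not IBM's and not from the thread) that models the rule semantics the post describes: a PowerVS NSG is stateless and permits all outbound traffic, so every inbound packet, including the reply to an outbound connection, must match an explicit inbound rule; a VPC security group is stateful, so the reply to a permitted packet is admitted automatically. It then runs the two rules from the bullets (any source port to destination port 22 from one /32, and the same rule with the ports switched) against the packets of an SSH session in each direction. All IP addresses and the ephemeral client port are constructed, and outbound traffic on the stateful group is treated as allowed, as with the default VPC security group.

```python
"""Stateless NSG vs stateful security group, applied to the SSH rules above.

Added example, not IBM's code. Models only the semantics the thread states:
NSG = stateless, outbound always permitted, inbound needs a matching rule;
VPC SG = stateful, reply to a permitted packet is allowed. IPs are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

ALLOWED_CLIENT = "203.0.113.5"   # constructed: the one client IP to admit
OTHER_CLIENT = "198.51.100.9"    # constructed: anyone else
AIX_IP = "10.20.30.40"           # constructed: AIX VSI private address (NSG member)
EPHEMERAL = 51515                # constructed: whatever port the SSH client bound


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool   # True if it flows toward the NSG member


@dataclass(frozen=True)
class InboundRule:
    """One allow rule: remote CIDR plus source and destination port ranges."""
    remote_cidr: str
    sport: Tuple[int, int]
    dport: Tuple[int, int]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.inbound
                and ip_address(pkt.src) in ip_network(self.remote_cidr)
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1])


class StatelessNSG:
    """Outbound always permitted; every inbound packet must match a rule."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        return any(r.matches(pkt) for r in self.rules)


class StatefulSG:
    """A permitted packet records a flow; the reverse packet is then admitted."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return True                     # reply to an already-permitted packet
        if not pkt.inbound or any(r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        return False


def exchange(fw, initiator: str, responder: str, sport: int, dport: int,
             initiator_is_member: bool) -> Tuple[bool, bool]:
    """First packet of a TCP connection and its reply: returns (first_ok, reply_ok)."""
    first = Packet(initiator, responder, sport, dport, inbound=not initiator_is_member)
    reply = Packet(responder, initiator, dport, sport, inbound=initiator_is_member)
    return fw.allows(first), fw.allows(reply)


# Bullet 3 of the post: any source port, destination port 22, from one /32.
SSH_IN = InboundRule(f"{ALLOWED_CLIENT}/32", (1, 65535), (22, 22))
# Bullet 4: the same rule with the ports switched, for replies to outbound SSH.
SSH_OUT_RETURN = InboundRule(f"{ALLOWED_CLIENT}/32", (22, 22), (1, 65535))


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    nsg_one = StatelessNSG([SSH_IN])
    nsg_two = StatelessNSG([SSH_IN, SSH_OUT_RETURN])
    sg_one = StatefulSG([SSH_IN])
    return {
        # SSH into AIX from the allowed client: the inbound rule is enough.
        "nsg: allowed client -> aix:22": exchange(nsg_one, ALLOWED_CLIENT, AIX_IP, EPHEMERAL, 22, False),
        # Any other source is dropped on its first packet.
        "nsg: other client -> aix:22": exchange(nsg_one, OTHER_CLIENT, AIX_IP, EPHEMERAL, 22, False),
        # AIX ssh-ing out: the SYN leaves (outbound is free), but the SYN-ACK
        # returns with source port 22 / destination port EPHEMERAL and matches nothing.
        "nsg (one rule): aix -> client:22": exchange(nsg_one, AIX_IP, ALLOWED_CLIENT, EPHEMERAL, 22, True),
        # With the switched rule the reply is admitted.
        "nsg (two rules): aix -> client:22": exchange(nsg_two, AIX_IP, ALLOWED_CLIENT, EPHEMERAL, 22, True),
        # A stateful group needs no second rule: the recorded flow admits the reply.
        "sg (one rule): aix -> client:22": exchange(sg_one, AIX_IP, ALLOWED_CLIENT, EPHEMERAL, 22, True),
    }


if __name__ == "__main__":
    for name, (first_ok, reply_ok) in run_scenarios().items():
        print(f"{name:36s} first={'allow' if first_ok else 'drop':5s} "
              f"reply={'allow' if reply_ok else 'drop'}")
```

Running it shows the trap in the post: with only the inbound rule, an SSH session started on the AIX VSI sends its first packet fine but never sees the reply, which is exactly why the switched-ports rule is needed on a stateless NSG and not on a stateful VPC security group.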
Original Message:
Sent: Tue July 22, 2025 03:23 PM
From: Habeeb Pk
Subject: How to Restrict SSH Access to AIX VM in IBM PowerVS Using NSG
I'm working on a security hardening task for an AIX 7.3 virtual machine hosted in IBM Power Virtual Server
I want to restrict SSH (port 22) access to the AIX VM so that only my Azure Virtual Desktop (AVD) public IP is allowed to connect. All other external IPs should be denied.
What I've Done So Far:
- Created a Network Address Group
- Configured NSG Rules:
  Allow Rule:
    Source:
    Protocol: TCP
    Port: 22 - 23
    Action: Allow
  Deny Rule:
But the system is still accessible from all public IPs.
Any guidance or validation would be much appreciated!
------------------------------
Habeeb Pk
------------------------------