Logging into linux server via SSH

chips11 · 08-26-2010, 09:09 AM

Is there somewhere in WHM where I can allow and disallow various ip addresses to login using PuTTY for SSH.

OpenSSH Server, is not running (for security reasons).

If OpenSSH is not running, is there a way to allow certain ip addresses only to use ssh.

Security plugins i have are
ConfigServer Security&Firewall
Mod Security

theNbomr · 08-26-2010, 09:36 AM

I don't know whether the SSH server has the ability to filter incoming traffic by IP. You could, however, implement such filtering fairly easily with an iptables script to block specified IP traffic on port 22. Some might argue that in terms of security, this would be a better approach.
--- rod.

vinaytp · 08-26-2010, 10:00 AM

Quote:

If OpenSSH is not running, is there a way to allow certain ip addresses only to use ssh.

Do you mean to say sshd deamon is not running ?

If yes, then you cannot login through ssh client from any IP address.

If sshd deamon is running then,

As suggested by theNbomr it is possible to drop the incoming traffic to port 22 through IPtables for selected IP addresses.

Add following Iptable rule

Code:

iptables -A INPUT -s <IP_to_be_blocked> -p tcp --dport 22 -j DROP

You can also use /etc/hosts.deny file to deny specific IP addresses

Code:

sshd: <IP_to_be_blocked>

unSpawn · 08-26-2010, 01:42 PM

Quote:

Originally Posted by vinaytp

You can also use /etc/hosts.deny file to deny specific IP addresses

An iptables rule set, as mentioned before, would be the safer option, security-wise.

vinaytp · 08-26-2010, 01:50 PM

Quote:

Originally Posted by unSpawn

An iptables rule set, as mentioned before, would be the safer option, security-wise.

I have also read regarding this, blocking traffic for a particular port in iptables is saffer than blocking through tcp_wrappers.

But how to justify this ? On what basis the above statement holds true ?

chips11 · 08-26-2010, 03:13 PM

Thanks,

My particular problem is that I am unable to login to the server using PuTTY from my own ip address. I have previously asked the server management to allow my ip address access and they did so, but as my ip address changes, i do not want to bother them with it every time my ip changes, which seems to happen if I switch on/off my router.

Is there a way I can specify which ip addresses are allowed rather than disallowed?

theNbomr · 08-26-2010, 03:17 PM

Quote:

I have also read regarding this, blocking traffic for a particular port in iptables is saffer than blocking through tcp_wrappers.

But how to justify this ? On what basis the above statement holds true ?

My logic on the matter would be that the earlier that traffic is blocked, the less opportunity there would be for undesirable behavior. As I understand it, the IP stack will not even see a packet that has been dropped by the netfilter/iptables layer.
--- rod.

xtacease · 08-26-2010, 11:28 PM

Quote:

Originally Posted by chips11

Thanks,

My particular problem is that I am unable to login to the server using PuTTY from my own ip address. I have previously asked the server management to allow my ip address access and they did so, but as my ip address changes, i do not want to bother them with it every time my ip changes, which seems to happen if I switch on/off my router.

Is there a way I can specify which ip addresses are allowed rather than disallowed?

notify them you would like a static IP configuration rather than, what I will assume, is your current DHCP setup.

chrism01 · 08-26-2010, 11:52 PM

See the Match block here http://www.openbsd.org/cgi-bin/man.c...penBSD+Current and PATTERNS defs here http://www.openbsd.org/cgi-bin/man.c...penBSD+Current

chips11 · 08-27-2010, 03:43 PM

I found out that the way to add an ip in the SSH allow list from WHM >> > Security Center >> Host Access Control option.

There you can just choose which ip addresses are allowed shell access.