LinuxQuestions.org
Old 08-26-2010, 09:09 AM   #1
chips11
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Rep: Reputation: 0
Logging into linux server via SSH - allowed ip addresses


Is there somewhere in WHM where I can allow and disallow various IP addresses to log in using PuTTY for SSH?

OpenSSH Server is not running (for security reasons).

If OpenSSH is not running, is there a way to allow certain IP addresses only to use SSH?

Security plugins I have are:
ConfigServer Security & Firewall
Mod Security
 
Old 08-26-2010, 09:36 AM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
I don't know whether the SSH server has the ability to filter incoming traffic by IP. You could, however, implement such filtering fairly easily with an iptables script to block specified IP traffic on port 22. Some might argue that in terms of security, this would be a better approach.
--- rod.
 
1 members found this post helpful.
Old 08-26-2010, 10:00 AM   #3
vinaytp
Member
 
Registered: Apr 2009
Location: Bengaluru, India
Distribution: RHEL 5.4, 6.0, Ubuntu 10.04
Posts: 704

Rep: Reputation: 55
Quote:
If OpenSSH is not running, is there a way to allow certain IP addresses only to use SSH?
Do you mean to say the sshd daemon is not running?

If yes, then you cannot log in through an SSH client from any IP address.

If the sshd daemon is running, then:

As suggested by theNbomr, it is possible to drop the incoming traffic to port 22 through iptables for selected IP addresses.

Add the following iptables rule:
Code:
iptables -A INPUT -s <IP_to_be_blocked> -p tcp --dport 22 -j DROP
You can also use the /etc/hosts.deny file to deny specific IP addresses:
Code:
sshd: <IP_to_be_blocked>
 
1 members found this post helpful.
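Added example (not part of any post in this thread): the rule in the post above drops one listed address, while the shell script below builds the inverse, an allowlist for TCP port 22, and only prints the iptables commands so they can be reviewed before being applied. The chain name `SSH_ALLOW`, the function names and the sample addresses (documentation ranges) are assumptions, and it assumes the rule set is not managed by another tool such as CSF.

```shell
#!/bin/sh
# Added example: print (never run) iptables commands that limit TCP/22 to an
# allowlist. Chain name and sample addresses are assumptions (constructed).
# IPv4 only; ip6tables needs its own rules.
SSH_PORT=22
CHAIN=SSH_ALLOW

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set for the given sources; emit nothing if any input is bad.
ssh_allowlist_rules() {
    [ $# -gt 0 ] || { echo "refusing to build an empty allowlist" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Everything not accepted above is dropped; the DROP must come last.
    echo "iptables -A $CHAIN -j DROP"
    # -I places the jump at the top of INPUT, ahead of any older rule for 22.
    echo "iptables -I INPUT -p tcp --dport $SSH_PORT -j $CHAIN"
}

# Constructed sample: one admin host and one office range.
ssh_allowlist_rules 203.0.113.10 198.51.100.0/24
```

Because `-A` appends, an ACCEPT added after an existing DROP for the same traffic never matches; keeping the allowlist in its own chain avoids that ordering problem. Applying the printed rules from a session whose address is not in the list cuts that session off.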
Old 08-26-2010, 01:42 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Rep: Reputation: 2870
Quote:
Originally Posted by vinaytp View Post
You can also use the /etc/hosts.deny file to deny specific IP addresses
An iptables rule set, as mentioned before, would be the safer option, security-wise.
 
1 members found this post helpful.
Old 08-26-2010, 01:50 PM   #5
vinaytp
Member
 
Registered: Apr 2009
Location: Bengaluru, India
Distribution: RHEL 5.4, 6.0, Ubuntu 10.04
Posts: 704

Rep: Reputation: 55
Quote:
Originally Posted by unSpawn View Post
An iptables rule set, as mentioned before, would be the safer option, security-wise.
I have also read about this: blocking traffic for a particular port in iptables is safer than blocking through tcp_wrappers.

But how to justify this? On what basis does the above statement hold true?
 
1 members found this post helpful.
Old 08-26-2010, 03:13 PM   #6
chips11
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Original Poster
Rep: Reputation: 0
allowing an IP address shell access

Thanks,

My particular problem is that I am unable to log in to the server using PuTTY from my own IP address. I have previously asked the server management to allow my IP address access and they did so, but as my IP address changes, I do not want to bother them with it every time my IP changes, which seems to happen if I switch on/off my router.

Is there a way I can specify which IP addresses are allowed rather than disallowed?
 
Old 08-26-2010, 03:17 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
Quote:
I have also read about this: blocking traffic for a particular port in iptables is safer than blocking through tcp_wrappers.

But how to justify this? On what basis does the above statement hold true?
My logic on the matter would be that the earlier that traffic is blocked, the less opportunity there would be for undesirable behavior. As I understand it, the IP stack will not even see a packet that has been dropped by the netfilter/iptables layer.
--- rod.

Last edited by theNbomr; 08-26-2010 at 03:18 PM.
 
1 members found this post helpful.
Old 08-26-2010, 11:28 PM   #8
xtacease
LQ Newbie
 
Registered: Oct 2007
Location: Austin/Warsaw
Distribution: oSuse 11.1
Posts: 12

Rep: Reputation: 1
Quote:
Originally Posted by chips11 View Post
Thanks,

My particular problem is that I am unable to log in to the server using PuTTY from my own IP address. I have previously asked the server management to allow my IP address access and they did so, but as my IP address changes, I do not want to bother them with it every time my IP changes, which seems to happen if I switch on/off my router.

Is there a way I can specify which IP addresses are allowed rather than disallowed?
Notify them you would like a static IP configuration rather than what I will assume is your current DHCP setup.
 
1 members found this post helpful.
Old 08-26-2010, 11:52 PM   #9
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,280

Rep: Reputation: 2032
See the Match block here http://www.openbsd.org/cgi-bin/man.c...penBSD+Current and PATTERNS defs here http://www.openbsd.org/cgi-bin/man.c...penBSD+Current
 
1 members found this post helpful.
Old 08-27-2010, 03:43 PM   #10
chips11
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Original Poster
Rep: Reputation: 0
allowing an ip address shell access

I found out that the way to add an IP to the SSH allow list is from the WHM >> Security Center >> Host Access Control option.

There you can just choose which IP addresses are allowed shell access.
 
  

